-4

For example, I have an HTML file like below:

<html>
  <form action="insert.php" method="post">
    Name:<input type="text" name="txtname" />
    <input type="submit" name="but" value="Submit" />
  </form>
</html>

and a PHP file like below:

<?php
  if(isset($_POST['but']))
  {
    mysqli_query($con,"insert into student(Name) values(".$_POST["txtname"].")");
  }
?>

My question is that if I write $name=$_POST['txtname'] and I use $name in the values part then the dot is not used, but if I write $_POST directly in the values part then the dot is used. Why is this dot used?

RST
Raj
  • Otherwise the double quote for the index of `$_POST` would stop the string! – Rizier123 Dec 13 '14 at 12:22
  • 3
    Your code is vulnerable to SQL injections; you should read on [how to prevent them in PHP](http://stackoverflow.com/q/60174/53114). – Gumbo Dec 13 '14 at 12:26
  • save the query in a variable and echo it. And execute the echo string in phpmyadmin will give you the result of whether the written query is right or wrong? – Gunaseelan Dec 13 '14 at 12:28
  • May be the column `Name` can be a data type of varchar – Gunaseelan Dec 13 '14 at 12:29
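As an added example (not code from the question or its comments), the script below builds the same SQL text with each of the string-building forms discussed in the thread. $_POST is filled with a constructed value instead of a submitted form, so it runs from the command line; the apostrophe in the sample name is ordinary user data, the kind a real registration form receives.

```php
<?php
// Added example, not from the question or answers: build the same SQL text with
// each string-building form from the thread and print the results.
// $_POST is filled with a constructed value instead of a submitted form.
$_POST = ['txtname' => "O'Brien", 'but' => 'Submit'];

// 1. Concatenation: the double-quoted string is closed, the array element is
//    appended with the dot operator, and the string is reopened.
$q1 = "insert into student(Name) values(" . $_POST['txtname'] . ")";

// 2. Interpolation: a quoted key inside a double-quoted string needs {...}.
$q2 = "insert into student(Name) values({$_POST['txtname']})";

// 3. Interpolation with an unquoted key is also allowed (PHP's simple syntax).
$q3 = "insert into student(Name) values($_POST[txtname])";

// 4. Copying into a plain variable first: no dot or braces are needed.
$name = $_POST['txtname'];
$q4 = "insert into student(Name) values($name)";

// All four build the same string. The value is pasted in unquoted and
// unescaped, so MySQL sees O'Brien as a bare word followed by an unterminated
// string literal, and the query fails.
var_dump($q1 === $q2 && $q2 === $q3 && $q3 === $q4);
echo $q1, PHP_EOL;

// Wrapping the value in single quotes works for plain names but still breaks
// as soon as the value itself contains a quote: the user's data is being
// parsed as SQL syntax, which is exactly the injection problem the comments
// point at.
$q5 = "insert into student(Name) values('{$_POST['txtname']}')";
echo $q5, PHP_EOL;

// The safe shape keeps the value out of the SQL text entirely and hands it to
// the driver as a separate parameter (see the prepared statement in the answers).
$template = 'insert into student(Name) values(?)';
echo $template, PHP_EOL;
```

Run it with `php example.php`: the var_dump confirms that the dot is nothing more than PHP's string concatenation operator (the braces and the plain variable produce the identical string), and the echoed statements show the apostrophe landing unescaped inside the SQL, which is why only the parameterised template is safe to execute.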

2 Answers

0

You have two possibilities to do this...

First:

mysqli_query($con,"insert into student(Name) values(" . $_POST['txtname'] . ")");
// using single quotes instead of double quotes

Second:

mysqli_query($con,"insert into student(Name) values({$_POST['txtname']})");
// don't use any dots, just single quotes, and simply add it to the string

Also you should take care to put some single quotes around the content...

"... values('{$_POST['txtname']}')"

so it should be

mysqli_query($con,"insert into student(Name) values('{$_POST['txtname']}')");

and as pointed out in the comments... you have injection problems and should consider solving this.

Your PHP

<?php
    $mysqli = new mysqli('localhost', 'my_user', 'my_password', 'foobar');

    /* check connection */
    if (mysqli_connect_errno()) {
        printf("Connect failed: %s\n", mysqli_connect_error());
        exit();
    }

    $stmt = $mysqli->prepare("INSERT INTO student ( Name ) VALUES ( ? )");
    $stmt->bind_param('s', $_POST['txtname']);

    /* execute prepared statement */
    $stmt->execute();

    printf("%d Row inserted.\n", $stmt->affected_rows);

    /* close statement and connection */
    $stmt->close();

    /* close connection */
    $mysqli->close();

?>
Dwza
0

You can use $name with and without dots, but $_POST['something'] is different in that the index has quotes. It will break your query.

It is not related to $_POST; it is related to arrays.

You could also write it like

mysqli_query($con,"insert into student(Name) values('{$_POST['txtname']}')");

On another note, you should not insert form input directly into the database. Do some validation first.

RST
  • This will cause an error because you are stopping the string when you use the POST like this. String is: `"insert into student(Name) values('{$_POST["` and then you will get the error... – Dwza Dec 13 '14 at 12:41
  • Actually the information between the curly brackets is handled by PHP so it shouldn't affect the query but I'll change it. – RST Dec 13 '14 at 13:10
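As an added example that is not part of either answer, here is the question's insert.php rewritten to combine the validation RST mentions with the prepared statement Dwza shows, plus error handling. The connection details are placeholders; the table student(Name) and the form field names come from the question.

```php
<?php
// Added example, not code from the question or either answer: insert.php with
// input validation, a prepared statement and error handling.
// Connection details below are placeholders, not real credentials.
declare(strict_types=1);

// Make every mysqli failure throw mysqli_sql_exception instead of returning
// false, so a failed prepare or execute cannot go unnoticed.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Validate the form field: it must be present, be a string (not an array
// smuggled in as txtname[]), and fit the column after trimming.
function validateName(mixed $raw): string
{
    if (!is_string($raw)) {
        throw new InvalidArgumentException('txtname is missing or not a string');
    }
    $name = trim($raw);
    // Byte length; assumes Name is declared at least VARCHAR(100).
    if ($name === '' || strlen($name) > 100) {
        throw new InvalidArgumentException('txtname must be 1-100 characters');
    }
    return $name;
}

// Insert the name and return the number of rows written.
function insertStudent(mysqli $db, string $name): int
{
    // The value travels to MySQL separately from the SQL text, so a quote in
    // the name (O'Brien) is data, never SQL syntax. No dots or braces needed.
    $stmt = $db->prepare('INSERT INTO student (Name) VALUES (?)');
    $stmt->bind_param('s', $name);
    $stmt->execute();
    $rows = (int) $stmt->affected_rows;
    $stmt->close();
    return $rows;
}

if (isset($_POST['but'])) {
    try {
        $name = validateName($_POST['txtname'] ?? null);
        $db = new mysqli('localhost', 'db_user', 'db_password', 'school'); // placeholders
        $rows = insertStudent($db, $name);
        $db->close();
        // Escape before echoing so the name cannot inject HTML into the response.
        printf('%d row inserted for %s', $rows, htmlspecialchars($name, ENT_QUOTES, 'UTF-8'));
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    } catch (mysqli_sql_exception $e) {
        http_response_code(500);
        error_log($e->getMessage()); // keep database detail in the server log only
        echo 'Database error';
    }
}
```

Two design points: validation and the database write are separate functions so the name check can be unit-tested without a database, and the mysqli exception is caught after the validation exception so a malformed request yields a 400 with a plain message while a database fault yields a 500 whose detail goes to the server log rather than to the browser.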