    $query = sprintf("INSERT INTO dat(empid,empname,reason,date)VALUES\n%s",
        implode(",\n", $values));

    $query1 = real_escape_string($query);

Please help me with the above code. I can't insert characters.

Ben Swinburne
shyam
  • What is the value in $values variable? – Archana Oct 16 '15 at 12:20
  • Highly recommended to use prepared statement. Also you can try this: http://stackoverflow.com/questions/920353/can-i-bind-an-array-to-an-in-condition#920523 – stack Oct 16 '15 at 12:26
  • #archana: if I give int to empid, empname, reason and date I can insert to db. If I use character for empid it shows an error like "Unknown column 'shyam' in 'field list'". – shyam Oct 20 '15 at 04:09

1 Answer

Firstly, always make sure that your data is safe.

    $emp_id_safe = filter_var($_POST['emp_id'], FILTER_SANITIZE_NUMBER_INT);
    $emp_name_safe = filter_var($_POST['emp_name'], FILTER_SANITIZE_STRING);
    $reason_safe = filter_var($_POST['reason'], FILTER_SANITIZE_STRING);
    $end_date_safe = filter_var($_POST['to_date'], FILTER_SANITIZE_STRING);

Secondly, the mysql PHP extension is deprecated and will be removed in the future. Replace it with mysqli.

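    // $mysqli is assumed to be an open mysqli connection.
    // Note: the loose == FALSE comparison also rejects empty strings and "0".
    if ($emp_id_safe == FALSE || $emp_name_safe == FALSE ||
        $reason_safe == FALSE || $end_date_safe == FALSE) {
        die('Filter failure');
    } else {
        // Placeholders keep the values out of the SQL text.
        $stmt = $mysqli->prepare("INSERT INTO date(empid, empname, reason, date) VALUES (?, ?, ?, ?)");
        $stmt->bind_param("ssss", $emp_id_safe, $emp_name_safe, $reason_safe, $end_date_safe);
        $stmt->execute();
    }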
anna
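
The "Unknown column 'shyam'" error from the comments appears because the row values land in the SQL text unquoted, and escaping the finished query string cannot repair that. As an added example (not code from the question or the answer), the same multi-row `VALUES` insert can be built from `?` placeholders and bound with mysqli; `build_bulk_insert()` and the sample rows are hypothetical, and `$mysqli` is assumed to be an open connection.

```php
<?php
// Added example, not from the original post.
// The VALUES list holds only "?" placeholders, so row data never becomes SQL text.
function build_bulk_insert(string $table, array $columns, array $rows): array
{
    // Identifiers cannot be bound as parameters, so accept only plain names.
    foreach (array_merge([$table], $columns) as $name) {
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name)) {
            throw new InvalidArgumentException("Bad identifier: $name");
        }
    }
    if ($rows === []) {
        throw new InvalidArgumentException('No rows to insert');
    }
    $group = '(' . implode(', ', array_fill(0, count($columns), '?')) . ')';
    $params = [];
    foreach ($rows as $row) {
        if (count($row) !== count($columns)) {
            throw new InvalidArgumentException('Row/column count mismatch');
        }
        foreach ($row as $value) { $params[] = (string) $value; }
    }
    $sql = sprintf(
        "INSERT INTO `%s` (`%s`) VALUES\n%s",
        $table,
        implode('`, `', $columns),
        implode(",\n", array_fill(0, count($rows), $group))
    );
    return [$sql, $params];
}

// Constructed sample rows; the second contains a quote on purpose.
$rows = [
    ['shyam', 'Shyam K', 'sick leave', '2015-10-16'],
    ['E102', "O'Brien", 'conference', '2015-10-20'],
];
[$sql, $params] = build_bulk_insert('dat', ['empid', 'empname', 'reason', 'date'], $rows);
echo $sql, "\n", json_encode($params), "\n";

// With an open mysqli connection in $mysqli (assumed, as in the answer):
if (isset($mysqli)) {
    $stmt = $mysqli->prepare($sql);
    $stmt->bind_param(str_repeat('s', count($params)), ...$params);
    $stmt->execute();
}
```

For large batches, split the rows into chunks: a MySQL prepared statement accepts at most 65,535 placeholders.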