string creation for mysql INSERT from $_POST

Question

Im using javascript ajax to post a value to PHP. In this case, its an object of {x: 5, y, 5}

This will create a proper sql query which results in INSERT.

if (isset($_POST["item"])) {
    $var = $_POST["item"];
    $x = $var["x"];
    $y  = $var["y"];
    $sql = "INSERT INTO hex (id, x, y) VALUES (NULL, $x, $y)";
}

This however, will not work - at all. Why and how can it be fixed ? - thanks

if (isset($_POST["item"])) {
    $var = $_POST["item"];

    $sql = "INSERT INTO hex (id, x, y) VALUES (NULL, $var["x"], $var["y"])";
}

Will not work either:

if (isset($_POST["item"])) {
    $var = $_POST["item"];

    $sql = "INSERT INTO hex (id, x, y) VALUES (NULL, '$var["x"]', '$var["y"]')";
}

score 0 · Answer 1 · edited May 23 '17 at 10:27

The issue is that you use the " to create a String, and you use it to define your array variable. You cannot combine this. But you can do this to combine strings:

$sql = "INSERT INTO hex (id, x, y) VALUES (NULL, '" . $var["x"] . "', '" . $var["y"] . "')";

Note: that this is not a safe query since MySQL injection will be really easy. Please try to use PDO and parameters. See this answer:

prepared parameterized query with PDO

score 0 · Answer 2 · answered Oct 25 '15 at 19:22

0

Maybe your problem is caused becasuse of the double quotes.

Try this one:

$sql = "INSERT INTO hex (id, x, y) VALUES (NULL, $var['x'], $var['y'])";

Or even this:

$sql = 'INSERT INTO hex (id, x, y) VALUES (NULL, '.$x.', '.$y.')";

answered Oct 25 '15 at 19:22

cooper

635
1
8
23

string creation for mysql INSERT from $_POST

2 Answers2