-4

I am new to php and trying to insert some values to my database table but query isn't working when I am passing values by php variables. The same query was working with static values.

I am making my database connection in init.php and the variable in there for same is $dbc.

<?php
require "init.php";

$mobile = "100004";
$email = "vikas4@web";
$password = "4444"

$stmt = mysqli_prepare($dbc, "INSERT INTO user_login (user_mobile, user_email, user_pwd) values(?, ?, ?)";
mysqli_stmt_bind_param($stmt, "sss", $mobile, $email, $password);
echo "after sql_query";

?>

For more detail, When I am replacing my $sql_query with below static code, it is inserting into database.

$sql_query = "INSERT INTO user_login (user_mobile, user_email, user_pwd) values('1000055', 'vikas55@web', '5555')";
maxhb
  • 8,554
  • 9
  • 29
  • 53
Vikas Rana
  • 33
  • 2
  • 9
  • Do you have any errors? – Matheno Jan 15 '16 at 10:55
  • 3
    If you echo `$sql_query` you will see that the query is invalid. The wrong way to solve this, is to add quotes around the values in the string. The right way is to use [prepared statements and passing the values are parameters](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). – GolezTrol Jan 15 '16 at 10:55
  • Possible duplicate of [PHP MySQL Query Doesn't Insert](http://stackoverflow.com/questions/10939819/php-mysql-query-doesnt-insert) – Matheno Jan 15 '16 at 10:55
  • So your problem is solved? – maxhb Jan 15 '16 at 11:20
  • I didn't echo $sql_query. It is simple string in last. – Vikas Rana Jan 15 '16 at 11:24

2 Answers2

5

You have to use quotes to insert string values

$sql_query = "INSERT INTO user_login (user_mobile, user_email, user_pwd) values('$mobile', '$email', '$password')";

But even this is not a good solution as you wqould be vulnerable to sql injections.

Use prepared statements to avoid these security issues:

$stmt = mysqli_prepare($dbc, "INSERT INTO user_login (user_mobile, user_email, user_pwd) values(?, ?, ?)";
mysqli_stmt_bind_param($stmt, "sss", $mobile, $email, $password);
mysqli_stmt_execute($stmt);

Prepared statements will handle all the escaping and quote encapsulation necessary to be safe.

If you'd like to dig into the topic you may read nice tutorial at http://www.w3schools.com/php/php_mysql_prepared_statements.asp

maxhb
  • 8,554
  • 9
  • 29
  • 53
  • 1
    The quotes version is bad practice. Your other solution uses the object notation, while OP uses the functional libraries. This will be very confusing for a beginner. – GolezTrol Jan 15 '16 at 11:01
  • I updated my main post with your code but not working till now. Could you please check and put the answer for query. @GolezTrol – Vikas Rana Jan 15 '16 at 11:20
  • Please add the `mysqli_stmt_execute()` from my example. It's needed to actually execute the sql statement. – maxhb Jan 15 '16 at 11:23
  • 1
    Thanks all. Its working now. I used prepared statements and passing the values are parameters. – Vikas Rana Jan 15 '16 at 11:39
0

If user_mobile type defined int or other numeric types, you should not use '. so you can test this:

$sql_query = "INSERT INTO user_login (user_mobile, user_email, user_pwd) values($mobile, '$email', '$password')";
worldofjr
  • 3,868
  • 8
  • 37
  • 49
Behin
  • 9
  • 1
  • It's very bad practise to do it like this. An answer similar to yours was already deleted. If you would do this, you would also have to escape quotes and other characters in the values. BTW, what you say about the numeric value is not true. You can use quotes around numeric values and MySQL will just convert it. Whether 'mobile' *should* be numeric at all is a completely different matter. – GolezTrol Jan 15 '16 at 11:06