What's wrong in this code? It doesn't insert row in the table

Question

It doesn't insert row in the table.

/*add to group*/
if($edu_school=="I.T"){
    $group_id = $_POST["3"];
    $db->query(sprintf("INSERT INTO groups_members (group_id, user_id) VALUES (%s,%s)" )) or _error(SQL_ERROR_THROWEN); 
}

score 1 · Answer 1 · answered Feb 13 '16 at 12:06

Where is you set value?!

Try like this

if($edu_school=="I.T"){
    $group_id = (string)$_POST["3"];
    $query=sprintf("INSERT INTO groups_members (group_id, user_id) VALUES (%s,%s)",$group_id,"1" );
     $db->query($query) or _error(SQL_ERROR_THROWEN);
}

score 1 · Answer 2 · edited May 23 '17 at 11:59

1

The values for both string placeholders are missing. See sprintf for documentation.

Side note: Please be aware that with this method your code will still be vulnerable to SQL Injections.

edited May 23 '17 at 11:59

Community

1
1

answered Feb 13 '16 at 12:08

Tekay37

467
5
18

What's wrong in this code? It doesn't insert row in the table

2 Answers2