$query = "INSERT INTO `saved_feed_".$_SESSION['id']."` (title,description,link,pub_date,img_link) VALUES (:?,:?,:?,:?,:?)";
echo $query;
$stmt = $dbh->prepare($query);
$stmt->bindParam(1,$title,PDO::PARAM_STR);
$stmt->bindParam(2,$desc,PDO::PARAM_STR);
$stmt->bindParam(3,$link,PDO::PARAM_STR);
$stmt->bindParam(4,$pub_date,PDO::PARAM_STR);
$stmt->bindParam(5,$img_link,PDO::PARAM_STR);
$stmt->execute();
echo $title.'<br>'.$desc.'<br>'.$link.'<br>'.$pub_date.'<br>'.$img_link;

Hint: the $_SESSION['id'] value in the code above is 23 in this case.

The variables are all set; in fact, if I echo them I can see all the values, but in the database nothing happens.

This is a screenshot of the table


  • First echo the query and then try to run the query directly in the database (phpMyAdmin) and see what happens – Web Artisan Apr 29 '16 at 09:27
  • Remove `:` before `?` – Saty Apr 29 '16 at 09:27
  • Parameters are notated by either `?,?,?` or `:name1, :name2, :name3` – RiggsFolly Apr 29 '16 at 09:28
  • Saty is right..thanks, my distraction.. – Giuseppe De Paola Apr 29 '16 at 09:29
  • Putting arbitrary data in there is super dangerous. Be extremely careful when adding column names in that manner. If you can, test against a white-list of known-good columns and refuse to execute any query that doesn't conform. It's worth mentioning that naming your placeholders helps a lot, you can just `execute` given an `array()` of name-value pairs. – tadman Apr 29 '16 at 09:31
  • But with the bindParam() function it isn't secure? Sorry, but I don't know much about security with PHP... Maybe I don't understand you exactly (my English isn't good); can you give me an example please? – Giuseppe De Paola Apr 29 '16 at 09:34
  • Why in the world are you creating a separate table per session ?!?! – h2ooooooo Apr 29 '16 at 10:32
  • Because I haven't learned the difference between creating a single table with a lot of data with foreign keys and a table for each session (1 user = 1 session) – Giuseppe De Paola Apr 29 '16 at 10:38
  • @GiuseppeDePaola You don't even need any foreign keys here. You just need to create another column (`session_id`) and set that to the session ID instead of creating an individual table per session. – h2ooooooo Apr 29 '16 at 10:44
  • @h2ooooooo Yes, but if I create a very, very long table with all the session ids inside, associated with the other content.. is it faster for the query to find data inside this instead of searching directly in a table with only the user's data inside? – Giuseppe De Paola Apr 29 '16 at 10:47
  • @GiuseppeDePaola It's absolutely not faster to create an individual table. [Simply index your session_id column](http://stackoverflow.com/questions/3002605/how-do-i-add-indexes-to-mysql-tables) and everything will be blazing fast unless you have literally millions/billions of rows (in which case your "individual tables" would fail hard WAY before that) – h2ooooooo Apr 29 '16 at 10:49

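The fixes the comments point at, combined into one added example (not the asker's or any commenter's code): the `:?` placeholders become named ones passed to `execute()`, the per-session tables become a single `saved_feed` table with an indexed `session_id` column so no session data is ever spliced into the SQL text, PDO is switched to exception mode so a bad statement cannot silently "do nothing", and an allow-list guards the one case where an identifier genuinely has to vary. The table layout, the connection string and the `feedItemsFor()` sort-column helper are assumptions for the example.

```php
<?php
// Added example, not the question's own code. Assumes one table `saved_feed`
// (columns: id, session_id, title, description, link, pub_date, img_link)
// with an index on session_id, replacing the per-session tables.

// Throw on SQL errors instead of failing silently (the default before PHP 8),
// so a malformed statement does not simply "do nothing". Credentials are placeholders.
$dbh = new PDO('mysql:host=localhost;dbname=app', 'user', 'pass', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

/**
 * Insert one feed item for the current session. The SQL text is a constant:
 * no session or request data is concatenated into it, so there is no table
 * name to validate. Values travel only through named placeholders.
 */
function saveFeedItem(PDO $dbh, int $sessionId, array $item): bool
{
    $sql = 'INSERT INTO saved_feed
                (session_id, title, description, link, pub_date, img_link)
            VALUES
                (:session_id, :title, :description, :link, :pub_date, :img_link)';
    $stmt = $dbh->prepare($sql);
    // execute() takes one array of name => value pairs; no bindParam() calls.
    return $stmt->execute([
        ':session_id'  => $sessionId,
        ':title'       => $item['title'],
        ':description' => $item['description'],
        ':link'        => $item['link'],
        ':pub_date'    => $item['pub_date'],
        ':img_link'    => $item['img_link'],
    ]);
}

/**
 * Placeholders cannot carry identifiers. If a column name must vary (here a
 * caller-chosen sort column), check it against a fixed allow-list and refuse
 * anything else, as tadman's comment recommends.
 */
function feedItemsFor(PDO $dbh, int $sessionId, string $orderBy): array
{
    if (!in_array($orderBy, ['pub_date', 'title'], true)) {
        throw new InvalidArgumentException('unsupported sort column');
    }
    $stmt = $dbh->prepare("SELECT title, link FROM saved_feed
                           WHERE session_id = :sid ORDER BY `$orderBy`");
    $stmt->execute([':sid' => $sessionId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```

With this layout the original call site becomes `saveFeedItem($dbh, (int) $_SESSION['id'], $item)`, and the query for one user stays an indexed lookup on `session_id` rather than a separate table per user.
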
0 Answers