
When I retrieve data from a form and need to submit that data to a MySQL database, I get some errors. I know that the problem is in the ' and " characters.

My PHP code for submitting data:

$sql = 'INSERT INTO news (id,name)
VALUES ("$id","$name")';

Variable $name is retrieved from the form: $name = $_POST["name"];

So, if variable $name has the value

<p>
<span style="color: rgb(68, 68, 68); font-family: 'Open Sans', sans-serif; font-size: 16px; line-height: 26.672px;">1. Some text for example</span><br>
</p>

How can I run that query with this text when there are problems with the ' and " characters?

Ivan Barayev
Rifet Gazdić

2 Answers

The difference between using single quotes and double quotes in PHP is that if we use single quotes in an echo statement then it is treated as a literal string. If we use variables inside single quotes then it will output the variable name as is.

$sql = "INSERT INTO news (id,name)
VALUES ($id,'$name')";

Since $name is a string, it's better to write the code in this manner.

I know that the problem is in ' and " characters. // from question

I hope now you know where the problem is.


Update

Now, as our friends said in the comment section, to avoid SQL injection one of several ways is to use prepared statements with MySQLi.
Using the above method your code will be like below.

// $mysqli is an open connection created earlier, e.g. new mysqli($host, $user, $pass, $db)
$name = $_GET['username'];
$id = $_GET['id'];

if ($stmt = $mysqli->prepare("INSERT INTO tbl_users (id, name) VALUES (?, ?)")) {

    // Bind the variables to the placeholders as strings; the values never
    // become part of the SQL text, so quotes inside them cannot break it.
    $stmt->bind_param("ss", $id, $name);

    // Execute the statement.
    $stmt->execute();

    // Close the prepared statement.
    $stmt->close();

}

For more check here.
Great references by RiggsFolly:
SQL injection that gets around mysql_real_escape_string()
http://bobby-tables.com/
Really awesome, thanks RiggsFolly.

Sachin
  • You don't need the `.` concatenation in that query. `$sql = "INSERT INTO news (id,name) VALUES ($id,'$name')";` will do just fine – RiggsFolly May 09 '16 at 18:58
  • This is also open to [SQL Injection](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – RiggsFolly May 09 '16 at 18:59
  • Wrong, so wrong... Have a look at what happened to [Little Bobby Tables](http://bobby-tables.com/). Even [if you are escaping inputs, it's not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) – RiggsFolly May 09 '16 at 19:05
  • Please do not go around telling people to use code that leaves them open to a SQL injection attack. Many visitors are too inexperienced to know the difference and will use the code blindly. – Basic May 09 '16 at 19:15
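To make the difference concrete for the exact value in the question, here is an added example (not code from the question or either answer) that runs the same INSERT both ways. It uses PDO with an in-memory SQLite database instead of MySQLi so it needs no MySQL server; the table name and the sample $name value come from the question, and the function names are our own.

```php
<?php
declare(strict_types=1);

// Fresh in-memory database with the question's table (SQLite stands in for MySQL here).
function make_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE news (id INTEGER, name TEXT)');
    return $db;
}

// Vulnerable form: the value is pasted into the SQL text, exactly like
// "... VALUES ($id,'$name')" in the answer above. Any single quote inside
// $name ends the SQL string literal early, so the query is no longer the
// one the programmer wrote. Returns false when the database rejects it.
function insert_interpolated(PDO $db, int $id, string $name): bool {
    try {
        $db->exec("INSERT INTO news (id, name) VALUES ($id, '$name')");
        return true;
    } catch (PDOException $e) {
        return false;
    }
}

// Safe form: the SQL text is fixed at prepare time and the value travels
// separately as a bound parameter, so its quotes are just data.
function insert_prepared(PDO $db, int $id, string $name): void {
    $stmt = $db->prepare('INSERT INTO news (id, name) VALUES (?, ?)');
    $stmt->bindValue(1, $id, PDO::PARAM_INT);
    $stmt->bindValue(2, $name, PDO::PARAM_STR);
    $stmt->execute();
}

// Read the stored value back so we can confirm it survived byte-for-byte.
function fetch_name(PDO $db, int $id): ?string {
    $stmt = $db->prepare('SELECT name FROM news WHERE id = ?');
    $stmt->execute([$id]);
    $row = $stmt->fetchColumn();
    return $row === false ? null : $row;
}

// Constructed sample input: the HTML fragment from the question, which contains
// the single quotes around Open Sans that break the interpolated query.
$name = "<p>\n<span style=\"color: rgb(68, 68, 68); font-family: 'Open Sans', sans-serif; "
      . "font-size: 16px; line-height: 26.672px;\">1. Some text for example</span><br>\n</p>";

$db = make_db();
var_dump(insert_interpolated($db, 1, $name)); // fails: 'Open Sans' terminates the literal
insert_prepared($db, 2, $name);               // succeeds with the same input
var_dump(fetch_name($db, 2) === $name);       // the stored text is identical to the input
```

Run it with `php example.php` on any PHP build that has the pdo_sqlite extension.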
How about this?

// $con = mysqli_connect(...) is an open connection created earlier
if ($stmt = mysqli_prepare($con, "INSERT INTO news(id,name) values (?,?)")) {
    mysqli_stmt_bind_param($stmt, 'ss', $id, $name); // id and name bound as strings
    mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);
}
mysqli_close($con);
Rupesh Bhandari