how i insert 1 data with 2 string? and insert into database?

Question

i was doing a insert statement and i want 2 username become 1 data and insert into database. i no sure how to do it.

here is my php and mysql

$target = $_GET['user'];
$id = $_SESSION['id'];

$targetusername = mysqli_query($connection,"SELECT username FROM user WHERE id='$target' ")or die(mysqli_error($connection));
$username=  mysqli_query($connection,"SELECT username FROM user WHERE id='$id'") or die(mysqli_error($connection));

$direct_message_room_name ="INSERT INTO direct_message_room(`direct_message_room_name`,`user_1_id`,`user_2_id`) VALUES (('$targetusername' + ' and ' + '$username'),'$id','$target')";

If you want to store multiple variables in one field, you can `serialize()` an array. You should have a good reason to need to do this though. It may make your database table less effective, especially when it comes to searching and such. — Rasclatt, Jun 05 '16 at 03:58
i was insert 2 username is becaue it is use for direct message room name . user can view their history chat with who before — Chew, Jun 05 '16 at 04:02
Also, you are open to sql injection with you query that inserts the `$_GET` variable. — Rasclatt, Jun 05 '16 at 04:17
still new in php and sql~ thx for your advise. i will learn prevent sql injection is very important. — Chew, Jun 05 '16 at 04:32
**WARNING**: When using `mysqli` you should be using [parameterized queries](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and [`bind_param`](http://php.net/manual/en/mysqli-stmt.bind-param.php) to add user data to your query. **DO NOT** use string interpolation or concatenation to accomplish this because you have created a severe [SQL injection bug](http://bobby-tables.com/). **NEVER** put `$_POST` or `$_GET` data directly into a query, it can be very harmful if someone seeks to exploit your mistake. — tadman, Jun 05 '16 at 05:12

score 2 · Answer 1 · edited May 23 '17 at 12:15

In order to have two variables in one column, you can serialize an array, though this is generally frowned upon unless it's for a good reason.

$array = array('username'=>'user1','username2'=>'user2');
$serialize = serialize($array);

Gives you:

a:2:{s:8:"username";s:5:"user1";s:9:"username2";s:5:"user2";}

Use the unserialize() function to return it to an array. Wordpress is one notable web application that stores arrays in such a way.

On a side note, you need to use bind parameter to avoid injectable sql queries:

// Do not do this
$target = $_GET['user'];
mysqli_query($connection,"SELECT username FROM user WHERE id='$target' ")

Here is a reference:

What does bind_param accomplish?

Moussa Khalil · Accepted Answer · 2016-06-05T04:46:06.233

1

You can concat two strings in php like so:

$StringAB = $StringA . " something " . $StringB;



$target = $_GET['user'];
$id = $_SESSION['id'];

$targetusername = mysqli_query($connection,"SELECT username FROM user WHERE id='$target' ")or die(mysqli_error($connection));


$username=  mysqli_query($connection,"SELECT username FROM user WHERE id='$id'") or die(mysqli_error($connection));

$rowUserName = mysql_fetch_array($username); 
$rowTargetUserName = mysql_fetch_array($targetusername );

$room_name = $rowUserName["username"] . ' and ' . $rowTargetUserName["username"]; // Create room name (assuming both exist)
$direct_message_room_name ="INSERT INTO direct_message_room(`direct_message_room_name`,`user_1_id`,`user_2_id`) VALUES ('$room_name','$id','$target')";

edited Jun 05 '16 at 04:46

answered Jun 05 '16 at 04:23

Moussa Khalil

635
5
12

i got an error on your `$room_name = $targetusername . ' and ' . $username; ` – Chew Jun 05 '16 at 04:29
`Catchable fatal error: Object of class mysqli_result could not be converted to string in` – Chew Jun 05 '16 at 04:33
1

try $username["username"] .' and '. $targetusername["username"] – Moussa Khalil Jun 05 '16 at 04:34
`Fatal error: Cannot use object of type mysqli_result as array in` – Chew Jun 05 '16 at 04:35
1

Hang on you need to fetch array. Updating anwser – Moussa Khalil Jun 05 '16 at 04:44
i edit the `$rowUserName = mysql_fetch_array($username); $rowTargetUserName = mysql_fetch_array($targetusername );` into `$rowUserName = mysqli_fetch_array($username); $rowTargetUserName = mysqli_fetch_array($targetusername );` and it works – Chew Jun 05 '16 at 05:04
1

Great. But as stated in many comments you need to protect against injections. And make sure those usernames exist :) – Moussa Khalil Jun 05 '16 at 05:05

how i insert 1 data with 2 string? and insert into database?

2 Answers2