-1

When I'm trying to do this:

$query  = "INSERT INTO news ( ";
$query .= "page_link,title,content,images,date";
$query .= ") VALUES ( ";
$query .= "'{$page_link}','{$title}','{$content}',''" . serialize($images_array) . "'','{$date}'";
$query .= ")";

I get this error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'a:33:{i:0;s:76:\"http://www.example.com/wp-content/uploads/2016/07/Abc.jpg' at line 1

I'm sure it's because of serialize($images_array), because when I remove it the other values are inserted into the database.
My array contains links to images.

SAM
  • 281
  • 3
  • 15

3 Answers

1

Check here: you have extra single quotes '

$query .= "'{$page_link}','{$title}','{$content}','" . serialize($images_array) . "','{$date}'";
Niklesh Raut
  • 34,013
  • 16
  • 75
  • 109
1

Instead of substituting values directly, you could use the methods below to avoid SQL injection.

Hope this will solve your problem

You basically have two options to achieve this:

Using PDO (for any supported database driver):

$stmt = $pdo->prepare('SELECT * FROM employees WHERE name = :name');

$stmt->execute(array('name' => $name));

foreach ($stmt as $row) {
    // do something with $row
}

Using MySQLi (for MySQL):

$stmt = $dbConnection->prepare('SELECT * FROM employees WHERE name = ?');
$stmt->bind_param('s', $name);

$stmt->execute();

$result = $stmt->get_result();
while ($row = $result->fetch_assoc()) {
    // do something with $row
}

Please refer to "How can I prevent SQL-injection in PHP?"

Community
  • 1
  • 1
Tamil
  • 1,193
  • 9
  • 24
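The prepared-statement approach from this answer applied to the question's INSERT, as an added example that is not part of the original post. Assumptions: an in-memory SQLite database (needs the pdo_sqlite extension) stands in for MySQL so the script runs offline, and the table layout and sample values are constructed.

```php
<?php
// Added example. Assumption: in-memory SQLite stands in for the MySQL
// database; with MySQL only the DSN and credentials change.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE news (
    page_link TEXT, title TEXT, content TEXT, images TEXT, date TEXT
)');

// Constructed sample values. The quotes in them would break, or rewrite,
// a query assembled by string interpolation.
$page_link    = 'http://www.example.com/news/1';
$title        = "Editor's pick";
$content      = 'Body with "double" and \'single\' quotes';
$images_array = [
    'http://www.example.com/wp-content/uploads/2016/07/Abc.jpg',
    "http://www.example.com/wp-content/uploads/2016/07/O'Neil.jpg",
];
$date = '2016-07-20';

// Placeholders keep the data out of the SQL text, so no manual quoting is
// needed and the serialized string cannot change the statement.
$stmt = $pdo->prepare(
    'INSERT INTO news (page_link, title, content, images, date)
     VALUES (:page_link, :title, :content, :images, :date)'
);
$stmt->execute([
    ':page_link' => $page_link,
    ':title'     => $title,
    ':content'   => $content,
    ':images'    => serialize($images_array),
    ':date'      => $date,
]);

// Read the row back. allowed_classes => false stops unserialize() from
// instantiating objects if the stored value is ever tampered with.
$row    = $pdo->query('SELECT title, images FROM news')->fetch(PDO::FETCH_ASSOC);
$images = unserialize($row['images'], ['allowed_classes' => false]);

if ($row['title'] !== $title || $images !== $images_array) {
    throw new RuntimeException('Stored row does not match the input');
}
echo 'Stored and restored ', count($images), " image URLs unchanged\n";
```

If nothing else needs to read PHP's serialize() format, json_encode() and json_decode() are a simpler choice for a column that only holds a list of URLs.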
0

Change your query to this. There is an extra '' in your query; make it like this:

'" . serialize($images_array) . "'

$query  = "INSERT INTO news ( ";
$query .= "page_link,title,content,images,date";
$query .= ") VALUES ( ";
$query .= "'{$page_link}','{$title}','{$content}','" . serialize($images_array) . "','{$date}'";
$query .= ")";
Bhavin
  • 2,070
  • 6
  • 35
  • 54