Insert data with GET in mysql

Question

I want insert data in table "test" but I have problem when insert data in mysql my database name mytesttable

that code insert data with GET :

<?php
include_once('confi.php');

echo "hi there this is a test";
//Get the variables here
$username= isset($_GET['username']) ? mysql_real_escape_string($_GET['username']) :  "";
$email = isset($_GET['email']) ? mysql_real_escape_string($_GET['email']) :  "";
$password = isset($_GET['password']) ? mysql_real_escape_string($_GET['password']) :  "";
$insertstatement = 'INSERT INTO `test`(`id`,`username`,`email`,`password`) VAlUES (NULL,"'.$username.'","'.$email.'","'.$password.'")';

$query123 = mysql_query($insertstatement) or trigger_error(mysql_error()." ".$insertstatement);

echo "$query123";


?>

this my code connect with MySQL :

<?php header('Access-Control-Allow-Origin: *'); ?>
<?php header('Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept'); ?>
<?php header('Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT'); ?>

<?php

    $con = mysqli_connect("localhost","root","root","mytesttable","8889");

    if(mysqli_connect_errno())
    {
        echo "Error occured while connecting with database ".mysqli_connect_errno();
    }


?>

what is problem in my code ?

Answer 1

Use mysqli_prepare.

<?php
include_once('confi.php');

$username= isset($_GET['username']) ? mysql_real_escape_string($_GET['username']) :  "";
$email = isset($_GET['email']) ? mysql_real_escape_string($_GET['email']) :  "";
$password = isset($_GET['password']) ? mysql_real_escape_string($_GET['password']) :  "";

$stmt = mysqli_prepare($con, "INSERT INTO `test`(`username`,`email`,`password`) VALUES (?, ?, ?)");
mysqli_stmt_bind_param($stmt, 'sss', $username, $email, $password);

$query123 = mysqli_stmt_execute($stmt);

?>

Learn Prepared Statements

[NOTE: Mysql is deprecated ]