0
$tablename = "channel";

mysql_query("INSERT INTO '".$tablename."' (episode_name,episode_title,episode_date)
  values ('$videoname','$videotitle','$date')");

 

VLS
  • $tablename = "humtv"; mysql_query("INSERT INTO '".$tablename."' (episode_name,episode_title,episode_date) values ('$videoname','$videotitle','$date')"); } – Haseeb Gill Aug 06 '16 at 16:08
  • Please don't use [the `mysql_` database extension](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php); it is deprecated (gone forever in PHP7). Especially if you are just learning PHP, spend your energies learning the `PDO` database extensions. [Start here](http://php.net/manual/en/book.pdo.php); it's really pretty easy – RiggsFolly Aug 06 '16 at 16:10
  • Your script is at risk of [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Have a look at what happened to [Little Bobby Tables](http://bobby-tables.com/). Even [if you are escaping inputs, it's not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) Use [prepared statement and parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) – RiggsFolly Aug 06 '16 at 16:10
  • You don't use single (or double) quotes around a table name; use a backtick instead – Professor Abronsius Aug 06 '16 at 16:17

3 Answers

1

In PHP, a double-quoted string literal will expand scalar variables, so that can be done like this:

$sql = "INSERT INTO $tablename (episode_name,episode_title,episode_date)
                        values ('$videoname','$videotitle','$date')";

I assume you thought that the single quotes were required around the table name. They are not; in fact, they are syntactically incorrect.

You may wrap the table name and the column names in backticks like this:

$sql = "INSERT INTO `$tablename` (`episode_name`,`episode_title`,`episode_date`)
                        values ('$videoname','$videotitle','$date')";

The reason that the values in `VALUES(...)` are wrapped in single quotes is to tell MySQL that these are text values, so that is not only legal syntax but required syntax if the columns are defined as TEXT/CHAR/VARCHAR datatypes.

However I must warn you that

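the [`mysql_` database extension](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php) is deprecated (gone forever in PHP7). Especially if you are just learning PHP, spend your energies learning the `PDO` database extensions. [Start here](http://php.net/manual/en/book.pdo.php); it's really pretty easy.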

And

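Your script is at risk of [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Have a look at what happened to [Little Bobby Tables](http://bobby-tables.com/). Even [if you are escaping inputs, it's not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) Use [prepared statement and parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php).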

Community
RiggsFolly
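
The answer above recommends PDO and prepared statements, but placeholders can bind values only, not a table name, so a variable table name needs its own check. The following is an added example, not code from the thread: the function `insertEpisode`, the `ALLOWED_TABLES` list and the in-memory SQLite demo database are assumptions made for illustration.

```php
<?php
// Added example, not code from the original thread.
// Tables the application may write to (names taken from the thread).
const ALLOWED_TABLES = ['channel', 'humtv'];

function insertEpisode(PDO $pdo, string $table, string $name, string $title, string $date): int
{
    // Placeholders bind values only, never identifiers, so the table name
    // is checked against a fixed allowlist before it reaches the SQL text.
    if (!in_array($table, ALLOWED_TABLES, true)) {
        throw new InvalidArgumentException("Unknown table: $table");
    }

    // Backticks around identifiers, named placeholders for the three values.
    $sql = "INSERT INTO `$table` (`episode_name`, `episode_title`, `episode_date`)
            VALUES (:name, :title, :date)";
    $stmt = $pdo->prepare($sql);
    $stmt->execute([':name' => $name, ':title' => $title, ':date' => $date]);
    return (int) $pdo->lastInsertId();
}

// Demo on an in-memory SQLite database (assumption: pdo_sqlite is installed;
// SQLite accepts MySQL-style backticks). For MySQL, pass a mysql: DSN with
// credentials instead; insertEpisode() stays the same.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE channel (id INTEGER PRIMARY KEY,
            episode_name TEXT, episode_title TEXT, episode_date TEXT)');

// Constructed sample input containing a quote: stored as data, not parsed as SQL.
$id = insertEpisode($pdo, 'channel', 'ep01.mp4', "Bobby's first day", '2016-08-06');
echo "inserted row $id\n";

// A table name outside the allowlist is rejected before any query is built.
try {
    insertEpisode($pdo, 'not_a_listed_table', 'x', 'y', '2016-08-06');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```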
0

Don't use quotes around the table name, or use backticks

   mysql_query("INSERT INTO $tablename (episode_name,episode_title,episode_date)
    values ('$videoname','$videotitle','$date')");
Niklesh Raut
0
"INSERT INTO `$tablename` (episode_name,episode_title,episode_date) values ('$videoname','$videotitle','$date')";

OR

"INSERT INTO `".$tablename."` (episode_name,episode_title,episode_date) values ('$videoname','$videotitle','$date')";
Rashedul Alam