```php
<?php
include '../connectdb.php';

/* Insert the group name into the DB (prepared statement; the value is bound as a string) */
$sqlNAME = 'INSERT INTO group_general (group_name)
VALUES (?)';

if ($statementNAME = $connect->prepare($sqlNAME)) {

    $statementNAME->bind_param(
        "s",
        $_POST['groupName']
    );

    if ($statementNAME->execute()) {
        echo "Success";
    } else {
        echo "Failed";
    }
}

/* Look the new group up again by name; here the POSTed name is concatenated straight into the SQL */
$groupName = $_POST['groupName'];

$selectGROUPID = 'SELECT * FROM group_general WHERE group_name = "'.$groupName.'"';

$resultGROUPID = $connect->query($selectGROUPID);

if ($resultGROUPID->num_rows > 0) {
    $rowGROUPID = $resultGROUPID->fetch_assoc();   /* the whole row, as an associative array */
}

/* For each user selected and put in the array, insert them into the DB combined with the ID of the group */
for ($x = 0; $x < sizeof($_POST['addedUsers']); $x++) {
    $rowUSERS[$x] = $_POST['addedUsers'][$x];

    /* Builds the INSERT string by concatenation; note that nothing executes it */
    $sqlUSERS = 'INSERT INTO group_users (user_name, group_id)
    VALUES ("'.$rowUSERS[$x].'", "'.$rowGROUPID.'")';
}
?>
```

I don't understand what I did wrong. At the end it says "Array to string conversion in ...", while I am inserting one value of an array into the DB. Can you please help me?

  • `$rowGROUPID` is an array. You need to extract the specific information you want from it. Perhaps you want to insert something like `$rowGROUPID['id']`? – Qirel Dec 04 '16 at 16:09
  • Like Qirel mentioned, on the second to last line of your first block of code you assign an array to $rowGROUPID (through fetch_assoc()) and then you insert that in your second block of code. But a bigger issue here is the SQL injection options (it's easy to break your database with this code) on offer in this code. Please take a look at http://stackoverflow.com/questions/4712037/what-is-parameterized-query :) – Rob Dec 04 '16 at 16:18
  • **WARNING**: When using `mysqli` you should be using [parameterized queries](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and [`bind_param`](http://php.net/manual/en/mysqli-stmt.bind-param.php) to add user data to your query. **DO NOT** use string interpolation or concatenation to accomplish this because you have created a severe [SQL injection bug](http://bobby-tables.com/). **NEVER** put `$_POST` or `$_GET` data directly into a query, it can be very harmful if someone seeks to exploit your mistake. – tadman Dec 04 '16 at 21:37
  • Why did you do the first query properly with a prepared statement and then go totally off the rails on the remainder of your code? – tadman Dec 04 '16 at 21:38
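
The script below is an added example of what the comments are asking for; it is not code from the question or from any of the commenters. It keeps the same two inserts but runs both through prepared statements, takes the new group's id from the connection instead of re-selecting by name, and executes the per-user insert that the original only built as a string. It assumes that `../connectdb.php` still provides a `mysqli` connection in `$connect`, that `group_general` has an AUTO_INCREMENT primary key (so `insert_id` is meaningful), and that `group_users.group_id` is an integer column; all three are assumptions about the asker's schema.

```php
<?php
// Added example, not the asker's code. Assumptions: ../connectdb.php gives a
// mysqli connection in $connect; group_general has an AUTO_INCREMENT id;
// group_users.group_id is an integer column.
include '../connectdb.php';

// Make mysqli throw exceptions instead of returning false, so a failed
// prepare() or execute() cannot be silently ignored.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$groupName  = $_POST['groupName'] ?? '';
$addedUsers = $_POST['addedUsers'] ?? [];

// Reject missing or malformed input before touching the database.
if (!is_string($groupName) || $groupName === '' || !is_array($addedUsers)) {
    http_response_code(400);
    echo 'Failed';
    exit;
}

try {
    // Group row and member rows are written together or not at all.
    $connect->begin_transaction();

    // 1. Insert the group. The name travels as a bound parameter, so input
    //    such as  x"); DROP TABLE group_general; --  is stored as a literal
    //    string and is never parsed as SQL.
    $stmtGroup = $connect->prepare(
        'INSERT INTO group_general (group_name) VALUES (?)'
    );
    $stmtGroup->bind_param('s', $groupName);
    $stmtGroup->execute();

    // 2. Read the new row's id from the connection. This replaces the
    //    SELECT * ... WHERE group_name = "..." lookup (and the whole-row array
    //    that fetch_assoc() returns) and does not rely on names being unique.
    $groupId = (int) $connect->insert_id;

    // 3. Prepare the member insert once. bind_param() binds by reference, so
    //    assigning to $userName and calling execute() again reuses it.
    $stmtUser = $connect->prepare(
        'INSERT INTO group_users (user_name, group_id) VALUES (?, ?)'
    );
    $userName = '';
    $stmtUser->bind_param('si', $userName, $groupId);

    foreach ($addedUsers as $user) {
        // Each element must be a plain string; an array here would be the
        // "Array to string conversion" case, so treat it as bad input.
        if (!is_string($user) || $user === '') {
            throw new InvalidArgumentException('addedUsers must contain non-empty strings');
        }
        $userName = $user;
        $stmtUser->execute();
    }

    $connect->commit();
    echo 'Success';
} catch (Throwable $e) {
    $connect->rollback();
    http_response_code($e instanceof InvalidArgumentException ? 400 : 500);
    // Log $e->getMessage() server-side; do not echo driver errors to the client.
    echo 'Failed';
}
```

Two points worth checking in your own version: `bind_param()` is called once, before the loop, and the loop only changes the bound variable, which is the idiomatic way to run one prepared statement many times; and `insert_id` is read immediately after the group insert on the same connection, since any later INSERT on that connection overwrites it.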
