variables in mysqli query

Question

i cant understand the way of forming the mysqli query when variables are involved. I have been trying for days different ways modifying it but getting all the time the very same error SQLSTATE[42000]: Syntax error or access violation: 1064. Can anybode help me telling what is wrong with this line of code when the firt variable is a string, as the second as well...?

`$tablename = 'sofka';
$sql = "INSERT INTO " . $tablename . " (" . $columns[1] . ")
VALUES (" . $columnsval[1] . ")";`

It should be like this: `$tablename = 'sofka'; $sql = "INSERT INTO " . $tablename . " (" . $columns[1] . ") VALUES ('" . $columnsval[1] . "')";` — Hari Lamichhane, Mar 26 '17 at 09:15
it is Figth Club and browser says : INSERT INTO sofka (Naziv kluba) VALUES ('Figth Club') ......SQLSTATE[42000]: Syntax error or access violation: 1064 .....You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'kluba) VALUES ('Figth Club')' at line 1 .... i have to add i tryed all the possible combinations of using " or ' with . — dkrx81, Mar 26 '17 at 09:23
The reason is the name of your column has space. So you need to wrap it using ` symbol — Hari Lamichhane, Mar 26 '17 at 09:24

r4ccoon · Accepted Answer · 2017-03-26T09:30:35.893

0

for formulating/concatenating query or string in general, it's better to use sprintf.

$tablename = 'sofka';

$sql = sprintf("INSERT INTO `%s` (`%s`) VALUES ('%s');", $tablename, $columns[1],     
$columnsval[1]);

echo $sql;

In addition to that, I would make a wrapper function that takes an array of dictionary, and loop through these key and vals, and formulate the SQL.

function generateSqlInsert($tablename, $parameters){ 
   $columns = $values = [];

   foreach($parameters as $key => $val){
      $columns[] = "`" . $key . "`";
      $values[] = "'" . $val . "'";
   }

   $columnsSql = "(". implode(",", $columns) . ")";
   $valuesSql = "(". implode(",", mysqli_real_escape_string($values)) . ")";

   $sql = sprintf("INSERT INTO %s %s %s", $tablename, $columnsSql, $valuesSql);

   return $sql;
}

You would then use this function:

  $parameters = ['title' => 'fight club', 'year' => 1995];
  $sql = generateSqlInsert('movies', $parameters);

edited Mar 26 '17 at 09:30

answered Mar 26 '17 at 09:23

r4ccoon

3,056
4
26
32

Your code is vulnerable to SQL injection – Your Common Sense Mar 26 '17 at 09:54
I have escaped the values. I don't put it for the keys because developers would be the one that put them in. but you are welcome to escape them if necessary. – r4ccoon Mar 26 '17 at 10:05
If you think that string escaping would help for the keys you are mistaken – Your Common Sense Mar 26 '17 at 10:13
In general, these hasty duplicated answers do more harm than good – Your Common Sense Mar 26 '17 at 10:15
Why u no suggest a proper way to prevent injection – r4ccoon Mar 26 '17 at 11:36

variables in mysqli query

1 Answers1