I'm new here. I started PHP recently and I am wondering how I could insert variables, and put them into single quotes, into a double quotes string.

Here's what I tried:

```php
$query = "INSERT INTO Table (Name, Activity) VALUES ('$name', '$activity');";
```

But when I check `$query`, it contains that: `INSERT INTO Table (Name, Activity) VALUES (,);`. I don't understand why it does that because when, instead of writing the above code, I write this one:

```php
$query = "INSERT INTO Table (Name, Activity) VALUES ($name, $activity);";
```

(without the single quotes), the string contains this: `INSERT INTO Table (Name, Activity) VALUES (Robert, Book-seller);`. Does anybody have a clue?

Rody Gosset
- try escaping your single quotes. – coderodour Apr 28 '17 at 20:16
- Rody don't think I am rude, but if you are using `echo $query;` and you are getting result `INSERT INTO Table (Name, Activity) VALUES (,);` and for second one you are getting `INSERT INTO Table (Name, Activity) VALUES (Robert, Book-seller);` that will not happen, can you post more code, please – user2860957 Apr 28 '17 at 20:23
- Are you running a regex or some string manipulation function prior to the echo of `$query`? You can see here, https://eval.in/784497, that the behavior you are describing isn't reproducible. – chris85 Apr 28 '17 at 20:28
- @user2860957 That is true, but the described output would never occur with the provided code. The OP is doing something to the string prior to the echo. – chris85 Apr 28 '17 at 20:37
2 Answers
> how I could insert variables, and put them into single quotes, into a double quotes string.

Don't do that. It leaves you vulnerable to SQL injection attacks. Instead use prepared statements with bound parameters as described in this post.

Alex Howansky
- Alex you posted the answer, do you know what is the original problem?? as I don't, and if you do please fix it, thanks – user2860957 Apr 28 '17 at 20:25
- Forget about the original problem. You should never write SQL queries like that. Rewrite your code to use prepared statements. – Alex Howansky Apr 28 '17 at 20:28
- ok, so you don't know the original problem either, I was thinking I am the only one who did not get it – user2860957 Apr 28 '17 at 20:30
- Yes, with his first query block the result should have been at least `INSERT INTO Table (Name, Activity) VALUES ('','');` – manian Apr 28 '17 at 21:43
I tried your statement:

```php
$query = "INSERT INTO Table (Name, Activity) VALUES ('$name', '$activity');";
```

And it worked perfectly for me. I guess you need to check the values you are passing in `$name` and `$activity` (for Robert, Book-Seller it's working nicely).

Still, you may try this. It might help:

```php
$query = "INSERT INTO Table (Name, Activity) VALUES (\"$name\", \"$activity\");";
```

And a note of caution: as Alex Howansky says, don't do that. It leaves you vulnerable to SQL injection attacks.

Hope it helps. All the best!

TutorialsBee
- Thank you for your very helpful answer. Sorry if my question was confusing but you got it right. As you and Alex advised me, Ima use prepared statements in my code. Thanks everybody else too for your quick answers and I wish you all the best too! – Rody Gosset Apr 28 '17 at 21:14
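
The prepared-statement approach both answers recommend, shown as an added example that is not part of the original thread. It assumes PDO with an in-memory SQLite database (the `pdo_sqlite` extension) and a hypothetical `People` table standing in for the asker's table; the sample values are constructed.

```php
<?php
declare(strict_types=1);

// Assumption: in-memory SQLite so the example runs without a database server.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Hypothetical table; the column names are the ones used in the question.
$pdo->exec('CREATE TABLE People (Name TEXT NOT NULL, Activity TEXT NOT NULL)');

function addPerson(PDO $pdo, string $name, string $activity): void
{
    // The placeholders carry no quotes of their own. The values are bound
    // to the already-parsed statement, so they are never read as SQL text.
    $stmt = $pdo->prepare(
        'INSERT INTO People (Name, Activity) VALUES (:name, :activity)'
    );
    $stmt->execute([':name' => $name, ':activity' => $activity]);
}

// Constructed sample input. The last two rows contain quote characters,
// which the interpolated query from the question cannot carry safely.
$rows = [
    ['Robert', 'Book-seller'],
    ["O'Brien", 'Baker'],
    ['Marie', 'Seller of "rare" books; \'used\' too'],
];
foreach ($rows as [$name, $activity]) {
    addPerson($pdo, $name, $activity);
}

// For comparison only: the same value interpolated into the string.
// The apostrophe ends the SQL literal early, so the statement is malformed.
// That is the same mechanism SQL injection relies on.
[$name, $activity] = $rows[1];
$interpolated = "INSERT INTO People (Name, Activity) VALUES ('$name', '$activity');";
echo "Interpolated string (not executed): $interpolated\n\n";

// Every value comes back exactly as it was supplied.
foreach ($pdo->query('SELECT Name, Activity FROM People') as $row) {
    printf("%s | %s\n", $row['Name'], $row['Activity']);
}
echo 'Rows stored: ', $pdo->query('SELECT COUNT(*) FROM People')->fetchColumn(), "\n";
```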