INSERT INTO goes wrong PHP CODEIGNITER

Question

screenshot

$sql = "INSERT INTO `waitinglist` (`reserver`, `roomNumber`, `hotelNumber`, `queueDepth`) 
        VALUES(".$this->db->escape($reserver).", ".$room.", ".$i.", ".$queueDepth+1.")";
$this->db->query($sql);

What did I do wrong?

_You mean appart from_ Your script is at risk of [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) Have a look at what happened to [Little Bobby Tables](http://bobby-tables.com/) Even [if you are escaping inputs, its not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) Use [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) — RiggsFolly, May 14 '17 at 15:13

score 0 · Answer 1 · answered May 14 '17 at 15:24

0

Use better editor/IDE with error highlighting, this is easy to solve syntax error:

$sql = "INSERT INTO `waitinglist` (`reserver`, `roomNumber`, `hotelNumber`, `queueDepth`) 
        VALUES(".$this->db->escape($reserver).", ".$room.", ".$i.", ".($queueDepth+1).")";

answered May 14 '17 at 15:24

shaggy

1,708
2
15
17

or simply `", " . $queueDepth+1 . ")";` – RiggsFolly May 14 '17 at 15:27

INSERT INTO goes wrong PHP CODEIGNITER

1 Answers1