
I'm having some problems with using $_GET as a value for insert into. The connection works fine and using normal strings will result in a successful insert to the database:

$sql = 'INSERT INTO product(productplaatje, productnaam, productbeschrijving, 
  allergieen, productprijs, bijnaop, op)
values("hoi", "hoi","hoi","hoi","1.50",0,0 )';

This code doesn't:

$sql = 'INSERT INTO product(productplaatje, productnaam, productbeschrijving, 
  allergieen, productprijs, bijnaop, op)
values(' . $_GET["productimage"] . ', "hoi","hoi","hoi","1.50",0,0 )';

Error code:

Fatal error: Uncaught PDOException: 
SQLSTATE[42S22]: Column not found: 1054 Unknown column 'd' in 'field list' 
 in C:\inetpub\Students\ADSD\2017\s1117723\addsucces.php:66 
Stack trace: 
 #0 C:\inetpub\Students\ADSD\2017\s1117723\addsucces.php(66): PDO->exec('INSERT INTO pro...') 
 #1 C:\inetpub\Students\ADSD\2017\s1117723\addsucces.php(75): Connection->insertProduct() 
 #2 {main} thrown in C:\inetpub\Students\ADSD\2017\s1117723\addsucces.php on line 66

Can anyone explain to me why it isn't working?

Edit: Why is this marked as a duplicate of some post with double quotations and single quotations? I looked at the post and I still don't know how to fix my problem.

Cœur
Daniel
  • I think he's saying you need to add double quotes around the $_GET variable (as in values(" ' . $_GET["productimage"] . ' ", "hoi" ... ) – Michael Beeson Oct 15 '17 at 16:00
  • You're right, but I couldn't make that up from the post. Would've been better if he commented your answer instead. Thanks Michael, it works now :) – Daniel Oct 15 '17 at 16:03
  • Please escape your user input data. This code is wide open for a mysql injection. https://hackadaycom.files.wordpress.com/2016/12/exploits_of_a_mom.png – SuperDJ Oct 15 '17 at 16:06
  • It would be better to parameterize all queries, then you won't run into these issues. – chris85 Oct 15 '17 at 16:07
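The error in the question is explained by how the second query is built: `$_GET["productimage"]` (here the string `d`) is spliced into the SQL text without quotes, so MySQL reads `d` as a column reference and reports `Unknown column 'd' in 'field list'`. Wrapping the value in double quotes, as the first comment suggests, turns it into a string literal, but the request value is still concatenated into the statement, which is the injection problem the last two comments point at. The following is an added example, not the asker's code, showing the same INSERT written with a PDO prepared statement as chris85 recommends: the table and column names come from the question, while the DSN, the credentials, the `Connection` class layout and the `readFlag` helper are assumptions.

```php
<?php
declare(strict_types=1);

// Added example (not the asker's code): the question's INSERT as a PDO
// prepared statement. Table and column names are from the question; the
// DSN, credentials and the shape of the Connection class are assumed.

class Connection
{
    private PDO $pdo;

    public function __construct(string $dsn, string $user, string $password)
    {
        $this->pdo = new PDO($dsn, $user, $password, [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // throw on SQL errors
            PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepares
        ]);
    }

    /**
     * Insert one product row. Every value travels as a bound parameter, so
     * whatever the browser sent (a bare "d", a string with quotes, or a string
     * containing SQL) is handled as data and is never parsed as a column name
     * or as part of the statement.
     */
    public function insertProduct(array $p): int
    {
        $sql = 'INSERT INTO product
                    (productplaatje, productnaam, productbeschrijving,
                     allergieen, productprijs, bijnaop, op)
                VALUES
                    (:productplaatje, :productnaam, :productbeschrijving,
                     :allergieen, :productprijs, :bijnaop, :op)';

        $stmt = $this->pdo->prepare($sql);
        $stmt->bindValue(':productplaatje',      $p['productplaatje']);
        $stmt->bindValue(':productnaam',         $p['productnaam']);
        $stmt->bindValue(':productbeschrijving', $p['productbeschrijving']);
        $stmt->bindValue(':allergieen',          $p['allergieen']);
        $stmt->bindValue(':productprijs',        $p['productprijs']); // decimal, sent as a string
        $stmt->bindValue(':bijnaop',             $p['bijnaop'], PDO::PARAM_INT);
        $stmt->bindValue(':op',                  $p['op'],      PDO::PARAM_INT);
        $stmt->execute();

        return (int) $this->pdo->lastInsertId();
    }
}

/**
 * Assumed helper: read a 0/1 flag from the query string. filter_input()
 * returns null when the parameter is missing and false when it fails
 * validation; both cases are collapsed to null so the caller has one check.
 */
function readFlag(string $name): ?int
{
    $v = filter_input(INPUT_GET, $name, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 0, 'max_range' => 1],
    ]);
    return is_int($v) ? $v : null;
}

// Validate request input before it goes anywhere near the database.
$image   = filter_input(INPUT_GET, 'productimage');
$bijnaop = readFlag('bijnaop');
$op      = readFlag('op');

if (!is_string($image) || $image === '' || $bijnaop === null || $op === null) {
    http_response_code(400);
    exit('missing or invalid product fields');
}

// Assumed DSN and credentials; replace with the real connection settings.
$conn = new Connection('mysql:host=localhost;dbname=webshop;charset=utf8mb4', 'dbuser', 'dbpassword');

$id = $conn->insertProduct([
    'productplaatje'      => $image,   // the value that broke the original query
    'productnaam'         => 'hoi',
    'productbeschrijving' => 'hoi',
    'allergieen'          => 'hoi',
    'productprijs'        => '1.50',
    'bijnaop'             => $bijnaop,
    'op'                  => $op,
]);

echo "inserted product {$id}\n";
```

With `PDO::ATTR_EMULATE_PREPARES` set to `false`, the statement text and the parameter values are sent to MySQL separately, so quoting and escaping of the request data are no longer the application's job; the explicit `PDO::PARAM_INT` binds keep the two flag columns typed as integers rather than strings.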

0 Answers