```php
$query='insert into shopping_tbl (itemcode,name)values ("'$num."/".$barcode.","."$name"'")';
```

The itemcode won't be inserted because of the "/". However, if I use "-" instead of "/" it will be inserted. However, I need to use "/".

sample data: itemcode: 23/xxdd22, name: watchx

picolo
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Mar 06 '18 at 15:56
  • Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [PDO](http://php.net/manual/en/pdo.prepared-statements.php) and [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and consider using PDO, [it's really pretty easy](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Mar 06 '18 at 15:57
  • The question definitely needs more context. Column types, error message, the final `$query` string etc. – Fred Mar 06 '18 at 15:59
  • You should be getting a syntax error with that I think. – Jonnix Mar 06 '18 at 16:00
  • That they should @JonStirling, but they either didn't tell us what it was, or aren't checking for them properly. – Funk Forty Niner Mar 06 '18 at 16:01
  • @FunkFortyNiner Or didn't give us the right code. – Jonnix Mar 06 '18 at 16:01
  • This isn't in production, right? – Rotimi Mar 06 '18 at 16:02
  • It has no error. It just doesn't insert into the database. However, if I use "-" in concatenating them, it will be inserted. – picolo Mar 06 '18 at 16:02
  • I'm just wondering "why" you want to do this. Believe me, this would be easier if you were to first concatenate both variables, *then* use that new variable assignment in the query. – Funk Forty Niner Mar 06 '18 at 16:04
  • You're not completing the quoting between the barcode, comma, and name. This is a good place where using prepared statements and parameter binding would eliminate quoting issues. – aynber Mar 06 '18 at 16:05

3 Answers


This is an example of a parameterized statement, that people are talking about in the comments.

```php
// $pdo is an existing PDO connection. The values travel in $params;
// the SQL text only ever contains the named placeholders.
$params = [ 'itemcode' => "$num/$barcode", 'name' => $name ];
$sql = 'insert into shopping_tbl (itemcode, name) values (:itemcode, :name)';
$stmt = $pdo->prepare($sql);
$stmt->execute($params);
```

Stop struggling with quotes-within-quotes in SQL, you'll only give yourself eyestrain.

Bill Karwin

As I said in the comments, this would be easier if you were to first concatenate both variables, then use that new variable assignment in the query, rather than fighting with munging a bunch of unnecessary quotes/dots, etc.

I.e.:

```php
$new = $num."/".$barcode;
```

Then do:

```php
values ('$new','$name')
```

Given that the itemcode column is VARCHAR and not an INT; that is unknown to us.

Although using a prepared statement would be safer and better in a case like this, should user input be involved.

Funk Forty Niner

Omitting that your solution isn't perfect: you have a problem with the quotation marks. On my local database this works correctly.

```php
$query="insert into shopping_tbl (itemcode,name)values ('".$num."/".$barcode."','".$name."')";
```
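The quoting failure and the injection risk the comments warn about, run end to end against both the string-assembled insert of the last answer and the placeholder version from Bill Karwin's answer. This is an added example, not code from the question or any answer; it uses Python's sqlite3 module as a stand-in for PHP with MySQL (the SQL is the same in both), and the sample rows, including the deliberately hostile name, are constructed for the demonstration:

```python
import sqlite3

# Constructed sample rows in the shape of the question's data (num, barcode,
# name). "23/xxdd22" carries the "/" the question asks about, the third name
# contains an apostrophe, and the fourth is deliberately hostile input.
SAMPLE_ROWS = [
    ("23", "xxdd22", "watchx"),
    ("24", "ab-12", "clock"),
    ("25", "zz99", "O'Reilly watch"),
    ("26", "zz99", "x'),('99/evil','planted') --"),
]


def make_db():
    """In-memory SQLite stand-in for the MySQL table in the question."""
    con = sqlite3.connect(":memory:")
    con.execute("create table shopping_tbl (itemcode varchar(50), name varchar(50))")
    return con


def build_concatenated_sql(num, barcode, name):
    """String assembly as in the last answer: values pasted into the SQL text
    between single quotes, so any quote inside a value becomes SQL syntax."""
    return ("insert into shopping_tbl (itemcode,name) values ('"
            + num + "/" + barcode + "','" + name + "')")


def insert_concatenated(con, num, barcode, name):
    """Execute the assembled string; True on success, False on a SQL error."""
    try:
        con.execute(build_concatenated_sql(num, barcode, name))
        con.commit()
        return True
    except sqlite3.Error:
        return False


def insert_parameterized(con, num, barcode, name):
    """Bill Karwin's approach: placeholders in the SQL, values sent separately,
    so the driver never parses "/" or quotes inside the data as SQL."""
    con.execute(
        "insert into shopping_tbl (itemcode, name) values (?, ?)",
        (num + "/" + barcode, name),
    )
    con.commit()
    return True


def fetch_all(con):
    return con.execute(
        "select itemcode, name from shopping_tbl order by itemcode"
    ).fetchall()


def demo_concatenated():
    """Insert every sample row by string assembly; return the per-row
    outcomes and the table contents afterwards."""
    con = make_db()
    outcomes = [insert_concatenated(con, *row) for row in SAMPLE_ROWS]
    return outcomes, fetch_all(con)


def demo_parameterized():
    """Same rows through the parameterized insert."""
    con = make_db()
    outcomes = [insert_parameterized(con, *row) for row in SAMPLE_ROWS]
    return outcomes, fetch_all(con)


if __name__ == "__main__":
    for label, demo in (("concatenated", demo_concatenated),
                        ("parameterized", demo_parameterized)):
        outcomes, rows = demo()
        print(label, outcomes)
        for row in rows:
            print("   ", row)
```

The "/" was never the problem: the assembled string stores "23/xxdd22" fine. What breaks it is a value containing a quote. The apostrophe row fails with a syntax error, and the fourth row's name closes the quoted value and adds a second VALUES tuple, so a row the application never asked for ends up in the table while the statement reports success. Through placeholders every value, including the hostile one, is stored exactly as given. MySQL accepts the same multi-row VALUES syntax, so the PDO version with named placeholders closes the same hole in the PHP code.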