I am looking through different posts regarding prepared statements. I am getting the following error:

ERROR: Could not prepare query: INSERT INTO contact (, ,) VALUES (?, ?). You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ' , , , ) VALUES (?, ?)' at line 1

I can't seem to figure out why I am getting this error. Everything I find online hasn't been helpful. I am hoping someone can point me in the right direction.

    // Check connection
    if($link === false){
        die("ERROR: Could not connect. " . mysqli_connect_error());
    }

    // Prepare an insert statement
    $sql = "INSERT INTO tablename (name, email) VALUES (?, ?)";

    if($stmt = mysqli_prepare($link, $sql)){
        // Bind variables to the prepared statement as parameters
        mysqli_stmt_bind_param($stmt, "ss", $name, $email);

        // Set parameters
        $name = $_REQUEST['name'];
        $email = $_REQUEST['email'];

        // Attempt to execute the prepared statement
        if(mysqli_stmt_execute($stmt)){
            echo "Records inserted successfully.";
        } else{
            echo "ERROR: Could not execute query: $sql. " . mysqli_error($link);
        }
    } else{
        echo "ERROR: Could not prepare query: $sql. " . mysqli_error($link);
    }

    // Close statement
    mysqli_stmt_close($stmt);

    // Close connection
    mysqli_close($link);
    ?>

Thank you,

Your Common Sense
Reed
  • You have `"sss",` and only 2 parameters. Also looks as though `$name` and the other field aren't set so your statement ends up with blanks as column names. – Nigel Ren Jun 05 '18 at 06:10
  • It would appear that `$name` and `$email` are empty or undefined at the time you assign a value to `$sql`. It looks to me like you actually want `$sql = 'INSERT INTO contact(name, email) VALUES (?, ?)';` where `name` and `email` are the column names of your table (just guessing). You don't want to accept those from the request – Phil Jun 05 '18 at 06:12
  • `$name` is used __before__ it is defined. – u_mulder Jun 05 '18 at 06:13
  • You probably don't want to use the values of `$name` and `$email` as the names of the columns, are they just called `name` (drop the $ sign) – Nigel Ren Jun 05 '18 at 06:17
  • @Nigel Ren @u_mulder I made the change suggested above. I am still getting a blank page. Is there something I have to change with this section `// Set parameters $name = $_REQUEST['name']; $email = $_REQUEST['email'];` Thank you for your help. – Reed Jun 05 '18 at 06:51
  • You need to look at how the name and email are sent to the page. Are they POST, GET parameters? – Nigel Ren Jun 05 '18 at 07:43
  • @Nigel Ren thanks for your help. I changed the $_REQUEST to $_POST but still get a blank page. I am going to abandon the prepared statement idea. – Reed Jun 05 '18 at 20:53

1 Answer

Found the answer for this issue.

    <?php
    $servername = "mysql";
    $username = "root";
    $password = "passwrd";
    $dbname = "dbname";

    $conn = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password);
    // set the PDO error mode to exception
    $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

    // prepare sql and bind parameters
    $stmt = $conn->prepare("INSERT INTO tablename (name, email, commtype, comment, confirm)
        VALUES (:name, :email, :commtype, :comment, :confirm)");
    $stmt->bindParam(':name', $name);
    $stmt->bindParam(':email', $email);
    $stmt->bindParam(':commtype', $commtype);
    $stmt->bindParam(':comment', $comment);
    $stmt->bindParam(':confirm', $confirm);

    // insert a row
    $name = $_POST['name'];
    $email = $_POST['email'];
    $commtype = $_POST['commtype'];
    $comment = $_POST['comment'];
    $confirm = $_POST['confirm'];
    $stmt->execute();

    echo "New records created successfully";

Your Common Sense
Reed
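
The comments on the question trace the syntax error to `$name` and `$email` being interpolated into the column list while still unset. The following is an added example, not code from the question or the answer: it keeps the column names fixed in code and passes request data only as bound values. `insertContact()`, the in-memory SQLite database standing in for MySQL, and the sample input are assumptions made for illustration.

```php
<?php
// Added example, not code from the question or the answer.
// Assumptions: pdo_sqlite is available (stands in for MySQL so this runs offline);
// insertContact() and the sample input are constructed for illustration.

const CONTACT_COLUMNS = ['name', 'email']; // identifiers are fixed in code

function insertContact(PDO $pdo, array $input): int
{
    $values = [];
    foreach (CONTACT_COLUMNS as $col) {
        // Reject missing, non-string or empty fields before any SQL is built.
        if (!isset($input[$col]) || !is_string($input[$col]) || trim($input[$col]) === '') {
            throw new InvalidArgumentException("Missing field: $col");
        }
        $values[":$col"] = trim($input[$col]);
    }
    if (filter_var($values[':email'], FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('Invalid email address');
    }

    // Column list and placeholders both come from the constant, never from $input.
    $sql = sprintf(
        'INSERT INTO contact (%s) VALUES (%s)',
        implode(', ', CONTACT_COLUMNS),
        implode(', ', array_keys($values))
    );
    $stmt = $pdo->prepare($sql);
    $stmt->execute($values); // values travel as bound parameters, not as SQL text
    return (int) $pdo->lastInsertId();
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE contact (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');

// Constructed input standing in for $_POST; keys outside CONTACT_COLUMNS are ignored.
$input = ['name' => "O'Brien", 'email' => 'reed@example.com', 'extra' => 'ignored'];
$id = insertContact($pdo, $input);
$row = $pdo->query('SELECT name, email FROM contact')->fetch(PDO::FETCH_ASSOC);
echo "Inserted row $id: ", $row['name'], ' / ', $row['email'], "\n";

try {
    insertContact($pdo, ['email' => 'reed@example.com']); // name missing
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}
```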