What is the correct syntax for PHP/SQL prepared statements?

Question

I recently created a PHP/SQL prepared statement where only one variable is being passed through. However it is failing to prepare. My guess is that it is probably due to syntax. What have I done wrong?

$sql = "INSERT INTO notes (noteText) VALUES ?";

Help would be greatly appreciated. Thanks

`"INSERT INTO notes(noteText) VALUES(?)"` then it depends what extension you use (mysqli vs pdo vs ...), how you do your binds and execute your query => consider providing your whole code for further help — julp, Jun 13 '20 at 22:44

score 0 · Answer 1 · answered Jun 13 '20 at 22:53

0

Try this code

$sql = "INSERT INTO notes (noteText) VALUES (?)";

I placed the ? for VALUES in brackets that's how it should be.

For more information take a look at https://www.w3schools.com/php/php_mysql_prepared_statements.asp

answered Jun 13 '20 at 22:53

Miroslav

336
1
7

score 0 · Answer 2 · answered Jun 13 '20 at 23:09

A full example using a few different methods:

// MySQLi
$conn; // connection variable
$stmt = $conn->prepare("INSERT INTO notes (noteText) VALUES (?)");
$stmt->bind_param('s', $noteText);

$noteText = "Lorem Ipsum....";
$stmt->execute();

// PDO with Named Parameters
$db; // Database Handler
$sql  ="INSERT INTO notes (noteText) VALUES (:noteText)";
$noteText = "Lorem Ipsum....";

$stmt = $db->prepare($sql);

$stmt->bindParam(':noteText', $noteText, PDO::PARAM_STR);

$stmt->execute();

Personal preference with the named parameters. Just easier for me to keep up with them :)

What is the correct syntax for PHP/SQL prepared statements?

2 Answers2