// Request values are pasted straight into the SQL text: string columns are
// wrapped in single quotes by hand, integer columns are left unquoted.
$sql = "INSERT INTO class_schedule
          (date, start_id, end_id, classroom_id, type_id, name_id)
        VALUES (
          '" . $_REQUEST['date'] . "',
          '" . $_REQUEST['start'] . "',
          '" . $_REQUEST['end'] . "',
          " . $_REQUEST['classroom'] . ",
          " . $_REQUEST['type'] . ",
          " . $_REQUEST['name'] . "
        )";

Is this the way to write it all out? I don't know if the quotes are written out correctly.

vchat
  • Well, does it work? If not, what errors do you get? – j08691 Sep 16 '22 at 21:05
  • As a side note, your current code is wide open to `SQL Injection`. Consider using [`Prepared Statements`](https://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php) instead. – ThS Sep 16 '22 at 21:10
  • @j08691 It doesn't matter. We should always recommend using prepared statements, not concatenating variables. – Barmar Sep 16 '22 at 21:11
  • What do you mean by `write it all out`, insert into, or output the query? For query execution prepared statements should be used with parameterized values. With that approach you never will need to worry about `if the quotes are written out correctly`. Something like `$sql = 'INSERT INTO class_schedule (date, start_id, end_id, classroom_id, type_id, name_id) VALUES (?, ?, ?, ?, ?, ?)';` – user3783243 Sep 16 '22 at 21:12
  • This is entirely **not** the way to do it. Your code is dangerously vulnerable to SQL injection. Use prepared statements, and then the quotes won't be needed. – Tangentially Perpendicular Sep 16 '22 at 21:12

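The comments above recommend placeholders instead of hand-written quotes but show no full example. The following is an added example, not code from the question or from any of the commenters. It puts the question's concatenated INSERT next to a parameterized version of the same statement and runs both against an in-memory SQLite database through PDO, so it executes offline with no MySQL server (this assumes the `pdo_sqlite` extension is loaded). The table definition, the `$req` array that stands in for `$_REQUEST`, and the request values are all constructed for the demonstration; the `?` placeholder syntax is the same one the comments suggest for mysqli.

```php
<?php
// Added example (not from the question or comments): the question's
// concatenated INSERT beside a parameterized one, run on in-memory SQLite
// via PDO so it works offline. Assumes the pdo_sqlite extension.

function makeDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Column names come from the question; column types are assumed.
    $db->exec('CREATE TABLE class_schedule (
        id INTEGER PRIMARY KEY AUTOINCREMENT,
        date TEXT, start_id TEXT, end_id TEXT,
        classroom_id INTEGER, type_id INTEGER, name_id INTEGER)');
    return $db;
}

// The question's approach: request values pasted into the SQL text.
// $req stands in for $_REQUEST so the function can be fed test data.
function insertConcatenated(PDO $db, array $req): void {
    $sql = "INSERT INTO class_schedule
              (date, start_id, end_id, classroom_id, type_id, name_id)
            VALUES (
              '" . $req['date'] . "',
              '" . $req['start'] . "',
              '" . $req['end'] . "',
              " . $req['classroom'] . ",
              " . $req['type'] . ",
              " . $req['name'] . "
            )";
    $db->exec($sql);
}

// What the comments recommend: placeholders in the SQL, values bound
// separately. No quotes around the placeholders; the driver handles that.
function insertPrepared(PDO $db, array $req): void {
    $sql = 'INSERT INTO class_schedule
              (date, start_id, end_id, classroom_id, type_id, name_id)
            VALUES (?, ?, ?, ?, ?, ?)';
    $stmt = $db->prepare($sql);
    $stmt->execute([
        $req['date'],
        $req['start'],
        $req['end'],
        (int) $req['classroom'],   // integer columns: coerce, never trust
        (int) $req['type'],
        (int) $req['name'],
    ]);
}

function rowCount(PDO $db): int {
    return (int) $db->query('SELECT COUNT(*) FROM class_schedule')->fetchColumn();
}

// Constructed request data, shaped like what a browser form would submit.
$benign = ['date' => '2022-09-16', 'start' => '08:00', 'end' => '09:30',
           'classroom' => '3', 'type' => '1', 'name' => '7'];

// A single apostrophe in a quoted field breaks the concatenated query.
$apostrophe = $benign;
$apostrophe['start'] = "9 o'clock";

// 'name' lands in the SQL unquoted, so no quote character is needed to
// break out: close the row and open a second one. Multi-row VALUES is
// valid in both SQLite and MySQL, so one request inserts two rows.
$injected = $benign;
$injected['name'] = "7), ('2099-01-01', '00:00', '23:59', 1, 1, 1";

$db = makeDb();
insertConcatenated($db, $benign);
try {
    insertConcatenated($db, $apostrophe);
} catch (PDOException $e) {
    echo "concatenated, apostrophe: query rejected (" . $e->getMessage() . ")\n";
}
$before = rowCount($db);
insertConcatenated($db, $injected);
echo "concatenated, injected request: rows added = " . (rowCount($db) - $before) . "\n";

$db = makeDb();
insertPrepared($db, $benign);
insertPrepared($db, $apostrophe);          // stored verbatim, no error
$before = rowCount($db);
insertPrepared($db, $injected);            // name_id becomes 7, one row
echo "prepared, injected request: rows added = " . (rowCount($db) - $before) . "\n";
$names = $db->query('SELECT name_id FROM class_schedule')->fetchAll(PDO::FETCH_COLUMN);
echo "prepared, name_id values: " . implode(',', $names) . "\n";
```

Run it with `php example.php`. The concatenated version rejects a legitimate value containing an apostrophe and lets a crafted `name` value insert an extra row from a single request; the prepared version stores the apostrophe as data and reduces the payload to the integer 7. With the mysqli API from the linked manual page the same SQL string is used and the binding step becomes `$stmt->bind_param('sssiii', $date, $start, $end, $classroom, $type, $name)` followed by `$stmt->execute()`; the quoting question from the original post disappears in both cases because the values never touch the SQL text.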
0 Answers