    $query = sprintf("INSERT INTO dat(empid,empname,reason,date)VALUES\n%s",
        implode(",\n", $values) );

    $query1= real_escape_string($query );

Please help me with the above code. I can't insert a character.

3
  • What is the value in $values variable? Commented Oct 16, 2015 at 12:20
  • 1
    Highly recommended to use prepared statement. Also you can try this: stackoverflow.com/questions/920353/… Commented Oct 16, 2015 at 12:26
  • #archana: If I give int to empid, empname, reason and date, I can insert to the db. If I use a character for empid, it shows an error like "Unknown column 'shyam' in 'field list'". Commented Oct 20, 2015 at 4:09

1 Answer

1

Firstly, always make sure that your data is safe.

    $emp_id_safe = filter_var($_POST['emp_id'], FILTER_SANITIZE_NUMBER_INT);
    $emp_name_safe = filter_var($_POST['emp_name'], FILTER_SANITIZE_STRING);
    $reason_safe = filter_var($_POST['reason'], FILTER_SANITIZE_STRING);
    $end_date_safe = filter_var($_POST['to_date'], FILTER_SANITIZE_STRING);

Secondly, the mysql PHP extension is deprecated and will be removed in the future. Replace it with mysqli.

    if ($emp_id_safe == FALSE || $emp_name_safe == FALSE || 
        $reason_safe == FALSE || $end_date_safe == FALSE) {
        die('Filter failure');
    } else {
        $stmt = $mysqli->prepare("INSERT INTO date(empid, empname, reason, date) VALUES (?, ?, ?, ?)");
        $stmt->bind_param("ssss", $emp_id_safe, $emp_name_safe, $reason_safe, $end_date_safe);
        $stmt->execute();
    }

2 Comments

#anna Unknown column 'shyam' in 'field list'. (Can't give character to empid.)

    <?php
    include("connect.php");
    $start_date = $_POST['from_date'];
    $end_date = $_POST['to_date'];
    $reason = $_POST['reason'];
    $emp_id = $_POST['emp_id'];
    $emp_name = $_POST['emp_name'];
    $startTime = strtotime($start_date);
    $endTime = strtotime($end_date);
    $values = array();
    for ($time = $startTime; $time <= $endTime; $time = strtotime('+1 day', $time)) {
        $thisDate = date('Y-m-d', $time);
        $values[] = "($emp_id, $emp_name, $reason,'$thisDate')";
    }
    $query = sprintf("INSERT INTO date(empid, empname, reason, date) VALUES (%s)", implode(",", $values));
    mysql_query($query) or die (mysql_error())
    ?>
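The prepared-statement approach from the answer, applied to the one-row-per-day loop in the code above, as an added example that is not part of the original answer or comments. It assumes PDO with an in-memory SQLite database in place of the MySQL server so that it runs without one; the function name `insertLeaveDays` and the sample input values are hypothetical.

```php
<?php
// Added example: PDO + in-memory SQLite stand in for the MySQL connection (assumption).
// Table and column names follow the page; insertLeaveDays() is a hypothetical helper.

function insertLeaveDays(PDO $db, string $empId, string $empName, string $reason,
                         string $from, string $to): int
{
    // Parse strictly: reject anything that does not round-trip as Y-m-d.
    $start = DateTime::createFromFormat('!Y-m-d', $from);
    $end   = DateTime::createFromFormat('!Y-m-d', $to);
    if (!$start || !$end
        || $start->format('Y-m-d') !== $from
        || $end->format('Y-m-d') !== $to
        || $start > $end) {
        throw new InvalidArgumentException('Invalid date range');
    }

    // Placeholders keep the values out of the SQL text, so a string such as
    // "shyam" is bound as data and is never parsed as a column name.
    $stmt = $db->prepare(
        'INSERT INTO date (empid, empname, reason, date) VALUES (?, ?, ?, ?)'
    );

    // One transaction: either every day in the range is stored or none is.
    $db->beginTransaction();
    try {
        $rows = 0;
        for ($day = clone $start; $day <= $end; $day->modify('+1 day')) {
            $stmt->execute([$empId, $empName, $reason, $day->format('Y-m-d')]);
            $rows++;
        }
        $db->commit();
    } catch (Throwable $e) {
        $db->rollBack();
        throw $e;
    }
    return $rows;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE date (empid TEXT, empname TEXT, reason TEXT, date TEXT)');

// Constructed input: a non-numeric id and a reason containing a quote and a comma.
$n = insertLeaveDays($db, 'E-17', 'shyam', "doctor's visit, follow-up", '2015-10-16', '2015-10-18');
echo "inserted $n rows\n";
foreach ($db->query('SELECT empid, empname, reason, date FROM date') as $row) {
    echo implode(' | ', [$row['empid'], $row['empname'], $row['reason'], $row['date']]), "\n";
}
```

With mysqli, the same loop works by calling `bind_param("ssss", ...)` once on variables and reassigning the date variable before each `execute()`.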
