Solution 1 :

I would use a prepared statement. As a rule of thumb I would always use prepared statements, even in development code, as:
A) They are usually designed with good, self-documenting interfaces, which results in cleaner, more understandable code, and
B) It means you do not have to refactor your code base before production (you had better not be using unprepared statements in production).

Doing this with the mysqli driver in PHP (using OOP):

// Construct the statement object
$stmt = $conn->prepare("INSERT INTO documentconfirmation (document, p_name, confirm, query) VALUES (?, ?, ?, ?)");

// Bind parameters: 'ssss' means four strings. mysqli's type letters are
// s (string), i (integer), d (double) and b (blob); 'b' is not a boolean type.
$stmt->bind_param('ssss', $document, $user_name, $confirmation, $comment);

// Execute the statement
$stmt->execute();

I would also check that the values are not null for any of those variables, as that is likely another problem, caused by improper posting to the script.
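
The answer's approach as a complete handler for the question's four fields (an added example, not the answerer's code): it rejects missing or empty fields before touching the database and binds the values as parameters. The connection settings, the `FIELDS` constant and both function names are assumptions.

```php
<?php
// Added example. Table and column names come from the question; the
// connection settings, FIELDS and the function names are assumptions.
const FIELDS = ['document', 'p_name', 'confirm', 'query'];

/** Return the four trimmed fields, or throw if any is missing or empty. */
function read_confirmation_fields(array $post): array
{
    $clean = [];
    foreach (FIELDS as $name) {
        $value = $post[$name] ?? null;
        if (!is_string($value) || trim($value) === '') {
            throw new InvalidArgumentException("Missing form field: $name");
        }
        $clean[$name] = trim($value);
    }
    return $clean;
}

/** Insert one row; values travel as bound parameters, never as SQL text. */
function save_confirmation(mysqli $conn, array $f): void
{
    $stmt = $conn->prepare(
        'INSERT INTO documentconfirmation (document, p_name, confirm, query)
         VALUES (?, ?, ?, ?)'
    );
    // mysqli type letters: s = string, i = integer, d = double, b = blob.
    $stmt->bind_param('ssss', $f['document'], $f['p_name'], $f['confirm'], $f['query']);
    $stmt->execute();
}

// Only touch the database when the form was actually posted.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors
    try {
        $fields = read_confirmation_fields($_POST);
        // Assumed connection settings; replace with your own.
        $conn = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
        save_confirmation($conn, $fields);
        echo 'Saved';
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    } catch (mysqli_sql_exception $e) {
        error_log($e->getMessage()); // log details, do not show them to the user
        http_response_code(500);
        echo 'Database error';
    }
}
```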

Problem :

Below is my code:
Can anyone see where I am going wrong?



//Confirm document reading
$document = $_POST["document"]; 
$user_name = $_POST["p_name"]; 
$confirmation = $_POST["confirm"]; 
$comment = $_POST["query"];

$insert="INSERT INTO documentconfirmation (document,p_name,confirm,query) VALUES 
  ('$document', '$user_name','$confirmation','$comment')";

$result3 =mysqli_query($conn,$insert) or die (mysqli_error($conn));?>'


Comment posted by Barmar

Are you using the same script to display the form and process the submission? Then you need to check that the form was submitted with something like


Comment posted by The fourth bird

Perhaps validate / sanitize the variables as well before inserting them into the database.

Comment posted by Don’t Panic

A couple of common causes for this are not setting the form method to post, and not naming or misnaming the form inputs. (Assuming the request is a form submission.)

Comment posted by SQL injection attacks