I would use a prepared statement. As a rule of thumb I would always use prepared statements, even in development code, as:
A) They are usually designed with good, self-documenting interfaces, which results in cleaner – more understandable – code, and
B) It means you do not have to refactor your code base before production (you had better not be using unprepared statements in production).
Doing this with the mysqli driver in PHP (using OOP):
// Construct the statement object
$stmt = $conn->prepare("INSERT INTO documentconfirmation (document,p_name,confirm,query) VALUES
(?, ?, ?, ?)");
// Bind parameters: 'ssis' stands for string-string-integer-string
// (mysqli has no bool type and 'b' means blob, so the boolean is bound as an integer)
$stmt->bind_param('ssis', $document, $user_name, $confirmation, $comment);
// Execute the statement
$stmt->execute();
I would also check that the values are not null for any of those variables, as that is likely another problem and caused by improper posting to the script.
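A fuller handler along the lines of this answer, added here as an example and not part of the original post: it refuses requests with missing fields before touching the database, then inserts with a prepared statement. The function names are hypothetical, `$conn` is assumed to come from the question's `secure/connect.php`, and `confirm` is assumed to be a boolean/TINYINT column.

```php
<?php
// Added example: function names are hypothetical; $conn is assumed to be the
// mysqli connection that the question's secure/connect.php creates.

// Collect the four expected form fields; report any that were not posted.
function read_confirmation_fields(array $post): array
{
    $fields = [];
    $missing = [];
    foreach (['document', 'p_name', 'confirm', 'query'] as $name) {
        // Absent inputs are null; array-style inputs (name[]) are rejected too.
        if (isset($post[$name]) && is_string($post[$name])) {
            $fields[$name] = trim($post[$name]);
        } else {
            $missing[] = $name;
        }
    }
    return [$fields, $missing];
}

function save_confirmation(mysqli $conn, array $post): array
{
    [$fields, $missing] = read_confirmation_fields($post);
    if ($missing) {
        return ['ok' => false, 'missing' => $missing]; // nothing is inserted
    }
    // Assumption: confirm is a boolean/TINYINT column. "1", "true", "on" and
    // "yes" become 1; anything else becomes 0.
    $confirm = (int) filter_var($fields['confirm'], FILTER_VALIDATE_BOOLEAN);

    $stmt = $conn->prepare(
        'INSERT INTO documentconfirmation (document, p_name, confirm, query)
         VALUES (?, ?, ?, ?)'
    );
    // User input travels as bound data, never as part of the SQL text.
    $stmt->bind_param('ssis', $fields['document'], $fields['p_name'], $confirm, $fields['query']);
    $stmt->execute();
    $stmt->close();
    return ['ok' => true, 'missing' => []];
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors
    include 'secure/connect.php';
    $result = save_confirmation($conn, $_POST);
    if (!$result['ok']) {
        http_response_code(400);
        echo 'Missing fields: ' . implode(', ', $result['missing']);
    }
}
```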
Problem:
Below is my code:
Can anyone see where I am going wrong?
<?php
include("secure/connect.php");
//Confirm document reading
$document = $_POST["document"];
$user_name = $_POST["p_name"];
$confirmation = $_POST["confirm"];
$comment = $_POST["query"];
$insert="INSERT INTO documentconfirmation (document,p_name,confirm,query) VALUES
('$document', '$user_name','$confirmation','$comment')";
$result3 = mysqli_query($conn, $insert) or die(mysqli_error($conn)); ?>
Comments
Comment posted by Barmar
Are you using the same script to display the form and process the submission? Then you need to check that the form was submitted with something like
Comment posted by Barmar
Replace
Comment posted by The fourth bird
Perhaps validate / sanitize the variables as well before inserting them into the database.
Comment posted by Don’t Panic
A couple of common causes for this are not setting the form method to post, and not naming or misnaming the form inputs. (Assuming the request is a form submission.)