1
For example:
$query = "INSERT INTO tabela (data, assunto, destino, elaborado) VALUES('{$data}', '{$assunto}', '{$destino}', '{$elaborado}')";
Where is tabela, i want to put a variable in place, because depending on what the user chooses, will use a different table.
I’ve tried it with quotes, with dots, with keys...
5
In PHP when you have a string wrapped with double quotes. The PHP interpreter will scroll through it and check if it has no variables to replace.
<?php
$tabela = 'Tabela1';
$data = '2018-06-20';
$assunto = 'Assunto';
$destino = 'Destino';
$elaborado = 'Elaborado';
$query = "INSERT INTO $tabela (data, assunto, destino, elaborado)
VALUES('$data', '$assunto', '$destino', '$elaborado')";
echo $query;
The excerpt echo $query; will print INSERT INTO Tabela1 (data, assunto, destino, elaborado) VALUES('2018-06-20', 'Assunto', 'Destino', 'Elaborado')
4
Thiagosilr’s answer is correct, just put the variable names inside the string with double quotes. However, I suggest not using this method to form darlings to be executed at your bank, as it makes you vulnerable to SQL injection attacks.
For example, if the user has control of the variable content $assunto through a form, could fill it as '1'); DROP DATABASE ... and try to destroy your bank only of pirraça.
A way to execute that same INSERT ensuring that input variables do not cause damage is using prepared statements, as demonstrated in the responses to this question from the SOE.
So, if you are using Mysqli, you instantiate an object of statement using the method prepare() of your connection object, specifying the gaps for parameters of bind using question marks, then pass the parameters in order in the method bind_param() of statement finally executes it:
//cria o statement
$statement = $dbConnection->prepare("INSERT INTO $tabela (data, assunto, destino, elaborado) VALUES(?, ?, ?, ?)");
//passa as variáveis para preencher os pontos de interrogação
//o parametro 's' significa que você está passando uma string. É como um printf...
$statement->bind_param('s', $data);
$statement->bind_param('s', $assunto);
$statement->bind_param('s', $destino);
$statement->bind_param('s', $elaborado);
//executa o statement
$stmt->execute();
Note that a Prepared statement only supports the parameterization of values of a query. Thus, the table name variable must be passed with simple string concatenation as in Thiago’s answer. I imagine it is somewhat unlikely that such a variable is an attack vector, since it is unusual to allow the user of an application to decide on which table of the system you want to query.
-6
One way is to use it as follows:
$query = "INSERT INTO tabela (data, assunto, destino, elaborado) VALUES({$data}, {$assunto}, {$destino}, {$elaborado})";
Without the simple quotes.
Without the simple quotes, Mysql will not consider the values as strings; not to mention that this way opens space for SQL Injection as commented in the nunks response.
You did exactly the same question, only it got worse because you removed the apostrophes, so you’ll probably have syntax error when you run. There are 2 answers already in the question, but apparently you didn’t bother to read them and left assuming a "solution", recommend you read, study and then try to suggest something, because if not you will teach your mistakes to people who are here to learn.
Browser other questions tagged php mysql mysqli
You are not signed in. Login or sign up in order to post.
This answers your question? How to prevent SQL code injection into my PHP code?
– Icaro Martins