php + mysql 在数据库中插入变量

Question

I'm totally PHP beginner, and I'm trying to insert variables in a database in PHP and MySQL. This is my code:

$link = mysql_connect('localhost','','','onlynews') or die('Cannot connect to the DB');
mysql_select_db('TEST',$link) or die('Cannot select the DB');

$strSQL = "INSERT INTO news(id, title,photo,url,source, at) VALUES('$x','$title','$url','$imgurl ','$source','$at')"; 

mysql_query($strSQL) or die(mysql_error());

The problem is it is doing: NOTHING! No Entries at all, Nothing changes in the database.

-How can I fix this?

-Do I have to write codes to prevent SQL Injection, even if the variables are coming from an API, not from users?

Answer 1

You have to execute your query using $conn->query($sql); .

However, to avoid SQL injections you should definitely use prepared statements or at least $conn->real_escape_string() to escape the values in your SQL statement.

For example, this is your code using prepared statements:

 $servername = "localhost";
 $username = "";
 $password = "";
 $dbname = "onlynews";
 $tableName = "news";
 $conn = new mysqli($servername, $username, $password, $dbname);
 $stmt = $conn->prepare("INSERT INTO news (id, title, photo, url, source, at)
                         VALUES (?, ?, ?, ?, ?, ?)");
 $stmt->bind_param('ssssss', $thetitle, $urlToImage, $theurl, $thesource, $thetime);
 $stmt->execute();
 $stmt->close();

You should also add some error checking, since $conn->prepare() and $stmt->execute() may fail (and return false ). Of course, establishing the connection to the database during the construction of $conn could also fail, which can be checked using $conn->connect_error .