PHP MySQLi和存储过程

Question

I have a stored procedure:

Create procedure news(in dt datetime,in title varchar(10),in desc varchar(200))

Begin
Insert into news values (dt,title,desc);
End

Now my php:

$db = new mysqli("","","","");

$dt = $_POST['date'];
$ttl = $_POST['title'];
$desc = $_POST['descrip'];
$sql = $db->query("CALL news('$dt','$ttl','$desc')");
if($sql)
{
echo "data sent";

}else{
echo "data not sent";

}

I'm new with php please help thank you

My php doesn't work i keep getting the "data not sent" message. Am I doing something incorrectly?

Answer 1

First thing that comes to mind, might not be the only issue:

$db = new mysqli("","","","");

should be something like

$db = new mysqli("localhost","username","pa$$w0rd","database_name");

or if you have your ini set up correctly (see ini_get() default values) ,

$db = new mysqli();

Edit : By the way, you probably really want to use parametrised queries (or just generally escape your input) through-out, your 'CALL' query writes user input directly into the query, you're quite vulnerable to SQL injection. Just imagine what'd happen if someone put in Description'); DELETE FROM news WHERE (title LIKE '% Description'); DELETE FROM news WHERE (title LIKE '% into $_POST['descrip'] :

$sql = $db->query("CALL news('...','...','Description'); DELETE FROM news WHERE (title LIKE '%')");

Not so good.

Answer 2

I think where you have

$sql = $db->query("CALL news('$dt','$ttl','$desc')");

you need

$sql = $db->query("CALL news('".$dt."','".$ttl."','".$desc."')");

The first fails because you are sending a string '$dt' as the date-time (and '$tt1' and '$desc' as the field values, for that matter).