Insert into table with prepared statement

Question

I'm trying to insert data from a form into a database using PHP and Mysqli but I can't get it working! My database has 4 fields: DATE, TITLE, CONTENT, ID. The ID field is auto-increment.

I've checked the connection and that's working fine. I've also echoed the form field values and the $blogDate variable I created, they're all fine too.

Here's my prepared statement:

if ($newBlog = $mysqli->prepare('INSERT INTO Blog VALUES ($blogDate, $_POST["bTitle"], $_POST["bContent"])')) {
  $newBlog->execute();
  $newBlog->close();
}

It's just not inserting the values into my table.

Answer 1

You are generating SQL containing strings that are not quoted or escaped.

Don't insert the data directly into the SQL string, use placeholders ( ? ) and then bind the parameters before executing.

$query = "INSERT INTO Blog VALUES (?, ?, ?)";
$stmt = $mysqli->prepare($query);
$stmt->bind_param("sss", $blogDate, $_POST["bTitle"], $_POST["bContent"]);
$stmt->execute();

Answer 2

Since you are aware about prepared statement:

$newBlog = $mysqli->prepare('INSERT INTO Blog (`dateCol`, `titleCol`, `contentCol`) VALUES (?, ?, ?)');
$newBlog->bind_param( 'sss', $blogDate, $_POST["bTitle"], $_POST["bContent"] );
$newBlog->execute();
$newBlog->close();

Answer 3

since you are using auto increment field you need to specify column name and then values try this code

$query = "INSERT INTO Blog (colname_1,colname_2,colname_3) VALUES (?, ?, ?)";
$stmt = $mysqli->prepare($query);
$stmt->bind_param("sss", $blogDate, $_POST["bTitle"], $_POST["bContent"]);
$stmt->execute();