www.webdeveloper.com

Thread: MySQLi stmt issue

  1. #1
    Join Date
    Dec 2011
    Posts
    163

    MySQLi stmt issue

    FORM

    PHP Code:
    <?php
    if($_POST['submit']){
        // mysqli_prep() is the poster's own helper; its definition is not shown in the thread.
        $section = mysqli_prep($_POST['table']);
        $linkid = mysqli_prep($_POST['linkid']);
        $title = mysqli_prep($_POST['title']);
        $des = mysqli_prep($_POST['des']);
        $date = mysqli_prep($_POST['date']);
        if(isset($_POST['facebook'])){ $facebook = mysqli_prep($_POST['facebook']); } else { $facebook = NULL; }

        // The table name is passed as a ? placeholder here; this is the line the error below points at.
        $sql = "INSERT INTO ? (
                    `linkid`, `title`, `description`, `date`, `facebook`
                    ) VALUES (
                    ?, ?, ?, ?, ?
                    )";
        $stmt = mysqli_stmt_init($connect);
        mysqli_stmt_prepare($stmt, $sql);
        mysqli_stmt_bind_param($stmt, 'sissss', $section, $linkid, $title, $des, $date, $facebook);
        if(mysqli_stmt_execute($stmt)){
            // Success!
            $display_message = "<h6 class=\"displaymessage\">Ministry news article created successfully!</h6>\n";
        }else{
            // Failed!
            $display_message = "<h6 class=\"displaymessage\">Ministry news article creation failed.</h6>\n";
            $display_message = "<h6 class=\"displaymessage\">".mysqli_error($connect)."</h6>\n";
        }
        mysqli_stmt_close($stmt);
    }
    ?>
    Returns...

    You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '? ( `linkid`, `title`, `description`, `date`, `facebook` ) VALUES ( ?, ' at line 1
    Is it possible that the selected table cannot be a (?) value? I have done this no problem with basic sql queries in the past...

  2. #2
    Join Date
    Aug 2004
    Location
    Ankh-Morpork
    Posts
    19,330
    Yeah, I don't think you can use place-holders for anything except literal values. You'll need to use PHP variables concatenated (or interpolated) there, I'm afraid -- which means if they come from an external source you'll need to do some sort of validation and/or sanitation of them.

    PS: another option would be to create a stored procedure, to which you could pass a parameter for the table name, I think.

  3. #3
    Join Date
    Dec 2011
    Posts
    163
    Alright, that's what I was thinkin'...
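
The validation suggested in reply #2, as an added example that is not part of the original thread: the table name is matched against a fixed allow-list before it is interpolated, and every value still goes through a placeholder. The table names and the functions `build_insert_sql()` and `insert_article()` are hypothetical, chosen for illustration.

```php
<?php
// Added example, not the poster's code. The table names are hypothetical.
const ALLOWED_TABLES = ['ministry_news', 'youth_news', 'events_news'];

/**
 * Build the INSERT for an allow-listed table. A table name is an identifier,
 * so it cannot be a ? placeholder; it is interpolated only after an exact match.
 */
function build_insert_sql(string $table): string
{
    if (!in_array($table, ALLOWED_TABLES, true)) {
        throw new InvalidArgumentException('Unknown table');
    }
    return "INSERT INTO `$table`
                (`linkid`, `title`, `description`, `date`, `facebook`)
            VALUES (?, ?, ?, ?, ?)";
}

/** Values are bound as parameters; only the validated identifier is in the SQL text. */
function insert_article(mysqli $connect, string $table, int $linkid, string $title,
                        string $des, string $date, ?string $facebook): bool
{
    $stmt = mysqli_prepare($connect, build_insert_sql($table));
    if ($stmt === false) {
        return false;
    }
    // Five placeholders, five types: the table name is no longer bound.
    mysqli_stmt_bind_param($stmt, 'issss', $linkid, $title, $des, $date, $facebook);
    $ok = mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);
    return $ok;
}

// Constructed inputs; no database is needed to see the allow-list check work.
foreach (['ministry_news', 'ministry_news` -- '] as $candidate) {
    try {
        echo build_insert_sql($candidate), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', var_export($candidate, true), "\n";
    }
}
```

Because the form value is only compared against the list and never copied into the query unless it matches exactly, no escaping of the table name is required.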
