After setting up a mysqli object in PHP, I want to insert some POST variables into a table, but I have a question about how the quotes will work out:
```php
// Interpolates the raw POST values straight into the SQL text (string-building approach from the question)
$sql = "INSERT INTO whatever (a, b, c)
VALUES ('$_POST[a]','$_POST[b]','$_POST[c]')";
```
I’m aware, however, that most times I’ve used global variables like POST or GET, there are quotes around the variable name — my question is, do I have to do so in the SQL statement above? Should I then escape single or double quotes around those variable names? Not sure if quotes are even necessary…
Since you are using MySQLi already, why not use a prepared statement?
This will take care of the quotes for you automatically and securely (against SQL injection).
See http://www.php.net/manual/en/mysqli-stmt.bind-param.php for example usage.
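The INSERT from the question rewritten as a mysqli prepared statement, as an added example that is not part of the answer above; the connection details are placeholders, and the table and column names are the ones from the question.

```php
<?php
// Added example: the question's INSERT done with a mysqli prepared statement.
// Connection details below are placeholders; replace them with your own.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw exceptions on DB errors

$mysqli = new mysqli('localhost', 'db_user', 'db_password', 'db_name');

// Read the POST fields; a missing key becomes an empty string instead of a notice.
$a = $_POST['a'] ?? '';
$b = $_POST['b'] ?? '';
$c = $_POST['c'] ?? '';

// The ? placeholders stand in for the values, and they are NOT quoted:
// the values are sent to the server separately from the SQL text, so a
// quote character inside $a, $b or $c is stored as data, never parsed as SQL.
$stmt = $mysqli->prepare('INSERT INTO whatever (a, b, c) VALUES (?, ?, ?)');

// 'sss' declares three string parameters, bound in placeholder order.
$stmt->bind_param('sss', $a, $b, $c);
$stmt->execute();

echo 'Inserted row id: ' . $mysqli->insert_id . "\n";

$stmt->close();
$mysqli->close();
```

Because the values never touch the SQL string, there is nothing to escape by hand; the same pattern works for SELECT, UPDATE and DELETE with user-supplied input.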