I just want to know that when it comes to inserting data into database using mysqli, if this is the best way to do it below or is there a much better way?
$insert = array();
for ($i = 1, $n = $_SESSION['sessionNum']; $i <= $n; ++$i)
{
$insert[] = "'". mysqli_real_escape_string( $_SESSION['id'] ) . ($n == 1 ? '' : $i) . "','". mysqli_real_escape_string( $_SESSION['timeChosen'] ) ."','". mysqli_real_escape_string( date("Y-m-d", strtotime( $_SESSION['dateChosen'] ) ) ) ."'
,'". mysqli_real_escape_string( $_SESSION['textWeight'] ) ."','". mysqli_real_escape_string( $time ) ."','". mysqli_real_escape_string( $_SESSION['textMarks'] ) ."'
,'". mysqli_real_escape_string( $_SESSION['module'] ) ."','". mysqli_real_escape_string( $teacherid ) ."','". mysqli_real_escape_string( $_SESSION['rooms'] ) ."'";
}
$insertsql = "INSERT INTO Session (SessionId, SessionTime, SessionDate, SessionWeight, SessionDuration, TotalMarks, ModuleId, TeacherId, Room)
VALUES (" . implode('), (', $insert) . ")";
$sqlstmt=$mysqli->prepare($insertsql);
$sqlstmt->execute();
The whole point of using prepared statements is to avoid doing half of the work you are doing. The basic idea is that you just create the basic query, prepare it and tell it the variable names you will use instead of the placeholders and then do all the work on the variables.
Your code should be something as follows: