Using the SQL in the below code:
public function saveOrder() {
    $id = $this->getUserId();
    $this->db->query("INSERT INTO orders VALUES (null, '$id', '$this->basket_lines', '$this->total', NOW() )");
    return $this->db->id();
}
Where the last column in the above is a DATETIME field, the result in the database keeps defaulting to 0000-00-00 00:00:00.
I have tried the column format as timestamp too and used:
ALTER TABLE `content ` CHANGE `date` `date` TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP
from another post but to no avail.
Can anyone spot what's wrong?
Thanks
Edit: BTW I am escaping my SQL statement from within the DB class using
$this->SQL = $this->mysqli->real_escape_string($SQL);
$this->result = $this->mysqli->query($SQL);
Edit 2: I am now escaping pre query with
$i=mysql_real_escape_string($id);
$b=mysql_real_escape_string($this->basket_lines);
$t=mysql_real_escape_string($this->total);
$this->db->query("INSERT INTO orders VALUES (null, '$i', '$b', '$t', NOW() )");
Still not working, this is all rather odd?
You got the escaping concept wrong: you need to escape the data you will insert into the DB, to prevent SQL injection, not the whole query!
So you should do something like:
I am pretty sure that all your problem is because, when escaping the whole query, the query becomes malformed and is not a valid SQL query anymore.
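The difference between escaping the whole statement and escaping only the data, followed by a bound-parameter version of the insert, as an added example that is not part of the original question or answer. The helper `escape_like_mysql()` is a hypothetical stand-in that approximates `real_escape_string()` so the first part runs without a server, and the sample values are constructed.

```php
<?php
// Added example, not the poster's code.

// Hypothetical helper: approximates the escaping done by
// mysqli::real_escape_string() for a single-byte charset.
function escape_like_mysql(string $s): string
{
    return strtr($s, [
        "\\" => "\\\\", "\0" => "\\0", "\n" => "\\n", "\r" => "\\r",
        "'" => "\\'", '"' => '\\"', "\x1a" => "\\Z",
    ]);
}

// Constructed values standing in for $id, $this->basket_lines, $this->total.
$id = "42";
$basket = "2 x O'Reilly book";
$total = "19.98";

// Escaping the whole statement also escapes the quotes that delimit the
// values, so the server sees \' where it expects a string delimiter.
$whole = escape_like_mysql(
    "INSERT INTO orders VALUES (null, '$id', '$basket', '$total', NOW())"
);
echo "whole query escaped: ", $whole, "\n";

// Escaping each value first leaves the delimiters intact; only the
// apostrophe inside the data is escaped.
$perValue = sprintf(
    "INSERT INTO orders VALUES (null, '%s', '%s', '%s', NOW())",
    escape_like_mysql($id), escape_like_mysql($basket), escape_like_mysql($total)
);
echo "values escaped:      ", $perValue, "\n";

// Bound parameters keep the data out of the SQL text entirely, so no
// escaping step is needed. Assumes an open mysqli connection in $db.
function saveOrder(mysqli $db, int $userId, string $basketLines, string $total): int
{
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on failure
    $stmt = $db->prepare('INSERT INTO orders VALUES (NULL, ?, ?, ?, NOW())');
    $stmt->bind_param('iss', $userId, $basketLines, $total);
    $stmt->execute();
    return $db->insert_id;
}
```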