I'm trying to insert inputted data from a form into a MySQL database with php for a school project.
If found a couple of examples, but can't get them to work. I did it without parameterized queries, and it worked fine. The code looked like this
$user_firstName = $_POST['firstName'];
$user_lastName = $_POST['lastName'];
$user_receiveTexts = "true";
$user_mobileNumber = $_POST['mobileNumber'];
$user_receiveNewsletter = $_POST['receiveNewsletter'];
$user_email = $_POST['email'];
if(isset($_POST['submit'])) {
$sql = "INSERT INTO subscribers (firstName, lastName, receiveTexts, mobileNumber, receiveNewsletter, email)
VALUES ('$user_firstName', '$user_lastName', '$user_receiveTexts', '$user_mobileNumber', '$user_receiveNewsletter', '$user_email' )";
Then I tried to change it to use Parameterized Queries/prepared statements, but can't really get it to work.
$sql = "INSERT INTO subscribers (firstName, lastName, receiveTexts, mobileNumber, receiveNewsletter, email) VALUES (?, ?, ?, ?, ?, ?)";
$stmt = $mysqli->prepare($sql);
$stmt->bind_param($val1, $val2, $val3, $val4, $val5, $val6);
$val1 = $user_firstName;
$val2 = $user_lastName;
$val3 = "true";
$val4 = $user_mobileNumber;
$val5 = $user_receiveNewsletter;
$val6 = $user_email;
$stmt->execute();
Pretty much I'm just trying to prevent SQL inject on it :) Any help is appreciated. Thanks
