how to insert multiple variables into a sql query

Question

<?php
  session_start();
  include('function.php');

  site::db();
  $type=$_GET['type'];
  $date=$_GET['date'];
  $amount=$_GET['amount'];

  switch($type) {
    case "in_park":
      $table = "lot_income";
      $col = "date,amount";
      $val = $date $type $amount;
      break;
  }

  $sql = mysql_query("INSERT INTO $table ($col) VALUES ('$val')");
  if(!$sql) {
    die(mysql_error());
  } 

  //header("LOCATION: dashboard.php")
?>

This will not work but im assuming that i will will need to explode the variables val but how to i put the comma in there too so i can put the info in many different field other than just one field.

Answer 1

Change this..

$val=$date $type $amount;

Into this

$val= "'$date', '$amount'";

And thius

$sql=mysql_query("INSERT INTO $table ($col) VALUES ('$val')");

into this

$sql=mysql_query("INSERT INTO $table ($col) VALUES ($val)");

Answer 2

I think you are missing a column in your SQL statement:

$col = "date, type, amount";

You will need to format the SQL values accordingly:

$val = "'$date', '$type', '$amount'";

Concatenate them:

$sql = mysql_query("INSERT INTO $table ($col) VALUES ($val)");

Answer 3

I usually do:

$table = "lot_income";

$data = array(
    'date' => "'".mysql_real_escape_string($date)."'", // date
    'type' => intval($type), // integer
    'amount' => intval($amount), // integer
    'text' => "'".mysql_real_escape_string($sometext)."'" // string
    // etc
  );

// I tend to wrap the following statement in a function for code reuse

$resource = mysql_query(
    "INSERT INTO ".$table." (".implode(", ", array_keys($data).")"
    . "VALUES (".implode(", ", array_values($data).")"
   );

Note: for values escaping (in order to avoid SQL injections), it would be easier/safer to bind variables by using PHP extension PDO or mysqli.