ERROR WHILE INSERTING USING MYSQLI

Tags: php html
Question!

i'm new to this PHP please help me here i'm unable to insert values into table. But if i gave values directly to insert command in place of variables it works.

<?php
include ("db.php"); 
$msg = "";
if(isset($_POST["submit"]))
{
    $name = $_POST["name"];
    $email = $_POST["email"];
    $password = $_POST["password"];
    $name = mysqli_real_escape_string($db, $name);
    $email = mysqli_real_escape_string($db, $email);
    $password = mysqli_real_escape_string($db, $password);
    $password = md5($password);
    $sql="SELECT email FROM users2 WHERE email='$email'";
    $result=mysqli_query($db,$sql);
    $row=mysqli_fetch_array($result,MYSQLI_ASSOC);
    if(mysqli_num_rows($result) == 1)
    {
        $msg = "Sorry...This email already exist...";
    }
    else
    {
        $query = mysqli_query($db, "INSERT INTO users2 (name, email, password)VALUES ('$name', '$email', '$password')");
        if($query)
        {
            $msg = "Thank You! you are now registered.";
        }
    }
}
?>


Answers

You have to concat the variable in string of insert not just put as variable

$query = mysqli_query($db,"INSERT INTO users2 (name, email, password)VALUES ('".$name."', '".$email."', '".$password."')")

or

$query = mysqli_query($db,"INSERT INTO users2 (name, email, password)VALUES ('{$name}', '{$email}', '{$password}')")

You should use prepare statement for this mysql_real_escape_string-versus-Prepared-Statements

Never use md5() is-md5-considered-insecure

Prefer password_hash() or password_verify() Manuel

``

By : gaurav


$sql = "INSERT INTO users2 (name, email, password) VALUES (?,?,?)";
            if (!$stmt = $db-


This video can help you solving your question :)
By: admin