Having learnt the basics of PHP and MySQL, I am now learning how to protect against SQL injection attacks by using prepared statements. I have the following code:
for ($i = 0; $i < $delegateno ;$i++){
$q = "INSERT INTO delegates (delegate_id,booker_name, booker_email, booker_tel, booker_company, delegate_name, delegate_email, delegate_tel) VALUES (NULL, ?, ?, ?, ?, ?, ?, ? )";//Insert delegate information into delegate tables
$stmt = mysqli_query($dbc, $q);
mysqli_stmt_bind_param($stmt,'sssssss', $fullname, $email, $tel, $company,$delegatename[$i],$delegateemail[$i],$delegatetel[$i]);
mysqli_stmt_execute($stmt);
}
However, this throws:
Notice: Query: INSERT INTO delegates (delegate_id,booker_name, booker_email, booker_tel, booker_company, delegate_name, delegate_email, delegate_tel) VALUES (NULL, ?, ?, ?, ?, ?, ?, ? )
MySQL Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '?, ?, ?, ?, ?, ?, ? )'
What am I doing wrong?
Because you're executing the raw query containing the placeholders. You need to prepare() the query first.
This is how it goes (usually): prepare -> bind_param -> execute -> fetch.
Change:
$stmt = mysqli_query($dbc, $q);
to:
$stmt = mysqli_prepare($dbc, $q);