I'm trying to run the following code:
mysql_query("INSERT INTO friend_data (UID, Name) VALUES ($friendUID, $friendName)");
where $friendUID is the user ID grabbed from Facebook, and $friendName is the name of the friend grabbed from Facebook. For some reason, $friendName just won't write to MySQL. $friendUID writes fine, and so does regular text. Does anyone have an idea why, or how to get this working? Relevant code is below:
$uid = $facebook->getUser();
$friends = $facebook->api('/me/friends');
$friendUID = $value["id"];
$friendName = $value["name"];
echo $friendName;
mysql_query("INSERT INTO friend_data (UID, Name) VALUES ($friendUID, $friendName)");
Thank you!
First, you should look into using MySQLi or PDO, as the PHP MySQL extension is quite old (and now deprecated in PHP 5.5).
http://www.php.net/manual/en/mysqlinfo.api.choosing.php
The issue is that you are trying to insert raw text into the SQL query, which, in addition to being an injection risk, causes an invalid statement:
Desired result:
INSERT INTO friend_data (UID, Name) VALUES (1234, "Friend Name");
Actual result:
INSERT INTO friend_data (UID, Name) VALUES (1234, Friend Name);
You need to encapsulate the name value in quotes, as well as escape the values before inserting them:
$uid = $facebook->getUser();
$friends = $facebook->api('/me/friends');
$friendUID = mysql_real_escape_string($value["id"]);
$friendName = mysql_real_escape_string($value["name"]);
mysql_query("INSERT INTO friend_data (UID, Name) VALUES ($friendUID, \"$friendName\")");
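The MySQLi/PDO route recommended at the top of this answer, as an added example that is not part of the original answer: bound placeholders remove both the quoting problem and the injection risk, including for the unquoted UID, which escaping alone does not protect. It assumes PDO with the pdo_sqlite extension (an in-memory SQLite database stands in for MySQL so the script runs offline), a constructed friend list, a hypothetical `saveFriends()` helper, and that Facebook IDs are numeric strings.

```php
<?php
// Added example. An in-memory SQLite database stands in for MySQL (assumption);
// with MySQL only the DSN and credentials passed to new PDO(...) change.
$pdo = new PDO('sqlite::memory:');
// Throw on SQL errors instead of failing silently, which is what hid the
// original problem behind a mysql_query() call with no error check.
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE friend_data (UID TEXT PRIMARY KEY, Name TEXT NOT NULL)');

// Constructed sample shaped like the /me/friends result used in the question.
$friends = ['data' => [
    ['id' => '1234', 'name' => 'Friend Name'],
    ['id' => '5678', 'name' => "Miles O'Brien"],                        // apostrophe in a real name
    ['id' => '9012', 'name' => 'Robert"); DROP TABLE friend_data; --'], // SQL-looking text
    ['id' => '12 OR 1=1', 'name' => 'Bad Id'],                          // malformed ID, rejected below
]];

// Hypothetical helper: inserts every friend with a well-formed ID, returns the row count.
function saveFriends(PDO $pdo, array $friends): int
{
    // The statement text is fixed; values travel separately as bound parameters,
    // so they are never parsed as SQL and need no manual quoting or escaping.
    $stmt = $pdo->prepare('INSERT INTO friend_data (UID, Name) VALUES (:uid, :name)');
    $saved = 0;
    foreach ($friends['data'] as $value) {
        // Defence in depth: the ID is expected to be digits only (assumption).
        if (!ctype_digit((string) $value['id'])) {
            continue;
        }
        $stmt->execute([':uid' => $value['id'], ':name' => $value['name']]);
        $saved++;
    }
    return $saved;
}

echo saveFriends($pdo, $friends), " rows inserted\n";

// Every name comes back byte-for-byte as supplied, and the table still exists.
foreach ($pdo->query('SELECT UID, Name FROM friend_data ORDER BY UID') as $row) {
    echo $row['UID'], ' => ', $row['Name'], "\n";
}
```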