Insert into table with prepared statement

Question

I\'m trying to insert data from a form into a database using PHP and Mysqli but I can\'t get it working! My database has 4 fields: DATE, TITLE, CONTENT, ID. The ID field is auto

Answer 1

You are generating SQL containing strings that are not quoted or escaped.

Don't insert the data directly into the SQL string, use placeholders (?) and then bind the parameters before executing.

$query = "INSERT INTO Blog VALUES (?, ?, ?)";
$stmt = $mysqli->prepare($query);
$stmt->bind_param("sss", $blogDate, $_POST["bTitle"], $_POST["bContent"]);
$stmt->execute();