I am trying to make my insert query protected against sql injection. But I am having issues getting this to work. any ideas? I have tried several things.
$bullets = Input::get('bullet_content');
$product_id = Input::get('product_id');
$user_id = Input::get('user_id');
$retailer_id = Input::get('retailer_id');
$date = date("Y-m-d H:i:s");
foreach ($bullets as $bullet){
$query = "'INSERT INTO bullets(product_id, user_id,bullet_content, bullet_deleted, created_at, updated_at)
VALUES('?','?','?','?','?','?')', [$product_id,$user_id,$bullet,'N',$date,$date]";
DB::insert($query);
}
return back()->with('message','Features add successfully!');
When I try this I get the following errror:
SQLSTATE[07002]: [Microsoft][ODBC Driver 11 for SQL Server]COUNT field incorrect or syntax error (SQL: 'INSERT INTO bullets(product_id, user_id,bullet_content, bullet_deleted, created_at, updated_at) VALUES('?','?','?','?','?','?')', [1,1,can't,'N',2017-11-10 16:28:44,2017-11-10 16:28:44])
I have also tried:
$bullets = Input::get('bullet_content');
$product_id = Input::get('product_id');
$user_id = Input::get('user_id');
$retailer_id = Input::get('retailer_id');
$date = date("Y-m-d H:i:s");
foreach ($bullets as $bullet){
$query = "'INSERT INTO bullets(product_id, user_id,bullet_content, bullet_deleted, created_at, updated_at)
VALUES('?','?','?','?','?','?')' ";
$values = [$product_id,$user_id,$bullet,'N',$date,$date];
DB::insert($query,$values);
}
return back()->with('message','Features add successfully!');
and got the following error:
SQLSTATE[42000]: [Microsoft][ODBC Driver 11 for SQL Server][SQL Server]Incorrect syntax near 'INSERT INTO bullets(product_id, user_id,bullet_content, bullet_deleted, created_at, updated_at) VALUES('. (SQL: 'INSERT INTO bullets(product_id, user_id,bullet_content, bullet_deleted, created_at, updated_at) VALUES('1','1','can't','N','2017-11-10 16:33:43','2017-11-10 16:33:43')' )