I am having question about why single quote should be used within the double quote when preparing insert statement. My understanding is variable with double quotes will get interpreted. variable with single quotes will not get interpreted.
$var1 = 5; print "$var1"; //output value 5
$var2 = 'jason'; print '$var2'; //output $var2
I am not sure why the single quotes are used in the values section in the code below. Please give me some explanation. Thanks!
$first_name = $_POST['first_name'];
$first_name = trim($first_name);
$last_name = $_POST['last_name'];
$stmt = $con->prepare("insert into reg_data (first_name, last_name)
values('$first_name', '$last_name')");
Your usage of quotes is correct, but you're using prepared statements incorrectly - your code is vulnerable to SQL injection! Instead, use placeholders (without quotes) in the query, and pass in the actual values later, as in the example:
$first_name = $_POST['first_name'];
$first_name = trim($first_name);
$last_name = $_POST['last_name'];
$stmt = $con->prepare("insert into reg_data (first_name, last_name)
values(:first_name, :last_name)");
$stmt->execute(array(':first_name' => $first_name, ':last_name' => $last_name));