Only recently started using mysql so I'm slowly getting to grips with it, but trying to use PHP prepared statements for a webform, and upon submitting the webform, it's just displaying the php code. Any suggestions?
Thanks
<?php
$link = mysqli_connect("localhost", "root", "", "contactform");
if($link === false){
die("ERROR: Could not connect. " . mysqli_connect_error());
}
$sql = "INSERT INTO contactform (firstname, surname, address1, address2,
towncity, county, postcode) VALUES (?,?,?,?,?,?,?)";
if($stmt = mysqli_prepare($link, $sql)){
mysqli_stmt_bind_param($stmt, "sssssss", $firstname, $surname, $address1,
$address2, $towncity, $county, $postcode);
$firstname = $_REQUEST['firstname'];
$surname = $_REQUEST['surname'];
$address1 = $_REQUEST['address1'];
$address2 = $_REQUEST['address2'];
$towncity = $_REQUEST['towncity'];
$county = $_REQUEST['county'];
$postcode = $_REQUEST['postcode'];
if(mysqli_stmt_execute($stmt)){
echo "Records inserted successfully.";
} else{
echo "ERROR: Could not execute query: $sql. " . mysqli_error($link);
}
} else{
echo "ERROR: Could not prepare query: $sql. " . mysqli_error($link);
}
mysqli_stmt_close($stmt);
mysqli_close($link);
?>
using eval( $text ); will execute your string as PHP code.
is that what you are looking for ?
Caution The eval() language construct is very dangerous because it allows execution of arbitrary PHP code. Its use thus is discouraged. If you have carefully verified that there is no other option than to use this construct, pay special attention not to pass any user provided data