
Get User's Comment From MySQL Using PHP

I'm trying to allow a user to comment on a profile on my website. I have the following php -- updated:

<?php
// Insert the comment the user provides into the database
$comm = mysql_real_escape_string($_POST['addComment']);     // mysql_* escaping, not a PDO function
$pID4 = filter_input(INPUT_GET, 'pID', FILTER_SANITIZE_NUMBER_INT);   // profile id from the query string
$cID = mysql_real_escape_string($_POST['courseInfoDD']);
$username = "###";
$password = "####";
$pdo4 = new PDO('mysql:host=localhost;dbname=###', $username, $password);
$pdo4->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Named placeholders; the values are bound at execute() time
$sth3 = $pdo4->prepare('
    INSERT INTO Comment (info, pID, cID)
    VALUES(:info, :pID, :cID)
');
$sth3->execute(array(
    ':info' => $comm, ':pID' => $pID4, ':cID' => $cID
));
?>

DB Table "Comment": http://postimage.org/image/16sbr0jd0/ (Moderator, please convert this to show the image)

HTML:

<input type='text' id='addComment' name='addComment' tabindex='3' value='Enter comment' />

Error Given:

"No pID specified" when I try to insert a comment.


You are using single-quotes in your insert statement :

$sth3 = $pdo3->prepare('
    INSERT INTO Comment (info, pID, cID)
    VALUES($comm, $pID3, $cID)
');

With those single quotes, $comm will not be evaluated -- the literal $comm string will be sent to the database -- resulting in something you probably don't quite expect.


If you want variables to be interpolated, you should use double-quotes around your string.

But, as you are trying to use prepared statements, that's not what you should do, actually.

Instead, you should use placeholders in the statement -- and, then, bind those to your data, when executing the statement.


Your prepare would look a bit like this, I suppose :

$sth3 = $pdo3->prepare('
    INSERT INTO Comment (info, pID, cID)
    VALUES(:comm, :pID3, :cID)
');

Note the :comm, :pID3, and :cID placeholders.

And, then, when executing the statement, you'll actually pass some real data, to correspond to the placeholders :

$sth3->execute(array( ':comm' => $comm, ':pID3' => $pID3, ':cID' => $cID, ));


Additional note: as you are using prepared statements, you don't have to use mysql_real_escape_string() (which is not a PDO-related function, BTW, and should only be used when working with mysql_* functions): the escaping is dealt with by the prepared statement mechanism itself.


The parameters to the PDO prepared statement should be used like this:

$sth3 = $pdo3->prepare('
    INSERT INTO Comment (info, pID, cID)
    VALUES(:info, :pID, :cID)
');
$sth3->execute(array(
    ':info' => $comm, ':pID' => $pID3, ':cID' => $cID
));

First set up the "slots" for the values, then supply them when you run the query.


$variables in single-quoted strings are not interpolated. Use double quotes instead and add quotes for the SQL statement itself:

$sth3 = $pdo3->prepare("
    INSERT INTO Comment (info, pID, cID)
    VALUES('$comm', '$pID3', '$cID')
");


Your problem has nothing to do with mysql nor with comments.

It's basic PHP string syntax.

Use double quotes if you want variables to be interpreted in a string.

However, you shouldn't add variables into the query directly, but rather bind them.

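The difference the answers above are arguing about (interpolating the comment into the SQL text with double quotes, versus binding it to a :placeholder) is easiest to see by running both against the same input. The script below is an added example, not code from the question or from any of the answers; it uses an in-memory SQLite database through PDO so it runs offline, and the Comment table, the helper function names and the sample comment are all constructed for the demo. It assumes PHP 7 or later with the pdo_sqlite extension.

```php
<?php
// Added example: interpolated SQL vs. PDO placeholders.
// Not part of the original question or answers. Uses an in-memory
// SQLite database so it runs offline; the table, function names and
// inputs below are constructed for this demo.
// Assumption: PHP 7+ with the pdo_sqlite extension enabled.

function openDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Same columns as the question's Comment table, plus a key.
    $pdo->exec('CREATE TABLE Comment (id INTEGER PRIMARY KEY, info TEXT, pID INTEGER, cID INTEGER)');
    return $pdo;
}

// Double-quoted interpolation: the comment text becomes part of the
// SQL statement. Any quote in the input either breaks the syntax or,
// with a crafted input, changes what the statement does.
function insertInterpolated(PDO $pdo, string $comm, int $pID, int $cID): void
{
    $sql = "INSERT INTO Comment (info, pID, cID) VALUES ('$comm', '$pID', '$cID')";
    $pdo->exec($sql);
}

// Placeholders: the SQL text is fixed and the values travel separately,
// so the database never parses user input as SQL. No escaping needed,
// which is why mysql_real_escape_string() is redundant here.
function insertBound(PDO $pdo, string $comm, int $pID, int $cID): void
{
    $sth = $pdo->prepare('INSERT INTO Comment (info, pID, cID) VALUES (:info, :pID, :cID)');
    $sth->execute([':info' => $comm, ':pID' => $pID, ':cID' => $cID]);
}

// Constructed user input: an ordinary English apostrophe, followed by
// the kind of tail an attacker would append.
$comm = "Great course, isn't it? '); DELETE FROM Comment; --";
$pID  = 7;
$cID  = 3;

$pdo = openDb();

try {
    insertInterpolated($pdo, $comm, $pID, $cID);
    echo "interpolated: accepted\n";
} catch (PDOException $e) {
    // The apostrophe in "isn't" ends the string literal early and the
    // remainder is parsed as SQL: a syntax error, not a stored comment.
    echo "interpolated: " . $e->getMessage() . "\n";
}

insertBound($pdo, $comm, $pID, $cID);
$row = $pdo->query('SELECT info, pID, cID FROM Comment')->fetch(PDO::FETCH_ASSOC);
// The bound version stores the text exactly as typed, apostrophe and all.
var_dump($row['info'] === $comm);
var_dump((int) $row['pID'] === $pID && (int) $row['cID'] === $cID);
```

Run it with `php example.php`: the interpolated insert throws a PDOException with a syntax error near the text that followed the apostrophe, while the bound insert succeeds and both var_dump calls print bool(true). Swapping the apostrophe for a carefully placed closing quote would turn the first case from a crash into an executed DELETE, which is the point of answer four's "bind them"; the bound version needs no change to survive either input.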
