I changed the code so that it is using prepared statements but I just get new errors now. I altered the table so that the date_col column has the data type of varchar. I get the following warning:
mysqli_stmt_bind_param(): Number of variables doesn't match number of parameters in prepared statement
if(isset($REQUEST["submit"]) ) {
$date = new DateTime('', new DateTimeZone('America/New_York'));
$name = mysqli_real_escape_string($connection, $REQUEST["name"]);
$date_col = $date->format('M d, Y H:i');
$website = $REQUEST["website"];
$comment = mysqli_real_escape_string($connection, $REQUEST["comment"]);
$sql = "INSERT INTO comment_table (name,date_col,website,comment) VALUES ('$name', '$date_col','$website','$comment')";
if($stmt = mysqli_prepare($connection, $sql)){
// Bind variables to the prepared statement as parameters
mysqli_stmt_bind_param($stmt,'ssss',$name,$date_col,$website,$comment);
// Attempt to execute the prepared statement
if(mysqli_stmt_execute($stmt)){
echo "Records inserted successfully.";
} else{
echo "ERROR: Could not execute query: $sql. " . mysqli_error($connection);
}
} else{
echo "ERROR: Could not prepare query: $sql. " . mysqli_error($connection);
}
// Close statement
mysqli_stmt_close($stmt);
// Close connection
mysqli_close($connection);