Parse error: syntax error, unexpected 'into' (T_STRING) [duplicate] - php

This question already has answers here:
PHP parse/syntax errors; and how to solve them
(20 answers)
How can I prevent SQL injection in PHP?
(27 answers)
Closed 2 years ago.
I am using a script from 2002
can anyone help me with this code
$add_topic = insert into forum_topics values ('', '$_POST['topic_title']',
It gives me a "Parse error: syntax error, unexpected 'into' (T_STRING)" Please help
Thank you

You need to put quotes around your SQL statement. You also might get some errors with using your variable $_POST['topic_title']. Put double quotes around it like below.
$add_topic = "INSERT INTO forum_topics VALUES('', '".$_POST['topic_title']."')";
It's also a good idea to add parentheses after "forum_topics" so that you can get an idea of what you are actually inserting.
$add_topic = "INSERT INTO forum_topics(some_value, topic_title) VALUES('', '".$_POST['topic_title']."')";
Also use Prepared Statements so your code is not open to SQL injection. Please search Google first before coming here as there are a lot of resources related to errors. It should look like this:
$add_topic = "INSERT INTO forum_topics(some_value, topic_title) VALUES(?, ?)";
if ($stmt = mysqli_prepare($conn, $add_topic)) {
    // Parameters are bound by reference, so $some_var can be assigned before execute.
    mysqli_stmt_bind_param($stmt, "ss", $some_var, $_POST['topic_title']);
    $some_var = ' ';
    mysqli_stmt_execute($stmt);
    // Execution successful.
} else {
    // Error.
}

Related

Selecting an item from a database depending on the session [duplicate]

This question already has answers here:
PHP parse/syntax errors; and how to solve them
(20 answers)
Closed 6 years ago.
How can I select the 'description' row from my 'users' table? I want to just grab the description row depending on what user is logged in.
So far I have this code
$sql = "SELECT description FROM users WHERE uid="$_SESSION['uid']";
but I get this error:
Parse error: syntax error, unexpected '$_SESSION' (T_VARIABLE) in /Applications/XAMPP/xamppfiles/htdocs/login_sys/includes/profile.inc.php on line 19
That's because your code is syntactically wrong.
The correct code would be this:
$uid = $_SESSION['uid'];
$sql = "SELECT description FROM users WHERE uid='$uid'";
(I put the $_SESSION['uid'] in a variable to avoid the problem with lots of quotes in the query).
However, this solution is also wrong, in that you should never use a variable directly in the database like this, even when it's a session. You should read up on prepared queries, and make sure you use either mysqli_ or PDO as a database-handler in PHP.
You are getting this error because you are missing one " at the end of the query
$sql = 'SELECT description FROM users WHERE uid="$_SESSION['uid']"';
but always use prepared queries or PDO, as your query is vulnerable to SQL injection
This should work
$sql = "SELECT description FROM users WHERE uid='$_SESSION[uid]'";

PHP syntax error when I try to write an insert statement [duplicate]

This question already has answers here:
PHP parse/syntax errors; and how to solve them
(20 answers)
Closed 7 years ago.
So I have the $sql variable, which is supposed to be a string containing an SQL insert statement. Here's the piece of code:
$fields = array('Nume_dep' => $params['Nume_dep'],
'Id_manager' => $params['Id_manager']);
$id = $params['Id_manager'];
$sql = "insert into departament(Nume_dep,Id_manager) values('$params['Nume_dep']', CONVERT($id, UNSIGNED))";
This is the error message that I get:
Parse error: syntax error, unexpected '' (T_ENCAPSED_AND_WHITESPACE),
expecting identifier (T_STRING) or variable (T_VARIABLE) or number
(T_NUM_STRING)
The syntax error is in the insert statement, but I don't know how to fix it.
$id = $params['Id_manager'];
$nume_dep=$params['Nume_dep'];
$sql = "INSERT INTO departament(Nume_dep,Id_manager) values('$nume_dep', CONVERT($id, UNSIGNED))";
In strings PHP will only do rather basic automatic variable expansion. The issue is with the index operator here: $params['Nume_dep']
Consider using prepared statements in order to prevent SQL injection. If an attacker can make sure that your function is called with something like "', 43); drop table department; --" as value for $params['Nume_dep'], you're going to be in big trouble.
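
The injection risk described in the answer above, and the prepared-query advice given for the session uid lookup earlier on this page, shown as an added example (not code from any of the posters). It assumes PDO with the pdo_sqlite extension and a constructed in-memory table in place of the MySQL one; build_interpolated, insert_department and department_for_manager are hypothetical names.

```php
<?php
// Added example, not the poster's code. Assumes the pdo_sqlite extension; the
// in-memory table is a constructed stand-in for the MySQL `departament` table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE departament (Nume_dep TEXT NOT NULL, Id_manager INTEGER NOT NULL)');
// Constructed input: Nume_dep carries the hostile value quoted in the answer.
$params = ['Nume_dep' => "', 43); drop table department; --", 'Id_manager' => '43'];

// Interpolated form from the answer: the value becomes part of the SQL text.
function build_interpolated(array $params): string
{
    $id = $params['Id_manager'];
    $nume_dep = $params['Nume_dep'];
    return "INSERT INTO departament(Nume_dep,Id_manager) values('$nume_dep', CONVERT($id, UNSIGNED))";
}

// Prepared form: the SQL text is fixed and the values are sent separately as data.
function insert_department(PDO $pdo, array $params): int
{
    // Validate the numeric field in PHP rather than relying on CONVERT() in SQL.
    $id = filter_var($params['Id_manager'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($id === false) {
        throw new InvalidArgumentException('Id_manager must be a non-negative integer');
    }
    $stmt = $pdo->prepare('INSERT INTO departament (Nume_dep, Id_manager) VALUES (:nume, :id)');
    $stmt->bindValue(':nume', $params['Nume_dep'], PDO::PARAM_STR);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $id;
}

// Lookup with a bound parameter; a session uid lookup has the same shape.
function department_for_manager(PDO $pdo, int $id): ?string
{
    $stmt = $pdo->prepare('SELECT Nume_dep FROM departament WHERE Id_manager = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $name = $stmt->fetchColumn();
    return $name === false ? null : $name;
}

// The quote in the input closes the string literal early; the rest parses as SQL.
echo build_interpolated($params), PHP_EOL;
$id = insert_department($pdo, $params);
$stored = department_for_manager($pdo, $id);
// Compares the stored value with the submitted one: bound input stays plain data.
var_dump($stored === $params['Nume_dep']);
```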

Submitting form to database error [duplicate]

This question already has answers here:
PHP parse/syntax errors; and how to solve them
(20 answers)
Closed 7 years ago.
I'm trying to add simple form data to a MySQL database and it seems to not work.
It gives me this error
Parse error: syntax error, unexpected ';' in portfolio-add-website.php on line 7
and portfolio-add-website.php looks like this:
<?php
include 'connect_db.php';
$connect = mysqli_connect(HOST,USERNAME,PASSWORD,DB);
mysqli_query($connect,"INSERT INTO portfolio_websites
(name, link, description, profile_img_name,
cover_img_name, client_name, donedate)
VALUES ('$_POST[name]', '$_POST[link]',
'$_POST[description]',
'$_POST[profile_img_name]',
'$_POST[cover_img_name]', '$_POST[client_name]',
'$_POST[donedate]')";
?>
I don't see any unexpected ";". Can anyone help me? I'm sure it's something small.
You missed a closing brace
mysqli_query($connect,"INSERT INTO portfolio_websites (name, link, description, profile_img_name, cover_img_name, client_name, donedate)
VALUES ('$_POST[name]', '$_POST[link]', '$_POST[description]', '$_POST[profile_img_name]', '$_POST[cover_img_name]', '$_POST[client_name]', '$_POST[donedate]')");

Parse error: syntax error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_STRING in C:/... on line 10 [duplicate]

This question already has answers here:
PHP parse/syntax errors; and how to solve them
(20 answers)
Closed 7 years ago.
<?php
$name=$_POST['name'];
$telephone=$_POST['telephone'];
$comment=$_POST['comment'];
$conn= mysql_connect("localhost","root","");
mysql_select_db("comments",$conn);
$sql= "INSERT INTO inside VALUES{($_POST['name']),($_POST['telephone']),($_POST['comment'])}";
if(mysql_query($sql,$conn))
{
echo 'record added';
}
else
{
echo 'error';
}
?>
I don't know what is the error in line 10, line 10 is:
$sql= "INSERT INTO inside VALUES{($_POST['name']),($_POST['telephone']),($_POST['comment'])}";
My database name is comments and table name is inside, and also sometimes when I finished this I got the result as 'error'; I think it comes from line 18. Can you please tell me how to solve this? I'm fed up with this!
You have syntax errors in your query. You need to have the curly brackets around every $_POST in your query, and your query should be ... VALUE (....)
change -
$sql= "INSERT INTO inside VALUES{($_POST['name']),($_POST['telephone']),($_POST['comment'])}";
to
$sql= "INSERT INTO inside VALUES ( {$_POST['name']}, {$_POST['telephone']},{$_POST['comment']})";
see
http://dev.mysql.com/doc/refman/5.6/en/insert.html
and
http://php.net/manual/en/language.types.string.php#language.types.string.parsing.complex
Also, you should not be inserting user data directly into your database. Take a look at
How can I prevent SQL injection in PHP?

Parse error: syntax error, unexpected 'md5' (T_STRING) [duplicate]

This question already has answers here:
PHP parse/syntax errors; and how to solve them
(20 answers)
Closed 7 years ago.
Here is my PHP code :
$query = "INSERT INTO `user` (`email`, `password`) VALUES('".mysqli_real_escape_string($link, $_POST['email'])."', '"md5(md5($_POST['email']).$_POST['password'])"')";
I can't avoid this error report from these lines:
Parse error: syntax error, unexpected 'md5' (T_STRING) in G:\Private
files\xampp\phpMyAdmin\abc\projects\diary.php on line 32
Help from anyone is expected...
Create a variable, then assign a value to that variable, and pass that variable to the query. This will give better readability and fewer errors.
Code shown below:
$value = md5(md5($_POST['email']).$_POST['password']);
$query = "INSERT INTO user (email, password) VALUES('".mysqli_real_escape_string($link, $_POST['email'])."', '$value')";
It's simply a syntax error:
you forgot the dots on "md5(md5($_POST['email']).$_POST['password'])"
Change this part to
".md5(md5($_POST['email']).$_POST['password'])."
