This question already has answers here:
Reference - What does this error mean in PHP?
(38 answers)
Closed 9 years ago.
I have some problems with my query. Can someone help me fix it?
This is my code:
mysql_query ("INSERT INTO categories_to_sales (sales_id, categories_id, value) VALUES ('$sale_id','$catid', '$_POST['txtCategorie_' . '$catid']') ");
When I use this code I get the following error:
Parse error: syntax error, unexpected '' (T_ENCAPSED_AND_WHITESPACE), expecting identifier (T_STRING) or variable (T_VARIABLE) or number (T_NUM_STRING) in addsales.php on line 91
I think it might have something to do with the $_POST[].
I fixed the query by changing it into:
mysql_query("INSERT INTO categories_to_sales (sales_id, categories_id, value) VALUES ('$sale_id','$catid', '" . $_POST['txtCategorie_' . "$catid"] . "' )");
It is a quoting issue where you are handling the $_POST (as you suspected). Try this:
mysql_query ("INSERT INTO categories_to_sales (sales_id, categories_id, value) VALUES ('$sale_id','$catid', '".$_POST['txtCategorie_' . $catid]."') ");
Notice the added quotes around the $_POST portion.
As mentioned in the other comments, you really should be escaping the $_POST value, as well as using mysqli instead of mysql.
Even better would be something like this:
$sql = "INSERT INTO categories_to_sales
(sales_id, categories_id, value)
VALUES
('".mysqli_real_escape_string($db, $sale_id)."',
'".mysqli_real_escape_string($db, $catid)."',
'".mysqli_real_escape_string($db, $_POST['txtCategorie_' . $catid])."');";
mysqli_query($db, $sql);
This should work (and is broken down a little bit more):
Version 1, if the "_" is part of the name of your post param:
$value = $_POST['txtCategorie_'];
$value .= $_POST[$catid];
$query = "INSERT INTO categories_to_sales (sales_id, categories_id, value) VALUES
('$sale_id','$catid', '$value')";
$result = mysql_query ($query);
Version 2, if the "_" is not part of the name of your post param and should just be appended to your value:
$value = $_POST['txtCategorie'];
$value .= "_";
$value .= $_POST[$catid];
$query = "INSERT INTO categories_to_sales (sales_id, categories_id, value) VALUES
('$sale_id','$catid', '$value')";
$result = mysql_query ($query);
But as mentioned in the comments, of course you should do some reading about SQL injection and security.
This question already has answers here:
PHP parse/syntax errors; and how to solve them
(20 answers)
Closed 6 years ago.
$marka = $_POST['marka'];
$model = $_POST['model'];
$godiste = $_POST['godiste'];
$cena = $_POST['cena'];
$query = "INSERT INTO `auto` (`id`, `marka`, `model`, `godiste`, `cena`) VALUES (NULL, '$marka', '$model', '$godiste', '$cena');"
if(mysqli_query($connection,$query)) {
echo "New record created";
} else {
echo "Error: " . $query . "<br>" . mysqli_error($connection);
}
I can't find what the problem is here:
Parse error: syntax error, unexpected 'if' (T_IF) in C:\wamp\www\autoplac\forma.php on line 16
Do not stuff user-input values into query strings. The usual reason given is SQL injection -- and that is an important reason. An even better reason is that you can get unexpected syntax errors, because the content of the string interferes with the rest of the query.
It is easy enough to use parameters. Start with mysqli_prepare(). Here is a place in the documentation to start.
You forgot the semicolon AFTER the double quote in the query sentence
Missing ; on end of line
$query = "INSERT INTO `auto` (`id`, `marka`, `model`, `godiste`, `cena`) VALUES (NULL, '$marka', '$model', '$godiste', '$cena');"
should be
$query = "INSERT INTO `auto` (`id`, `marka`, `model`, `godiste`, `cena`) VALUES (NULL, '$marka', '$model', '$godiste', '$cena');";
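An added example, not code from any answer above: it shows the point about user input breaking the query text, and the parameterized alternative, using the `auto` table from the question. It uses PDO with an in-memory SQLite database so it runs without a MySQL server (an assumption; the thread uses mysqli), and the `$post` array is a constructed stand-in for `$_POST`.

```php
<?php
// Added example. Assumes the pdo_sqlite extension is available; the in-memory
// SQLite database stands in for the MySQL server used in the thread.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE auto (
    id INTEGER PRIMARY KEY, marka TEXT, model TEXT, godiste INTEGER, cena REAL)');

// Constructed sample standing in for $_POST: the model name contains a quote.
$post = ['marka' => 'Kia', 'model' => "Cee'd", 'godiste' => '2012', 'cena' => '7500'];

// Interpolated query, as in the question: the apostrophe in the value ends the
// string literal early, so the database rejects the whole statement.
function insertInterpolated(PDO $pdo, array $in): bool
{
    $query = "INSERT INTO auto (id, marka, model, godiste, cena) VALUES "
           . "(NULL, '{$in['marka']}', '{$in['model']}', '{$in['godiste']}', '{$in['cena']}')";
    try {
        $pdo->exec($query);
        return true;
    } catch (PDOException $e) {
        echo "Interpolated query failed: ", $e->getMessage(), "\n";
        return false;
    }
}

// Parameterized query: the SQL text is fixed and the values are bound
// separately, so their content can never change the statement's syntax.
function insertPrepared(PDO $pdo, array $in): int
{
    $stmt = $pdo->prepare(
        'INSERT INTO auto (marka, model, godiste, cena)
         VALUES (:marka, :model, :godiste, :cena)');
    $stmt->execute([
        ':marka'   => $in['marka'],
        ':model'   => $in['model'],
        ':godiste' => (int) $in['godiste'],
        ':cena'    => (float) $in['cena'],
    ]);
    return (int) $pdo->lastInsertId();
}

var_dump(insertInterpolated($pdo, $post));

$id = insertPrepared($pdo, $post);
$check = $pdo->prepare('SELECT model FROM auto WHERE id = ?');
$check->execute([$id]);
echo "Stored model: ", $check->fetchColumn(), "\n";
```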
$sql = "INSERT INTO users (name, password, email, phone, address)
VALUES ('$_POST['name']', '$_POST['password']', '$_POST['email']', '$_POST['phone']', '$_POST['address']', )";
As one can possibly see, I am trying to insert these values into my table; however I am getting an unexpected error: Parse error: syntax error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_STRING in /home/csc4370FA14_18/public_html/program/assignments/group project3/register.php on line 35.
I assume it has something to do with the single quotations; is there a way to fix this with double quotes, backslash characters?
Try assigning post values to new variable and then use the new variables in your sql statement. For example,
$name = $_POST['name'];
$sql = "INSERT INTO users ".
"(name) ".
"VALUES('$name')";
This should solve your purpose.
$sql = "INSERT INTO users (name, password, email, phone, address)
VALUES ('".$_POST['name']."', '".$_POST['password']."', '".$_POST['email']."', '".$_POST['phone']."', '".$_POST['address']."', )";
Note: I hope you are adding something after the last , in the query, otherwise this query will fail.
This question already has an answer here:
Syntax error due to using a reserved word as a table or column name in MySQL
(1 answer)
Closed 8 years ago.
Well I'm getting this error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'desc,fb_title,fb_pic,fb_url,fb_desc) VALUES('', '', '', '', '', '', '', ''' at line 1
For the following code:
$sql="INSERT INTO page(title,css,favicon,charset,keywords,author,desc,fb_title,fb_pic,fb_url,fb_desc)
VALUES('$title', '$css', '$favicon', '$charset', '$keywords', '$author', '$desc', '$fb_title', '$fb_pic', '$fb_url', '$fb_desc')";
Everything looks fine to me.. what's wrong?
DESC is a reserved keyword. You should put it as `DESC` to escape it.
INSERT INTO page(title,css,favicon,charset,keywords,author,`desc`,fb_title,fb_pic,fb_url,fb_desc)
VALUES('$title', '$css', '$favicon', '$charset', '$keywords', '$author', '$desc', '$fb_title', '$fb_pic', '$fb_url', '$fb_desc')
Add backticks around desc because it's a reserved word
INSERT INTO page(title,css,favicon,charset,keywords,author,`desc`,fb_title,fb_pic,fb_url,fb_desc)
VALUES('$title', '$css', '$favicon', '$charset', '$keywords', '$author', '$desc', '$fb_title', '$fb_pic', '$fb_url', '$fb_desc')
DESC is a reserved keyword and you cannot have that as a column; otherwise, surround it using the backtick operator.
Here..
$sql="INSERT INTO page(title,css,favicon,charset,keywords,author,desc,fb_t
------------^
Disclaimer: Stop using mysql_* functions as they are deprecated. Switch to MySQLi or PDO instead.
desc is a reserved keyword in MySQL
$sql="INSERT INTO page(`title`, `css`, `favicon`, `charset`, `keywords`, `author`,`desc`,`fb_title`,`fb_pic`,`fb_url`,`fb_desc`)
VALUES('$title', '$css', '$favicon', '$charset', '$keywords', '$author', '$desc', '$fb_title', '$fb_pic', '$fb_url', '$fb_desc')";
This question already has answers here:
Reference - What does this error mean in PHP?
(38 answers)
Closed 9 years ago.
This is the error I am getting.
"Parse error: syntax error, unexpected T_CONSTANT_ENCAPSED_STRING in on line 188"
What I am trying to do is connect to the database and insert data into the table, but I can't figure out this error.
$tableName = "customer";
$nullStr = "NULL";
$SQLstring = "INSERT INTO $tableName VALUES
('".$nullstr."','".$fname."', '".$lname."','".$address."','".$state."','".$zip."', '".$phone"','".$email"')";
$result = $mysqli->query($SQLstring);
You're missing the string concatenation operator . in a couple of places.
Replace
$SQLstring = "INSERT INTO $tableName VALUES
('".$nullstr."','".$fname."', ".$lname."','".$address."','".$state."','".$zip."','".$phone"','".$email"')";
with
$SQLstring = "INSERT INTO $tableName VALUES
('".$nullStr."','".$fname."', '".$lname."','".$address."','".$state."','".$zip."','".$phone."','".$email."')";
BTW, variable names are case-sensitive. You define $nullStr then try to use $nullstr. I fixed it in the above code.
Use a prepared statement with parameter binding instead. Not only does it make this a lot cleaner, it also avoids SQL injection.
$query = "INSERT INTO $tableName VALUES (NULL, ?, ?, ?, ?, ?, ?, ?)";
$stmt = $mysqli->prepare($query);
$stmt->bind_param('sssssss', $fname, $lname, $address, $state,
$zip, $phone, $email);
$stmt->execute();
You are missing some periods. Try this...
$SQLstring = "INSERT INTO $tableName VALUES ('".$nullStr."','".$fname."','".$lname."','".$address."','".$state."','".$zip."','".$phone."','".$email."')";
I access my page passing some parameters through the URL:
www.mypage.com/page.php?aID=4091cdcd-773d-4ca5-bab2-41e1188870a9&sID=1_MX4yMjI1MTgxMn4xMjcuMC4wLjF-V2VkIERlYyAyNiAwOTo1MDoyNiBQU1QgMjAxMn4wLjg1MjA4MTF-&nam=Gab&tel=7777777777
then in my PHP code I have:
if(isset($_GET['sID'])) {
$sID = $_GET['sID'];
}
if(isset($_GET['aID'])) {
$aID = $_GET['aID'];
}
if(isset($_GET['nam'])) {
$nam = $_GET['nam'];
}
if(isset($_GET['tel'])) {
$tel = $_GET['tel'];
}
I have no problem retrieving $nam and $tel, but $aID and $sID always get an empty string. I have tried using double quotes (isset($_GET["aID"])), but it has not made any difference.
Are there illegal characters on the string or a limit in size of a variable you can pass through the URL? How can I GET variables $aID and $sID?
$query = "INSERT INTO myTable (ArchiveID, SessionID, Name, Tel) VALUES ('$aiD', '$siD', '$nam', '$tel' )";
echo $query;
Echo $query's output is:
INSERT INTO myTable (ArchiveID, SessionID, Name, Tel) VALUES ('', '', 'Gab', '7777777777' )
Testing your URL, I get the following result:
Array
(
[aID] => 4091cdcd-773d-4ca5-bab2-41e1188870a9
[sID] => 1_MX4yMjI1MTgxMn4xMjcuMC4wLjF-V2VkIERlYyAyNiAwOTo1MDoyNiBQU1QgMjAxMn4wLjg1MjA4MTF-
[nam] => Gab
[tel] => 7777777777
)
Therefore, I'm not sure what you mean by you're getting an empty string. You did have a typo in your code, where $tel references $_GET['aID']. I would advise you verify your code.
I would recommend that you also use $_SERVER['REQUEST_METHOD'] to verify that your script is using GET.
Update
Per your updated query, it seems as though your case is incorrect. The variable name is case-sensitive.
$query = "INSERT INTO ... VALUES ('$aiD', '$siD', '$nam', '$tel' )";
^ ^
Should be:
$query = "INSERT INTO ... VALUES ('$aID', '$sID', '$nam', '$tel' )";
You have to enable error reporting and logging to the highest level when you develop PHP.
You have to check return values of methods you call to see if they did what you thought they did. You have to look for more error information if something failed.
You have to look into prepared statements to prevent SQL injection.
And yes, mysql_* functions are deprecated. Do not use them for new code.
You notice in your sql statement you are not calling the variables you defined:
$query = "INSERT INTO myTable (ArchiveID, SessionID, Name, Tel) VALUES ('$aiD', '$siD', '$nam', '$tel' )";
should be:
$query = "INSERT INTO myTable (ArchiveID, SessionID, Name, Tel) VALUES ('$aID', '$sID', '$nam', '$tel' )";
And it looks like njk updated his answer to reflect this, so he should be credited for the answer.