Does anyone know what's wrong with mysql query? - php

define("QUERY","INSERT INTO rft_media_invention . " " (dbInventionFileType, dbStaffId, dbInventionFileName, dbInventionFileContent)" . "VALUES (?, ?, ?, ?)");
It's always giving me this error:
Parse error: syntax error, unexpected T_CONSTANT_ENCAPSED_STRING in p3t\phpappfolder\public_php\cw\UC213.php on line 20
Does anyone know if my query is fully correct?

Syntax errors:
define("QUERY","INSERT INTO rft_media_invention . " " (dbIn etc...
^^^^^
should probably be
define("QUERY","INSERT INTO rft_media_invention " . " (dbIn etc...
which also begs the question of why you're concatenating the strings to begin with.

It looks like you need to transpose the first period and the quote that follows it:
...rft_media_invention . " "
should be
...rft_media_invention " . "

Try this: Your comma after rtf_media_invention should go after the double quotes, not before.

define("QUERY","INSERT INTO rft_media_invention " . "(dbInventionFileType, dbStaffId, dbInventionFileName, dbInventionFileContent)" . " VALUES (?, ?, ?, ?)");

Related

What's wrong with the PHP syntax here?

I'm having a hard time figuring out what's wrong in this code. I tried many variations but am still getting an error in this line:
$query= "INSERT INTO publish (name, email, title, content)" .
"VALUES ('$row['Name']','$row['Email']',$row['title'],$row['content'])";
What could be wrong?
Here's the rest of the code:
<?php
// connect to the database
include('config2.php');
// check if the 'id' variable is set in URL, and check that it is valid
if (isset($_GET['id']) && is_numeric($_GET['id']))
{
// get id value
$id = $_GET['id'];
$dbc = mysqli_connect('localhost', 'x', 'x', 'x')
or die('Error');
$name = $row['Name'];
$email = $row['Email'];
$title = $row['title'];
$content = $row['content'];
$result = mysql_query("select *stories WHERE id=$id")
or die(mysql_error());
$row = mysql_fetch_array( $result );
$query= "INSERT INTO publish (name, email, title, content)" .
"VALUES ('$row['Name']','$row['Email']',$row['title'],$row['content'])";
or die('Error querying database.');
mysqli_close($dbc);
}
?>
Error message: "parse error expecting identifier (t_string) ' or variable (t_variable) ' or number (t_num_string) '"
You probably want to use complex string syntax to properly interpolate those variables. For example:
$query= "INSERT INTO publish (name, email, title, content)" .
"VALUES ('{$row['Name']}','{$row['Email']}',{$row['title']},{$row['content']})";
Though that will only fix one of the issues with the code.
Do note there are plenty of other ways to resolve this one too, such as concatenation instead of interpolation, or string replacements, etc etc.
It might also be worth reading the documentation on strings at some point.
You forgot the "." between your variables and your strings. Like so:
$query= "INSERT INTO publish (name, email, title, content)" .
"VALUES (".$row['Name'].','.$row['Email'].','.$row['title'].','.$row['content'].")";
However, it looks like you may have some additional issues going on there with the actual SQL query.
The best practice in PHP is to use single quote ' for strings. Cos PHP looks for variables inside double quoted strings and keeps on sniffing whether there is a variable (or multiple variables) inside the string.
So for example: "A very very long string... $var1 .. long string .. $var2 string" this will run slower compared to 'A very very long string... ' . $var1 . ' .. long string .. ' . $var2 . ' string'; cos when PHP sees single quote it won't sniff for variables inside it thus it's faster.
From my experience, in my early age I worked on a very large php script and used double quotes everywhere. After the above explanation from an expert I converted the whole script to single quote and the performance was much better.
So for your situation I'd suggest and request to use single quotes and it'll avoid confusions as well. Also using mysql_real_escape_string() is a good practice to avoid SQL Injection.
$query= 'INSERT INTO publish (name, email, title, content)
VALUES (
\'' . mysql_real_escape_string ($row['Name']) . '\',
\'' . mysql_real_escape_string ($row['Email']) . '\',
\'' . mysql_real_escape_string ($row['title']) . '\',
\'' . mysql_real_escape_string ($row['content']) . '\')';

What is the syntax error in this SQL/PHP Code?

Dreamweaver is reporting an error in the 3rd line of the following code:
if (isset($_POST['sitename']))
{
$query = "INSERT INTO dllist (name, url, pr) VALUES ( "$_REQUEST['sitename'], $_REQUEST['siteurl'], $_REQUEST['pagerank']" )";
$result = mysql_query($query)
or die("Query Failed".mysql_error());
echo "<br />Website Has been added<br />";
}
Also, when running the code in my browser the following error is reported
Parse error: syntax error, unexpected '$_REQUEST' (T_VARIABLE)
Can anybody tell me where the mistake is? I shall really be grateful.
The commas (and the fact you're missing the containers around your values (e.g. single quotes)), it should be:
$query = "INSERT INTO dllist (name, url, pr) VALUES ('".$_REQUEST['sitename']."', '".$_REQUEST['siteurl']."', '".$_REQUEST['pagerank']."')";
Although this is still bad practice, and it has no SQL Injection protection.
You need to concatenate the string. Change VALUES (" to VALUES (" .
The values you put in the insert query need to be single quoted individually like this:
$query = "INSERT INTO dllist (name, url, pr) VALUES ( '{$_REQUEST['sitename']}', '{$_REQUEST['siteurl']}', '{$_REQUEST['pagerank']}' )";

Concatenate variables inside of a query

What would be the proper way to concatenate this query?
$query2= "SELECT * FROM relationships WHERE user_1= '.$_SESSION['user_id'].'
AND user_2= '.$user_id.' ";
I keep getting this error:
Parse error: syntax error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_STRING in C:\xampp\htdocs\beta\profile.php on line 32
What would be the proper way to concatenate this query?
To let your SQL library/client/server do it for you (while escaping special characters for free). Trying to build code by mashing strings together is relatively error prone and involves fiddly combinations of various quote characters that can become hard to maintain.
Use prepared statements and bound arguments instead.
You have an incorrect nesting of single and double quotes.
$query2= "SELECT * FROM relationships WHERE user_1= '" . $_SESSION['user_id'] . "' AND user_2= '" . $user_id . "'";
Either:
$query2 = "SELECT * FROM relationships WHERE user_1='" . $_SESSION['user_id'] . "'AND user_2='" . $user_id . "'";
Or:
$query2 = "SELECT * FROM relationships WHERE user_1='${_SESSION['user_id']}' AND user_2='$user_id'";
fixes your syntax error. However, forming queries through concatenation is a bad idea. At the very least, you should mysql_real_escape_string all the arguments, if not move to using PDO.
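
The prepared statements with bound arguments that these answers recommend, shown for the relationships query as an added example that is not part of any post above. It assumes PHP with the pdo_sqlite extension (in-memory SQLite stands in for MySQL so it runs offline); the helper names addRelationship and findRelationships are hypothetical and the sample values are constructed.

```php
<?php
// Added example, not code from any post on this page.
// With MySQL only the DSN passed to PDO changes; the statements stay the same.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE relationships (user_1 TEXT, user_2 TEXT)');

// Hypothetical helper: INSERT with positional placeholders.
// The SQL is a constant single-quoted string, so there is no interpolation
// and no nested quoting for the PHP parser to reject.
function addRelationship(PDO $pdo, string $user1, string $user2): void
{
    $stmt = $pdo->prepare('INSERT INTO relationships (user_1, user_2) VALUES (?, ?)');
    $stmt->execute([$user1, $user2]);
}

// Hypothetical helper: the question's SELECT with named placeholders.
// Values are sent separately from the SQL text, so quote characters in
// them are treated as data and never as part of the statement.
function findRelationships(PDO $pdo, string $user1, string $user2): array
{
    $stmt = $pdo->prepare(
        'SELECT user_1, user_2 FROM relationships
         WHERE user_1 = :user_1 AND user_2 = :user_2'
    );
    $stmt->execute([':user_1' => $user1, ':user_2' => $user2]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data; one value deliberately contains an apostrophe.
$_SESSION = ['user_id' => "o'neil"];
$user_id  = '42';
addRelationship($pdo, $_SESSION['user_id'], $user_id);
addRelationship($pdo, 'alice', '7');

// Exact match: the apostrophe needs no escaping and breaks nothing.
$exact = findRelationships($pdo, $_SESSION['user_id'], $user_id);
printf("rows for the stored pair: %d\n", count($exact));

// A value full of quote characters is compared literally and matches nothing.
$odd = findRelationships($pdo, "x' OR '1'='1", $user_id);
printf("rows for the quote-laden value: %d\n", count($odd));
```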

getting T_ENCAPSED_AND_WHITESPACE error in PHP

I am creating an app in PHP
in which I am getting an error on this line:
$sql="INSERT INTO table ( `rollnum`,'sessionid', `class`, `subject`, `theory`, `practical`, `type_of`, `term`) VALUES ('$students['rollnum']', '$session','$class','$subject['id']','$_REQUEST[$subject['id'].'_'.$students['rollnum'].'_th']','$_REQUEST[$subject['id'].'_'.$students['rollnum'].'_pr']', '$examtype', '$examsubtype')";
I don't know what's wrong with this line.
I even checked at an online platform. They said the same, that there is an error on the line above.
Anyone who can help me with this?
Thanks
You likely need to surround the variables in a double quoted string with braces.
$string = "I want to use {$variable1} and {$variable['thisKey']}";
or the following, which is a little faster to run:
$string = 'I want to use'.$variable1.'and '.$variable['thisKey'];
So that should solve your immediate problem, however your query is very open to an injection which can be very bad, especially if you're using $_REQUEST right in your query string. I'd recommend looking into preparing your query statements before running them and ensuring all the dangerous stuff is escaped.
I answered another question that includes a safe way of doing a query over here with this answer
If your PHP environment had had these settings: display_errors = On; error_reporting = E_ALL, you would have seen:
PHP Parse error: syntax error, unexpected '' (T_ENCAPSED_AND_WHITESPACE), expecting identifier (T_STRING) or variable (T_VARIABLE) or number (T_NUM_STRING)
Like in this example:
$array['value'] = 'test';
echo "$array['value']";
It should be like that:
echo "".$array['value']."";
echo "{$array['value']}";
Anyway, you can use numeric keys:
$array[0] = 'test';
echo "$array[0]";
You need to surround your variable names with braces inside the string:
$sql="INSERT INTO stdexamrecord ( `rollnum`, `sessionid`, `class`, `subject`, `theory`, `practical`, `type_of`, `term`) VALUES (
'${students['rollnum']}',
'$session',
'$class',
'${subject['id']}',
'" . $_REQUEST[ $subject['id'] . '_' . $students['rollnum'] . '_th'] . "',
'" . $_REQUEST[ $subject['id'] . '_' . $students['rollnum'] . '_pr'] . "',
'$examtype',
'$examsubtype')";
Try to use Dreamweaver or NetBeans, which might help you find the error at the correct place.

Why do I get a syntax error when embedding array elements in a string?

I am trying to INSERT some data into a database. I can do this on one FIELD just not on multiple. It seems to be a simple syntax issue. The error I get is:
Parse error: syntax error, unexpected ',', expecting ']'
The error is on the INSERT line:
<?php
$con = mysql_connect("local","username","password");
if (!$con)
{die('Could not connect: ' . mysql_error());}
mysql_select_db("npsreviews", $con);
$sql="INSERT INTO burkett (DATE, STORE, 5STAR, 4STAR, 3STAR, 2STAR, 1STAR, TOTAL, NPS) VALUES ('$_POST[DATE]', '$_POST[STORE]', '$_POST[5STAR]', '$_POST[4STAR]', '$_POST[3STAR]', '$_POST[2STAR]', '$_POST[1STAR]', '$_POST[TOTAL]', '$_POST[NPS]')";
if (!mysql_query($sql,$con)){die('Error: ' . mysql_error());}
mysql_close($con)
?>
Thanks in advance, I cannot find the answer when looking for Multiple $POST.
First of all, you're missing quotes around the array indices; It should be $_POST["STORE"], not $_POST[STORE]. Secondly, you can't index arrays this way with string interpolation. You'll need to use {$...} syntax:
$x = array("key" => "value");
echo "The value of 'key' is '{$x["key"]}'";
Or concatenate the pieces of the string:
echo "The value of 'key' is '" . $x["key"] . "'";
Either method will produce:
The value of 'key' is 'value'
Note: I've answered your question as a simple syntax error, but this does not solve your real problem, which is rampant SQL injection vulnerability.
SQL query should look like this
$sql="INSERT INTO burkett (DATE, STORE, 5STAR, 4STAR, 3STAR, 2STAR, 1STAR, TOTAL, NPS) VALUES ('{$_POST["DATE"]}',
'{$_POST["STORE"]}', '{$_POST["5STAR"]}', '{$_POST["4STAR"]}', '{$_POST["3STAR"]}', '{$_POST["2STAR"]}',
'{$_POST["1STAR"]}', '{$_POST["TOTAL"]}', '{$_POST["NPS"]}')";
But all in all, your SQL query is prone to SQL injection, so I would recommend cleaning your POST before doing something with it.
Read more about SQL injections here
You can clean your $_POST using this
$_POST = array_map('mysql_real_escape_string',$_POST);
Or use PDO and use prepared statements to accomplish SQL INSERTs, UPDATEs etc.
Escape it like so:
$sql= "INSERT INTO burkett (DATE, STORE, 5STAR, 4STAR, 3STAR, 2STAR, 1STAR, TOTAL, NPS) VALUES ('" . $_POST['DATE'] . "', '" . $_POST['STORE'] . "', '" . $_POST['5STAR'] . "', '" . $_POST['4STAR'] . "', '" . $_POST['3STAR'] . "', '" . $_POST['2STAR'] . "', '" . $_POST['1STAR'] . "', '" . $_POST['TOTAL'] . "', '" . $_POST['NPS'] . "')";
