
I'm getting the following error when I run this code:

Parse error: syntax error, unexpected ',', expecting ')' in /Applications/XAMPP/...results.php on line 43

Line 43 corresponds to the query line below.

Here is my code. The variables are related to form inputs from a questionnaire page. $source_of_fund_1 and $source_of_fund_2 are related to radio button form inputs. The other variables are related to text fields/areas. I'm using validation of isset for the radio button variables and !empty for the text fields/areas.

<?php

$source_of_fund_1 = $_POST['source_of_fund_1'];
$source_of_fund_2 = $_POST['source_of_fund_2'];
$repayment_date = $_POST['repayment_date'];
$do_differently = $_POST['do_differently'];

require_once 'connect.inc.php';

$query = "INSERT INTO tablename 
            (source_of_fund_1, source_of_fund_2, repayment_date, do_differently)
            VALUES 
            ('$source_of_fund_1', '$source_of_fund_2', '$repayment_date',  '$do_differently')";

$result = @mysqli_query($link, $query);

if (($result) && !empty($repayment_date, $do_differently) 
        && isset($source_of_fund_1, $source_of_fund_2)) {
    echo 'Thank you for your submission.';
} else {
    echo 'We were unable to process your information.'.mysqli_error($link).'Please ensure all required fields were filled out.';
}

mysqli_close($link);

?>

Any help at all would be much appreciated! Thank you!

  • Pretty sure you can't do multi-lined strings in PHP Commented Jul 26, 2013 at 18:25
  • Warning: your code is vulnerable to SQL injection attacks! Commented Jul 26, 2013 at 18:26
  • Why are you checking whether all $_POST data are filled after you run the MySQL query? Commented Jul 26, 2013 at 18:31
  • How to prevent SQL injection in PHP: stackoverflow.com/questions/60174/… Commented Jul 26, 2013 at 18:33
  • Thanks everyone for the comments, tips! Commented Jul 26, 2013 at 19:44

2 Answers

3

Your problem is with the empty call. It does not take more than one parameter:

!empty($repayment_date, $do_differently)

should be:

!empty($repayment_date) && !empty($do_differently)

1 Comment

Glad to help. If it worked for you, you should accept the answer for future reference when people come across this question.
0

The immediate issue is, I think, because you're using empty with multiple parameters - unlike isset, it only takes one.

There are a couple of other issues, though.

  1. Don't suppress any errors with the @ - if something goes wrong, you want to know about it, so you can handle it appropriately.

  2. You're passing content from $_POST directly into your SQL with no sanity checking. This is not safe. At the least you should be using mysqli_real_escape_string - but if you're using mysqli, why not make it into a prepared statement, and bind the variables instead? It's much, much safer.

2 Comments

Hi, thanks! What do you mean by making a prepared statement and binding the variables?
Have a look at this answer here: stackoverflow.com/a/60496/1315962 - it's a way to help you write more secure code. As things stand, if someone enters data that includes an apostrophe, it will at best break your query; and possibly do much, much worse. Prepared statements help you avoid that sort of thing.
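The following is an added example, not the asker's script and not code from either answer: it rewrites the same insert with the fixes both answers describe, namely one empty() call per text field, the validation run before anything touches the database, no @ suppression (mysqli is told to throw instead), and a prepared statement with bound parameters in place of interpolating $_POST into the SQL string. It assumes, as in the question, that connect.inc.php defines a mysqli connection in $link and that the table is really called tablename with those four columns.

```php
<?php
// Added example: hardened version of the questionnaire insert.
// Assumptions: connect.inc.php defines $link (mysqli connection); the table
// and column names are the ones used in the question.

require_once 'connect.inc.php';

// Make mysqli throw mysqli_sql_exception on failure instead of returning
// false, so a failed query is reported rather than hidden behind @.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Validate every field up front. A radio group that was never selected has
// no key in $_POST at all, so isset() on $_POST is the right test for it.
// empty() takes exactly one argument (the cause of the original parse
// error), so each text field gets its own call.
$required_radio = ['source_of_fund_1', 'source_of_fund_2'];
$required_text  = ['repayment_date', 'do_differently'];

$errors = [];
foreach ($required_radio as $name) {
    if (!isset($_POST[$name])) {
        $errors[] = "$name was not selected";
    }
}
foreach ($required_text as $name) {
    if (!isset($_POST[$name]) || empty(trim($_POST[$name]))) {
        $errors[] = "$name was left blank";
    }
}

if ($errors) {
    // Nothing has been sent to the database yet, so a bad form costs no query.
    echo 'We were unable to process your information. '
       . 'Please ensure all required fields were filled out.';
    mysqli_close($link);
    exit;
}

// Copy into plain variables: mysqli_stmt_bind_param binds by reference.
$source_of_fund_1 = $_POST['source_of_fund_1'];
$source_of_fund_2 = $_POST['source_of_fund_2'];
$repayment_date   = $_POST['repayment_date'];
$do_differently   = $_POST['do_differently'];

try {
    // The statement text contains only placeholders; user input is sent
    // separately as data, so an apostrophe in a field cannot alter the query.
    $stmt = mysqli_prepare(
        $link,
        'INSERT INTO tablename
            (source_of_fund_1, source_of_fund_2, repayment_date, do_differently)
         VALUES (?, ?, ?, ?)'
    );
    // "ssss": four string parameters, bound in column order.
    mysqli_stmt_bind_param(
        $stmt,
        'ssss',
        $source_of_fund_1,
        $source_of_fund_2,
        $repayment_date,
        $do_differently
    );
    mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);
    echo 'Thank you for your submission.';
} catch (mysqli_sql_exception $e) {
    // Keep the real reason in the server log; do not echo mysqli_error()
    // (table and column names, SQL fragments) back into the page.
    error_log('questionnaire insert failed: ' . $e->getMessage());
    echo 'We were unable to process your information.';
}

mysqli_close($link);
```

The order matters as much as the prepared statement: checking the fields first means a half-filled form never reaches the database, and reporting errors through exceptions means a failing INSERT shows up in the log instead of being swallowed by @ and then misreported to the user as a missing field.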
