PHP Mysql Parse Error

Question

I'm using this Code, to insert the data which is sent with POST into my database.

mysql_query("INSERT INTO pending 
 (name, alter, mail, kd, steam, spiele)
 VALUES
 ('$_POST["name"]', '$_POST["alter"]', '$_POST["mail"]', '$_POST["kd"]', '$_POST["steam"]', '$_POST["spiele"]')");

but PHP keeps throwing the following error:

PHP Parse error: syntax error, unexpected '"', expecting identifier (T_STRING) or variable (T_VARIABLE) or number (T_NUM_STRING) in /var/www/bewerben.php on line 34

I cant see the problem there, because i think the '"' is needed there?

Wrap the $_POST values in {} braces, and perform sanitation before you put them in your query, otherwise you will be vulnerable to SQL injection attacks — NorthBridge
– NorthBridge, Commented Apr 17, 2014 at 7:34
Yes, I know how to secure my Code from SQL Injection, but I just wanted that it works before. — sidisido
– sidisido, Commented Apr 17, 2014 at 7:37

Ivanka Todorova · Accepted Answer · 2014-08-13 19:21:38Z

You have a bad quote ordering. You can use curly bracers, to escape the variables:

mysql_query("INSERT INTO pending 
 (name, alter, mail, kd, steam, spiele)
 VALUES
 ('{$_POST['name']}', '{$_POST['alter']}', '{$_POST['mail']}', '{$_POST['kd']}', '{$_POST['steam']}', '{$_POST['spiele']}')");

From the docs:

Complex (curly) syntax

This isn't called complex because the syntax is complex, but because it allows for the use of complex expressions.

Any scalar variable, array element or object property with a string representation can be included via this syntax. Simply write the expression the same way as it would appear outside the string, and then wrap it in { and }.

To further explain, we have two variables:

$fruit = 'Orange';
$sentence = "$fruits are my favorite fruit";

What I'm trying to get is: Oranges are my favorite fruit. However, this won't work. PHP will instead be looking for a variable called $fruits, and when it doesn't find it, it'll show an error.

So to complete the task properly, we have to wrap the variable in curly braces { }:

$fruit = 'Orange';
$sentence = "{$fruit}s are my favorite fruit";

Great! Now PHP will know where the variable name ends and the string starts.

P.S. I recommend using mysqli.

I'm not quite sure I have the rights to write this here, but I looked at your code & I noticed a problem:

You are using mysql_* which is deprecated since PHP 5.5.0. This extension is deprecated as of PHP 5.5.0, and will be removed in the future.

Instead of mysql_* you can use PDO or MySQLi.

Here is a simple example of using MySQLi:

$mysqli = mysqli_init();
$mysqli->real_connect($db_host, $db_user, $db_pass, $db_name);

Then you can prepare your query:

$stmt = $mysqli->prepare("insert into table values(?, ?)");

Bind the params:

$stmt->bind_param("is", $param1, $param2);

We say that the first variable $param1 is an integer and $param2 is a string.

The last thing we need to do is to assign to those variables some values and execute the statement.

$param1 = 1;
$param2 = "somestring";
$stmt->execute();

souslov · Accepted Answer · 2014-04-17 07:33:01Z

1

You should wrap you $_POST variables in {} or escape double quotes in its' keys with \:

mysql_query("INSERT INTO pending 
(name, alter, mail, kd, steam, spiele)
VALUES
('{$_POST["name"]}', '{$_POST["alter"]}', '{$_POST["mail"]}', '{$_POST["kd"]}',    '{$_POST["steam"]}', '{$_POST["spiele"]}')");

answered Apr 17, 2014 at 7:33

souslov

44.7k11 gold badges92 silver badges113 bronze badges

2 Comments

Shankar Narayana Damodaran Over a year ago

You should explain what you did. :)

sidisido Over a year ago

Next error: PHP Parse error: syntax error, unexpected ''})");\r' (T_ENCAPSED_AND_WHITESPACE), expecting '}' in /var/www/bewerben.php on line 34

user3517652 · Accepted Answer · 2014-04-17 07:34:58Z

0

or you can try this :

mysql_query("INSERT INTO pending 
 (name, alter, mail, kd, steam, spiele)
 VALUES
 ('".$_POST["name"]."', '".$_POST["alter"]."', '".$_POST["mail"]."', '".$_POST["kd"]', '".$_POST["steam"]."', '".$_POST["spiele"]."')");

answered Apr 17, 2014 at 7:34

user3517652

941 silver badge8 bronze badges

Comments

Swaraj Giri · Accepted Answer · 2014-04-17 07:36:19Z

0

Try this

INSERT INTO pending (name, alter, mail, kd, steam, spiele) VALUES ($_POST["name"], $_POST["alter"], $_POST["mail"], $_POST["kd"], $_POST["steam"], $_POST["spiele"])

NEVER INSERT POSTED VALUES WITHOUT VALIDATION / SANITIZING INTO THE DB

Read about SQL injection : http://www.php.net/manual/en/security.database.sql-injection.php

answered Apr 17, 2014 at 7:36

Swaraj Giri

4,0372 gold badges30 silver badges45 bronze badges

Comments

Dewald Els · Accepted Answer · 2014-04-17 07:58:23Z

0

Why don't you create a function so your code is more reusable?. It's always good to make a single place for reoccurring processes, like adding quotes to strings.

$sql   = "INSERT INTO pending SET
          name   = ".quote($_POST['name']).",
          alter  = ".quote($_POST['alter']).",
          mail   = ".quote($_POST['mail']).",
          kd     = ".quote($_POST['kd']).",
          steam  = ".quote($_POST['steam']).",
          spiele = ".quote($_POST['spiele']);

mysql_query($sql);

function quote($val) {
    return "'".$val."'";
}

Also, I prefer using the SET colname = value method for sql, it makes for much more readable code.

answered Apr 17, 2014 at 7:58

Dewald Els

2011 silver badge12 bronze badges

Collectives™ on Stack Overflow

PHP Mysql Parse Error

5 Answers 5

Comments

2 Comments

Comments

Comments

Comments

Your Answer

Hot Network Questions

Collectives™ on Stack Overflow

5 Answers 5

Comments

2 Comments

Comments

Comments

Comments

Your Answer

Sign up or log in

Post as a guest

Related