-4

I have some problems with my query; can someone help me fix it?

This is my code:

 mysql_query ("INSERT INTO categories_to_sales (sales_id, categories_id, value) VALUES ('$sale_id','$catid', '$_POST['txtCategorie_' . '$catid']') ");  

When I use this code I get the following error:

Parse error: syntax error, unexpected '' (T_ENCAPSED_AND_WHITESPACE), expecting identifier (T_STRING) or variable (T_VARIABLE) or number (T_NUM_STRING) in addsales.php on line 91

I think it might have something to do with the $_POST[].

lepel100
  • It's a quoting issue. Also, **you are wide open to [SQL injections](http://stackoverflow.com/q/60174)** – John Conde Oct 14 '13 at 14:18
  • No @deceze that's something else. – lepel100 Oct 14 '13 at 14:20
  • @lepel100: It has *everything* to do with the `$_POST` and how you're executing user input as SQL code. This is called a SQL Injection vulnerability. Start here: http://php.net/manual/en/security.database.sql-injection.php – David Oct 14 '13 at 14:23
  • @john conde thanks for the concerns but it's a company website and only internal. They're not going to hack the site. And I will add mysql_real_escape once I've got this query working... – lepel100 Oct 14 '13 at 14:23
  • Yes, it does have something to do with the post variable. I could explain how to correct it, but really; I don't want to be responsible for code like this actually being used. There are multiple layers of bad practice here, even once we fix the initial parse issue. Since you're clearly only just learning PHP, I'll cut you some slack, but please go and find a *decent* PHP tutorial, because you've obviously been reading some pretty bad/out of date ones up until now. – Spudley Oct 14 '13 at 14:24
  • Spudley, what's bad about that MySQL code? I know it's not safe, but I first wanted to get it working because it first had mysql_real_escape_string and quoting but I cut it because I got the error shown above.. – lepel100 Oct 14 '13 at 14:29
  • Please demonstrate how it's a different issue than the linked one. The error message has the same root cause. You certainly have *bigger* problems on top of that too though. – deceze Oct 14 '13 at 14:45

3 Answers

0

I fixed the query by changing it into:

  mysql_query("INSERT INTO categories_to_sales (sales_id, categories_id, value) VALUES ('$sale_id','$catid', '" . $_POST['txtCategorie_' . "$catid"] . "' )");                     
lepel100
-1

It is a quoting issue where you are handling the $_POST (as you suspected). Try this:

mysql_query ("INSERT INTO categories_to_sales (sales_id, categories_id, value) VALUES ('$sale_id','$catid', '".$_POST['txtCategorie_' . $catid]."') ");

Notice the added quotes around the $_POST portion.

As mentioned in the other comments, you really should be escaping the $_POST value, as well as using mysqli instead of mysql.

Even better would be something like this:

$sql = "INSERT INTO categories_to_sales
          (sales_id, categories_id, value)
        VALUES
          ('".mysqli_real_escape_string($db, $sale_id)."',
           '".mysqli_real_escape_string($db, $catid)."',
           '".mysqli_real_escape_string($db, $_POST['txtCategorie_' . $catid])."');";

mysqli_query($db, $sql);
  • I'm getting this error when using that $_POST: Parse error: syntax error, unexpected ';' in addsales.php on line 93 – lepel100 Oct 14 '13 at 14:43
  • Maybe try changing the `$_POST` portion to this: `'".$_POST['txtCategorie_' . $catid]."'`, which removes the single quotes around `$catid`. – justanotherprogrammer Oct 14 '13 at 14:47
-2

This should work (and is a little bit more breakdown):

Version 1, if the "_" is part of the name of your post param:

$value  = $_POST['txtCategorie_']; 
$value .= $_POST[$catid];          // $catid must not be single-quoted, or the key is the literal text '$catid'

$query  = "INSERT INTO categories_to_sales (sales_id, categories_id, value) VALUES
('$sale_id','$catid', '$value')";  // closing double quote was missing

$result = mysql_query ($query);

Version 2, if the "_" is not part of the name of your post param and should just append to your value

$value  = $_POST['txtCategorie'];
$value .= "_"; 
$value .= $_POST[$catid];          // same fix: no single quotes around $catid

$query  = "INSERT INTO categories_to_sales (sales_id, categories_id, value) VALUES
('$sale_id','$catid', '$value')";  // closing double quote was missing

$result = mysql_query ($query);

But as mentioned in the comments, of course you should read some material about SQL injection and security.

kinske
  • It looks like the OP is trying to get the value of $_POST['txtCategorie_$catID'], which would look more like `$cat = 'txtCategorie_'.$catID; $value = $_POST[$cat];` – aynber Oct 14 '13 at 14:43
  • @aynber there's a much easier solution? When using this code: `'" . $_POST['txtCategorie_' . "$catid"] . "'` it works fine now. – lepel100 Oct 14 '13 at 14:50
  • Mine was more of an example of what the array key would look like, and why the answer was not correct :-) – aynber Oct 14 '13 at 14:59