When I sign up on my form, I get this error. Any help would be great.

Error:

Parse error: syntax error, unexpected '"', expecting T_STRING or T_VARIABLE or 
T_NUM_STRING in /home/u378761662/public_html/action.php on line 3

My PHP:

<?php
$con=mysqli_connect("myhost.com","user","password","db");
$sql="INSERT INTO users values ($_POST["username"], $_POST["pwd"], $_POST["email"])";
if (mysqli_query($con,$sql)) {
echo "User added!";
}

My HTML:

<form action="action.php" method="post">
  Username<input type="text" name="username">
  <p>
    Password<input type="password" name="pwd">
    <p>
      Email<input type="text" name="Email">
<p>
    <input type="submit" name="Sign Up" value="Sign Up">
</form>
    FYI, you are also wide open to [SQL injections](http://stackoverflow.com/q/60174) – John Conde Dec 13 '13 at 21:13
  • You need to filter input. The way you are storing the values, they are not secure. Just look: your form input field name for email is 'Email' and you are trying to get it as 'email' – amarjit singh Dec 13 '13 at 21:43

3 Answers

You should develop the habit of using query parameters for dynamic values you want to include in SQL queries. This helps to avoid confusion about quotes, and it helps to avoid security vulnerabilities.

It's easy too!

// Placeholders stand in for the values; the SQL text never contains user input.
$sql="INSERT INTO users values (?, ?, ?)";
if ($stmt = mysqli_prepare($con,$sql)) {
  // "sss" = three string parameters, bound in placeholder order
  // (note the form field is named "Email", not "email").
  mysqli_stmt_bind_param($stmt, "sss", 
    $_POST["username"], $_POST["pwd"], $_POST["Email"]);
  if (mysqli_stmt_execute($stmt)) {
    echo "User added!";
  }
}

PS: You're Probably Storing Passwords Incorrectly

Bill Karwin
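A hardened action.php for the question's form, added here as an example; it is not code from the question or from Bill Karwin's answer. It assumes a table users(username, pwd_hash, email), treats MySQL error 1062 as a duplicate username, and uses the question's connection values as placeholders.

```php
<?php
// Added example (not from the question or any answer). Assumes a table
// users(username, pwd_hash, email); host and credentials are placeholders.
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors

// Read the fields by the exact names used in the HTML form (note: "Email").
$username = trim($_POST['username'] ?? '');
$password = $_POST['pwd'] ?? '';
$email    = trim($_POST['Email'] ?? '');

if ($username === '' || $password === '' || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
    http_response_code(400);
    exit('Username, password and a valid email are required.');
}

// Never store the plaintext password: store a salted password hash instead.
$pwdHash = password_hash($password, PASSWORD_DEFAULT);

$con = new mysqli('myhost.com', 'user', 'password', 'db'); // placeholders
$con->set_charset('utf8mb4');

// Named columns plus placeholders: values never enter the SQL text, so the
// quoting mistake from the question and SQL injection are both ruled out.
$stmt = $con->prepare('INSERT INTO users (username, pwd_hash, email) VALUES (?, ?, ?)');
$stmt->bind_param('sss', $username, $pwdHash, $email);

try {
    $stmt->execute();
    echo 'User added!';
} catch (mysqli_sql_exception $e) {
    // 1062 = duplicate key (assumes a UNIQUE index on username); report
    // without echoing driver details back to the browser.
    $duplicate = ($e->getCode() === 1062);
    http_response_code($duplicate ? 409 : 500);
    echo $duplicate ? 'That username is already taken.' : 'Could not add user.';
}

// At login time the stored hash is checked the same parameterised way.
function checkLogin(mysqli $con, string $username, string $password): bool
{
    $stmt = $con->prepare('SELECT pwd_hash FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    return $row !== null && password_verify($password, $row['pwd_hash']);
}
```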

It's a quoting problem:

// Single quotes inside the double-quoted PHP string fix the parse error; the SQL
// string literals also need their own quotes, and the form field is named "Email".
$sql="INSERT INTO users values ('{$_POST['username']}', '{$_POST['pwd']}', '{$_POST['Email']}')";

The original "s were causing parser errors. Also, as @JohnConde points out, this is "wide open to SQL injections."

elixenide

Warning: You're still vulnerable to SQL Injection. Check out Bill Karwin's answer for a solution to your issue as well as a way to keep yourself from being vulnerable to these types of attacks.

As the error says, check out line 3; your quotes are awry:

// Concatenation avoids the nested double quotes; each SQL string literal still needs
// its own single quotes, and the form field is named "Email".
$sql="INSERT INTO users values ('" . $_POST["username"] . "', '" . $_POST["pwd"] . "', '" . $_POST["Email"] . "')";
esqew