Error while concatenating query for SQL in PHP

Question

I am getting aerror while concatenating query for SQL in PHP

$query = "INSERT INTO bookings (date, start, userId)
VALUES ('$booking_date','$booking_time','$_SESSION['userIdSession']');";

The single quotes '' in $_SESSION['userIdSession'] are causing this problem.

What is the right way to concatenate this string without getting error?

(I am beginner in PHP, do not down vote me)

See [How can I prevent SQL injection in PHP?](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) — Marcel Korpel, Dec 22 '13 at 20:27
oops, my bad, add a variable, `$userIdSession = $_SESSION['userIdSession']` — , Dec 22 '13 at 20:28

score 0 · Answer 1 · answered Dec 22 '13 at 20:30

0

This is most likely what you are looking for:

$query = "INSERT INTO bookings (date, start, userId)
VALUES ('" . $booking_date . "','" . $booking_time . "','" . $_SESSION['userIdSession'] . "');";

However always make sure you are protecting against SQL Injections, else you might end up with serious problems if someone manage to mess with your database through unprotected user input.

answered Dec 22 '13 at 20:30

Søren Kjeldsen

17
3

What's wrong with curly braces? – Marcel Korpel Dec 22 '13 at 20:30
First of all SO removed them automaticly, besides it is better without and then have that formating as I just posted. The bad thing when using them is to make sure the server and mysql is supporting and allowing the use of them. – Søren Kjeldsen Dec 22 '13 at 20:33

score -1 · Answer 2 · answered Dec 22 '13 at 20:30

When using array variables in double-quoted strings, you must surround them with curly brackets:

$query = "INSERT INTO bookings (date, start, userId)
    VALUES ('$booking_date','$booking_time','{$_SESSION['userIdSession']}');";

Otherwise PHP will not correctly recognize the array access in the string.

Additionally, you must prevent SQL Injection as stated in the comments above.

Error while concatenating query for SQL in PHP

2 Answers2