PHP syntax error in this query

Question

Can anyone help me figure out what's wrong in this code? It used to work before I added that 3rd query to fill the form with the current info from the database. Now it just returns a white page.

<?php

    if (isset($_GET['edit'])) {
        echo "<form action=\"user.php\" method=\"post\">";

            $userinfo = mysqli_query($con,"SELECT * FROM members WHERE members.id='".$_COOKIE[userid]."' AND members.username='".$_COOKIE[user]."'";
        while($uir = mysqli_fetch_array($userinfo)) {

        echo "
        <label for=\"name\">Navn:</label>
            <input type=\"text\" name=\"name\" placeholder=\"Your name\" value=\"".$uir['name']."\"required /><br />    

        <label for=\"mobil\">Mobil:</label>
            <input type=\"tel\" name=\"mobil\" placeholder=\"Mobil tlf\" value=\"".$uir['mobil']."\" required /><br />          

        <label for=\"bilnr\">Bil #:</label>
            <input type=\"tel\" name=\"bilnr\" placeholder=\"Bil Nr.\" value=\"".$uir['bilnr']."\" required /><br />

        <label for=\"regnr\">Registrerings nummer:</label>
            <input autocapitalize=\"characters\" type=\"text\" name=\"regnr\" placeholder=\"Reg.Nr.\" value=\"".$uir['regnr']."\" required /><br />";   

        }
        echo "<input type=\"submit\" /></form>";    
    }
    elseif (isset($_POST["bilnr"])) {
            $sql="UPDATE members SET name='$_POST[name]', mobil='$_POST[mobil]', bilnr='$_POST[bilnr]', regnr='$_POST[regnr]' WHERE id='".$_COOKIE[userid]."' AND username='".$_COOKIE[user]."'";
            if (!mysqli_query($con,$sql))
            {   
                die('Error: ' . mysqli_error($con));
            }
        echo "<p class=\"red\">Informasjonen er oppdatert!</p>";
        mysqli_close($con); }       

    else {
        echo "<a href=\"user.php?edit\">Oppdater bruker info</a>";
    }  

?>

FYI, you are wide open to [SQL injections](http://stackoverflow.com/q/60174) — John Conde, Apr 17 '14 at 01:11
Look at the html source code in your blank page. It may yield some clues. — Dan Bracuk, Apr 17 '14 at 01:13
how would I use PDO on this form to prevent sql injections ? I'm checking the link you gave me, but not sure if I understand correctly — Roger Andersen, Apr 17 '14 at 01:29

score 1 · Answer 1 · answered Apr 17 '14 at 01:19

You should put your array keys between quotes:

$_COOKIE['userid']

Secondly, don't use them directly in your SQL code. It's easier to find bugs in your code when you write your queries like this:

$name = $_POST['name'];
$mobil = $_POST['mobil'];
$bilnr = $_POST['bilnr'];
$regnr = $_POST['regnr'];


$sql="UPDATE members 
      SET name='$name', mobil='$mobil', bilnr='$bilnr',
      regnr='$regnr' etc.

score 0 · Answer 2 · answered Apr 17 '14 at 01:14

0

You forgot to close the bracket for the first mysqli_query at line 6. Just add a closing bracket before the semicolon on that line and php will parse this once again.

ie:

$userinfo = mysqli_query($con,"SNIPPETY SNIP SNIP"."'";

to:

$userinfo = mysqli_query($con,"SNIPPETY SNIP SNIP"."'");

Don't change the actual query to SNIPPETY SNIP SNIP unless you want an SQL error.

Do adjust your code to protect from sql injections as per John Conde's comment.

answered Apr 17 '14 at 01:14

sfyn

686
8
14

fyi, I used php -l filename.php at the command line to find the syntax error on line 6. – sfyn Apr 17 '14 at 01:17
You don't. But syntax errors should be output to your error log or to the webpage or both, depending on PHP configuration. You can find out about the level of error reporting and where errors are logged by calling [phpinfo()](http://php.net/phpinfo) on a webpage. – sfyn Apr 17 '14 at 01:26
It may be helpful for you to take a look at [this](http://www.electrictoolbox.com/php-command-line-syntax-checking/) and look at [this tool](http://phpcodechecker.com/). – sfyn Apr 17 '14 at 01:32

PHP syntax error in this query

2 Answers2