
I cannot understand why xampp gives me an error

Parse error: syntax error, unexpected '' (T_ENCAPSED_AND_WHITESPACE), expecting identifier (T_STRING) or variable (T_VARIABLE) or number (T_NUM_STRING) in C:\xampp\htdocs\Permanent\edstul.php on line 31

Line 31 is this:

if($_POST){

//update the record if the form was submitted
  $sql="UPDATE users SET pass='$_POST['pass']',fname='$_POST['fname']',lname='$_POST['lname']',mi='$_POST['mi']',age='$_POST['age']',course='$_POST['course']',yearlevel='$_POST['yearlevel']'
    WHERE id=" . mysql_real_escape_string($_POST['id']);

  if(mysql_query($sql)){
    //this will be displayed when the query was successful
    echo "<div>Record was edited.</div>";
  }else{
    die("SQL: " . $sql . " >> ERROR: " . mysql_error());
  }
}

I cannot figure it out. I really hate declaring SQL syntax because it doesn't have debugging.

Scape Goat
  • Do not use the deprecated `mysql_*` API. Use `mysqli_*` or PDO. And also use prepared statements. That is safer and much more readable. – Jens Feb 19 '15 at 14:00
  • Get rid of the single quotes in your $_POST variables. `$_POST['pass']` => `$_POST[pass]` – John Conde Feb 19 '15 at 14:00
  • Better yet; pre-define your variables, sanitize your inputs; use prepared statement. – Funk Forty Niner Feb 19 '15 at 14:01
  • @ScapeGoat [PHP Data Objects](http://php.net/manual/de/book.pdo.php) – Jens Feb 19 '15 at 14:02
  • If you're going to use `mysql_real_escape_string` on one, do it for all. – Funk Forty Niner Feb 19 '15 at 14:03
  • @Fred-ii- If you're going to use `mysql_real_escape_string` on one, don't do it at all. – Loko Feb 19 '15 at 14:04
  • @Loko Prepared statements; it's the way to go ;-) – Funk Forty Niner Feb 19 '15 at 14:08
  • @Fred-ii- I'm not using prepared statements myself, but yeah, I would agree it's probably the best way to go. – Loko Feb 19 '15 at 14:12
  • **Building SQL statements with outside variables makes your code vulnerable to SQL injection attacks.** Also, any input data with single quotes in it, like "O'Malley", will blow up your query. Learn about parametrized queries, preferably with the PDO module, to protect your web app. [This question](http://stackoverflow.com/questions/60174) has many detailed examples. See also http://bobby-tables.com/php for alternatives & explanation of the danger. – Andy Lester Feb 19 '15 at 15:11

1 Answer

You have some PHP concatenation errors, try with this:

$sql="UPDATE users SET pass='". $_POST['pass'] . "',
      fname='" .     $_POST['fname'] . "',
      lname='" .     $_POST['lname'] . "',
      mi='" .        $_POST['mi'] . "',
      age='" .       $_POST['age'] . "',
      course='" .    $_POST['course'] . "',
      yearlevel='" . $_POST['yearlevel'] . "'
      WHERE id=" . mysql_real_escape_string($_POST['id']);

Halayem Anis
    And then you'd still have a problem with SQL injections, and you'd still use the deprecated `mysql_*` extension. But yes, this will fix the _immediate_ problem, the syntax error. – VolkerK Feb 19 '15 at 14:07
  • Right answer but you should mention that OP shouldn't use mysql_* function as it is deprecated +1 – Utkarsh Dixit Feb 19 '15 at 14:36
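Editor's added example (not part of the answer above or the asker's code): the parse error comes from quoted array keys such as `$_POST['pass']` inside a double-quoted string, and the concatenation fix keeps the injection problem the comments warn about. The same UPDATE as a `mysqli` prepared statement avoids both; the connection parameters are placeholders and must be replaced.

```php
<?php
// Added example: the edstul.php UPDATE rewritten as a mysqli prepared statement.
// Connection values below are placeholders, not the original project's settings.
$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
if ($db->connect_error) {
    die('Connect error: ' . $db->connect_error);
}

if ($_POST) {
    // Every user-supplied value is sent as a parameter ('?'), so it never
    // becomes part of the SQL text and cannot change the query's structure.
    $sql = 'UPDATE users SET pass=?, fname=?, lname=?, mi=?, age=?, course=?, yearlevel=?'
         . ' WHERE id=?';
    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        // A malformed query is reported here, before any data is bound.
        die('Prepare failed: ' . $db->error);
    }

    // Type string: one letter per placeholder, s = string, i = integer.
    // The quoted columns of the original query are bound as strings; id is
    // unquoted in the original, so it is bound as an integer.
    $stmt->bind_param(
        'sssssssi',
        $_POST['pass'], $_POST['fname'], $_POST['lname'], $_POST['mi'],
        $_POST['age'], $_POST['course'], $_POST['yearlevel'], $_POST['id']
    );

    if ($stmt->execute()) {
        // Same success message as the original page
        echo '<div>Record was edited.</div>';
    } else {
        // Report the driver error without echoing the query text
        die('ERROR: ' . $stmt->error);
    }
    $stmt->close();
}
```

A value like "O'Malley" or a stray quote in any field is now stored as-is instead of breaking or altering the statement.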