0

I have created a sign-up form which receives a username, email and password. I coded it like this:

include_once 'sqlConnect.php';

$userName = $_POST['userName'];
$eMail = $_POST['eMail'];
$passWord = $_POST['passWord'];
$day = date("d-m-Y");
$time = date("h:i:sa");

$dbINSERTuser = 'INSERT INTO user_info (Username, Email, Password, Time)
        VALUE ('$userName', '$eMail', '$passWord', '$time')';

$result = mysql_query($dbINSERTuser);

if ($result) {
    echo "New record created successfully";
} 
else {
    echo mysql_error($dbINSERTuser);
}   

In the end, it gave me this error:

Parse error: syntax error, unexpected '$userName' (T_VARIABLE) in G:\XAMPP\htdocs\Project EVO 1.0\signup.php on line 17

I have been looking at this for hours and still have not found a solution. Please help!

Saty
Jasper

5 Answers

2

PHP will evaluate variable values in a string only when the string is wrapped in double quotes.

Change this:

$dbINSERTuser = 'INSERT INTO user_info (Username, Email, Password, Time)
        VALUE ('$userName', '$eMail', '$passWord', '$time')';

To this:

$dbINSERTuser = "INSERT INTO user_info (Username, Email, Password, Time)
        VALUE ('$userName', '$eMail', '$passWord', '$time')";

But be aware - this code is vulnerable to SQL injections!

UPDATE: Learn how to use PHP's PDO and prepared statements to make your queries safe.

Ron Dadon
1

Just replace ' with " in your insert query

$dbINSERTuser = "INSERT INTO user_info (Username, Email, Password, Time)
        VALUE ('$userName', '$eMail', '$passWord', '$time')";

To prevent SQL injection use

$dbINSERTuser = "INSERT INTO user_info (Username, Email, Password, Time)
        VALUE ('".$userName."', '".$eMail."', '".$passWord."', '".$time."')";

In mysqli you can use it like this:

<?php

$link = new mysqli("localhost", "my_user", "my_password", "world");

/* check connection */
if (mysqli_connect_errno()) {
    printf("Connect failed: %s\n", mysqli_connect_error());
    exit();
}
$userName = $_POST['userName'];
$eMail = $_POST['eMail'];
$passWord = $_POST['passWord'];
$day = date("d-m-Y");
$time = date("h:i:sa");

$dbINSERTuser = "INSERT INTO user_info (Username, Email, Password, Time)
        VALUE ('".$userName."', '".$eMail."', '".$passWord."', '".$time."')";
/* run the query string built above */
mysqli_query($link, $dbINSERTuser);

Read the mysqli manual.

Saty
  • It gave me this error when I did what you suggested: **Deprecated: mysql_query(): The mysql extension is deprecated and will be removed in the future: use mysqli or PDO instead in G:\XAMPP\htdocs\Project EVO 1.0\signup.php on line 19** – Jasper May 22 '15 at 11:11
  • Yeah use PDO instead. – Vickrant May 22 '15 at 11:15
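
The PDO and prepared-statement approach recommended in the answers and comments above, as an added example that is not part of any original post. It assumes an in-memory SQLite database as a stand-in for the MySQL server so it runs offline; the `registerUser` helper, the UNIQUE constraint, the sample input and the use of `password_hash` are assumptions of this example.

```php
<?php
// Added example, not from the original posts. SQLite in memory stands in for
// the MySQL database so this runs offline; for MySQL only the DSN (plus the
// user name and password arguments) passed to new PDO() changes.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE user_info (
    Username TEXT NOT NULL UNIQUE,
    Email    TEXT NOT NULL,
    Password TEXT NOT NULL,
    Time     TEXT NOT NULL
)');

function registerUser(PDO $pdo, array $post): bool
{
    // Reject missing or non-string fields instead of reading $_POST blindly.
    foreach (['userName', 'eMail', 'passWord'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field]) || $post[$field] === '') {
            return false;
        }
    }
    if (filter_var($post['eMail'], FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }

    // Placeholders keep the submitted values out of the SQL text, so quotes
    // in the input are stored as data and cannot change the statement.
    $stmt = $pdo->prepare(
        'INSERT INTO user_info (Username, Email, Password, Time)
         VALUES (:userName, :eMail, :passWord, :time)'
    );
    try {
        return $stmt->execute([
            ':userName' => $post['userName'],
            ':eMail'    => $post['eMail'],
            // Store a salted hash, never the submitted password itself.
            ':passWord' => password_hash($post['passWord'], PASSWORD_DEFAULT),
            ':time'     => date('h:i:sa'),
        ]);
    } catch (PDOException $e) {
        error_log($e->getMessage()); // log the detail, do not echo it to the user
        return false;                // e.g. the username already exists
    }
}

// Constructed input standing in for $_POST; the name contains quotes on purpose.
$post = ['userName' => "O'Brien'); --", 'eMail' => 'ob@example.com', 'passWord' => 'correct horse'];
var_dump(registerUser($pdo, $post));
var_dump($pdo->query('SELECT Username FROM user_info')->fetchColumn());
```

The second `var_dump` shows the name stored exactly as submitted, quotes included. Check a login later with `password_verify()` against the stored hash.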
0

You forgot to concatenate the strings. Change

$dbINSERTuser = 'INSERT INTO user_info (Username, Email, Password, Time)
    VALUE ('$userName', '$eMail', '$passWord', '$time')';

to

$dbINSERTuser = 'INSERT INTO user_info (Username, Email, Password, Time)
    VALUE (' . $userName . ', ' . $eMail . ', ' . $passWord . ', ' . $time .')';
Saty
aunn
  • This will cause an error. To insert string values in MySQL you need to wrap them with a single quote ' - there is no wrapping single quote in your code. – Ron Dadon May 22 '15 at 11:09
0
$dbINSERTuser = 'INSERT INTO user_info (Username, Email, Password, Time)
    VALUE (''.$userName.'', ''.$eMail.'', ''.$passWord.'', ''.$time.'')';

Change as above

Satish
  • This will cause an error. To insert string values in MySQL you need to wrap them with a single quote ' - there is no wrapping single quote in your code. – Ron Dadon May 22 '15 at 11:09
0

Try this.

<?php
  $userName = mysql_real_escape_string($_POST['userName']);
  $eMail = mysql_real_escape_string($_POST['eMail']);
  $passWord = mysql_real_escape_string($_POST['passWord']);
  $day = mysql_real_escape_string(date("d-m-Y"));
  $time = mysql_real_escape_string(date("h:i:sa"));

?>
Dev Danidhariya