I have this MySQL query:

$sql = "INSERT INTO lijsten(naam, niveau, nederlands, duits, frans, grieks,
engels, latijn, spaans, wiskunde, natuurkunde, scheikunde, geschiedenis,
economie, aardrijkskunde, ANW, godsdienst)
VALUES(\$_POST["naam"]\,\$_POST["niveau"]\,\$_POST["nederlands"]\,\$_POST["duits"]\,\$_POST["frans"]\,\$_POST["grieks"],\$_POST["engels"]\,\$_POST["latijn"]\,\$_POST["spaans"]\,\$_POST["wiskunde"]\,\$_POST["natuurkunde"]\,\$_POST["scheikunde"]\,\$_POST["geschiedenis"]\,\$_POST["economie"]\,\$_POST["aardrijkskunde"]\,\$_POST["ANW"]\,\$_POST["godsdienst"]\)";

It is sent to the database with this function:

function connectDB($sql) {
    $DBcon = mysql_connect(host, user, pass) or die(mysql_error());
    mysql_select_db(database);
    $result = mysql_query($sql) or die(mysql_error()); // was $query, which is not defined in this function
    mysql_close($DBcon);
    return $result;
}
But when I try to run it, it gives me a PHP parse error:

PHP Parse error:  syntax error, unexpected 'naam' (T_STRING) in /media/usbdisk/website/www/boeken/naardb.php on line 11

Could somebody tell me what mistake I am making? I have already tried many ways of writing the query, but none of them worked.

Saket Mittal
Jurre
  • Look for MySQL syntax: https://dev.mysql.com/doc/refman/5.0/en/insert.html – RNK Dec 28 '15 at 21:51
  • 2
    You are making many, many mistakes when building that SQL query. Look into using prepared statements. Not only is it safer, but will render moot the string concatenation problems you're creating. – David Dec 28 '15 at 21:52
  • The quotes you are trying to escape aren't present. But don't even bother fixing that; use parameterized queries as noted above. This current code would be open to SQL injections. The `naam` error is because the `"` is closing the string encapsulation in PHP for the `$sql` variable. – chris85 Dec 28 '15 at 21:57
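To see exactly what chris85's comment describes, here is an added example (not part of the question or the comments) that runs PHP's own tokenizer over the broken line and over a plain concatenation. Both source snippets are constructed inside the script as strings, so nothing is executed and no database is needed.

```php
<?php
// Added example: show where PHP thinks the double-quoted string ends.
// Both snippets below are constructed here for the demonstration.

// A shortened version of the question's line: the `"` before naam closes
// the string literal, so `naam` becomes a bare T_STRING. Note that `\,` and
// `\)` are not escape sequences in PHP and are kept literally.
$broken = '<?php $sql = "VALUES(\$_POST["naam"]\,\$_POST["niveau"]\)";';

// The same line with the value concatenated in instead. This parses, but the
// SQL text is still assembled from request data, which is why the answers
// recommend prepared statements rather than this form.
$fixed = '<?php $sql = "VALUES(\'" . $_POST[\'naam\'] . "\')";';

// Returns one "TOKEN_NAME text" line per token, skipping the open tag and whitespace.
function describeTokens(string $source): array
{
    $lines = [];
    foreach (token_get_all($source) as $token) {
        if (is_array($token)) {
            [$id, $text] = $token;
            if ($id === T_OPEN_TAG || $id === T_WHITESPACE) {
                continue;
            }
            $lines[] = token_name($id) . ' ' . json_encode($text);
        } else {
            // Single-character tokens such as '=' or '[' come back as plain strings.
            $lines[] = "'" . $token . "'";
        }
    }
    return $lines;
}

echo "Broken line:\n";
foreach (describeTokens($broken) as $line) {
    echo "  $line\n";
}
// The output shows a T_CONSTANT_ENCAPSED_STRING that stops at "VALUES(\$_POST["
// followed by T_STRING "naam": this is the "unexpected 'naam' (T_STRING)"
// from the question.

echo "\nConcatenated line:\n";
foreach (describeTokens($fixed) as $line) {
    echo "  $line\n";
}
// Here the tokenizer returns string, '.', variable, '.', string: a valid expression.
```

token_get_all() only lexes the source, so it reports the token boundaries even for input that the parser would reject, which makes it a convenient way to check where a quoting mistake actually happens.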

3 Answers

1
  1. You should never build queries like this.
  2. This is not how you escape values.
  3. mysql_ is deprecated and you should be using prepared statements.

Example in PDO:

$sql = "INSERT INTO lijsten(naam, niveau, nederlands, duits, frans, grieks,
engels, latijn, spaans, wiskunde, natuurkunde, scheikunde, geschiedenis,
economie, aardrijkskunde, ANW, godsdienst)
VALUES(:naam,:niveau .......)";

if ($stmt = $pdo->prepare($sql)) {
    $stmt->bindValue(':naam', $_POST["naam"]); // the placeholder name is passed as a string
    .....
    $stmt->execute();
}
meda
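As an added example (not meda's code), the same PDO approach carried through for all 17 columns of the lijsten table named in the question. The DSN, user name and password are placeholders; the column list is taken from the question's INSERT statement.

```php
<?php
// Added example: complete prepared-statement insert for the lijsten table.
// Connection details are placeholders to be replaced with real values.

// The 17 column names from the question's INSERT statement. They are a fixed
// list in the code, never taken from the request, so using them in the SQL
// text is safe.
const LIJSTEN_COLUMNS = [
    'naam', 'niveau', 'nederlands', 'duits', 'frans', 'grieks', 'engels',
    'latijn', 'spaans', 'wiskunde', 'natuurkunde', 'scheikunde',
    'geschiedenis', 'economie', 'aardrijkskunde', 'ANW', 'godsdienst',
];

function connectDB(): PDO
{
    return new PDO(
        'mysql:host=DB_HOST_PLACEHOLDER;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
        'DB_USER_PLACEHOLDER',
        'DB_PASS_PLACEHOLDER',
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // fail loudly instead of returning false
            PDO::ATTR_EMULATE_PREPARES => false,                  // let the server do the preparing
        ]
    );
}

// Builds "INSERT INTO lijsten(naam, ...) VALUES(:naam, ...)" from the column
// list. Request data never appears in this string; it is bound separately.
function buildInsertSql(array $columns): string
{
    $placeholders = array_map(fn(string $c) => ':' . $c, $columns);
    return sprintf(
        'INSERT INTO lijsten(%s) VALUES(%s)',
        implode(', ', $columns),
        implode(', ', $placeholders)
    );
}

// Selects exactly the expected fields from the request. Unknown keys are
// ignored and a missing or non-string field is rejected, so execute() always
// receives one value per placeholder.
function collectValues(array $post, array $columns): array
{
    $values = [];
    foreach ($columns as $column) {
        if (!isset($post[$column]) || !is_string($post[$column])) {
            throw new InvalidArgumentException("Missing or invalid field: $column");
        }
        $values[':' . $column] = $post[$column];
    }
    return $values;
}

// Inserts one row and returns its auto-increment id.
function insertLijst(PDO $pdo, array $post): int
{
    $stmt = $pdo->prepare(buildInsertSql(LIJSTEN_COLUMNS));
    $stmt->execute(collectValues($post, LIJSTEN_COLUMNS));
    return (int) $pdo->lastInsertId();
}

// Usage, for example in naardb.php:
// $id = insertLijst(connectDB(), $_POST);
```

Passing the bound values as an array to execute() replaces the row of bindValue() calls; every value is sent to the server separately from the SQL text, so quoting and escaping of the request data is no longer something the application code has to get right.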
0

There are several mistakes, but I'll start with the issue.

unexpected 'naam' (T_STRING)...

is caused by PHP not expecting a string there. You're escaping parts of the query, but you really just need to concatenate the $_POST variables.

I would advise assigning the POST variables to their own variables to simplify your query, and formatting the query as this answer outlines: Using php variables inside MySQL insert statement

I.e.: $naam = $_POST["naam"]; etc.

The biggest issue is that you're using a deprecated method; you should use PDO (prepared) queries.

PHP deprecated methods.

You should definitely look into using PDO and preparing your statement.

A couple of quick references for PDO:

Good luck!

Jacques ジャック
0

Try concatenating the variables into your query like this:

$sql = "INSERT INTO lijsten(naam, niveau, nederlands, duits, frans, grieks,
engels, latijn, spaans, wiskunde, natuurkunde, scheikunde, geschiedenis,
economie, aardrijkskunde, ANW, godsdienst)
VALUES('"
. mysql_escape_string($_POST['naam']) .   // the escaped value must still sit inside SQL quotes
"')";

And read about SQL injections too.

@meda's answer is the correct example of how to build SQL calls, using PDO.

valdeci