Weird Syntax Error in MySQL function in PHP

Question

I am getting a really weird error in the following piece of code:

mysqli_query($database,"INSERT INTO userdetails (username,email_id)VALUES ($_POST['username'],$_POST['email_id'])";

Error:

Parse error: syntax error, unexpected '' (T_ENCAPSED_AND_WHITESPACE), expecting identifier (T_STRING) or variable (T_VARIABLE) or number (T_NUM_STRING) in E:\Xampp\htdocs\newsreg.php on line 19

Line 19 is the code I have mentioned above. I have been trying to crack this but to no use. It works if the ' is removed from [] . According to me, $_POST['username'] and $_POST[username] both are valid.

username is the name attribute of a text box in HTML form.

What is wrong with the above code?

If you were using bind variables with your queries, then this wouldn't even be an issue — Mark Baker, Feb 09 '16 at 16:38
[Your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). — Jay Blanchard, Feb 09 '16 at 16:55

score 0 · Answer 1 · answered Feb 09 '16 at 16:33

0

You should wrap your values in simple quote since its varchar.

mysqli_query($database,"INSERT INTO userdetails (username,email_id)VALUES ('{$_POST['username']}','{$_POST['email_id']}')";

answered Feb 09 '16 at 16:33

olibiaz

2,551
4
29
31

score 0 · Answer 2 · answered Feb 09 '16 at 16:33

0

update your query to be, you must put your string value between 2 quota ' also concat your $_POST val by this way:

mysqli_query($database,"INSERT INTO userdetails (username,email_id)
VALUES ('".$_POST['username']."','".$_POST['email_id']."')";

answered Feb 09 '16 at 16:33

Gouda Elalfy

6,888
1
26
38

score 0 · Answer 3 · answered Feb 09 '16 at 16:34

0

1) It's not parsing the $_POST variables properly, so it's getting confused 2) You're not putting quotes around your variables

mysqli_query($database,"INSERT INTO userdetails (username,email_id)VALUES ('{$_POST['username']}','{$_POST['email_id']}')";

You really ought to use parameterization here, which will encapsulate it for you.

answered Feb 09 '16 at 16:34

aynber

22,380
8
50
63

It gives the same error with `('$_POST['username']','$_POST['email_id']')` – Mathews Mathai Feb 09 '16 at 16:36
You're missing the brackets around the variables – aynber Feb 09 '16 at 16:37
What difference is the brackets making? Can you explain a bit? And even `mysqli_query($database,"INSERT INTO user (username)"."VALUES('$_POST[username]')");` this works. – Mathews Mathai Feb 09 '16 at 16:38
The brackets tells PHP interpreter that the whole $_POST['username'] within the string is a variable, not just $_POST. – aynber Feb 09 '16 at 16:39
why is `mysqli_query($database,"INSERT INTO user (username)"."VALUES('$_POST[username]')");` working without brackets? – Mathews Mathai Feb 09 '16 at 16:59
Got me. I'd really recommend using bind parameters, however, since doing it this way is a huge security risk. – aynber Feb 09 '16 at 17:13

Weird Syntax Error in MySQL function in PHP

3 Answers3