
EDIT: PLEASE stop downvoting. Mind you guys, I am very very very very new at this and I am learning on my own, GOD you are unforgiving and possess a special talent at discouraging me, when I need encouragement and support THE MOST, the only place where I can come to ask these questions kicks me right in the gg-uts.

I am trying to register comments inside MySQL database using this combination of PHP and MySQL Query, but I get an error within the SET VALUE statement on variable $comment.

It reads

"Parse error: syntax error, unexpected '$comment' (T_VARIABLE) in C:\xampp\blablabla..."

    if (empty($_POST['comment']) === true) {
        echo 'ERGHH ! You cannot do this.';
    }
    else
    //this immediate curly brace ends after the HTML form at the end:
    {
        if (isset($_POST['comment'])) {
            $comment = $_POST['comment'];
            $comment = mysql_real_escape_string($comment);

            $sql_register_hangout = mysqli_query($conn, "UPDATE hangout_comments SET
            (comment, comment_corresponding_hangout_id, comment_corresponding_user_id)

            SET VALUES
            ("$comment", "$hangout_id", "$user_data['user_id']")
            WHERE comment_id=".$_POST['comment']);
        }
        /*
           then there's the HTML form with a
           input type ="textarea" name="comment"
           and a submit button input
           followed by a closing }
        */

Q1: Anybody know what I am not doing right?

Q2: Any security holes here or best practice not included in the code? (mind you, I'm still learning through practice, thanks in advance overflowers)

J. Doe
  • Escape the double quotes around your variables, since the entire SQL string has double quotes: `\"$comment\"`. That, or use single quotes. – jszobody Feb 23 '16 at 21:17
  • You're mixing `mysql_*` and `mysqli_*` functions. That won't work. – Jay Blanchard Feb 23 '16 at 21:17
  • [Your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Jay Blanchard Feb 23 '16 at 21:18
  • Please [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php). [These extensions](http://php.net/manual/en/migration70.removed-exts-sapis.php) have been removed in PHP 7. Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [PDO](http://php.net/manual/en/pdo.prepared-statements.php) and [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and consider using PDO, [it's really pretty easy](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Feb 23 '16 at 21:18
  • Thank you very much Jay. I know what I am doing tomorrow then, I am reading up on prepared statements and parameterized queries. You said I should use single quotes, how should I go about "$user_data['user_id']" inside the query in this case? – J. Doe Feb 23 '16 at 21:21
  • That isn't how UPDATE works. http://dev.mysql.com/doc/refman/5.7/en/update.html far as I remember. Check for errors http://php.net/manual/en/mysqli.error.php `or die(mysqli_error($con))` to `mysqli_query()` and error reporting http://php.net/manual/en/function.error-reporting.php – Funk Forty Niner Feb 23 '16 at 21:22
  • You're also using `mysqli_` to query with, yet `mysql_real_escape_string()` and that doesn't intermix with it. If you are indeed using the mysqli_ API to connect with also, which is unknown to us. – Funk Forty Niner Feb 23 '16 at 21:25
  • `or die(mysqli_error($con))` made a typo. Missed an `n` - `or die(mysqli_error($conn))` but am sure you knew that ;-) – Funk Forty Niner Feb 23 '16 at 21:30
  • Don't worry about the DV's (as a matter of course if you ask people not to DV they will do it because you asked them not to) as they are not an indictment. They're just saying that your question doesn't appear to be well researched or may provide to be of little value to others on Stack. Don't take them personally. As a new developer you will have to learn to grow a thick skin because the DV's are just the start of things that people will do or say *only* because they do not understand what you and those like you do. ¯\\_(ツ)_/¯ – Jay Blanchard Feb 23 '16 at 21:36
  • If you're getting a lot of downvotes it's not because of you, it's because of your question. Don't take it so personally. Stack Overflow can be a cruel, uncaring beast at times because it's more concerned with curating good questions and answers than mentoring people through the early stages of learning something. I think it's great that you're learning, but I also think this question isn't going to help a whole lot of people other than yourself. Don't complain, just listen, learn, and absorb what people have to say. We're all trying to help even if it seems overly critical. – tadman Feb 23 '16 at 21:41
  • Remember that modern PHP development encourages the use of a [development framework](http://codegeekz.com/best-php-frameworks-for-developers/) like [Laravel](http://laravel.com/) that gives you a solid foundation for building your application. Find one that suits your style and needs and follow the examples and documentation. Most have a large library of community code you can add in with little effort, avoiding the need to reinvent the wheel and have to learn every little thing from the bottom up. Focus on getting things done first, stick to the basics, then pick up the theory later. – tadman Feb 23 '16 at 21:42
  • So, what I am getting from the comments (thank you both for answering) is this: 1. I should use mysqli_real_escape_string instead. 2. I should use an INSERT statement rather than update, which would indeed make more sense now that I think of it and possibly stop people from hating me so much as not being well researched. 3. Still, asked above, how do I go about "$user_data['user_id']" if I shouldn't use double quotes. would this work: \"$user_data['user_id']\" – J. Doe Feb 23 '16 at 21:45
  • Almost. You should be using **prepared statements** at the very least, something `mysqli` does a pretty good job of supporting. Your query should not have string interpolation, instead you use `?` as a placeholder and bind later with [`bind_param`](http://php.net/manual/en/mysqli-stmt.bind-param.php). PDO makes this less messy, you can name your placeholders which makes more complicated queries less confusing, so that's worth considering as well. Don't take people correcting your mistakes as "hating you". You're trying to learn and we all respect that. – tadman Feb 23 '16 at 21:46
  • 4. I should read those endless documentation pages on preventing injection and the three links provided by Fred. BUT I reaaaaally doubt I can understand half of the documentation, let alone remember it. How can that be useful as opposed to frustrating? 5. UHM... how do I know if I am using mysqli_ API ? Is it this by any chance?: $conn = mysqli_connect('localhost', 'root', '', 'temahangout'); if($conn === false) { die("ERROR: Could not connect. " .mysqli_connect_error()); } – J. Doe Feb 23 '16 at 21:48
  • Like a jigsaw puzzle, none of this will make much sense until you fit a few pieces together. As you start to do that, filling in the blanks gets a lot easier. What are your goals here? What type of project are you trying to build? – tadman Feb 23 '16 at 21:51
  • Trying to build a forum like website, with users that can post topics, edit them, users that can post comments, edit them, vote, and each user could edit their profile. It is not for any real world purpose, barely for learning coding logic, file structure and all that. I want to build something that simply works, not more and obviously not optimized. – J. Doe Feb 23 '16 at 21:54
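As an added example (not the asker's code and not from any of the commenters), here is the comment-save step rewritten the way the comments suggest: an INSERT with a mysqli prepared statement using `?` placeholders and `bind_param`, which is also the answer to Q2 about the injection hole. It assumes the `hangout_comments` table and column names from the question, the `$conn` from the asker's `mysqli_connect` call, and that `$hangout_id` and `$user_data['user_id']` are set earlier in the script.

```php
<?php
// Added example, not the asker's code. Assumes: table hangout_comments with the
// three columns named in the question; $hangout_id and $user_data['user_id']
// already set earlier in the script (page parameter and logged-in session).

// Make mysqli throw on errors instead of silently returning false, so a bad
// query is reported instead of ignored.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$conn = mysqli_connect('localhost', 'root', '', 'temahangout');

// Reject an empty comment before touching the database.
if (!isset($_POST['comment']) || trim($_POST['comment']) === '') {
    echo 'ERGHH ! You cannot do this.';
    exit;
}

$comment    = $_POST['comment'];
$hangout_id = (int) $hangout_id;            // assumed: set earlier from the page
$user_id    = (int) $user_data['user_id'];  // assumed: set from the login session

// UNSAFE (the pattern in the question): pasting $comment into the SQL text means
// a single quote inside the comment ends the string literal and whatever follows
// is parsed as SQL. Do NOT do this:
//   mysqli_query($conn, "INSERT INTO hangout_comments (...) VALUES ('$comment', ...)");

// SAFE: placeholders in the SQL, values bound separately. The statement's
// structure is fixed before any user data is attached, so nothing inside
// $comment can change it; the driver sends the values purely as data.
$sql = 'INSERT INTO hangout_comments
            (comment, comment_corresponding_hangout_id, comment_corresponding_user_id)
        VALUES (?, ?, ?)';

$stmt = mysqli_prepare($conn, $sql);
// Type string: one letter per placeholder, s = string, i = integer.
mysqli_stmt_bind_param($stmt, 'sii', $comment, $hangout_id, $user_id);
mysqli_stmt_execute($stmt);

// New row id comes from the connection, no second query needed.
$new_comment_id = mysqli_insert_id($conn);
mysqli_stmt_close($stmt);

echo 'Saved comment #' . (int) $new_comment_id;
```

Note that this is an INSERT, as the asker concluded from the comments; an UPDATE would take the same placeholder form with a `WHERE comment_id = ?` bound as an integer.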

0 Answers