I'm attempting to POST data into a table using PHP and MySQL. I have followed numerous guides and the following code has been suggested; however, it does not appear to be working.

```php
<?php
    $connectionInfo = array("Database"=>"rde_487633");

    if(isset($_POST['Submitted']))
    {
        $query =  sqlsrv_query "INSERT INTO $location2 (UserID, Name, Surname, Location, Date) VALUES ('$_POST[UserID]', '$_POST[Name]', '$_POST[Surname]', '$_POST[Location]', '$_POST[Date]')";
         $stmt = sqlsrv_query( $conn, $sql );
         $result = sqlsrv_query($conn, $query);
   }
?>
```

Are there any suggestions as to how this can be improved, and how to not get this message:

Parse error: syntax error.

tadman
XieTy
  • [Little Bobby](http://bobby-tables.com/) says [your script is at risk for SQL Injection Attacks](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard May 16 '16 at 21:28
  • Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [PDO](http://php.net/manual/en/pdo.prepared-statements.php). [It's really pretty easy](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard May 16 '16 at 21:29
  • Your identifiers in the `$_POST` array should be quoted, i.e. `$_POST['identifier']` – Jay Blanchard May 16 '16 at 21:29
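
The parameter binding the comments recommend, written here with the sqlsrv extension the question already uses instead of PDO (an added example, not code from the thread). The server name, the allowlisted table names and the idea that `$location2` is chosen server-side are assumptions; the table name goes through an allowlist because identifiers cannot be bound as parameters.

```php
<?php
// Added example, not the asker's code. Server name and table names are
// assumptions; the database name is the one shown in the question.

// Table names cannot be bound as parameters, so $location2 is checked
// against a fixed allowlist (hypothetical table names).
const ALLOWED_TABLES = ['Visitors_North', 'Visitors_South'];
const FIELDS = ['UserID', 'Name', 'Surname', 'Location', 'Date'];

function buildInsert(string $table, array $post): array
{
    if (!in_array($table, ALLOWED_TABLES, true)) {
        throw new InvalidArgumentException('Unknown table');
    }
    $params = [];
    foreach (FIELDS as $field) {
        // Quoted keys, and reject missing or array-valued fields.
        if (!isset($post[$field]) || !is_string($post[$field])) {
            throw new InvalidArgumentException("Missing field: $field");
        }
        $params[] = $post[$field];
    }
    // One ? placeholder per column; values never become part of the SQL text.
    $sql = "INSERT INTO [$table] ([UserID], [Name], [Surname], [Location], [Date])"
         . " VALUES (?, ?, ?, ?, ?)";
    return [$sql, $params];
}

if (isset($_POST['Submitted'])) {
    $location2 = 'Visitors_North'; // assumption: chosen server-side
    $conn = sqlsrv_connect('localhost', ['Database' => 'rde_487633']); // assumed server
    if ($conn === false) {
        error_log(print_r(sqlsrv_errors(), true));
        http_response_code(500);
        exit;
    }
    try {
        [$sql, $params] = buildInsert($location2, $_POST);
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        exit;
    }
    $stmt = sqlsrv_query($conn, $sql, $params);
    if ($stmt === false) {
        error_log(print_r(sqlsrv_errors(), true)); // log details, do not echo them
        http_response_code(500);
        exit;
    }
    sqlsrv_free_stmt($stmt);
}
```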

0 Answers