How do I correct this PHP syntax

Question

I created a Form with inputs named name, and msg;

I have:

$q /* My SQL query */ = "INSERT INTO posts ('NOW(),$_POST['name'],$_POST['msg']')";

in my PHP; after deploying the file I get a 500 error.

I know this code is bugged because after taking it out the page loads fine. How do I fix it, I'm guessing its to do with quotation marks?

I think I could concatenate the posted data - using periods - instead of inputting straight into the string, but isn't it possible to do it in the cleaner, nicer, way?

[This post](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) may be of interest to you — Jack Greenhill, May 25 '16 at 22:12
Use quotes for string value `$q = "INSERT INTO posts (NOW(), '".$_POST["name"]."', '".$_POST["msg"]."')";` — devpro, May 25 '16 at 22:14

Julie Pelletier · Answer 1 · 2016-05-25T22:17:08.430

2

The issue does have to do with quotes. Here is a way to fix it:

$q = "INSERT INTO posts (NOW(), '{$_POST['name']}', '{$_POST['msg']}')";

Note that it is extremely important to use prepared statements when dealing with user input to prevent SQL injections.

The PHP manual includes a great page on prepared statements.

edited May 25 '16 at 22:17

answered May 25 '16 at 22:12

Julie Pelletier

1,740
1
10
18

U have extra single quote at end – devpro May 25 '16 at 22:15
I know this is a separate question but do you know of a quick-fix to "prepare" the statement in this context? – May 25 '16 at 22:15
Looks fine but open for SQL injections – devpro May 25 '16 at 22:16
@devpro, Is the yellow background note too hard to see? – Julie Pelletier May 25 '16 at 22:18
@WorstForum: I included a link to the PHP manual page on prepared statements. – Julie Pelletier May 25 '16 at 22:18
1

Edited just now :p – devpro May 25 '16 at 22:18

How do I correct this PHP syntax

1 Answers1