-4

I have been looking for answers everywhere but just can't find out why I keep getting a parse error for this line.

$sql = "INSERT INTO NIMET(NIMI) VALUES("$_POST['fname']")";

Can anyone tell me why this line gets a parse error?

chris85
katyp
  • 1
    I'd suggest reading up on how to use strings in PHP. See http://php.net/manual/en/language.types.string.php – Jonnix Jun 15 '16 at 12:07
  • 3
    Good thing that doesn't work. That is wide open to SQL injections. The error tells you everything you need to know, `$_POST['fname']` is unexpected as is. You take off the `"`s and use it as a complex variable `{}` but you shouldn't do that either. Parameterize the query. – chris85 Jun 15 '16 at 12:10

2 Answers

1

Use `.` to concatenate two strings like this:

$sql = "INSERT INTO NIMET(NIMI) VALUES(".$_POST['fname'].")";
chris85
User2403
0
$sql = "INSERT INTO NIMET(NIMI) VALUES(".$_POST['fname'].")";

You need to use . to combine strings.

There is also a fancy way, but for that you need a new enough version of PHP:

$sql = "INSERT INTO NIMET(NIMI) VALUES({$_POST['fname']})";

I think the PHP version you need for that is either 5.3 or 5.6. But I'm not sure about that.

Besides that: you shouldn't insert any unvalidated data from $_POST or $_GET into your DB. This could be used to insert malicious code.

DocRattie
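
The parameterized form of this INSERT, which the comment under the question asks for and the last answer's closing remark points toward, as an added example that is not part of any post on this page. It assumes PDO with an in-memory SQLite database so it runs offline; `openDemoDb()`, `insertName()`, the 100-byte limit and the sample inputs are constructed for illustration, while the table and column names come from the question.

```php
<?php
declare(strict_types=1);

// Assumption: in-memory SQLite stands in for the real database.
function openDemoDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    // Throw on SQL errors instead of failing silently.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE NIMET (NIMI TEXT NOT NULL)');
    return $pdo;
}

// Hypothetical helper: validate the submitted value, then bind it as a
// parameter so it is never parsed as part of the SQL statement.
function insertName(PDO $pdo, $raw): bool
{
    if (!is_string($raw)) {
        return false;               // e.g. fname[]=x arrives as an array
    }
    $name = trim($raw);
    if ($name === '' || strlen($name) > 100) {   // assumed length limit
        return false;
    }
    $stmt = $pdo->prepare('INSERT INTO NIMET (NIMI) VALUES (:fname)');
    return $stmt->execute([':fname' => $name]);
}

$pdo = openDemoDb();

// Constructed sample values standing in for $_POST['fname'].
$samples = ["Matti", "O'Brien", "x'); DELETE FROM NIMET; --", ["not", "a string"], ""];

foreach ($samples as $input) {
    $ok = insertName($pdo, $input);
    printf("%-35s %s\n", json_encode($input), $ok ? 'stored' : 'rejected');
}

// Values containing quotes or SQL syntax are stored as literal text.
foreach ($pdo->query('SELECT NIMI FROM NIMET') as $row) {
    echo 'row: ', $row['NIMI'], "\n";
}
```

With a bound parameter the SQL text is fixed at `prepare()` time, so no quoting or string interpolation of `$_POST['fname']` is needed at all.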