I have tried this SQL statement in PHP:

$update = "UPDATE `etudiant` SET `login` = 'POST["login"]',`email` = '$POST["email"]', `password` = '$POST["password"]', `nom` = '$POST["nom"]', `prenom` = '$POST["prenom"]', `numtel` = '$POST["numtel"]', `faculte` = '$POST["faculte"]', `filiere` = '$POST["filiere"]' WHERE `id_etudiant` = '$id_etud'" ; 

and WampServer shows me this error:

( ! ) Parse error: syntax error, unexpected '"', expecting identifier (T_STRING) or variable (T_VARIABLE) or number (T_NUM_STRING) in C:\wamp\www\karya\pages\espaceetudiant.php on line 102

hassan

2 Answers

It's insecure to do it that way. You should read a book about PHP security; it's called Essential PHP Security by Chris Shiflett. He explains that different problems can occur while doing it that way.

I would go with this way:

if (isset($_POST['..'])) {
    $var = trim($_POST['..']);

    // do some other validation if you have any

    // and do it in PDO
    $sql = "UPDATE table_name SET column1=value WHERE some_column=some_value";
}

You haven't posted enough code, so it's a bit unclear what your goal is. Also, they have mentioned that $_POST is not written as $POST. Read MySQL Cookbook by Paul DuBois; you will get a better understanding of what's happening.

DaAmidza
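
The PDO approach recommended in the answer above, applied to the question's `etudiant` UPDATE with bound parameters instead of string interpolation (an added example, not code from the original posts). Assumptions: an in-memory SQLite database stands in for the MySQL server so it runs offline, the function name `updateEtudiant` is hypothetical, `$id_etud` comes from the session, and the password is stored as a hash.

```php
<?php
// Assumption: SQLite in memory replaces MySQL here; for MySQL only the
// DSN and credentials passed to the PDO constructor change.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE etudiant (id_etudiant INTEGER PRIMARY KEY, login TEXT,
    email TEXT, password TEXT, nom TEXT, prenom TEXT, numtel TEXT,
    faculte TEXT, filiere TEXT)');
$pdo->exec("INSERT INTO etudiant (id_etudiant, login) VALUES (1, 'old')");

// Constructed sample form input. The apostrophes would break the
// concatenated query; as bound values they are stored as plain data.
$_POST = [
    'login' => 'aobrien', 'email' => 'a.obrien@example.com',
    'password' => 'constructed-sample', 'nom' => "O'Brien", 'prenom' => 'Ann',
    'numtel' => '0600000000', 'faculte' => 'FST',
    'filiere' => "Sciences de l'ingenieur",
];
$id_etud = 1; // assumed to come from the logged-in session, not from the form

function updateEtudiant(PDO $pdo, array $post, int $id): int
{
    $fields = ['login', 'email', 'password', 'nom', 'prenom',
               'numtel', 'faculte', 'filiere'];
    $params = [':id' => $id];
    foreach ($fields as $f) {
        if (!isset($post[$f]) || !is_string($post[$f])) {
            throw new InvalidArgumentException("missing field: $f");
        }
        $params[":$f"] = trim($post[$f]);
    }
    if (!filter_var($params[':email'], FILTER_VALIDATE_EMAIL)) {
        throw new InvalidArgumentException('invalid email');
    }
    // Store a hash of the submitted password, never the password itself.
    $params[':password'] = password_hash($post['password'], PASSWORD_DEFAULT);

    // Column names are fixed in the code; only the values are bound.
    $stmt = $pdo->prepare('UPDATE etudiant SET login = :login, email = :email,
        password = :password, nom = :nom, prenom = :prenom, numtel = :numtel,
        faculte = :faculte, filiere = :filiere WHERE id_etudiant = :id');
    $stmt->execute($params);
    return $stmt->rowCount();
}

echo updateEtudiant($pdo, $_POST, $id_etud), " row(s) updated\n";
$row = $pdo->query('SELECT nom, filiere FROM etudiant WHERE id_etudiant = 1');
print_r($row->fetch(PDO::FETCH_ASSOC));
```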

correct " \"

POST["login"] and $_POST["login"]

$update = "UPDATE `etudiant` SET `login` = '".$_POST["login"]."',`email` = '".$_POST["email"]."', `password` = '".$_POST["password"]."', `nom` = '".$_POST["nom"]."', `prenom` = '".$_POST["prenom"]."', `numtel` = '".$_POST["numtel"]."', `faculte` = '".$_POST["faculte"]."', `filiere` = '".$_POST["filiere"]."' WHERE `id_etudiant` = '$id_etud'";
user3126867