-1

I am trying to create a form to submit data into a MySQL database but it is not working. At the moment I have the following error for my INSERT query:

PHP Syntax Check: Parse error: syntax error, unexpected '' (T_ENCAPSED_AND_WHITESPACE), expecting identifier (T_STRING) or variable (T_VARIABLE) or number (T_NUM_STRING) in your code

At the moment I have the following PHP:

<?php

$mysqli = new mysqli("localhost", "root", "", "etrading");

/* check connection */
if ($mysqli->connect_errno) {
    printf("Connect failed: %s\n", $mysqli->connect_error);
    exit();
}

//Query
$query = "INSERT INTO item (Name, Description, img_path, Quantity, Category, Location, Sale_Type, Price, Duration, Payment) VALUES
($_POST['name'], $_POST['description'], $_POST['photo'], $_POST['quantity'], $_POST['category'], $_POST['location'], $_POST['Sale_Type'], $_POST['price'], $_POST['duration'], $_POST['payment'])";

$result = mysql_query($query);
if ($result) {
    echo("<br>Input data is succeed");
} else {
    echo("<br>Input data is fail");
}

/* close connection */
$mysqli->close();

?>

This is currently what I have for my form. I have yet to write the code for uploading an image; I am trying to get the form to work without errors before I attempt the image upload.

<form id="sellitem" action="sellitem.php" method="POST" enctype="multipart/form-data" onsubmit="return checkForm(this);" >
    <fieldset>
        <h4>Sell Your Item</h4>
        <p><label class="title" for="name">Name:</label>
        <input type="text" placeholder="Enter item name" name="name" id="name" title="Please enter item name" ><br />

        <label class="title" for="description">Description:</label>
        <textarea name="description" rows="5" cols="33" placeholder="Please describe your item" id="description" title="Please describe your item" ></textarea><br />

        <label class="title" for="category">Category:</label>
        <select name="category" id="category" >
            <option value="clothes">Clothes</option>
            <option value="books">Books</option>
            <option value="electronics">Electronics</option>
            <option value="sport">Sport</option>
        </select></p>

        <label class="title" for="location">Location:</label>
        <input type="text" placeholder="Item Location" name="location" id="location" title="Enter item location" ><br />

        <label class="title" for="Sale_Type">Sale Type:</label>
        <select name="Sale_Type" id="Sale_Type" >
            <option value="Auction">Auction</option>
            <option value="BuyNow">Buy Now</option>
        </select>

        <label class="title" for="price">Price: $</label>
        <input type="text" placeholder="00.00" name="price" id="price" title="Please enter a price" ><br />

        <label class="title" for="quantity">Quantity:</label>
        <input type="text" placeholder="Number of items" name="quantity" id="quantity" title="Number of items" ><br />

        <label class="title" for="duration">Duration:</label>
        <input type="text" placeholder="End date" name="duration" id="duration" title="End Date" ><br />

        <label class="title" for="payment">Payment Type:</label>
        <select name="payment" id="payment" >
            <option value="PayPal">PayPal</option>
            <option value="Bank Deposit">Bank Deposit</option>
            <option value="Card">Credit Card</option>
        </select><br>
        <label class="title" for="img_path">Select image to upload:</label>
        <input type="file" name="img_path" id="img_path" >

        <div class="submit"><input type="submit" value="Submit" /></div>
        <div class="reset"><input type="reset" value="Reset" /></div>
    </fieldset>
</form>

Could I please get some help as to why this error is appearing? A useful link/site on creating a simple photo upload to the MySQL database would also be helpful.

Nicola Court
  • I think you are using `mysqli` instead of `mysql`. `$result = mysql_query($query);`. Change it to `$result = mysqli_query($mysqli ,$query);` – urfusion Jul 15 '17 at 07:47
  • 1
    Also a general remark: your code is _wide open_ to sql injection attacks. Please read about the security benefits of using the combination of "prepared statements" and "parameter binding" to prevent this. – arkascha Jul 15 '17 at 07:49
  • And the `echo` statement is a language construct, not a function. You do not need brackets: `echo "Input data is succeed";` – arkascha Jul 15 '17 at 07:50
  • 1
    About that specific error message: it appears to be not complete. Please add the _full_ error message to the question and tell us which line exactly it refers to. Note: do not post additional details into comments here. There is an `edit` link below your question. _Use it_. – arkascha Jul 15 '17 at 07:52
  • Hint to prevent future issues: Do not use the php closing tag at the end of files (`?>`). It is not required there and can actually cause confusing issues. – arkascha Jul 15 '17 at 07:53
  • also use `extract($_POST);` then `$query = "INSERT INTO item (Name, Description, img_path, Quantity, Category, Location, Sale_Type, Price, Duration, Payment) VALUES ('$name',.....)` – urfusion Jul 15 '17 at 07:54
  • The error is in your $query: you're not escaping ' and passing it in $query=" ". But it doesn't end here: you're using the mysqli API for the connection and performing the query through mysql_, so that will be another error. If you eventually solve all your errors you'll be trapped in SQL injection, so better to start learning some safe code. – Saad Suri Jul 15 '17 at 07:55
  • 1
    @urfusion Nooooooo! 1. this cements the SQL injection vulnerability, 2. it risks naming collisions with the current scope and 3. it makes things only more confusing! – arkascha Jul 15 '17 at 07:55
  • @arkascha: yes, there is a chance of SQL injection, but this can be a solution. – urfusion Jul 15 '17 at 07:57
  • 1
    @urfusion _Please_... your advice to use `extract()` really is a bad thing. I suggest you remove it. It does not change a thing here, it should only be used inside functions if at all, preferably only inside small, anonymous functions. Best is not to use it at all. – arkascha Jul 15 '17 at 08:01
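The parse error itself comes from writing `$_POST['name']` with quoted keys directly inside a double-quoted string (PHP expects `{$_POST['name']}` or concatenation there), but the comments' real point is that the form values should never be spliced into the SQL text at all. As an added example (not the questioner's code and not code from any commenter), here is the same INSERT done with a mysqli prepared statement and bound parameters. The table and column names are the ones from the question; the `insert_item()` function, the `$post` array, and the column type assumptions (Quantity as an integer, Price as a decimal) are mine.

```php
<?php
declare(strict_types=1);

// Added example, not code from the question or the answers. Column names come from
// the question's INSERT; the function name, variable names and the type assumptions
// (Quantity INT, Price DECIMAL) are assumptions made for this illustration.

/**
 * Insert one item with a prepared statement. The form values are sent to the server
 * as parameters, never as part of the SQL text, so the quoting problem behind the
 * parse error and SQL injection both go away. Returns the new row id, or throws.
 */
function insert_item(mysqli $db, array $post): int
{
    // Whitelist of form fields that map to columns; anything else in $post is ignored.
    $required = ['name', 'description', 'photo', 'quantity', 'category',
                 'location', 'Sale_Type', 'price', 'duration', 'payment'];
    foreach ($required as $field) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            throw new InvalidArgumentException("Missing form field: $field");
        }
    }
    // Server-side checks for the fields the HTML form does not constrain.
    if (!ctype_digit($post['quantity'])) {
        throw new InvalidArgumentException('Quantity must be a whole number');
    }
    if (!preg_match('/^\d+(\.\d{1,2})?$/', $post['price'])) {
        throw new InvalidArgumentException('Price must look like 12.50');
    }
    if (!in_array($post['Sale_Type'], ['Auction', 'BuyNow'], true)) {
        throw new InvalidArgumentException('Unknown sale type');
    }

    // Ten placeholders, ten columns; no values appear in the query text.
    $sql = 'INSERT INTO item
              (Name, Description, img_path, Quantity, Category, Location,
               Sale_Type, Price, Duration, Payment)
            VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)';
    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }

    // One type letter per placeholder: s = string, i = integer, d = double.
    $quantity = (int) $post['quantity'];
    $price    = (float) $post['price'];
    $stmt->bind_param(
        'sssisssdss',
        $post['name'], $post['description'], $post['photo'], $quantity,
        $post['category'], $post['location'], $post['Sale_Type'], $price,
        $post['duration'], $post['payment']
    );
    if (!$stmt->execute()) {
        $err = $stmt->error;
        $stmt->close();
        throw new RuntimeException('execute failed: ' . $err);
    }
    $id = (int) $db->insert_id;
    $stmt->close();
    return $id;
}

// --- usage, standing in for sellitem.php ---
// Make mysqli throw mysqli_sql_exception (a RuntimeException) instead of returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$mysqli = new mysqli('localhost', 'root', '', 'etrading');

try {
    $id = insert_item($mysqli, $_POST);
    echo 'Input data succeeded, item id ' . $id;
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo 'Bad input: ' . htmlspecialchars($e->getMessage());
} catch (RuntimeException $e) {
    http_response_code(500);
    error_log($e->getMessage());   // database details go to the log, not to the browser
    echo 'Input data failed';
} finally {
    $mysqli->close();
}
```

Two details worth noting for the questioner's situation: `bind_param()` takes its arguments by reference, which is why the cast values are stored in `$quantity` and `$price` first, and the database error text is logged rather than echoed, since `$conn->error` can reveal table structure to whoever submitted the form.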

2 Answers

0

You are using the mysqli object, therefore the query should be run with

$result=$mysqli->query($query);

PHP docs

adman9000
-1

The code just declares a string variable that contains a MySQL query: it does not execute the query. Here is the solution:

<?php
$servername = "localhost";
$username = "root";
$password = "";
$dbname = "yourdb";

// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}

// Prepared statement: the form value is bound as a parameter, not concatenated into the SQL
$sql = "INSERT INTO table_name (name) VALUES (?)";
$stmt = $conn->prepare($sql);
if ($stmt === false) {
    die("Error: " . $sql . "<br>" . $conn->error);
}
$name = isset($_POST["name"]) ? $_POST["name"] : "";
$stmt->bind_param("s", $name);

if ($stmt->execute()) {
    echo "New record created successfully";
} else {
    echo "Error: " . $sql . "<br>" . $stmt->error;
}

$stmt->close();
$conn->close();

?>


Md.Shahjalal