-1

I'm new to PHP and MySQL. I have checked other examples here but I am not able to understand where I went wrong. I am trying to write user data into a table called enrolled on the MySQL database. However, I keep getting this error:

Parse error: syntax error, unexpected '' (T_ENCAPSED_AND_WHITESPACE), expecting '-' or identifier (T_STRING) or variable (T_VARIABLE) or number (T_NUM_STRING)

and this is my code that is creating the error:

 $enroll = "INSERT INTO enrollment VALUES($srow['family'] $srow['uid'] $course)";
– bldb

  • read up on complex (curly) syntax, when using array values in double quotes http://php.net/manual/en/language.types.string.php#language.types.string.parsing.complex – Sean Dec 06 '17 at 01:49
  • **WARNING**: This has some severe [SQL injection bugs](http://bobby-tables.com/) because user data is used inside the query. Whenever possible use **prepared statements**. These are quite straightforward to do in [`mysqli`](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and [PDO](http://php.net/manual/en/pdo.prepared-statements.php) where any user-supplied data is specified with a `?` or `:name` indicator that’s later populated using `bind_param` or `execute` depending on which one you’re using. **NEVER** put `$_POST`, `$_GET` or any user data directly in your query. – tadman Dec 06 '17 at 02:12

1 Answer

-2

As stated already, you can access the values inside the array this way:

"values({$arr['key']})"

Also, are you properly escaping all input before inserting it? How are you executing that query?

Using SQL APIs would be the proper way to do this (and way safer). Take a look at this page in the PHP manual: http://php.net/manual/en/mysqlinfo.api.choosing.php; it should help you understand the proper way to manage interactions with your databases.

  • to your 1st point, the php docs offer how to access arrays inside double quotes http://php.net/manual/en/language.types.string.php#language.types.string.parsing.complex – Sean Dec 06 '17 at 01:52
  • Yeah I just saw your comment on that, honestly I was unaware of this feature until now :p – Antonio Hernández Dec 06 '17 at 01:53
  • Are you talking about escaping as in Sanitizing? Similar to this: mysqli_real_escape_string? – bldb Dec 06 '17 at 01:54
  • Yes, you should sanitize all input before it even touches your DB, otherwise you are exposing yourself to SQL injections like " 'admin' or '1'='1' " and such dangerous stuff that will break your site up. Take a look at how prepared statements and their parameterized values work. – Antonio Hernández Dec 06 '17 at 01:56
  • 1
    @AntonioHernández Prepared statements and placeholder (parameterized) values are the answer here. What you've done is weaponize otherwise non-functional code. – tadman Dec 06 '17 at 02:12
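The two points raised in this thread (the curly-syntax parse error in the question, and the prepared-statement advice in the answer and comments) side by side, as an added example that is not code from the asker, the answerer or the commenters. It assumes the `enrollment` table has columns `family`, `uid` and `course` (the question does not name them), and that a `mysqli` connection `$conn` or a `PDO` connection `$pdo` already exists; the hostile `$course` value is a constructed sample built from the `' or '1'='1` fragment quoted above.

```php
<?php
// Added example, not from the original post. Column names family/uid/course
// and the $conn / $pdo connection objects are assumptions.
declare(strict_types=1);

// 1. What the asker's line needs to parse: array offsets inside a
//    double-quoted string use the complex (curly) syntax {$arr['key']}.
//    This only fixes the SYNTAX. The values are still spliced into the
//    SQL text, so the statement remains injectable.
function buildUnsafeInsert(array $srow, string $course): string
{
    return "INSERT INTO enrollment (family, uid, course) "
         . "VALUES ('{$srow['family']}', '{$srow['uid']}', '$course')";
}

// 2. The fix with mysqli: a prepared statement with ? placeholders.
//    The SQL text is sent to the server separately from the values,
//    so a value can never be interpreted as part of the statement.
function insertEnrollment(mysqli $conn, array $srow, string $course): bool
{
    $stmt = $conn->prepare(
        'INSERT INTO enrollment (family, uid, course) VALUES (?, ?, ?)'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $conn->error);
    }
    // "sss" = three string parameters; use "i" for integer columns.
    $stmt->bind_param('sss', $srow['family'], $srow['uid'], $course);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// 3. The same insert with PDO and named :placeholders.
function insertEnrollmentPdo(PDO $pdo, array $srow, string $course): bool
{
    $stmt = $pdo->prepare(
        'INSERT INTO enrollment (family, uid, course)
         VALUES (:family, :uid, :course)'
    );
    return $stmt->execute([
        ':family' => $srow['family'],
        ':uid'    => $srow['uid'],
        ':course' => $course,
    ]);
}

// Constructed sample input: a course name carrying the fragment quoted in
// the comments. No database is needed to see the difference.
$srow   = ['family' => 'Smith', 'uid' => '42'];
$course = "CS101' or '1'='1";

echo buildUnsafeInsert($srow, $course), PHP_EOL;
// The printed statement now has the quote closed early and a second
// condition appended: the data has become SQL. insertEnrollment() and
// insertEnrollmentPdo() would instead store that exact string as the
// course name, because placeholders are never parsed as SQL.
```

`mysqli_real_escape_string`, mentioned in the comments, only escapes quote characters inside a value and must be applied correctly to every value on every query; a placeholder removes that per-value discipline entirely, which is why both the answer and the comments point at prepared statements rather than escaping.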