i am getting this ( T_CONSTANT_ENCAPSED_STRING ) syntax error in php

Question

I am getting this error

(syntax error, unexpected '","' (T_CONSTANT_ENCAPSED_STRING), expecting ',' or ')' in C:\xampp\htdocs\offline Storage\online form.php on line 14)

My code is...

<?php

if(isset($_POST['first'],$_POST['last'],$_POST['email'],$_POST['fdback']))
{
    $conn=mysql_connect("localhost","root","root@localhost");

    mysql_select_db("feedback");
    $fname=$_POST['first'];
    $lname=$_POST['last'];
    $eml=$_POST['email'];
    $fdb=$_POST['fdback'];

    $result=mysql_query("insert into data values(".$fname",".$lname",".$eml",".$fdb")");

    if($result)
    {
        echo "Data Inserted";
    }
    else
    {
        echo "Error"
    }
};

?>

Also missing semicolon after `echo "Error"`. The missing dots mentioned are like `$fname . "," . $lname . ","...` but much more importantly, the `mysql_*()` functions were removed from new PHP versions 2 years ago and this code is vulnerable to SQL injection. Using `prepare()/bindParam()/execute()` in PDO would have avoided the syntax problem while also producing safe code. See [How can I prevent SQL injection in php](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) — Michael Berkowski, Feb 04 '18 at 14:12

score 0 · Answer 1 · answered Feb 04 '18 at 14:11

You missed the dot after the vars for concat

$result=mysql_query("insert into data values(".$fname. ",".$lname. ",".$eml. ",".$fdb. ")");

But you should not use php var in sql code .. you are at risk for sqlinjection .. you should take a look at your mysql driver for binding param

i am getting this ( T_CONSTANT_ENCAPSED_STRING ) syntax error in php

1 Answers1