-1

I have the following line of PHP which has connections set up and everything. It gives me the following error:

( ! ) Parse error: syntax error, unexpected '' (T_ENCAPSED_AND_WHITESPACE), expecting identifier (T_STRING) or variable (T_VARIABLE) or number (T_NUM_STRING) in C:\UwAmp\www\dxlphin\index.php on line 174

Here's the code:

$sql = "SELECT id, name, price, location FROM products WHERE name LIKE '%'.$_POST['search'].'%'";

Any guidance? This syntax is far too complicated for me, despite my best efforts...

Thanks,

  • It looks like you're doing PHP-type concatenation with `.` inside the SQL string; that won't work. – Don't Panic Oct 18 '18 at 18:57
  • 2
    Your code is open to [SQL injection](https://stackoverflow.com/q/332365/2469308) related attacks. Please learn to use [Prepared Statements](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). – Madhur Bhaiya Oct 18 '18 at 18:58
  • 1
    Using Prepared Statements (parametric queries) will also help you get rid of figuring out which quotes to use ! – Madhur Bhaiya Oct 18 '18 at 18:58
  • and/or https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php – user3783243 Oct 18 '18 at 19:03

3 Answers

2

This is the better option:

$sql = "SELECT id, name, price, location FROM products WHERE name LIKE ?";

Then prepare that statement and bind the value with the wildcards appended ("%$_POST[search]%").


If you're going to put an array with a string key inside a string like that, (which is fine, but not for inserting user data into SQL strings, as others have also pointed out) you need to omit the quotes on the key, unless you have bracketed the variable. That's why you're getting the syntax error. And the concatenation operators (.) aren't necessary because the variable is already in the string.

$string = "some text '$array[key]' and so on";

OR

$string = "some text '{$array['key']}' and so on";

But really, this is not the way to go for SQL regardless, just FYI on how to use strings.

Don't Panic
  • Please put the placeholder version first. The others are completely, dangerously unsafe and should only be discussed from a security perspective. "Fixing" them only creates problems. – tadman Oct 18 '18 at 19:23
  • 1
    @tadman Good point. I decided to make the examples not SQL as well just for good measure. – Don't Panic Oct 18 '18 at 19:26
  • Thanks for that. People usually latch on to the first thing that appears to work, so putting the best code first matters. – tadman Oct 18 '18 at 19:27
1

You are mixing single quotes and double quotes.

$sql = "SELECT id, name, price, location FROM products WHERE name LIKE '%".$_POST['search']."%'";

However, your code is very insecure. As it has been suggested in the comments, you should use Prepared Statements to avoid SQL Injections.

For example, using PDO (http://php.net/manual/en/class.pdo.php):

$pdo = new PDO(<dsn>); // Check the manual to see how to build your dsn
// Named placeholder instead of string concatenation: the driver sends the
// value separately from the SQL text, so it is never parsed as SQL.
$query = $pdo->prepare("SELECT id, name, price, location FROM products WHERE name LIKE :searchTerm");
// The LIKE wildcards belong to the bound value, not to the SQL string.
$query->execute([':searchTerm' => "%" . $_POST['search'] . "%"]);
$rows = $query->fetchAll(PDO::FETCH_ASSOC);
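To make the difference between the two approaches in the answers above concrete, here is an added, self-contained example (not code from the question or from any of the answers). It uses an in-memory SQLite database through PDO, so it runs offline without the questioner's setup; the `products` rows and the search inputs are constructed for the demo, and `unsafeSearch` / `safeSearch` are names chosen here. It also covers a point the answers only hint at: `%` and `_` are LIKE metacharacters, so even with a prepared statement a user-supplied term should be escaped and the query given an `ESCAPE` clause, otherwise a search for `%` still returns the whole table.

```php
<?php
// Added example, not part of the original answers. Compares the
// concatenated LIKE query from the question (quoting fixed, still
// injectable) with a prepared statement that also escapes LIKE wildcards.
declare(strict_types=1);

// In-memory SQLite so the script runs anywhere PDO's sqlite driver exists.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL, location TEXT)');
// Constructed sample rows; one name deliberately contains a literal '%'.
$pdo->exec("INSERT INTO products (name, price, location) VALUES
    ('Dolphin toy', 9.99, 'Aisle 1'),
    ('Dolphin mug', 4.50, 'Aisle 2'),
    ('Shark poster', 12.00, 'Aisle 3'),
    ('100% cotton shirt', 15.00, 'Aisle 4')");

// The question's query with the quoting corrected. The search term is
// pasted into the SQL text, so a quote in the input ends the string
// literal and the rest of the input becomes SQL.
function unsafeSearch(PDO $pdo, string $term): array
{
    $sql = "SELECT id, name, price, location FROM products WHERE name LIKE '%" . $term . "%'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Prepared statement: the term travels as a bound value, never as SQL.
// '%' and '_' are LIKE metacharacters, so they (and the escape character
// itself) are escaped and the statement declares ESCAPE '\'.
function safeSearch(PDO $pdo, string $term): array
{
    $escaped = str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $term);
    $stmt = $pdo->prepare(
        "SELECT id, name, price, location FROM products WHERE name LIKE :term ESCAPE '\\'"
    );
    $stmt->execute([':term' => '%' . $escaped . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed attacker input: closes the quoted pattern and appends an
// always-true condition, i.e. WHERE name LIKE '%' OR '1'='1%'.
$attack = "' OR '1'='1";

printf("unsafe, 'Dolphin'      -> %d rows\n", count(unsafeSearch($pdo, 'Dolphin')));
printf("unsafe, injection      -> %d rows\n", count(unsafeSearch($pdo, $attack)));
printf("safe,   'Dolphin'      -> %d rows\n", count(safeSearch($pdo, 'Dolphin')));
printf("safe,   injection      -> %d rows\n", count(safeSearch($pdo, $attack)));
printf("safe,   '100%% cotton' -> %d rows\n", count(safeSearch($pdo, '100% cotton')));
printf("safe,   '%%'           -> %d rows\n", count(safeSearch($pdo, '%')));
```

Run it with `php` on the command line. On the unsafe path the injected input matches every row, because the resulting `WHERE name LIKE '%' OR ...` is true for the whole table; on the prepared path the same input is matched literally against product names and finds nothing. The last two calls show the wildcard escaping: a term containing a literal `%` matches only the row that actually contains `%`, and a bare `%` no longer dumps the table. Drop the `ESCAPE` handling and a prepared statement alone would still let a user enumerate everything with a single `%`.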
0

You have to end the quotes with whatever you started with before concatenating. So since you started your string with ", you should end it with " before concatenating .$_P.... Your line should be:

$sql = "SELECT id, name, price, location FROM products WHERE name LIKE '%".$_POST['search']."%'";

Note that it's wrong to pass a variable from $_POST directly to the db; you need to avoid SQL injection.

Overcomer
  • It's not just wrong, it's dangerous, so this quick-fix actually creates more problems than it solves. – tadman Oct 18 '18 at 19:24