1

I have this piece of code

<?php


$con = mysql_connect("localhost","root","password");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}

mysql_select_db("tables", $con);
$sql="INSERT INTO customer (Name, Telephone, Email, Address, PostCode, Specialisation )
VALUES
($_POST['firstname'], $_POST['telephone'],$_POST['email'],         $_POST['address'],$_POST['postcode'],$_POST['special'])";

if (!mysql_query($sql,$con))
{
die('Error: ' . mysql_error());
} 
echo "Inserted into Worker database";

mysql_close($con);
?>

I keep getting this error: Parse error: syntax error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_STRING in.

I am not sure what else to do. Please help. Thanks

Ester
  • Can you please tell us which line causes this error? – Intrepidd Apr 03 '12 at 16:50
  • This line--($_POST['firstname'], $_POST['telephone'],$_POST['email'], $_POST['address'],$_POST['postcode'],$_POST['special'])"; – Ester Apr 03 '12 at 16:51
  • I think first you should check out what query you are executing by printing it. Is it the query you wanted? Check it with phpMyAdmin and let me know. – Sumant Apr 03 '12 at 16:55
  • 1
    I hope your username and pass are not actually root and password. I'm just looking at it now – encodes Apr 03 '12 at 16:55
  • $sql = "Insert into customer (Name, Telephone, Email, Address, PostCode, Specialisation) values (" .$_POST['firstname'] . "," . $_POST['telephone'] . ",". $_POST['email'] .",". $_POST['address'] .", ". $_POST['postcode'] ."," .$_POST['special'] .")";# – encodes Apr 03 '12 at 16:56
  • 1
    the above will work, but you need to quote the values also – encodes Apr 03 '12 at 16:56
  • It looks like some syntax error is there, like string values should be within quotes "" – Sumant Apr 03 '12 at 16:57

2 Answers

4

You have several issues.

First, string values you're inserting into the database need single quotes around them.

Second, array variables in strings need to be wrapped in {} (i.e. $string = "Something something {$_POST['variable']}...";) to help the PHP parser figure them out.

Third, this code (once working) is massively vulnerable to hacking via SQL injection. Consider using PDO and prepared statements (as the mysql_* functions are being deprecated), or at the very least run user input through mysql_real_escape_string().

$sql="INSERT INTO customer (Name, Telephone, Email, Address, PostCode, Specialisation) VALUES ('" . mysql_real_escape_string($_POST['firstname']) . "', '" . mysql_real_escape_string($_POST['telephone']) . "', '" . mysql_real_escape_string($_POST['email']) . "', '" . mysql_real_escape_string($_POST['address']) . "', '" . mysql_real_escape_string($_POST['postcode']) . "', '" . mysql_real_escape_string($_POST['special']) . "')";

Fourth, you really shouldn't use the database's root user to connect.

ceejayoz
1

Change your $sql variable to read on one line and to send the proper format to SQL:

$sql="INSERT INTO customer (Name, Telephone, Email, Address, PostCode, Specialisation ) VALUES ({$_POST['firstname']}, {$_POST['telephone']},{$_POST['email']}, {$_POST['address']},{$_POST['postcode']},{$_POST['special']})";

That should correct the PHP error of unexpected T_ENCAPSED_AND_WHITESPACE but you will need more corrections to fix the SQL Injection possibility.

PenguinCoder
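As an added worked example (not code from the question or from either answer), here is the question's INSERT carried through both fixes the answers describe: the {} interpolation that removes the parse error but leaves the query built from raw input, followed by the PDO prepared statement that ceejayoz recommends. The database name "tables" and the customer columns are taken from the question; the app_user credentials, the insertCustomer() function and the sample input are assumptions constructed for the example.

```php
<?php
// Added example, not part of the original question or answers.
// Assumes a MySQL/MariaDB database "tables" with a "customer" table whose columns
// match the question, and a dedicated low-privilege account (placeholder credentials).

// Constructed sample input standing in for the submitted form ($_POST in the question).
$input = [
    'firstname' => "O'Brien",          // the apostrophe alone breaks unquoted/unescaped SQL
    'telephone' => '0123456789',
    'email'     => 'obrien@example.com',
    'address'   => '1 High Street',
    'postcode'  => 'AB1 2CD',
    'special'   => 'Plumbing',
];

// 1. The parse error: $_POST['firstname'] inside a double-quoted string is not valid
//    simple interpolation, so PHP stops with T_ENCAPSED_AND_WHITESPACE. Wrapping the
//    array access in {} and quoting the values fixes the PHP error, but the SQL is still
//    assembled from raw user input: O'Brien makes MySQL reject the statement, and a
//    crafted value could change the statement itself (the SQL injection both answers warn about).
$unsafeSql = "INSERT INTO customer (Name, Telephone) VALUES ('{$input['firstname']}', '{$input['telephone']}')";

// 2. Hardened form: PDO with a prepared statement. The SQL text reaches the server with
//    placeholders only; the values are bound separately and are never parsed as SQL, so
//    quoting and escaping stop being the application's responsibility.
function insertCustomer(PDO $pdo, array $input): int
{
    $sql = 'INSERT INTO customer (Name, Telephone, Email, Address, PostCode, Specialisation)
            VALUES (:name, :telephone, :email, :address, :postcode, :special)';
    $stmt = $pdo->prepare($sql);
    $stmt->execute([
        ':name'      => $input['firstname'] ?? '',
        ':telephone' => $input['telephone'] ?? '',
        ':email'     => $input['email'] ?? '',
        ':address'   => $input['address'] ?? '',
        ':postcode'  => $input['postcode'] ?? '',
        ':special'   => $input['special'] ?? '',
    ]);
    return $stmt->rowCount(); // 1 when the row was inserted
}

try {
    $pdo = new PDO(
        'mysql:host=localhost;dbname=tables;charset=utf8mb4',
        'app_user',       // placeholder: a least-privilege account, not root (answer's fourth point)
        'app_password',   // placeholder
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
        ]
    );
    $rows = insertCustomer($pdo, $input);
    echo "Inserted {$rows} row(s) into customer\n";
} catch (PDOException $e) {
    // Keep driver error detail in the server log; the question's die(mysql_error())
    // would echo table and column names to the browser.
    error_log($e->getMessage());
    echo "Could not save the record\n";
}
```

Run it as a normal PHP script once the placeholder credentials point at a real database; the $unsafeSql string is built only to show the parse-error fix and is deliberately never executed.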