
[SOLVED] What is wrong with this line of code?


Potatis


This is killing me. I am trying to submit info to the database via a form.

 

The error message is:

 

Parse error: syntax error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_STRING in /home/..(etc) on line 12

 

This is the code it is giving me grief about:

 

// Insert a row of information into the table "games"
mysql_query("INSERT INTO games 
(username, email, round, game1, game2, game3, game4, game5, game6, game7, game8) VALUES('$_POST['username']', '$_POST['email']', '$_POST['round']', '$_POST['game1']', '$_POST['game2']', '$_POST['game3']', '$_POST['game4']', '$_POST['game5']', '$_POST['game6']', '$_POST['game7']', '$_POST['game8']') ") 
or die(mysql_error());    

echo "Data Inserted!";

 

What am I missing?

Thanks, this is the whole page (not much more) with database info removed.

 

<?php
$con = mysql_connect("***", "***", "***");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }
  
  mysql_select_db("***db", $con);
  
// Insert a row of information into the table "games"
mysql_query("INSERT INTO games 
(username, email, round, game1, game2, game3, game4, game5, game6, game7, game8) VALUES('$_POST['username']', '$_POST['email']', '$_POST['round']', '$_POST['game1']', '$_POST['game2']', '$_POST['game3']', '$_POST['game4']', '$_POST['game5']', '$_POST['game6']', '$_POST['game7']', '$_POST['game8']') ")
or die(mysql_error());    

echo "Data Inserted!";

mysql_close($con)
?>

You can't have single quoted strings inside single quotes:

<?php
mysql_query("INSERT INTO games 
(username, email, round, game1, game2, game3, game4, game5, game6, game7, game8) VALUES('$_POST['username']', '$_POST['email']', '$_POST['round']', '$_POST['game1']', '$_POST['game2']', '$_POST['game3']', '$_POST['game4']', '$_POST['game5']', '$_POST['game6']', '$_POST['game7']', '$_POST['game8']') ") 
or die(mysql_error()); 
?>

Change it to:

<?php
mysql_query("INSERT INTO games 
(username, email, round, game1, game2, game3, game4, game5, game6, game7, game8) VALUES('{$_POST['username']}', '{$_POST['email']}', '{$_POST['round']}', '{$_POST['game1']}', '{$_POST['game2']}', '{$_POST['game3']}', '{$_POST['game4']}', '{$_POST['game5']}', '{$_POST['game6']}', '{$_POST['game7']}', '{$_POST['game8']}') ") 
or die(mysql_error()); 
?>

 

You realize that inserting POSTed values directly into a database without some sanitizing is inviting trouble?

 

Here's what I would do:

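<?php
// Fixed list of form fields; each one maps to a column in "games"
$flds = array('username', 'email', 'round', 'game1', 'game2', 'game3', 'game4', 'game5', 'game6', 'game7', 'game8');
$qtmp = array();
// Build "column = 'value'" pairs, escaping every POSTed value before it reaches the query
foreach ($flds as $fld)
     $qtmp[] = $fld . " = '" . mysql_real_escape_string($_POST[$fld]) . "'";
// INSERT ... SET form of the statement
$q = "insert into games set " . implode(', ',$qtmp);
$rs = mysql_query($q) or die("Problem with the query: $q <br />" . mysql_error());
?>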

 

Note: this uses the alternate form of "Insert".

 

Ken

 

 

mysql_query("INSERT INTO games

(username, email, round, game1, game2, game3, game4, game5, game6, game7, game8)

VALUES('{$_POST['username']}', '{$_POST['email']}', '{$_POST['round']}', '{$_POST['game1']}', '{$_POST['game2']}', '{$_POST['game3']}', '{$_POST['game4']}', '{$_POST['game5']}', '{$_POST['game6']}', '{$_POST['game7']}', '{$_POST['game8']}') ")

or die(mysql_error());   

 

By the way, you might want to verify/validate the input. That's just a giant, gaping "please, feel free to SQL Inject me!" hole.

 

and as usual, I post it 2 tenths of a second too slow :)

Thanks so much Ken, your solution worked perfectly.

 

I didn't realise there was a problem with the way I was submitting the data, I was following a web tutorial. I want to learn more about the way you did it, I will devote time today to learn and understand the way your code works.

 

Thanks again, my form works fine now. :)


Thanks so much, lol, I will study more about that security issue. As I said in my last reply, I was following a web tutorial, which apparently is a very bad one! :)
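
The verify/validate advice from the replies above, as an added example that is not part of the original thread: the same INSERT written with a prepared statement, so the POSTed values are bound as data instead of being pasted into the SQL text. Assumptions: PDO with an in-memory SQLite database stands in for the MySQL server so the script runs offline, and insertGame() is a hypothetical helper name.

```php
<?php
// Added example: validated, parameterized version of the thread's INSERT.
// Assumption: in-memory SQLite via PDO replaces the thread's MySQL connection.

const FIELDS = ['username', 'email', 'round', 'game1', 'game2', 'game3',
                'game4', 'game5', 'game6', 'game7', 'game8'];

function insertGame(PDO $db, array $post): void   // hypothetical helper
{
    $row = [];
    foreach (FIELDS as $f) {
        // A field can be absent, or arrive as an array (username[]=x); reject both.
        if (!isset($post[$f]) || !is_string($post[$f])) {
            throw new InvalidArgumentException("missing or malformed field: $f");
        }
        $row[$f] = trim($post[$f]);
    }
    // Validate by expected type before anything reaches the database.
    if (filter_var($row['email'], FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid email');
    }
    if (!ctype_digit($row['round'])) {
        throw new InvalidArgumentException('round must be a whole number');
    }
    // Column names come only from the fixed FIELDS list; values go in as
    // bound parameters (:username, :email, ...), never by interpolation.
    $sql = 'INSERT INTO games (' . implode(', ', FIELDS) . ') VALUES (:'
         . implode(', :', FIELDS) . ')';
    $db->prepare($sql)->execute($row);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE games (' . implode(' TEXT, ', FIELDS) . ' TEXT)');

// Constructed form input: the username contains a quote and SQL-looking text,
// the kind of value that changes the statement when interpolated directly.
$post = array_fill_keys(FIELDS, '1');
$post['username'] = "O'Brien'); --";
$post['email'] = 'player@example.com';

insertGame($db, $post);

// The value comes back byte for byte, and exactly one row exists.
$stored = $db->query('SELECT username FROM games')->fetchColumn();
var_dump($stored === $post['username']);
var_dump((int) $db->query('SELECT COUNT(*) FROM games')->fetchColumn());
```

Against MySQL only the DSN changes; with the pdo_mysql driver, set PDO::ATTR_EMULATE_PREPARES to false so the server performs the binding.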
