chaddsuk Posted February 22, 2008

Hey guys, I'm having trouble inserting data into my DB, I get the following error....

Parse error: syntax error, unexpected '=' in /home/phphost/public_html/insert.php on line 15

My insert php code is below

    <?
    $username="phphost_chadds";
    $password="rotherham";
    $database="phphost_djdb";

    $field1-name = $_POST['name'];
    $field2-name = $_POST['email'];
    $field3-name = $_POST['comments'];
    $field4-name = $_POST['songs'];
    $field5-name = $_POST['artists'];

    mysql_connect(localhost,$username,$password);
    @mysql_select_db($database) or die( "Unable to select database");

    $query = "INSERT INTO dj VALUES ('','$field1-name','$field2-name','$field3-name','$field4-name','$field5-name')";
    mysql_query($query);
    mysql_close();
    ?>

Anyone any idea what the problem might be?

cheers chris

uniflare Posted February 22, 2008

Hmm, no one seems to care about sql injection nowadays, I could hack that script in a second flat and destroy your entire database.

First of all:

    $field1-name = $_POST['name'];
    $field2-name = $_POST['email'];
    $field3-name = $_POST['comments'];
    $field4-name = $_POST['songs'];
    $field5-name = $_POST['artists'];

should be:

    $field1-name = mysql_escape_string($_POST['name']);
    $field2-name = mysql_escape_string($_POST['email']);
    $field3-name = mysql_escape_string($_POST['comments']);
    $field4-name = mysql_escape_string($_POST['songs']);
    $field5-name = mysql_escape_string($_POST['artists']);

------------

Second, what is the exact query being passed to mysql_query? Add an "or die()" event to the mysql_query like so:

    mysql_connect(localhost,$username,$password);
    @mysql_select_db($database) or die( "Unable to select database");

    $query = "INSERT INTO dj VALUES ('','$field1-name','$field2-name','$field3-name','$field4-name','$field5-name')";
    mysql_query($query) or die("Query Failed: ".$query."<br>".mysql_error());
    mysql_close();
    ?>

thanks,

cooldude832 Posted February 22, 2008

Before you start riding the high and mighty horse, uniflare, you cannot do what you said in that order. mysql_real_escape_string will only function after a mysql connection(s) exist on that document. Otherwise it doesn't know what a valid escape string is as it doesn't know your version of mysql.

Secondly this is an insert query and there is no "I can destroy your database cause I'm amazing" to it. Yes you could import unwanted data potentially disturbing flow, but as for utter chaos you're way off the map.

As for the problem at hand, write it a bit neater, show what line 15 is exactly, and all queries should be in the form

    <?php
    $q = "Select this from that";
    $r = mysql_query($q) or die(mysql_error()."<br /><br />".$q);
    ?>

for debugging purposes

uniflare Posted February 22, 2008

Firstly, I have no horse, secondly I'm not that amazing (but thanks for thinking so). Dunno how that reply came out, I would say sorry but tbh I was trying to help.

> Secondly this is an insert query and there is no "I can destroy your database cause i'm amazing" to it. Yes you could import unwanted data potentially disturbing flow, but as for utter chaos your way off the map.

I was talking in general..... just so you know.

------------

Anyway, to help the geezer out: try this bud

    <?php
    $username="phphost_chadds";
    $password="rotherham";
    $database="phphost_djdb";

    // initiate connection first
    mysql_connect(localhost,$username,$password);
    @mysql_select_db($database) or die( "Unable to select database");

    $field1-name = mysql_escape_string($_POST['name']);
    $field2-name = mysql_escape_string($_POST['email']);
    $field3-name = mysql_escape_string($_POST['comments']);
    $field4-name = mysql_escape_string($_POST['songs']);
    $field5-name = mysql_escape_string($_POST['artists']);

    $query = "INSERT INTO dj VALUES ('','$field1-name','$field2-name','$field3-name','$field4-name','$field5-name')";
    mysql_query($query) or die("ERROR IN QUERY: ".$query."<br>".mysql_error());
    mysql_close();
    ?>

chaddsuk, sorry but I've told so many people about sql injection.... should be a sticky or summint, I dunno, maybe these php books nowadays are gettin more relaxed. Look around for php security.

hope this helps,

PFMaBiSmAd Posted February 22, 2008

As to the original subject of this thread. The posted code is not the actual code, because the line number of the error is not the same.

The problem is php variable names cannot contain a dash/minus sign (-). Change the variable names to something permitted by php.
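
Added example, not from any poster in this thread: the thread's INSERT built by string interpolation next to a PDO prepared statement, with variable names PHP accepts. The table layout and input values are constructed, and an in-memory SQLite database (assumes the pdo_sqlite extension) stands in for MySQL; the same prepare/execute calls work with a mysql: DSN.

```php
<?php
// Added example. Table layout and inputs are constructed; in-memory SQLite stands in for MySQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE dj (id INTEGER PRIMARY KEY AUTOINCREMENT,
            name TEXT, email TEXT, comments TEXT, songs TEXT, artists TEXT)');

// The thread's pattern: form values pasted into the SQL text.
function insert_interpolated(PDO $pdo, array $post): void {
    $pdo->exec("INSERT INTO dj (name, email, comments, songs, artists) VALUES ('"
        . implode("','", $post) . "')");
}

// Prepared statement: the SQL text is fixed and the values are bound separately.
function insert_prepared(PDO $pdo, array $post): void {
    $stmt = $pdo->prepare('INSERT INTO dj (name, email, comments, songs, artists)
                           VALUES (:name, :email, :comments, :songs, :artists)');
    $stmt->execute($post);
}

function row_count(PDO $pdo): int {
    return (int) $pdo->query('SELECT COUNT(*) FROM dj')->fetchColumn();
}

// Constructed stand-ins for $_POST. Names use underscores: PHP reads
// $field1-name as "$field1 minus name", which cannot be assigned to.
$with_apostrophe = ['name' => "Pat O'Brien", 'email' => 'pat@example.test',
                    'comments' => 'hi', 'songs' => 'one', 'artists' => 'two'];
$with_sql_syntax = ['name' => 'x', 'email' => 'x@example.test', 'comments' => '',
                    'songs' => '', 'artists' => "a'),('extra','','','','row"];

try {
    insert_interpolated($pdo, $with_apostrophe);   // the quote ends the string early
} catch (PDOException $e) {
    echo "interpolated, apostrophe: ", $e->getMessage(), "\n";
}
insert_interpolated($pdo, $with_sql_syntax);       // the value becomes part of the statement
echo "interpolated, SQL in a field: ", row_count($pdo), " rows from one submission\n";

$pdo->exec('DELETE FROM dj');
insert_prepared($pdo, $with_apostrophe);
insert_prepared($pdo, $with_sql_syntax);
echo "prepared: ", row_count($pdo), " rows from two submissions\n";
foreach ($pdo->query('SELECT name, artists FROM dj') as $row) {
    echo "  stored verbatim: {$row['name']} / {$row['artists']}\n";
}
```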

uniflare Posted February 22, 2008

<-- doofus didn't read topic properly, oh well my post kinda applies still