• 0

[PHP] Parse error


Question

Hi, I'm quite new to PHP and I'm trying to make a registration page for a site: the user fills in an HTML form, this is sent to $_POST, and a PHP page is used to put the user's details into a database table.

However, I'm getting this error: Parse error: syntax error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_STRING

on this line of code:

$sql = "insert into users (username, password, firstname, surname, email, userlevel) values ($_POST['username'], $_POST['password'], $_POST['firstname'], $_POST['surname'], $_POST['email'], 'user')";

I've had a look for solutions and most seem to be things like a missing " at the end, but I've looked over the code and can't see anything missing.

Thanks for any help

Phil.


19 answers to this question

  • 0

Are the fields correct? Are these fields in the db?

Yup, I ran a select * from users; query. It's just a simple SQL query page I have; it shows the fields as an HTML table and the columns are there with the correct names, so it should be able to put the data in.


  • 0

I just don't see anything wrong in that line.

Other than the 5 unchecked user inputs being used directly in a query, right?!

To use an array like you are doing you need to wrap the variable (+ key) in { }, e.g.:

$str = "User: {$_POST['user']}";

But that still leaves you with the SQL injections, so read this page and you'll see why what you're doing is baaaaad.


  • 0

Would you need this:

$sql = "insert into users (username, password, firstname, surname, email, userlevel) values (`$_POST['username']`, `$_POST['password']`, `$_POST['firstname']`, `$_POST['surname']`, `$_POST['email']`, 'user')";

Stored procedure would be the better way to go I think...


  • 0

Tried your code Antaris, didn't work, exactly the same error.

And Mike,

I may sound a bit stupid here, but why does it need to go into {}?

I got the basis for this code from the w3c website, so I don't see why it doesn't work as it is.

If you were referring specifically to the 'user' input, that's something I don't want the user to set themselves (therefore it wouldn't be in $_POST); it's basically a default value that can be changed later to admin by other admins to give that user extra functionality.


  • 0

Oh, what about:

$sql = "insert into users (username, password, firstname, surname, email, userlevel) values (`$_POST[username]`, `$_POST[password]`, `$_POST[firstname]`, `$_POST[surname]`, `$_POST[email]`, 'user')";


  • 0

I may sound a bit stupid here, but why does it need to go into {}?

I got the basis for this code from the w3c website, so I don't see why it doesn't work as it is.

If you were referring specifically to the 'user' input, that's something I don't want the user to set themselves (therefore it wouldn't be in $_POST); it's basically a default value that can be changed later to admin by other admins to give that user extra functionality.

The user input was just an example. They all need to go in { } because it tells PHP where the variable names are exactly. You could also do what Antaris suggested (removing the single quotes for the array index). You will still need to sort the SQL injections though :p


  • 0

function cleanString($string){
    // Return the escaped/encoded value; the original discarded it and returned the raw input.
    return htmlentities(mysql_real_escape_string($string));
}

I am pretty new to PHP but that is the function I use to clean all data before it is inserted into a DB.

Highly recommend you do the same.


  • 0

Oh, what about:

$sql = "insert into users (username, password, firstname, surname, email, userlevel) values (`$_POST[username]`, `$_POST[password]`, `$_POST[firstname]`, `$_POST[surname]`, `$_POST[email]`, 'user')";

The backticks are going to break it; backticks are for identifying your database/table/field names and preventing conflicts with MySQL reserved words. Single quotes are for your values.


  • 0

The user input was just an example. They all need to go in { } because it tells PHP where the variable names are exactly. You could also do what Antaris suggested (removing the single quotes for the array index). You will still need to sort the SQL injections though :p

To be honest, outside of ORM technologies (which generally generate the safe sql behind the scenes), I don't use insert statements directly at all. All goes through Stored Procedures.


  • 0

function cleanString($string){
    // Return the escaped/encoded value; the original discarded it and returned the raw input.
    return htmlentities(mysql_real_escape_string($string));
}

I am pretty new to PHP but that is the function I use to clean all data before it is inserted into a DB.

Highly recommend you do the same.

htmlentities is something you should be running on data after you retrieve it from the database, not when you are storing it. It cleans the data for presentation, not storage.

Stripping tags, however, is an example of further cleaning you might do before storing it in the database.


  • 0

Oh, what about:

$sql = "insert into users (username, password, firstname, surname, email, userlevel) values (`$_POST[username]`, `$_POST[password]`, `$_POST[firstname]`, `$_POST[surname]`, `$_POST[email]`, 'user')";

OK, that fixed the parse error, thanks.

Though I'm still having problems; it doesn't actually seem to be putting the data into the database... looks like this is going to be a long day of debugging.


  • 0

Kudos already pointed out the answer:

$sql = "insert into users (username, password, firstname, surname, email, userlevel) values ('{$_POST['username']}', '{$_POST['password']}', '{$_POST['firstname']}', '{$_POST['surname']}', '{$_POST['email']}', 'user')";

Also, you're not escaping your data. Assuming you have a database connection established the absolute laziest option is to put this line before the above:

$_POST = array_map('mysql_real_escape_string', $_POST); // array_map returns a new array, so assign it back


  • 0

Okay, here is a definitive query string for you. You are not going to get any more semantically correct than this (unless somebody just really wants to show me off and spaces things differently).

$sql = "INSERT INTO `users` (`username`, `password`, `firstname`, `surname`, `email`, `userlevel`) VALUES ('" . mysql_real_escape_string($_POST['username']) . "', '" . mysql_real_escape_string($_POST['password']) . "', '" . mysql_real_escape_string($_POST['firstname']) . "', '" . mysql_real_escape_string($_POST['surname']) . "', '" . mysql_real_escape_string($_POST['email']) . "', 'user');";

If that still does not work, run this code and see what it says.

echo mysql_errno() . ': ' . mysql_error();

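The escaping approach above works only if every value is wrapped in mysql_real_escape_string and quoted correctly. The safer pattern, which several replies allude to, is a prepared statement, where the SQL text is fixed and the values travel separately. The following is an added example, not code from anyone in this thread; it assumes a PDO connection to a MySQL database holding the thread's `users` table, with placeholder credentials, and it also hashes the password rather than storing it as typed.

```php
<?php
// Added example: the thread's INSERT built two ways.

// 1. String interpolation with the parse error fixed by wrapping the array accesses
//    in {} and quoting the values. It parses, but the values are pasted straight into
//    the SQL, so any quote character in the form input changes the query itself.
function buildInterpolatedInsert(array $post): string
{
    return "INSERT INTO users (username, password, firstname, surname, email, userlevel)"
         . " VALUES ('{$post['username']}', '{$post['password']}', '{$post['firstname']}',"
         . " '{$post['surname']}', '{$post['email']}', 'user')";
}

// 2. Prepared statement: the SQL structure is sent once, the values are bound to named
//    placeholders, so no escaping logic is needed and input cannot alter the query.
function insertUser(PDO $pdo, array $post): bool
{
    foreach (['username', 'password', 'firstname', 'surname', 'email'] as $field) {
        if (!isset($post[$field]) || $post[$field] === '') {
            throw new InvalidArgumentException("Missing form field: $field");
        }
    }
    $stmt = $pdo->prepare(
        'INSERT INTO users (username, password, firstname, surname, email, userlevel)'
        . ' VALUES (:username, :password, :firstname, :surname, :email, :userlevel)'
    );
    return $stmt->execute([
        ':username'  => $post['username'],
        // Store a password hash instead of the plaintext the thread's query inserts.
        ':password'  => password_hash($post['password'], PASSWORD_DEFAULT),
        ':firstname' => $post['firstname'],
        ':surname'   => $post['surname'],
        ':email'     => $post['email'],
        ':userlevel' => 'user', // default role, set server-side as the OP intended
    ]);
}

// Constructed sample input: a surname with an apostrophe is a perfectly normal name,
// and it is enough to break the interpolated query (the O' ends the string literal).
$sample = ['username' => 'phil', 'password' => 'hunter2', 'firstname' => 'Phil',
           'surname' => "O'Brien", 'email' => 'phil@example.com'];
echo buildInterpolatedInsert($sample), PHP_EOL;

// Placeholder DSN and credentials; replace with your own.
$pdo = new PDO('mysql:host=localhost;dbname=site;charset=utf8mb4', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);
insertUser($pdo, $sample); // the same O'Brien row is inserted without any escaping code
```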

  • 0

The backticks are going to break it, backticks are for identifying your database/table/fieldnames and preventing conflicts with MySQL reserved words. Single quotes are for your values.

I'll get used to the MySQL syntax at some point; got a MySQL project coming up, so I'll get to spend some time on it then. Cheers for the insight :)


  • 0

Thanks all for your help.

Yeah, the single quotes did the trick. I got rid of the other errors I was getting as well, so all working fine now.

Phil.
