Help - mysql error!

  #1  Registered User, Devshed Newbie (0 - 499 posts). Join Date: Apr 2013. Posts: 3. Rep Power: 0


    I have a form defined by the following code:

    Code:
    <form name="input" action="insert.php" method="get"> <input type="text" name="meeting"> 
    <input type="Submit" value="Gravar"> 
    </form>

    And, in other file (insert.php), I want to insert in the database the information that the user introduced onto the form with the following code:

    Code:
    <?php session_start(); ?> 
    <html> 
    <body> 
    <?php 
    $link = mysql_connect('localhost', 'root'); 
    if (!$link) { 
    die('connection error: ' . mysql_error()); 
    }else{ 
    echo 'Connection established'; 
    echo "<br />"; 
    } 
    
    mysql_select_db("databasexpto", $link); 
    $appoint = mysql_query("INSERT INTO appointments (`what`, `owner`) VALUES('$_POST['meeting']','$_SESSION['userID']')"); 
    
    if (!mysql_query($link,$sql)) { 
    die('Error: ' . mysql_error()); 
    }else{ 
    echo "1 record added"; } 
    mysql_close($link); 
    ?>
    When I execute the code I receive the following error:

    Parse error: syntax error, unexpected '' (T_ENCAPSED_AND_WHITESPACE), expecting identifier (T_STRING) or variable (T_VARIABLE) or number (T_NUM_STRING) in C:\Program Files\EasyPHP-12.1\www\files\insert.php on line 21

    Can someone help me?
  #2  Transforming Moderator, Devshed Supreme Being (6500+ posts). Join Date: Mar 2007. Location: Washington, USA. Posts: 14,112. Rep Power: 9398
    Right now you're using the mysql extension. It is old, unsupported, and simply not as good as alternatives. Try switching to PDO or mysqli. They both offer prepared statements; when you use them you'll find your problems have gone away.

    Problems. There are two.

    Comments on this post

    • NotionCommotion agrees
  #3  Contributing User, Devshed Regular (2000 - 2499 posts). Join Date: Sep 2006. Posts: 2,030. Rep Power: 535
    I completely agree with requinix's recommendation to use PDO. Google "SQL injection". Prepared statements will protect against it, but you still need to know what it is. Also, I like to set a variable to my SQL query so I may print the query for troubleshooting. For your particular case, it will not help because the quotes in your query are messing you up, but normally it is very helpful.
  #4  Registered User, Devshed Newbie (0 - 499 posts). Join Date: Apr 2013. Posts: 3. Rep Power: 0
    I changed to mysqli but the problem remains:

    File insert.php:
    Code:
    <?php session_start(); ?> 
    <html> 
    <body> 
    <?php 
    
    $link = mysqli_connect('localhost', 'root'); 
    if (!$link) { die('Não foi possível conectar: ' . mysqli_error()); }else{ 
    echo 'Conexão bem sucedida'; 
    echo "<br />"; 
    } 
    mysqli_select_db("databasexpto", $link); 
    
    $appoint = mysqli_query("INSERT INTO appointments (`what`, `owner`) VALUES('$_POST['meeting']','$_SESSION['userID']')"); 
    
    if (!mysqli_query($link,$sql)) { 
    die('Error: ' . mysqli_error()); 
    }else{ 
    
    echo "1 record added";
    } 
    
    mysqli_close($link); 
    ?> 
    </body> 
    </html>
    Error message:

    Parse error: syntax error, unexpected '' (T_ENCAPSED_AND_WHITESPACE), expecting identifier (T_STRING) or variable (T_VARIABLE) or number (T_NUM_STRING) in C:\Program Files\EasyPHP-12.1\www\redesocial\insert.php on line 19

    Where line 19 is:

    Code:
    $appoint = mysqli_query("INSERT INTO appointments (`what`, `owner`) VALUES('$_POST['meeting']','$_SESSION['userID']')");
    Help please
  #5  Devshed Expert (3500 - 3999 posts). Join Date: Jul 2012. Posts: 3,959. Rep Power: 1014
    Hi,

    no, doing a simple search and replace for "mysql_" -> "mysqli_" gets you nowhere. You need to understand how MySQLi works and then use it correctly.

    Unfortunately, you've adopted a lot of insecure and bad practices, so you'll need to relearn quite a bit. I'd suggest throwing away the code and starting all over, because there's not really much you could keep. Whatever tutorial or book you've learnt from, throw it away as well.

    Check the "security sins" in my signature, especially the first and the third: Do not insert variables into query strings. Use prepared statements instead, as requinix already said. Do not display MySQL errors using die() or echo, not even during development. And I hope the database 'root' is just for testing?

    To give you a rough impression of how the code might look:
    PHP Code:
    <?php

    session_start();

    // the database connection stuff should be in a separate file

    // configure MySQLi: have it throw exceptions in case of an error
    $mysqli_driver = new mysqli_driver();
    $mysqli_driver->report_mode = MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT;

    // open database connection; TODO: replace 'root'
    $database = new mysqli('localhost', 'root', '', 'databasexpto');

    try {
        // create prepared statement
        $new_appointment_stmt = $database->prepare('
            INSERT INTO
                appointments (what, owner)
            VALUES
                (?, ?)
        ');
        $new_appointment_stmt->bind_param('si', $_POST['meeting'], $_SESSION['userID']);        // what if there is no $_POST or $_SESSION?
        $new_appointment_stmt->execute();
        echo 'added appointment';
    } catch (mysqli_sql_exception $e) {
        echo 'Could not add appointment';
        trigger_error('Query error:' . $e->getMessage(), E_USER_NOTICE);
    }
    This is still far from perfect, but at least it's no longer a gigantic security hole waiting for somebody to exploit it.
    Signature: The 6 worst sins of security | How to (properly) access a MySQL database with PHP

    > Why can't I use certain words like "drop" as part of my Security Question answers?
    > There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
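Pulling the advice in this post together, here is an added example of insert.php (my code, not the poster's or the thread's) that checks the request and the session before binding, uses a prepared statement, and logs errors instead of displaying them. It assumes an appointments(what, owner) table in databasexpto, a login step that set $_SESSION['userID'], and a hypothetical app_user account with a placeholder password in place of root.

```php
<?php
// insert.php reworked (added example, not the thread's own code). Assumes
// table appointments(what VARCHAR(255), owner INT) in 'databasexpto', that
// login stored $_SESSION['userID'], and placeholder credentials to replace.
declare(strict_types=1);
session_start();

// Accept only a POST: the original form used method="get" while insert.php
// read $_POST, so the value would never have arrived.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('Use the form to submit an appointment.');
}
// "What if there is no $_POST or $_SESSION?": validate before binding.
$owner = filter_var($_SESSION['userID'] ?? null, FILTER_VALIDATE_INT);
if ($owner === false) {
    http_response_code(403);
    exit('Please log in first.');
}
$meeting = trim((string) ($_POST['meeting'] ?? ''));
if ($meeting === '' || strlen($meeting) > 255) {
    http_response_code(400);
    exit('Please enter a meeting name of up to 255 characters.');
}

// Report MySQLi failures as exceptions instead of checking return values
// and echoing mysqli_error() to the browser.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

try {
    $db = new mysqli('localhost', 'app_user', 'CHANGE_ME', 'databasexpto');
    $db->set_charset('utf8mb4');

    // Placeholders keep user input out of the SQL text. The parse error in
    // the thread came from "$_POST['meeting']" inside a double-quoted
    // string (PHP needs {$_POST['meeting']} there); with placeholders
    // there is nothing to quote, and the input can no longer alter the
    // statement (no SQL injection).
    $stmt = $db->prepare('INSERT INTO appointments (what, owner) VALUES (?, ?)');
    $stmt->bind_param('si', $meeting, $owner);
    $stmt->execute();
    echo 'Added appointment.';
} catch (mysqli_sql_exception $e) {
    // Log the real error for the developer; show the user a generic message.
    error_log('appointment insert failed: ' . $e->getMessage());
    http_response_code(500);
    echo 'Could not add the appointment.';
}
```

The form from the first post must use method="post" for this script to see $_POST['meeting'].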
  #6  Registered User, Devshed Newbie (0 - 499 posts). Join Date: Apr 2013. Posts: 3. Rep Power: 0
    The database is just for practice, don't worry LOL
    Do you recommend any tutorial online about mysqli?

    Comments on this post

    • requinix disagrees : practice or not doesn't matter. learn to do it right the first time
