Adam Brave Posted April 23, 2013 (edited)

I have a form defined by the following code:

    <form name="input" action="insert.php" method="get">
    <input type="text" name="meeting"><input type="Submit" value="Gravar">
    </form>

And in another file (insert.php) I want to insert into the database the information that the user entered on the form, with the following code:

    <?php session_start(); ?>
    <html><body>
    <?php
    $link = mysqli_connect('localhost', 'root');
    if (!$link) {
        die('Nao foi possivel conectar: ' . mysqli_error());
    } else {
        echo 'Conexao bem sucedida';
        echo "<br />";
    }
    mysqli_select_db("databasexpto", $link);
    $appoint = mysqli_query("INSERT INTO appointments (`what`, `owner`) VALUES('$_POST['meeting']','$_SESSION['userID']')");
    if (!mysqli_query($link,$sql)) {
        die('Error: ' . mysqli_error());
    } else {
        echo "1 record added";
    }
    mysqli_close($link);
    ?>
    </body></html>

When I execute the code I receive the following error:

    Parse error: syntax error, unexpected '' (T_ENCAPSED_AND_WHITESPACE), expecting identifier (T_STRING) or variable (T_VARIABLE) or number (T_NUM_STRING) in C:\Program Files\EasyPHP-12.1\www\files\insert.php on line 21

Can someone help me?

Edited April 23, 2013 by Adam Brave
justsomeguy Posted April 23, 2013

Your query is vulnerable to SQL injection attacks. If you're using mysqli then you should be using parameterized queries to solve that problem and also make sure your data gets inserted correctly. That query would fail if the value in the form has a single quote in it, for example.

http://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php

As far as generally putting variables like arrays into strings, check the Complex Syntax notes here:

http://www.php.net/manual/en/language.types.string.php#language.types.string.parsing
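As an added example (not the original poster's code nor the reply's), here is the insert.php query rewritten as a mysqli prepared statement, which both removes the injection problem and avoids the quoting parse error. It assumes the form is submitted with method="post" (the original form used method="get"), that `owner` is an integer column, that `$_SESSION['userID']` was set by a login step elsewhere, and uses placeholder database credentials.

```php
<?php
// Added example: insert.php using a mysqli prepared statement.
// Assumptions: form method="post", `owner` is an integer column,
// $_SESSION['userID'] is set by an earlier login step, credentials are placeholders.
session_start();

$link = mysqli_connect('localhost', 'DB_USER_PLACEHOLDER', 'DB_PASSWORD_PLACEHOLDER', 'databasexpto');
if (!$link) {
    die('Could not connect: ' . mysqli_connect_error());
}

// Refuse the request if the expected input or session value is missing.
if (!isset($_POST['meeting'], $_SESSION['userID'])) {
    http_response_code(400);
    die('Missing form field or session.');
}

// The SQL text contains only placeholders; no user data is ever spliced into it,
// so there is nothing to quote and nothing an attacker-controlled quote can break.
$stmt = mysqli_prepare($link, 'INSERT INTO appointments (`what`, `owner`) VALUES (?, ?)');
if (!$stmt) {
    die('Prepare failed: ' . mysqli_error($link));
}

$meeting = $_POST['meeting'];
$owner   = (int) $_SESSION['userID'];

// Type string "si": first parameter is a string, second an integer.
// Values are sent to the server separately from the statement text.
mysqli_stmt_bind_param($stmt, 'si', $meeting, $owner);

if (mysqli_stmt_execute($stmt)) {
    echo '1 record added';
} else {
    die('Error: ' . mysqli_stmt_error($stmt));
}

mysqli_stmt_close($stmt);
mysqli_close($link);
```

A value such as O'Brien in the meeting field is stored verbatim with this version, whereas the original string-built query would have produced a MySQL syntax error or worse.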