Adam Brave, Posted April 23, 2013 (edited)

I have a form defined by the following code:

    <form name="input" action="insert.php" method="get">
        <input type="text" name="meeting"><input type="Submit" value="Gravar">
    </form>

And, in another file (insert.php), I want to insert into the database the information that the user entered into the form with the following code:

    <?php session_start(); ?>
    <html><body>
    <?php
    $link = mysqli_connect('localhost', 'root');
    if (!$link) {
        die('Nao foi possivel conectar: ' . mysqli_error());
    } else {
        echo 'Conexao bem sucedida';
        echo "<br />";
    }
    mysqli_select_db("databasexpto", $link);
    $appoint = mysqli_query("INSERT INTO appointments (`what`, `owner`) VALUES('$_POST['meeting']','$_SESSION['userID']')");
    if (!mysqli_query($link,$sql)) {
        die('Error: ' . mysqli_error());
    } else {
        echo "1 record added";
    }
    mysqli_close($link);
    ?>
    </body></html>

When I execute the code I receive the following error:

    Parse error: syntax error, unexpected '' (T_ENCAPSED_AND_WHITESPACE), expecting identifier (T_STRING) or variable (T_VARIABLE) or number (T_NUM_STRING) in C:\Program Files\EasyPHP-12.1\www\files\insert.php on line 21

Can someone help me?

Edited April 23, 2013 by Adam Brave
justsomeguy, Posted April 23, 2013

Your query is vulnerable to SQL injection attacks. If you're using mysqli, then you should be using parameterized queries to solve that problem and also to make sure your data gets inserted correctly. That query would fail if the value in the form has a single quote in it, for example.

http://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php

As far as generally putting variables like arrays into strings, check the Complex Syntax notes here: http://www.php.net/manual/en/language.types.string.php#language.types.string.parsing
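As an added illustration of the answer above (this is example code, not code posted by either participant), here is insert.php rewritten with a mysqli prepared statement. It keeps the table and column names from the question (appointments, what, owner) and the database name databasexpto, and assumes three things not confirmed by the thread: that the form is submitted with method="post" (the posted form uses method="get", which would leave $_POST['meeting'] unset), that $_SESSION['userID'] holds an integer set at login, and that a dedicated database account exists (the credentials below are placeholders).

```php
<?php
// Added example, not from the original thread: the same INSERT done with a
// mysqli prepared statement, as the answer recommends.
// Assumptions: the form is submitted with method="post", $_SESSION['userID']
// is an integer set at login, and appointments(what, owner) exists in databasexpto.
session_start();

// Turn mysqli failures into exceptions so nothing fails silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Placeholder credentials: use a least-privileged account created for this
// application, not root.
$link = new mysqli('localhost', 'DB_USER_PLACEHOLDER', 'DB_PASSWORD_PLACEHOLDER', 'databasexpto');
$link->set_charset('utf8mb4');

// Refuse the request outright if the form field or the login session is missing.
if (!isset($_POST['meeting'], $_SESSION['userID'])) {
    http_response_code(400);
    exit('Missing form field or session');
}

$meeting = trim($_POST['meeting']);
if ($meeting === '' || mb_strlen($meeting) > 255) {
    http_response_code(400);
    exit('Invalid meeting value');
}
$ownerId = (int) $_SESSION['userID'];

// The SQL text contains only placeholders. The user's value travels to the
// server separately, so a single quote (or anything else) in it is data and
// can never change the statement. This also removes the string interpolation
// that produced the parse error in the question.
$stmt = $link->prepare('INSERT INTO appointments (`what`, `owner`) VALUES (?, ?)');
$stmt->bind_param('si', $meeting, $ownerId);
$stmt->execute();

echo $stmt->affected_rows . ' record added';

$stmt->close();
$link->close();
```

With MYSQLI_REPORT_STRICT enabled, a failed connection or statement throws a mysqli_sql_exception, so the die()/mysqli_error() checks from the original are no longer needed; in production that exception should be caught and logged server-side rather than echoed to the browser, since the raw message can reveal table and column names.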