
Full Error: Parse error: syntax error, unexpected '' (T_ENCAPSED_AND_WHITESPACE), expecting identifier (T_STRING) or variable (T_VARIABLE) or number (T_NUM_STRING)

It says that the error is on line 12. Here is what I have there:

```php
$introduction="INSERT INTO Introduction (Title, Description)
VALUES ('$_POST[introtitle]','$_POST['introdescription']')";
```

Any help would be greatly appreciated!

Erman Belegu
user1804933
  • See http://stackoverflow.com/questions/12769982/reference-what-does-this-error-mean-in-php/13935532#13935532 It's the quotes in `$_POST['introdescription']` – Michael Berkowski Jul 25 '13 at 20:45
  • Now onto the more serious issue - this is highly vulnerable to SQL injection. You ought to be using parameterized queries via PDO or MySQLi. [Read over this](http://stackoverflow.com/questions/60174/how-to-prevent-sql-injection-in-php) question and its answers. – Michael Berkowski Jul 25 '13 at 20:45
  • You need to read up on [SQL injection bugs](http://bobby-tables.com/) and how to [properly escape data](http://bobby-tables.com/php) before you write **any** more SQL code. – tadman Jul 25 '13 at 20:48

1 Answer


You have extra single quotes:

```php
$introduction="INSERT INTO Introduction (Title, Description)
VALUES ('$_POST[introtitle]','$_POST[introdescription]')";
```
Fabien TheSolution
  • Any answer with `$_POST` in the query string is hazardously wrong. This is also incorrect because it won't interpolate correctly. – tadman Jul 25 '13 at 20:47
  • @tadman it's not my code... so why do you downvote this? This fixes the error... maybe he doesn't care for SQL injection. – Fabien TheSolution Jul 25 '13 at 20:48
  • A) Your answer is incorrect. B) If you're posting code, it should be valid for a range of inputs, such as values like `My 'Title'`. Saying "someone doesn't care about SQL injection" is absolutely nuts. – tadman Jul 25 '13 at 20:49
  • I'm learning PHP and MySQL at the moment and so I'm starting off with the basics. I will look into the SQL injections once I get this to work! :D – user1804933 Jul 25 '13 at 20:49
  • @tadman A) The answer is correct B) If you do a script for yourself, SQL injection is not relevant. – Fabien TheSolution Jul 25 '13 at 20:50
  • @user1804933 That's good to hear. It's extremely important to do this correctly because if you make a mistake the consequences can be catastrophic. This is how companies like Sony get their user databases "hacked" and could completely ruin your day if someone does this to you. – tadman Jul 25 '13 at 20:50
  • @tadman http://stackoverflow.com/questions/12769982/reference-what-does-this-error-mean-in-php/13935532#13935532 - no quotes are needed if the whole string is between double quotes: "In a double-quoted string, PHP will permit array key strings to be used unquoted, and will not issue an E_NOTICE." – Fabien TheSolution Jul 25 '13 at 20:56
  • @FabienTheSolution Fair enough. In that specific case I stand corrected, but without escaping this is still wrong. – tadman Jul 25 '13 at 20:58
  • Strange that the selected answer got a downvote... Another "SQL Injection" psycho out there... – Fabien TheSolution Oct 22 '14 at 19:19
  • The answer is relatively correct so I will upvote this. – Syntax Error Jan 27 '15 at 12:48
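
The parameterized form the commenters point to, as an added example that is not part of the original thread: the same two fields are inserted through a PDO prepared statement, so a value such as `My 'Title'` is stored as data instead of changing the SQL. The `saveIntroduction` helper, the `id` column and the in-memory SQLite DSN are assumptions made so the script runs stand-alone.

```php
<?php
declare(strict_types=1);
// Assumption: in-memory SQLite stands in for the asker's MySQL server so the
// script runs offline (needs pdo_sqlite); with MySQL only the DSN changes.

function saveIntroduction(PDO $db, array $post): int
{
    // Reject missing or non-string fields before touching the database.
    foreach (['introtitle', 'introdescription'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            throw new InvalidArgumentException("Missing or invalid field: $field");
        }
    }
    // Placeholders keep the SQL text constant; the values travel separately.
    $stmt = $db->prepare(
        'INSERT INTO Introduction (Title, Description) VALUES (:title, :description)'
    );
    $stmt->execute([
        ':title'       => $post['introtitle'],
        ':description' => $post['introdescription'],
    ]);
    return (int) $db->lastInsertId();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE Introduction (
    id INTEGER PRIMARY KEY AUTOINCREMENT, Title TEXT, Description TEXT)');

// Constructed sample input standing in for $_POST; the first title is the
// quoted value from the comments, which breaks the interpolated query.
$samples = [
    ['introtitle' => "My 'Title'", 'introdescription' => 'plain text'],
    ['introtitle' => 'Notes', 'introdescription' => "it's; -- still just text"],
];
$read = $db->prepare('SELECT Title, Description FROM Introduction WHERE id = ?');
foreach ($samples as $post) {
    $read->execute([saveIntroduction($db, $post)]);
    $row = $read->fetch(PDO::FETCH_ASSOC);
    // Each value must come back exactly as it was submitted.
    $intact = $row['Title'] === $post['introtitle']
        && $row['Description'] === $post['introdescription'];
    echo $post['introtitle'], ' => ', $intact ? 'stored intact' : 'ALTERED', "\n";
}
```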