
In a registration script, an error keeps popping up. The code is as such:

try {
    $dbh = new PDO("mysql:host=$hostname;dbname=booter", $username, $password);
    echo 'Connected to database<br />';

    /*** INSERT data ***/
    $count = $dbh->exec("INSERT INTO members(username, password, email) VALUES ('$_POST['username']', '$hashedpassword', '$_POST['email']')");

    /*** close the database connection ***/
    $dbh = null;
}
catch(PDOException $e)
{
    echo $e->getMessage();
}

Any fixes for this (as well as any tips to help with security) would be very much appreciated.

tmello01
    If you switch to an IDE (e.g. NetBeans, Eclipse, PHP Storm) then the line containing the syntax error will be highlighted for you in the editor automatically. – halfer Mar 28 '15 at 15:27

1 Answer

The problem is with this line:

('$_POST['username']', '$hashedpassword', '$_POST['email']')

specifically the quotes inside the POST arrays, which need to be removed.

However, this isn't safe at all and you should be using prepared statements, as it leaves you open to SQL injection.

First assign variable to POST arrays:

$username = $_POST['username'];
$hashedpassword = "The way you're getting this from";
$email = $_POST['email'];

Then using prepared statements using ? for placeholders:

$query= "INSERT INTO members (username, password, email) VALUES (?, ?, ?)";
$result = $dbh->prepare($query);
$count = $result->execute(array($username, $hashedpassword, $email));

More on PDO prepared statements can be seen by visiting:


Footnotes:

I noticed in another question you posted https://stackoverflow.com/q/29177454/ that you are using mysqli_ functions.

If you are still using mysqli_ to connect with or mysqli_ functions exist elsewhere in your code, you cannot mix MySQL APIs.

Funk Forty Niner
  • Thank you for your advice! The error has been fixed and prepared statements have been implemented. And no, after my last question I switched from mySQLi to PDO. – tmello01 Mar 28 '15 at 15:34
  • @tmello01 You're welcome and I'm glad to hear that I was able to solve the question, *cheers* – Funk Forty Niner Mar 28 '15 at 15:39
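A complete version of the registration step using the prepared-statement approach from the answer, added here as an example (not the asker's or the answerer's code). It assumes PDO's SQLite driver with an in-memory database so it runs without a MySQL server; the `members` table definition and the `register_member()` function are assumptions, as is the sample input.

```php
<?php
// Added example: registration with PDO prepared statements and password_hash().
// Assumption: the SQLite driver (in-memory) stands in for the question's
// "mysql:host=...;dbname=booter" DSN so the script runs offline.
$dbh = new PDO('sqlite::memory:');
// Make PDO throw on errors so a catch (PDOException $e) block actually fires;
// the default silent mode would let a failed INSERT go unnoticed.
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Assumed table, matching the columns used in the question.
$dbh->exec('CREATE TABLE members (
    username TEXT NOT NULL UNIQUE,
    password TEXT NOT NULL,
    email    TEXT NOT NULL
)');

function register_member(PDO $dbh, string $username, string $password, string $email): bool
{
    // Hash the submitted password here; the raw value is never stored.
    $hashed = password_hash($password, PASSWORD_DEFAULT);

    // Named placeholders: user input never becomes part of the SQL text,
    // so quotes or SQL fragments in $username / $email are stored literally.
    $stmt = $dbh->prepare(
        'INSERT INTO members (username, password, email)
         VALUES (:username, :password, :email)'
    );
    return $stmt->execute([
        ':username' => $username,
        ':password' => $hashed,
        ':email'    => $email,
    ]);
}

try {
    // Constructed sample input standing in for $_POST['username'] etc.
    // The apostrophe would have broken the original string-built query.
    register_member($dbh, "o'brien", 'correct horse battery staple', 'obrien@example.com');

    $stmt = $dbh->prepare('SELECT password FROM members WHERE username = :username');
    $stmt->execute([':username' => "o'brien"]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Login check: verify against the stored hash rather than comparing strings.
    var_dump(password_verify('correct horse battery staple', $row['password']));
} catch (PDOException $e) {
    // Log the detail server-side; show the user a generic message instead of $e->getMessage().
    error_log($e->getMessage());
    echo 'Registration failed';
}
```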