Difficulty posting array data
Posted: Thu Jun 23, 2011 11:20 am
by digdigdig
Hi,
I am getting this error:
Parse error: syntax error, unexpected T_CONSTANT_ENCAPSED_STRING in /home/sfayc/public_html/Form/updatedb.php on line 22
The code:
Code:
$Insert="INSERT INTO formdata(FirstName, LastName, Email, Status, Date, Source)
VALUES
('".$_POST['FirstName']."','".$_POST['LastName']."','".$_POST['Email']'.",'".$_POST['Status']."',Now(),'".$_POST['Source']."')"; // this is line 22
if (isset($POST['Status'] || $Status<>'Other'){
$Status=$POST['Status'];
}
else {
$Status='Other';
The 'Status' field is for radio button responses which offer four radio button options where the last one is "Other". Next to the "Other" radio button is a textbox for users to enter data. The related HTML is:
Code:
<input type=radio name='Status' value='Teacher' />Teacher<br>
<input type=radio name='Status' value='Teacher_Aide'>Teacher Aide<br>
<input type=radio name='Status' value='Administrator'>Administrator<br>
<input type=radio name='Status' value='Parent'>Parent<br>
<input type=radio name='Status' value='Student'>Student<br>
<input type=radio name='Status' value='Other'>Other Other <input type=text name='Other' value='Other'>
I am a newbie at PHP....
Many thanks.
Re: Difficulty posting array data
Posted: Thu Jun 23, 2011 11:28 am
by twinedev
You have an extra single quote after the $_POST['Email']
-Greg
Re: Difficulty posting array data
Posted: Thu Jun 23, 2011 11:30 am
by social_experiment
Also
Code:
if (isset($POST['Status'] || $Status<>'Other'){
// needs to be
if (isset($_POST['Status']) || $Status <> 'Other') {
// rest of your code
And $_POST instead of $POST
Re: Difficulty posting array data
Posted: Thu Jun 23, 2011 11:37 am
by digdigdig
Thanks.
Now I am getting this:
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Teacher_Aide',Now(),'Website')' at line 4
Any thoughts?
Re: Difficulty posting array data
Posted: Thu Jun 23, 2011 11:46 am
by social_experiment
You have to paste the code you use to create the SQL query

Re: Difficulty posting array data
Posted: Thu Jun 23, 2011 11:49 am
by twinedev
Also, can you paste the final $insert value right before you try to execute it?
Re: Difficulty posting array data
Posted: Thu Jun 23, 2011 11:53 am
by digdigdig
This is most of the code:
//inserting records
$Insert="INSERT INTO formdata(FirstName, LastName, Email, Status, Date, Source)
VALUES
('".$_POST['FirstName']."','".$_POST['LastName']."','".$_POST['Email'].",'".$_POST['Status']."',Now(),'".$_POST['Source']."')";
if (isset($_POST['Status']) || $Status <> 'Other'){
$Status=$POST['Status'];
}
else {
$Status='Other';
}
if(!mysql_query($Insert,$dbc)){
die('Error: '.mysql_error ());
}
$query=mysql_query("INSERT INTO formdata SET Date=now()");
echo "One Record Added";
mysql_close($dbc)
Re: Difficulty posting array data
Posted: Thu Jun 23, 2011 12:38 pm
by social_experiment
Code:
<?php
$insert = "INSERT INTO formdata (FirstName, LastName, Email, Status, Date, Source) VALUES
('" . $_POST['FirstName'] . "', '" . $_POST['LastName'] . "', '" . $_POST['Email'] . "', '" . $_POST['Status'] . "',
NOW(), '" . $_POST['Source'] . "' )";
?>
You forgot a single quote near $_POST['Email']. Look at using a function that escapes the data you receive; if you are using SQL, use mysql_real_escape_string().
Re: Difficulty posting array data
Posted: Thu Jun 23, 2011 5:58 pm
by pickle
1) Please post your code in proper [syntax] tags
2) Never, EVER put user data (ie: $_POST) into a query. With one little call of your page I could empty out your database. Always run it through mysql_real_escape_string() like ~social_experiment suggested.
Re: Difficulty posting array data
Posted: Fri Jun 24, 2011 8:05 am
by digdigdig
Thanks Pickle for taking time to give me pointers.
What are the correct tags? I am using a guide by Murach and my code looks like what he has in the book.
Where would be a good place to learn more about mysql_real_escape_string()?
Cheers.
Re: Difficulty posting array data
Posted: Fri Jun 24, 2011 8:27 am
by Idri
I'm guessing Pickle's referring to the Syntax tags on the forum.
Use the tags like this
Code:
[syntax=php] // Your code goes here [/syntax]
You can read more about mysql_real_escape_string (among other functions) in the PHP manual, which can be found at
http://php.net/manual/en/function.mysql ... string.php
Re: Difficulty posting array data
Posted: Fri Jun 24, 2011 9:14 am
by digdigdig
So, am I getting the joke on the tags usage? Or use them every line?
Also did I get the Escape Sequence correct?
I don't think I understand about the "Never, EVER put user data (ie: $_POST) into a query." On the forum?
Code:
//
//inserting records
$Insert="INSERT INTO formdata(FirstName, LastName, Email, Status, Date, Source)
VALUES
('".$_POST['FirstName']."','".$_POST['LastName']."','".$_POST['Email']."','".$_POST['Status']."',Now(),'".$_POST['Source']."')";
$error = 0;
if(isset($_POST['Status'])){
if($_POST['Status'] == 'Other'){
if(isset($_POST['Other']) && trim($_POST['Other']) != ''){
$status = $_POST['Other'];
} else {
$error++;
echo "Please fill out the 'Other' box.<br />";
}
} else {
$status = $_POST['Status'];
}
} else {
$error++;
echo "Please select a 'Status'.<br />";
}
if($error){
echo "<br />There were $error error".($error>1?'s':'').".";
} else {
$Insert="INSERT INTO formdata(FirstName, LastName, Email, Status, Date, Source)
VALUES
('".$_POST['FirstName']."','".$_POST['LastName']."','".$_POST['Email']."','".$status."',Now(),'".$_POST['Source']."')";
}
if(!mysql_query($Insert,$dbc)){
die('Error: '.mysql_error ());
}
$query=mysql_query("INSERT INTO formdata SET Date=now()"),
mysql_real_escape_string($Date);
echo "One Record Added";
mysql_close($dbc)
Thanks for your time and effort.
Re: Difficulty posting array data
Posted: Fri Jun 24, 2011 9:36 am
by Idri
I think you misinterpreted where to use the mysql_real_escape_string function. You should use it on whatever user-generated input you are going to use in a query.
Take for example your insert query;
Code:
$Insert="INSERT INTO formdata(FirstName, LastName, Email, Status, Date, Source)
VALUES
('".$_POST['FirstName']."','".$_POST['LastName']."','".$_POST['Email']."','".$_POST['Status']."',Now(),'".$_POST['Source']."')";
$error = 0;
All of the $_POST variables are user-generated and could contain malicious input. You'll have to sanitize it before having the database process your query.
Code:
$Insert="INSERT INTO formdata(FirstName, LastName, Email, Status, Date, Source)
VALUES
('".mysql_real_escape_string($_POST['FirstName'])."', // etc
Putting it inline can lead to very lengthy lines of code however, which can be tricky to maintain. Which is why I often use the sprintf function to format my queries (PHP.net - Sprintf). Though obviously you are in no way required to do this.
Applying both sprintf and mysql_real_escape_string would lead to something along the lines of
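Code:
// One '%s' placeholder per value; each value is escaped before it is substituted
$Insert = sprintf("INSERT INTO formdata(FirstName, LastName, Email, Status, Date, Source)
VALUES ('%s', '%s', '%s', '%s', NOW(), '%s')",
mysql_real_escape_string($_POST['FirstName']),
mysql_real_escape_string($_POST['LastName']),
mysql_real_escape_string($_POST['Email']),
mysql_real_escape_string($_POST['Status']),
mysql_real_escape_string($_POST['Source'])
);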
Re: Difficulty posting array data
Posted: Fri Jun 24, 2011 9:52 am
by pickle
Data from the user should always be escaped so users can't break your query. With your query posted above, I could submit the following as my first name:
','','','',NOW(),'');DELETE FROM formdata;
and POOF - your database is gone. Running user data through mysql_real_escape_string() will escape all the quotes properly so the value of $_POST['first_name'] gets treated as just an ordinary string & not real query stuff.
Re: Difficulty posting array data
Posted: Fri Jun 24, 2011 9:58 am
by digdigdig
Ah ha!
This makes great sense. I will work on this today. Thanks again for your time.....
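Added example, not part of the original thread or anyone's posted code: the same formdata insert written with a PDO prepared statement, a different technique from the mysql_real_escape_string() approach recommended above (the mysql_* functions were removed in PHP 7.0). Assumptions: an in-memory SQLite database stands in for MySQL so the script runs offline, CURRENT_TIMESTAMP replaces NOW(), and the function names resolve_status() and save_form() are hypothetical.

```php
<?php
// Added example. SQLite in memory is an assumption so this runs offline;
// against MySQL only the DSN and the timestamp function (NOW()) change.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE formdata (FirstName TEXT, LastName TEXT, Email TEXT,
           Status TEXT, Date TEXT, Source TEXT)");

// Radio button values taken from the HTML in the first post.
const STATUSES = ['Teacher', 'Teacher_Aide', 'Administrator', 'Parent', 'Student'];

// Returns the status to store, or null when the submission is invalid.
function resolve_status(array $post): ?string
{
    $status = $post['Status'] ?? '';
    if (in_array($status, STATUSES, true)) {
        return $status;                       // one of the fixed radio values
    }
    $other = $post['Other'] ?? '';
    if ($status === 'Other' && is_string($other) && trim($other) !== '') {
        return trim($other);                  // free text from the 'Other' box
    }
    return null;                              // nothing selected, or tampered
}

function save_form(PDO $db, array $post): bool
{
    $status = resolve_status($post);
    if ($status === null) {
        return false;
    }
    // Treat anything that is not a plain string (e.g. FirstName[]=x) as empty.
    $field = fn(string $k): string => is_string($post[$k] ?? null) ? $post[$k] : '';
    // Placeholders keep the SQL text fixed; the values are sent separately.
    $stmt = $db->prepare("INSERT INTO formdata
        (FirstName, LastName, Email, Status, Date, Source)
        VALUES (?, ?, ?, ?, CURRENT_TIMESTAMP, ?)");
    return $stmt->execute([$field('FirstName'), $field('LastName'),
                           $field('Email'), $status, $field('Source')]);
}

// Constructed sample submission; FirstName is the string quoted in pickle's post.
$post = [
    'FirstName' => "','','','',NOW(),'');DELETE FROM formdata;",
    'LastName'  => "O'Brien", 'Email' => 'a@example.com',
    'Status'    => 'Other', 'Other' => 'Librarian', 'Source' => 'Website',
];
var_dump(save_form($db, $post));
print_r($db->query("SELECT * FROM formdata")->fetchAll(PDO::FETCH_ASSOC));
```

Because the values never become part of the SQL text, quotes in a name need no escaping and the row is stored exactly as submitted.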