Click here to Skip to main content
15,029,433 members
Please Sign up or sign in to vote.
0.00/5 (No votes)
See more:
Hi, i need put data from variables into MYSQLI statement but something gone wrong and I keep getting this message:
Parse error: syntax error, unexpected '$nr' (T_VARIABLE) in E:\xampp\htdocs\test3\zgloszenie.php on line 13


My PHP code:
<?php
$host='localhost';
$user='root';
$pass='';
$db='ratownictwo';
$nr = $_POST['nzr'];
$ndz = $_POST['nd'];
$adde = $_POST['add'];
echo $nr;


$conn=mysqli_connect($host,$user,$pass,$db);
$q = 'INSERT INTO `zgloszenia` (ratownicy_id, dyspozytorzy_id, adres, pilne, czas_zgloszenia) VALUES ('$nr','$ndz','$adde', 0, CURRENT_TIME)';
$ress= mysqli_query($conn, $q) or die ('Coś poszło nie tak');
mysqli_close($conn);
?>


AND piece of HTML code:

<div class="glowny">
            <h2>Dodaj nowe zgłoszenie</h2>
            <form action="zgloszenie.php" method="POST">
                <label for="nzr">Numer zespołu ratowniczego</label><br/>
                <input type="number" name='nzr'><br/>
                <label for="nd">Numer dyspozytora</label><br/>
                <input type="number" name='nd'><br/>
                <label for="add">Adres</label><br/>
                <input type="text" name='add' size="100"><br/>

                <input type="reset" value='WYCZYŚĆ'>
                <input type="submit" value='ZGŁOŚ'>
            </form>

        </div>


Data from form section are normally passed into PHP code but my SQLi syntax cant read this things and put into them.

What I have tried:

Hi, i need put data from variables into MYSQLI statement but something gone wrong and I keep getting this message:
Posted
Updated 15-Jan-21 5:13am

Your code is vulnerable to SQL Injection[^]. NEVER use string concatenation to build a SQL query. ALWAYS use a parameterized query.

PHP: SQL Injection - Manual[^]
PHP: Prepared statements and stored procedures - Manual[^]

Fix that vulnerability, and your errors will go away.
   
Okay solution of this problem is very easy so i put it under:
$q = "INSERT INTO `zgloszenia` (ratownicy_id, dyspozytorzy_id, adres, pilne, czas_zgloszenia) VALUES ('$nzr','$nd','$add', 0, CURRENT_TIME)";

The problem is my (') and i should change it to (").
Thank for answers!
   

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)




CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900