Adding PHP variables into SQL query statement

Question

0.00/5 (No votes)

See more:

Hi, i need put data from variables into MYSQLI statement but something gone wrong and I keep getting this message:

Parse error: syntax error, unexpected '$nr' (T_VARIABLE) in E:\xampp\htdocs\test3\zgloszenie.php on line 13

My PHP code:

<?php
$host='localhost';
$user='root';
$pass='';
$db='ratownictwo';
$nr = $_POST['nzr'];
$ndz = $_POST['nd'];
$adde = $_POST['add'];
echo $nr;


$conn=mysqli_connect($host,$user,$pass,$db);
$q = 'INSERT INTO `zgloszenia` (ratownicy_id, dyspozytorzy_id, adres, pilne, czas_zgloszenia) VALUES ('$nr','$ndz','$adde', 0, CURRENT_TIME)';
$ress= mysqli_query($conn, $q) or die ('Coś poszło nie tak');
mysqli_close($conn);
?>

AND piece of HTML code:

<div class="glowny">
            <h2>Dodaj nowe zgłoszenie</h2>
            <form action="zgloszenie.php" method="POST">
                <label for="nzr">Numer zespołu ratowniczego</label><br/>
                <input type="number" name='nzr'><br/>
                <label for="nd">Numer dyspozytora</label><br/>
                <input type="number" name='nd'><br/>
                <label for="add">Adres</label><br/>
                <input type="text" name='add' size="100"><br/>

                <input type="reset" value='WYCZYŚĆ'>
                <input type="submit" value='ZGŁOŚ'>
            </form>

        </div>

Data from form section are normally passed into PHP code but my SQLi syntax cant read this things and put into them.

What I have tried:

Hi, i need put data from variables into MYSQLI statement but something gone wrong and I keep getting this message:

Posted 15-Jan-21 4:46am

Member 15046943

Updated 27-May-22 15:35pm

Add a Solution

3 solutions

Solution 3

$q = "INSERT INTO zgloszenia (ratownicy_id, dyspozytorzy_id, adres, pilne, czas_zgloszenia) VALUES (' ".$nzr." ',' ".$nd." ',' ".$add." ', 0, CURRENT_TIME)";

Posted 27-May-22 15:35pm

Member 15653143

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Richard Deeming · Accepted Answer · 2021-01-15T04:48:00

Solution 1

Your code is vulnerable to SQL Injection[^]. NEVER use string concatenation to build a SQL query. ALWAYS use a parameterized query.

PHP: SQL Injection - Manual[^]
PHP: Prepared statements and stored procedures - Manual[^]

Fix that vulnerability, and your errors will go away.

Posted 15-Jan-21 4:48am

Richard Deeming

Member 15046943 · Accepted Answer · 2021-01-15T05:13:00

Solution 2

Okay solution of this problem is very easy so i put it under:

$q = "INSERT INTO `zgloszenia` (ratownicy_id, dyspozytorzy_id, adres, pilne, czas_zgloszenia) VALUES ('$nzr','$nd','$add', 0, CURRENT_TIME)";

The problem is my (') and i should change it to (").
Thank for answers!

Posted 15-Jan-21 5:13am

Member 15046943