Hi, I need to put data from variables into a MySQLi statement, but something has gone wrong and I keep getting this message:
Parse error: syntax error, unexpected '$nr' (T_VARIABLE) in E:\xampp\htdocs\test3\zgloszenie.php on line 13


My PHP code:
<?php
$host='localhost';
$user='root';
$pass='';
$db='ratownictwo';
$nr = $_POST['nzr'];
$ndz = $_POST['nd'];
$adde = $_POST['add'];
echo $nr;


$conn=mysqli_connect($host,$user,$pass,$db);
$q = 'INSERT INTO `zgloszenia` (ratownicy_id, dyspozytorzy_id, adres, pilne, czas_zgloszenia) VALUES ('$nr','$ndz','$adde', 0, CURRENT_TIME)';
$ress= mysqli_query($conn, $q) or die ('Coś poszło nie tak');
mysqli_close($conn);
?>


And a piece of HTML code:

<div class="glowny">
            <h2>Dodaj nowe zgłoszenie</h2>
            <form action="zgloszenie.php" method="POST">
                <label for="nzr">Numer zespołu ratowniczego</label><br/>
                <input type="number" name='nzr'><br/>
                <label for="nd">Numer dyspozytora</label><br/>
                <input type="number" name='nd'><br/>
                <label for="add">Adres</label><br/>
                <input type="text" name='add' size="100"><br/>

                <input type="reset" value='WYCZYŚĆ'>
                <input type="submit" value='ZGŁOŚ'>
            </form>

        </div>


Data from the form section is passed into the PHP code normally, but my SQLi syntax can't read these things and put them into it.

What I have tried:

Hi, I need to put data from variables into a MySQLi statement, but something has gone wrong and I keep getting this message:
Posted
Updated 27-May-22 15:35pm

Your code is vulnerable to SQL Injection. NEVER use string concatenation to build a SQL query. ALWAYS use a parameterized query.

PHP: SQL Injection - Manual
PHP: Prepared statements and stored procedures - Manual

Fix that vulnerability, and your errors will go away.
   
Okay, the solution to this problem is very easy, so I put it below:
$q = "INSERT INTO `zgloszenia` (ratownicy_id, dyspozytorzy_id, adres, pilne, czas_zgloszenia) VALUES ('$nzr','$nd','$add', 0, CURRENT_TIME)";

The problem is my (') and I should change it to (").
Thanks for the answers!
   
$q = "INSERT INTO zgloszenia (ratownicy_id, dyspozytorzy_id, adres, pilne, czas_zgloszenia) VALUES (' ".$nzr." ',' ".$nd." ',' ".$add." ', 0, CURRENT_TIME)";
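
The parameterized query recommended in the first answer, written against the table from the question (an added example, not code from any poster on this page). It assumes the MySQL database from the question is reachable, that both IDs are positive integers and that `adres` holds at most 255 bytes; the helper name `read_report_input` is hypothetical.

```php
<?php
// Added example: zgloszenie.php rewritten with a mysqli prepared statement.
// Assumptions: IDs are positive integers; adres fits in 255 bytes.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // failures throw

// Hypothetical helper: returns [int, int, string], or null if any field is invalid.
function read_report_input(array $post): ?array
{
    $positive = ['options' => ['min_range' => 1]];
    $nr   = filter_var($post['nzr'] ?? null, FILTER_VALIDATE_INT, $positive);
    $ndz  = filter_var($post['nd'] ?? null, FILTER_VALIDATE_INT, $positive);
    $adde = is_string($post['add'] ?? null) ? trim($post['add']) : '';
    if ($nr === false || $ndz === false || $adde === '' || strlen($adde) > 255) {
        return null;
    }
    return [$nr, $ndz, $adde];
}

$input = read_report_input($_POST);
if ($input === null) {
    http_response_code(400);
    exit('Invalid form data');
}
[$nr, $ndz, $adde] = $input;

try {
    $conn = mysqli_connect('localhost', 'root', '', 'ratownictwo');
    mysqli_set_charset($conn, 'utf8mb4');
    // The SQL text is a constant; user values travel separately as parameters.
    $stmt = mysqli_prepare(
        $conn,
        'INSERT INTO `zgloszenia`
           (ratownicy_id, dyspozytorzy_id, adres, pilne, czas_zgloszenia)
         VALUES (?, ?, ?, 0, CURRENT_TIME)'
    );
    mysqli_stmt_bind_param($stmt, 'iis', $nr, $ndz, $adde); // int, int, string
    mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);
    mysqli_close($conn);
    echo 'Saved';
} catch (mysqli_sql_exception $e) {
    error_log($e->getMessage()); // details go to the server log, not the browser
    http_response_code(500);
    exit('Something went wrong');
}
```

Because the values are bound rather than pasted into the SQL string, an address containing an apostrophe is stored as typed, and the quoting style of the PHP string no longer matters.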
   

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


