please help with parse error

Mister B. · #1 (**permalink**) 09-05-04, 11:14 PM

Parse error: parse error in /home/chaotice/public_html/signupresponse.php on line 6

PHP Code:


			
mysql_query("INSERT INTO structure (usanameish, usapassish, usaemailish, usamsnish, usaaimish, usahooish, usaallowemailish) VALUES ({$_POST['usernamer']},{$_POST['userpasser']},{$_POST['useremailer']},{$_POST['usermsner']},{$_POST['useraimer']},{$_POST['useryahooer']},{$_POST['allow']})";

Brain explode

<?Wille?> · #2 (**permalink**) 09-06-04, 02:26 AM

try this.. with quotes around the values

PHP Code:


			
mysql_query("INSERT INTO structure (usanameish, usapassish, usaemailish, usamsnish, usaaimish, usahooish, usaallowemailish) VALUES ('{$_POST['usernamer']}', '{$_POST['userpasser']}', '{$_POST['useremailer']}', '{$_POST['usermsner']}', '{$_POST['useraimer']}', '{$_POST['useryahooer']}', '{$_POST['allow']}')";

hope it helps
Wille

NeverMind · #3 (**permalink**) 09-06-04, 04:49 AM

what <?Wille?> said and you forgot to close the "(" after the function call ..
so use this:

PHP Code:


			
 mysql_query("INSERT INTO structure (usanameish, usapassish, usaemailish, usamsnish, usaaimish, usahooish, usaallowemailish) VALUES ('{$_POST['usernamer']}', '{$_POST['userpasser']}', '{$_POST['useremailer']}', '{$_POST['usermsner']}', '{$_POST['useraimer']}', '{$_POST['useryahooer']}', '{$_POST['allow']}')");

infinitylimit · #4 (**permalink**) 09-06-04, 11:31 AM

I always have to have single quotes around the fieldnames also, that is how PMA does it.

PHP Code:


			
 mysql_query("INSERT INTO structure ('usanameish', 'usapassish', 'usaemailish', 'usamsnish', 'usaaimish', 'usahooish', 'usaallowemailish') VALUES ('{$_POST['usernamer']}', '{$_POST['userpasser']}', '{$_POST['useremailer']}', '{$_POST['usermsner']}', '{$_POST['useraimer']}', '{$_POST['useryahooer']}', '{$_POST['allow']}')");

weird field names

NeverMind · #5 (**permalink**) 09-08-04, 06:15 AM

Quote:

Originally Posted by infinitylimit

I always have to have single quotes around the fieldnames also, that is how PMA does it.

PHP Code:


			
 mysql_query("INSERT INTO structure ('usanameish', 'usapassish', 'usaemailish', 'usamsnish', 'usaaimish', 'usahooish', 'usaallowemailish') VALUES ('{$_POST['usernamer']}', '{$_POST['userpasser']}', '{$_POST['useremailer']}', '{$_POST['usermsner']}', '{$_POST['useraimer']}', '{$_POST['useryahooer']}', '{$_POST['allow']}')");

weird field names

PMA uses back quotes ` not '
running your query will generate an error ..

Acecool · #6 (**permalink**) 09-08-04, 08:04 AM

Hey, I feel that using the set method is better.

$Query = "INSERT INTO structure SET usanameish='" . $_POST['blah'] . "', usapassish='" . $_POST['blahblahblah'] . "', and='so on'";
mysql_query($Query);

BUT, putting information directly from the form to your database is INSECURE

infinitylimit · #7 (**permalink**) 09-08-04, 10:36 AM

Nevermind, you are correct my mistake. ` backquotes it is.

NeverMind · #8 (**permalink**) 09-08-04, 10:48 AM

we all do mistakes

Mister B. · #9 (**permalink**) 09-08-04, 09:42 PM

How is it insecure? How can I make it more secure?

blaw · #10 (**permalink**) 09-09-04, 02:35 AM

Hello there,

Quote:

How is it insecure?

For one, if a user entered troublesome characters like single quote without escaping, whatever database operation you are trying to do will fail, which could cause unexpected problems.

Another thing is that if this is for something like forum scripts like this one where the user input will be displayed to the public, you should pay attention to malicious codes. For instance, adding <pre> or something would make your site look really ugly. Worse, if someone tries inserting malicious javascript, your site could become a gateway to information theft, etc (you can see <pre>'s < and > got escaped with htmlentities()) or something in here).

Quote:

How can I make it more secure?

At the very least, you should escape the troublesome characters in the data input with addslashes(). If, however, your php's magic_quotes_gpc is true, then GET, POST, and COOKIE will be automatically addslashes()-ed, so do not worry about this or you would be adding two more unnecessary slashes. Nevertheless, just because it is true today doesn't mean it will stay the same tomorrow - especially if you are staying with a shared host, so check this value first with get_magic_quotes_gpc().

Simple example would be:

PHP Code:


			
if ($_POST['sbtSubmit']) {

    if (!get_magic_quotes_gpc()) {

        $a_post = array_map('addslashes', $_POST);

    }

    else {

        $a_post = $_POST;

    }

}

The above will get all your POSTed values into $a_post, addslashes()-ed. You can come up with your own, depending on your script's needs.

Good luck!