The with insert in PHP

Question

$m = clearData($_POST['msg']);
$sql = "INSERT INTO messages(message,message_from)
  VALUES('$m','$_SESSION['id']')";

I get an error on insert and I not found:

Parse error: syntax error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_STRING

See http://stackoverflow.com/a/13935532/541091 for the specific syntax problem. — Michael Berkowski, Nov 05 '13 at 20:20
But much more importantly, read over [How can I prevent SQL injection in PHP](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) — Michael Berkowski, Nov 05 '13 at 20:20

Twisty · Answer 1 · 2013-11-05T21:06:33.287

0

You cannot use arrays like that when defining the text. Wrap it in Curly Brackets:

$m = clearData($_POST['msg']);
$sql = "INSERT INTO messages(message,message_from) VALUES( '$m','{$_SESSION['id']}')";

Or:

$sql = sprintf("INSERT INTO messages(message,message_from) VALUES( '%s','%d')",
  mysql_real_escape_string($_POST['msg']),
  $_SESSION['id']
);

edited Nov 05 '13 at 21:06

answered Nov 05 '13 at 20:19

Twisty

27,669
1
25
43

score 0 · Answer 2 · answered Nov 05 '13 at 20:20

0

Try this:

$m = mysqli_real_escape_string(clearData($_POST['msg'])); // escape or whatever.  
$sessionId = mysqli_real_escape_string($_SESSION['id']); // or whatever, just escape the field

$sql = "INSERT INTO messages(message,message_from) VALUES( '{$m}','{$sessionId}')";

answered Nov 05 '13 at 20:20

bear

10,704
25
74
128

Shouldn't need to wrap the strings,only arrays. http://www.tuxradar.com/practicalphp/5/10/0 – Twisty Nov 05 '13 at 20:59
@Twisty though he doesn't need to, it can look cleaner and easier to understand – bear Nov 05 '13 at 21:48

score 0 · Answer 3 · answered Nov 05 '13 at 20:20

0

Your single quotes are nested in :

'$_SESSION['id']'

Replace it with :

"INSERT INTO messages(message,message_from)VALUES('$m','".$_SESSION['id']."')"

answered Nov 05 '13 at 20:20

Madhavan Malolan

709
6
24

The with insert in PHP

3 Answers3