Parse error: syntax error, unexpected '"', expecting T_STRING or T_VARIABLE or T_NUM_

Hey guys.
I'm new to PHP and am getting this error when trying to send data to mysql:

Parse error: syntax error, unexpected '"', expecting T_STRING or T_VARIABLE or T_NUM_STRING in line 58

Here are lines 57-58

(57)//insert data
(58)mysql_query("INSERT INTO subjects (gender, location, subject, age, education, SEusage) VALUES ('$POST["gender"]', '$POST["location"]', '$POST["subject"]', '$POST["age"]', '$POST["education"]', '$POST["SEusage"]')");

Can you help please?
Thanks
Maria

    The quotes in your $POST variables are screwing this up. Try this instead:

    $query = "	INSERT INTO subjects (
    			gender, 
    			location, 
    			subject, 
    			age, 
    			education, 
    			SEusage) 
    		VALUES (
    			'" . $_POST["gender"] . "', 
    			'" . $_POST["location"] . "', 
    			'" . $_POST["subject"] . "', 
    			'" . $_POST["age"] . "', 
    			'" . $_POST["education"] . "', 
    			'" . $_POST["SEusage"] . "')";
    mysql_query($query);
    

      Umm... one VERY important thing. I know this might just be a test project that nobody but you will ever see. I know that your first real project might be for a small company who only has two customers a year but...

      The only way to learn security is to do it right from the beginning and learn good habits.

      In the code sample that I gave you above, I was just trying to fix the problem with the quotes. I didn't fix the HUGE security hole in your code.

      You are taking the input from the user and passing it right to MySQL. That is very dangerous. You need to either (A) check to see if the data is acceptable or (B) sanitize the data.

      There are a million instruction manuals around the Internet that will teach you how to do that so I won't try to provide a comprehensive tutorial here. Google for SQL injection.

      Here's a hint about what the problem is:

      Imagine if you asked me my name and I said:
      eric'); delete from customers;

      You will learn about the mysql_real_escape_string. That will solve HALF the SQL Injection problem. The other half is a little harder to solve and takes about an hour to learn.

        You're absolutely right.
        I wasn't doing much checking because the user chooses the values from a drop-down menu, so there's no risk of misspelling.
        But you're still right.

          shanba_kay;10902956 wrote:

          You're absolutely right.
          I wasn't doing much checking because the user chooses the values from a drop-down menu, so there's no risk of misspelling.
          But you're still right.

          This is another common mistake and misconception. A decent hacker can use tools like Javascript, GreaseMonkey, or Wireshark to alter the values that appear in your drop-down menus. So, for example, if your drop-down for gender looks like this:

          <select name="gender">
          <option value="m">Male
          <option value="f">Female
          </select>
          

          I can change that so that the value for male is:

          m'); delete from customers;

          and your script will happily process my instruction.
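The two points made in this thread (escaping alone is only half the fix, and drop-down values cannot be trusted) come together in the following rewrite of the INSERT. This is an added example, not code from any poster; it assumes a mysqli connection in $db and the subjects table from the original post, and the allowed values other than gender are placeholders.

```php
<?php
// Added example, not the thread's code. Assumes a mysqli connection in $db.
// Server-side allow-lists: the <option> values in the browser are not a control,
// a client can submit any string for any field, so every value is re-checked here.
const ALLOWED = [
    'gender'    => ['m', 'f'],                         // matches the <select> in the thread
    'location'  => ['home', 'work', 'school'],         // placeholder lists: use the
    'subject'   => ['math', 'science', 'history'],     // values your own form offers
    'education' => ['primary', 'secondary', 'degree'],
    'SEusage'   => ['daily', 'weekly', 'rarely'],
];
// Returns the validated row, or the name of the first field that fails.
function validateSubject(array $post)
{
    $row = [];
    foreach (ALLOWED as $field => $options) {
        // Strict comparison: "m'); delete from customers;" is simply not in the list.
        if (!isset($post[$field]) || !in_array($post[$field], $options, true)) {
            return $field;
        }
        $row[$field] = $post[$field];
    }
    // Age is numeric: accept only an integer in a plausible range.
    $age = filter_var($post['age'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 120]]);
    if ($age === false) {
        return 'age';
    }
    $row['age'] = $age;
    return $row;
}

// Prepared statement: the SQL text is fixed and the values travel separately,
// so quotes inside a value can never change the statement's structure.
function insertSubject(mysqli $db, array $row): bool
{
    $stmt = $db->prepare('INSERT INTO subjects (gender, location, subject, age, education, SEusage)
                          VALUES (?, ?, ?, ?, ?, ?)');
    $stmt->bind_param('sssiss', $row['gender'], $row['location'], $row['subject'],
        $row['age'], $row['education'], $row['SEusage']);
    return $stmt->execute();
}

$result = validateSubject($_POST);
if (is_string($result)) {
    http_response_code(400);
    exit('Invalid value for ' . htmlspecialchars($result));
}
insertSubject($db, $result);
```

With the allow-list in place, mysql_real_escape_string is no longer needed for these fields at all: a value that is not one of the known options is rejected before any SQL is built, and the prepared statement covers the case the escaping function never did (it cannot protect a value that is not wrapped in quotes, such as a bare number).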
