This code sends back the error:

```
Parse error: syntax error, unexpected '>' in C:\Inetpub\wwwroot\padgate2\test\TMP1m31wssrf.php on line 42
```

but I have no idea what is wrong with it! The line is:

```php
print '<p> Could not create user in test because: <b> ".mysql_error()." </b> . The query was $query. </p>";
```

The whole code is:

```php
$query = "INSERT INTO test (testID, test2, test3) VALUES (0, '{$_POST['test2']}', '{$_POST['test3']}')";
$query2 = "INSERT INTO testtwo (testID, test4) VALUES (0, '{$_POST['test4']}')";
if (@mysql_query ($query)) {
    if (@mysql_query ($query2)) {
        print '<p> User Created. </p>';
    } else {
        print '<p> Could not create user in testtwo because: <b>" .mysql_error()."</b>. The query was $query2. </p>";
    }
} else {
    print '<p> Could not create user in test because: <b> ".mysql_error()." </b> . The query was $query. </p>";
}
?>
```

Thanks, Gareth

I would have a look at the contents of $_POST['test2'] and your other posted values. You have not catered for the possibility of the posted values containing invalid data. Use the function mysql_escape_string. Example:

```php
$query = "INSERT INTO test (testID, test2, test3) VALUES (0, '"
    . mysql_escape_string( $_POST['test2'] ) . "', '"
    . mysql_escape_string( $_POST['test3'] ) . "')";
```

Replace the line:

```php
print '<p> Could not create user in test because: <b> ".mysql_error()." </b> . The query was $query. </p>";
```

with

```php
echo "<p> Could not create user in test because: <b> ".mysql_error()." </b> . The query was $query. </p>";
```

Your quotes didn't match.

```php
$query = "INSERT INTO test (testID, test2, test3) VALUES (0, '{$_POST['test2']}', '{$_POST['test3']}')";
$query2 = "INSERT INTO testtwo (testID, test4) VALUES (0, '{$_POST['test4']}')";
```

I would suggest that you not use $_POST variables directly in the query, as you can NEVER rely on what a user is submitting to be 100% what you are expecting. Validate / clean data before placing it into a query.

-Bing

What he said. This holds true for ALL data that you personally have not provided. Anything in the GET, POST, COOKIE, or SERVER global variables (sometimes SESSION, depending) simply cannot be trusted and must always, always be properly validated and sanitized before you do anything with it. It's a trivial matter to alter cookies, spoof headers, or post to a remote form, so unless you know exactly what data is contained in a variable, clean it up. Never trust your users. You get points for properly enclosing variables in curly brackets, though.
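
Added example, not part of any post in this thread: the two inserts from the question rewritten so that posted values are validated first and then passed as bound parameters instead of being interpolated into the SQL string. It assumes PDO with an in-memory SQLite database standing in for the MySQL server; the function names `validate_fields` and `create_user` and the validation patterns are hypothetical, since the thread never says what the fields hold.

```php
<?php
// Assumption: in-memory SQLite via PDO stands in for the thread's MySQL server.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE test (testID INTEGER PRIMARY KEY, test2 TEXT, test3 TEXT)');
$db->exec('CREATE TABLE testtwo (testID INTEGER PRIMARY KEY, test4 TEXT)');

// Hypothetical rules; the thread never says what each field holds.
function validate_fields(array $input): array
{
    $rules = [
        'test2' => '/\A[A-Za-z0-9_]{1,32}\z/',      // e.g. a login name
        'test3' => '/\A[^\x00-\x1F]{1,64}\z/u',     // free text, no control characters
        'test4' => '/\A[^\x00-\x1F]{1,64}\z/u',
    ];
    $clean = [];
    foreach ($rules as $field => $pattern) {
        $value = $input[$field] ?? null;
        // Arrays (test2[]=x), missing fields and invalid UTF-8 are all rejected here.
        if (!is_string($value) || preg_match($pattern, $value) !== 1) {
            throw new InvalidArgumentException("Invalid value for $field");
        }
        $clean[$field] = $value;
    }
    return $clean;
}

function create_user(PDO $db, array $input): void
{
    $f = validate_fields($input);   // reject before touching the database
    $db->beginTransaction();        // both inserts succeed or neither does
    try {
        // Placeholders keep the values out of the SQL text entirely.
        $db->prepare('INSERT INTO test (test2, test3) VALUES (?, ?)')
           ->execute([$f['test2'], $f['test3']]);
        $db->prepare('INSERT INTO testtwo (test4) VALUES (?)')
           ->execute([$f['test4']]);
        $db->commit();
    } catch (Throwable $e) {
        $db->rollBack();
        throw $e;
    }
}

// Constructed input: test3 carries a quote and SQL punctuation.
create_user($db, ['test2' => 'gareth', 'test3' => "O'Brien'); --", 'test4' => 'ok']);
echo $db->query('SELECT test3 FROM test')->fetchColumn(), PHP_EOL;
try {
    create_user($db, ['test2' => "bad name'", 'test3' => 'a', 'test4' => 'b']);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```

In a real handler the array passed to `create_user` would be `$_POST`, and the exception message would go to a server-side log rather than into the page.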