0

Error message I've been receiving

Parse error: syntax error, unexpected 'INTO' (T_STRING) in D:\ServerFolders\Web\tokens\insert.php on line 17

Line 17

$sql= INSERT INTO users(Forename, Surname, Email, Username, Password, DOB) 

Full code

    <?php
    //Connect to DB
    $con=mysql_connect(localhost,root, "",APROJECT) or die (mysql_error());
    // Check connection
    if (mysql_connect_errno()) {
     echo "Failed to connect to MySQL: " . mysql_connect_error();
    }

    // escape variables for security
    $Forename = mysql_real_escape_string($con, $_POST['Forename']);
    $Surname = mysql_real_escape_string($con, $_POST['Surname']);
    $Email = mysql_real_escape_string($con, $_POST['Email']);
    $Username = mysql_real_escape_string($con, $_POST['Username']);
    $Password = mysql_real_escape_string($con, $_POST['Password']);
    $DOB = mysql_real_escape_string($con, $_POST['DOB']);
    //SQL query to add data to DB
    $sql= INSERT INTO users(Forename, Surname, Email, Username, Password, DOB) 
    VALUES ($Forename, $Surname, $Email, $Username, $Password, $DOB);

    if (!mysql_query($con,$sql)) {
      die('Error: ' . mysql_error($con));
    }
    echo "1 record added";

    mysql_close($con);
    ?>
zkanoca
Lee Watson

4 Answers

0

Try adding quotes

$sql= "INSERT INTO users(Forename, Surname, Email, Username, Password, DOB) 
VALUES ($Forename, $Surname, $Email, $Username, $Password, $DOB)";
Bram Verstraten
0

First of all, mysql_* is not supported anymore, and it is advised to use PDO or mysqli_* instead.

You should put the query into quotes:

$sql= "INSERT INTO users(Forename, Surname, Email, Username, Password, DOB) 
VALUES ($Forename, $Surname, $Email, $Username, $Password, $DOB)";

It may not work, because you have to put the values into single quotes. So a better approach is using a parameterized query.

For this time only I suggest using sprintf() function.

// one '%s' placeholder per argument (six columns, six values)
$sql= sprintf("INSERT INTO users(Forename, Surname, Email, Username, Password, DOB) 
VALUES ('%s', '%s', '%s', '%s', '%s', '%s')", $Forename, $Surname, $Email, $Username, $Password, $DOB);
zkanoca
  • Didn't use the sprintf() function. First answer got rid of that error message still battling the rest but I know how to deal with them. Also swapped all mysql_* to mysqli_*. – Lee Watson Jul 16 '14 at 13:14
0
$sql= INSERT INTO users(Forename, Surname, Email, Username, Password, DOB) 
VALUES ($Forename, $Surname, $Email, $Username, $Password, $DOB);

The above line needs to be a string and in one line (variables in strings which start and end in " can be directly written into it):

$sql = "INSERT INTO users(Forename, Surname, Email, Username, Password, DOB) VALUES ($Forename, $Surname, $Email, $Username, $Password, $DOB)";

If you want it to be in multiple lines for better readability, you can use the nowdoc syntax with variables embedded in {}:

// unquoted identifier (heredoc), so the {$...} variables are interpolated
$sql = <<<EOD
    INSERT INTO users(Forename, Surname, Email, Username, Password, DOB) 
    VALUES ({$Forename}, {$Surname}, {$Email}, {$Username}, {$Password}, {$DOB})
EOD;

Last approach would be to concat the string with .:

$sql = "INSERT INTO users(Forename, Surname, Email, Username, Password, DOB) " .
       "VALUES (" . $Forename . ", " . $Surname . ", " . $Email . ", " . $Username . ", " . $Password . ", " . $DOB . ")";

See this reference: http://php.net/manual/de/language.types.string.php

On a side note, don't forget to escape your variables in your mysql query with mysql_real_escape_string to prevent SQL Injection!

$sql = "INSERT INTO users(Forename, Surname, Email, Username, Password, DOB) " .
       "VALUES (" . mysql_real_escape_string($Forename) . ", " . mysql_real_escape_string($Surname) . ", " . mysql_real_escape_string($Email) . ", " . mysql_real_escape_string($Username) . ", " . mysql_real_escape_string($Password) . ", " . mysql_real_escape_string($DOB) . ")";
Ke Vin
0

It looks like you're just missing some quotes around your SQL query.

Something like

$sql= "INSERT INTO `users`(`Forename`, `Surname`, `Email`, `Username`, `Password`, `DOB`) 
VALUES (".$Forename.", ".$Surname.", ".$Email.", ".$Username.", ".$Password.", ".$DOB.")";

Should fix your error.

It's also worth noting that mysql_query is deprecated and can be pretty insecure. It might be worth looking at PDO prepared statements if this is something that's going to be used in production. Check out http://php.net/manual/en/ref.pdo-mysql.php and Dream in Code PDO.

Kingmook
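
The parameterized query that two of the answers above recommend, as an added example that is not from any of the posts: PDO named placeholders for the six columns, plus password_hash() for the Password column. It assumes the pdo_sqlite extension and an in-memory table so it runs without a server; the function name registerUser, the MySQL credentials in the comment and the sample input are constructed for illustration.

```php
<?php
// Added example (not the asker's or any answerer's code).
// Assumption: pdo_sqlite is available, so the script runs offline.
$pdo = new PDO('sqlite::memory:');
// For MySQL only the DSN changes (hypothetical credentials); there, also set
// PDO::ATTR_EMULATE_PREPARES to false to get server-side prepared statements:
// $pdo = new PDO('mysql:host=localhost;dbname=APROJECT;charset=utf8mb4', 'user', 'pass');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$pdo->exec('CREATE TABLE users (
    Forename TEXT, Surname TEXT, Email TEXT,
    Username TEXT UNIQUE, Password TEXT, DOB TEXT)');

function registerUser(PDO $pdo, array $in): void
{
    $fields = ['Forename', 'Surname', 'Email', 'Username', 'Password', 'DOB'];
    foreach ($fields as $f) {
        if (!isset($in[$f]) || !is_string($in[$f]) || $in[$f] === '') {
            throw new InvalidArgumentException("Missing field: $f");
        }
    }
    // Store a salted hash, never the submitted password itself.
    $in['Password'] = password_hash($in['Password'], PASSWORD_DEFAULT);

    // The statement text is fixed; values are bound separately, so user input
    // needs no quoting or escaping and cannot change the query structure.
    $stmt = $pdo->prepare(
        'INSERT INTO users (Forename, Surname, Email, Username, Password, DOB)
         VALUES (:Forename, :Surname, :Email, :Username, :Password, :DOB)'
    );
    // Bind only the expected keys; extra form fields are ignored.
    $stmt->execute(array_intersect_key($in, array_flip($fields)));
}

// Constructed sample input standing in for $_POST.
$post = [
    'Forename' => 'Sinead', 'Surname' => "O'Brien",
    'Email' => 'sinead@example.com', 'Username' => "lee'; --",
    'Password' => 'correct horse battery staple', 'DOB' => '1990-04-01',
];
registerUser($pdo, $post);

$row = $pdo->query('SELECT Surname, Username, Password FROM users')
           ->fetch(PDO::FETCH_ASSOC);
var_dump($row['Surname'] === "O'Brien");                        // quote kept as data
var_dump($row['Username'] === $post['Username']);               // stored verbatim
var_dump(password_verify($post['Password'], $row['Password'])); // hash matches
echo 'rows: ', $pdo->query('SELECT COUNT(*) FROM users')->fetchColumn(), "\n";
```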