This is my code. I know this should be easy, but somehow, SQL returns a parse error. Please Help.

$link = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_DATABASE);
if (mysqli_connect_errno()) {
    die('SQL ERROR : ' . mysqli_connect_error());
}
mysqli_autocommit($link, FALSE);

$query = "INSERT INTO feedbackExit (1a, 2a, 3a, 4a, 5a, 1b, 2b, 3b, 4b, 5b, 6b, 1c, 2c, 3c, 4c, 5c, 6c, 1d, 2d, 3d, 4d, 5d, 6d, 1e, 2e) 
          VALUES (".$_POST['1a'].",".$_POST['2a'].",".$_POST['3a'].",".$_POST['4a'].",".$_POST['5a'].",
                  ".$_POST['1b'].",".$_POST['2b'].",".$_POST['3b'].",".$_POST['4b'].",".$_POST['5b'].",".$_POST['6b'].",
                  ".$_POST['1c'].",".$_POST['2c'].",".$_POST['3c'].",".$_POST['4c'].",".$_POST['5c'].",".$_POST['6c'].",
                  ".$_POST['1d'].",".$_POST['2d'].",".$_POST['3d'].",".$_POST['4d'].",".$_POST['5d'].",".$_POST['6d'].",
                  ".$_POST['1e'].",".$_POST['2e']")"; 
$q1 = mysqli_query($link, $query);
$query = "UPDATE ".$_SESSION['SESS_AUTH']." SET  `refExitHash` =  '".md5($_SESSION['SESS_USERNAME'], $raw_output = null)."'"."  WHERE  `index`='".$_SESSION['SESS_USERNAME']."'";
$q2 = mysqli_query($link, $query);
if (!($q1 and $q2)) {
    die('Error: ' . mysqli_errno($link));
    mysqli_rollback($link);
} else {
    header("location: FormExitPostSuccess.php");
    mysqli_commit($link);
}
mysqli_close($link); 

SQL throws the following parse error :
Parse error: syntax error, unexpected ')', expecting ',' or ';' in opt/lampp/htdocs/New/feedback/WebsiteRoot/FormExitPostSuccess.php on line 20

Line 20 in my code is : $q1 = mysqli_query($link,$query);

Edit: all values in array _POST are from radio buttons. Is validation still required?

Anudeep Bulla
    You've got SQL injection holes galore. Fix your query generation logic with proper injection mitigation techniques BEFORE you start worrying about anything else. Beyond that, echo out the query after you finish building it. You'll find you've got an unbalanced `'` somewhere, causing the syntax error. That construct is hideously ugly enough that I won't read through it to figure out where it is. – Marc B Mar 20 '12 at 18:40
  • 3
    Seriously consider using prepared statements via something like PDO (http://php.net/manual/en/book.pdo.php) - you're likely to expose SQL injection vulnerabilities otherwise (as this code probably does) – Kristian Glass Mar 20 '12 at 18:40
  • I don't think you even have the right script: FormExitPostSuccess.php cannot include header("location: FormExitPostSuccess.php"); you would make PHP crash ..... a lot of things are wrong here ... – Baba Mar 20 '12 at 18:49
  • 1
    Are you sure you don't want to rethink your DB structure first? – AndrewR Mar 20 '12 at 18:54
  • Except for the $_POST['comment'], every other entry is a value of a radio button or a session value which is a value from a db query. Do I still need to validate the input from radio buttons? – Anudeep Bulla Mar 20 '12 at 19:10
  • 1
    You know, your radio button can become a text input with a bit of magic (and firebug for firefox or similar other tools that ship with other browsers) and then, a malicious user can input whatever injection he wants... – Eineki Mar 20 '12 at 20:18
  • 1
    For the same reason you need to do the check server side. The browser visiting your page IS NOT a reliable source of data – Eineki Mar 20 '12 at 20:23

1 Answer

All the comments are correct in my opinion, so don't ignore them, but the error appears to be on the last line of your SQL:

".$_POST['1e'].",".$_POST['2e']")"; 

should be

".$_POST['1e'].",".$_POST['2e'] . ")"; 

(Note the addition of the dot towards the end.)

MJB