Sergey Alekseev - 7 months ago
SQL Question

Error when inserting into DB


Parse error: syntax error, unexpected T_VARIABLE in Z:\home\ser.ser\www\sign_up.php on line 19


Also I have an error with
$q = mysql_query("SELECT * FROM users WHERE (login="$login")");


Help, please.

<?php
include 'mysql_connect.php';

$login = $_POST['login'];
$password = $_POST['password'];
$b_arr['b_dd'] = $_POST['B_DD'];
$b_arr['b_mm'] = $_POST['B_MM'];
$b_arr['b_yy'] = $_POST['B_YY'];
$b_date = $b_arr['b_yy'].$b_arr['b_mm'].$b_arr['b_dd'];
if (!isUserExist($login)) {
reg($login, $password, $b_date);
} else {
echo 'This user is exist !';
}
function reg($login, $password, $b_date) {
// NEXT LINE ERROR
$query = mysql_query("INSERT INTO users VALUES ("$login", "$password", "$b_date")");
// END ERROR
}
function isUserExist($login) {
$q = mysql_query("SELECT * FROM users WHERE (login="$login")");
$result = mysql_fetch_array($q);
if ($result) {
return true;
}
}
?>

Answer

Warning: this code is dangerous. Please read about SQL Injection and why your code is extremely problematic. In short, anything that's put into the database must be sanitized.

Now, more to your question:

You aren't handling strings correctly. If you wish to use this dangerous method of querying, you need to concatenate your values into a string. To add variables to a string you use the . operator. So, to fix this line you would need to use something like:

$qry_str = "INSERT INTO users VALUES ('" . $login . "', '" . $password . "', '" . $b_date . "')";
$query = mysql_query($qry_str);

Note: I broke it into two lines for better readability, and your isUserExist() function has the same issue.
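As an added example (not the answerer's or the asker's code), here are both of the question's query functions rewritten with PDO prepared statements, which is the standard way to keep user input out of the SQL text and so avoids both the quoting error and the injection problem the answer warns about. It assumes mysql_connect.php provides a PDO connection in $pdo and that the users table has columns named login, password and b_date (the question's INSERT relies on column order, so the names are an assumption).

```php
<?php
// Assumed: mysql_connect.php creates a PDO connection and stores it in $pdo.
include 'mysql_connect.php';

function isUserExist(PDO $pdo, string $login): bool
{
    // ":login" is a placeholder; the value is sent separately from the SQL,
    // so no quoting or escaping of $login is needed in the query string.
    $stmt = $pdo->prepare('SELECT 1 FROM users WHERE login = :login');
    $stmt->execute([':login' => $login]);
    return $stmt->fetchColumn() !== false;   // false when no row matched
}

function reg(PDO $pdo, string $login, string $password, string $b_date): bool
{
    // Naming the columns (assumed names) removes the dependency on table order.
    $stmt = $pdo->prepare(
        'INSERT INTO users (login, password, b_date) VALUES (:login, :password, :b_date)'
    );
    return $stmt->execute([
        ':login'    => $login,
        ':password' => $password,
        ':b_date'   => $b_date,
    ]);
}

// Same flow as sign_up.php, reading the same POST fields the question uses.
$login    = $_POST['login'] ?? '';
$password = $_POST['password'] ?? '';
$b_date   = ($_POST['B_YY'] ?? '') . ($_POST['B_MM'] ?? '') . ($_POST['B_DD'] ?? '');

if (!isUserExist($pdo, $login)) {
    reg($pdo, $login, $password, $b_date);
} else {
    echo 'This user already exists!';
}
```

The password is passed through unchanged to stay within the question's scope; in real code it should be hashed with password_hash() before being stored.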