0

Hey, I am new to PHP and I am trying to enter details into my database. I am trying to enter an eventname, which the user enters (POST), and the username of the logged-in user.

I have created sessions to store users' usernames. The code I have is:

$eventname=$_POST['eventname'];
$myusername = $_SESSION['myusername']

$sql = mysql_query("INSERT INTO $tbl_nameVALUES('','$eventname','$_SESSION['myusername'])");

echo "You have been added to the event";

It's the $sql statement which is giving the error. Any help would be much appreciated.

Thanks all!

3
  • 1
    It would be best if you also gave the error message! It looks like a syntax error from where I'm standing. pollirata and Micheal have both answered the question in depth. Commented May 1, 2012 at 19:16
  • 1
    Your SQL query is vulnerable to SQL injection. Commented May 1, 2012 at 19:21
  • 3
    Please stop writing new code with the ancient mysql_* functions. They are no longer maintained and the community has begun the deprecation process. Instead you should learn about prepared statements and use either PDO or MySQLi. If you care to learn, here is a quite good PDO-related tutorial. Commented May 1, 2012 at 19:28

5 Answers

8

There are several potential problems here.

First, you have not escaped eventname against SQL injection. We assume hopefully that myusername is already safe. If it has not been previously filtered, also use mysql_real_escape_string() on $_SESSION['myusername'].

$eventname = mysql_real_escape_string($_POST['eventname']);

// Then you need space before VALUES and are missing a closing quote on $_SESSION['myusername'], which should be in {}
$sql = mysql_query("INSERT INTO $tbl_name VALUES('','$eventname','{$_SESSION['myusername']}')");

Finally, in order for the statement to work, it assumes you have exactly three columns in $tbl_name. You should be explicit about the columns used. Substitute the correct column names for colname1, event_name, username.

$sql = mysql_query("INSERT INTO $tbl_name (colname1, event_name, username) VALUES('','$eventname','{$_SESSION['myusername']}')");

The exact locations of SQL syntax errors will be revealed to you with some basic error checking via mysql_error().

$sql = mysql_query(<your insert statement>);
if (!$sql) {
  echo mysql_error();
}

2 Comments

I have made the changes you listed. The error message states unexpected T_VARIABLE; I know this is a syntax error.
If you have unexpected T_VARIABLE on the $eventname line, you probably have a syntax error on the line before that, like a missing ;.
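The same insert written as a PDO prepared statement, which the comment on the question recommends over the mysql_* functions. This is an added example, not code from the original answers; the table name `events`, its columns, the helper `addUserToEvent()` and the in-memory SQLite DSN (used so it runs without a server) are assumptions.

```php
<?php
// Added example: the question's INSERT as a PDO prepared statement.
// Assumptions: table "events" with columns (id, event_name, username);
// in-memory SQLite stands in for the MySQL server so this runs offline.

function addUserToEvent(PDO $pdo, string $table, string $eventName, string $username): int
{
    // Identifiers cannot be bound as parameters, so check the table name
    // against a fixed allow-list instead of interpolating it blindly.
    $allowedTables = ['events'];
    if (!in_array($table, $allowedTables, true)) {
        throw new InvalidArgumentException('Unknown table');
    }

    // Explicit column list; the auto-increment id is simply omitted.
    $stmt = $pdo->prepare(
        "INSERT INTO $table (event_name, username) VALUES (:event_name, :username)"
    );
    // Values travel separately from the SQL text, so quotes in them are data.
    $stmt->execute([':event_name' => $eventName, ':username' => $username]);

    return (int) $pdo->lastInsertId();
}

$pdo = new PDO('sqlite::memory:');
// Throw exceptions on SQL errors instead of failing silently.
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE events (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    event_name TEXT NOT NULL,
    username TEXT NOT NULL
)');

// Constructed sample input standing in for $_POST['eventname'] and
// $_SESSION['myusername']; the event name contains an apostrophe.
$eventName = "O'Reilly's launch party";
$username  = 'alice';

$id = addUserToEvent($pdo, 'events', $eventName, $username);

$check = $pdo->prepare('SELECT event_name, username FROM events WHERE id = ?');
$check->execute([$id]);
$row = $check->fetch(PDO::FETCH_ASSOC);

// The value is stored byte-for-byte, apostrophes included.
var_dump($row['event_name'] === $eventName);
```

Against MySQL only the DSN and the `CREATE TABLE` syntax change; the prepared INSERT stays the same.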
1

You're missing a ' on your insert statement. Try this

INSERT INTO $tbl_name VALUES('','$eventname','$_SESSION['myusername']')


1

Hope it helps you...

$eventname=$_POST['eventname'];
$myusername = $_SESSION['myusername'];

$sql = mysql_query("INSERT INTO tbl_name VALUES('','$eventname','".$_SESSION['myusername']."')");

echo "You have been added to the event";


0

You need a space between $tbl_name and VALUES, and indeed a ' after $_SESSION['myusername'].

And look up SQL injection.


0

Remove the single quotes around the key in your $_SESSION array:

$sql = mysql_query("INSERT INTO $tbl_name VALUES('', '$eventname', '$_SESSION[myusername]')");
