Hi everyone, I am getting this error:
Parse error: syntax error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_STRING

on this statement.
I have tried so many times but it didn't help. Is there anyone who can fix it?

$sql="INSERT INTO donors(donor_id, name, gender, dob, weight, height, conid, statid, cityid, bloodid, email, phone, mobile, address, privacy) VALUES ('.mysql_real_escape_string($_SESSION['donorid']).', '.mysql_real_escape_string($_SESSION['dname']).', '.mysql_real_escape_string($_SESSION['gender']).', '.mysql_real_escape_string($_SESSION['dobbirth']).', '.mysql_real_escape_string($_SESSION['weight']).', '.mysql_real_escape_string($_SESSION['height']).', '.mysql_real_escape_string($_SESSION['country']).', '.mysql_real_escape_string($_SESSION['state']).', '.mysql_real_escape_string($_SESSION['city']).', '.mysql_real_escape_string($_SESSION['bloodgrps']).', '.mysql_real_escape_string($_SESSION['email']).', '.mysql_real_escape_string($_SESSION['phone']).','.mysql_real_escape_string($_SESSION['mobile']).', '.mysql_real_escape_string($_SESSION['address']).', '.mysql_real_escape_string($_SESSION['privacy']).')";

$result=mysql_query($sql);


It's a bit difficult to see with all the escaping and no layout.

Try this instead:

I've assumed your donor_id is an integer; you'll need to sort out the rest. I use '%s' for strings, %d for integers and %.2f for decimals.

sprintf syntax

$sql = sprintf("
    INSERT INTO donors (
        donor_id, name, gender, dob, weight, height, conid, statid, cityid, bloodid, email, phone, mobile, address, privacy
    ) values (
        %d, '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s'
    )
    ",
    mysql_real_escape_string($_SESSION['donorid']),
    mysql_real_escape_string($_SESSION['dname']),
    mysql_real_escape_string($_SESSION['gender']),
    mysql_real_escape_string($_SESSION['dobbirth']),
    mysql_real_escape_string($_SESSION['weight']),
    mysql_real_escape_string($_SESSION['height']),
    mysql_real_escape_string($_SESSION['country']),
    mysql_real_escape_string($_SESSION['state']),
    mysql_real_escape_string($_SESSION['city']),
    mysql_real_escape_string($_SESSION['bloodgrps']),
    mysql_real_escape_string($_SESSION['email']),
    mysql_real_escape_string($_SESSION['phone']),
    mysql_real_escape_string($_SESSION['mobile']),
    mysql_real_escape_string($_SESSION['address']),
    mysql_real_escape_string($_SESSION['privacy'])
);

$result = mysql_query($sql);
diafol:

I'd recommend moving to mysqli or PDO. It does away with the manual escaping if you use parameterized queries, e.g. via mysqli: ...prepare().
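The parameterized version of the question's INSERT that the reply above points at, written here as an added example rather than code from the thread: it uses PDO with named placeholders, binds each value instead of quoting and escaping it, and uses an in-memory SQLite database so it runs without a MySQL server (for MySQL only the DSN changes). The session values are constructed sample data, and the session-key to column mapping is taken from the question's query.

```php
<?php
// Added example, not from the thread. Assumptions: the column names from the
// question; an in-memory SQLite database so the script runs stand-alone
// (for MySQL use a DSN such as "mysql:host=localhost;dbname=blood" plus user/password).
// Values are bound as parameters, so no quoting or mysql_real_escape_string() is
// needed and a value containing a quote cannot alter the SQL statement.

$columns = ['donor_id', 'name', 'gender', 'dob', 'weight', 'height', 'conid', 'statid',
            'cityid', 'bloodid', 'email', 'phone', 'mobile', 'address', 'privacy'];
// Session keys in the same order as the columns, as used in the question's query.
$sessionKeys = ['donorid', 'dname', 'gender', 'dobbirth', 'weight', 'height', 'country',
                'state', 'city', 'bloodgrps', 'email', 'phone', 'mobile', 'address', 'privacy'];

// Constructed sample data standing in for $_SESSION; note the apostrophes.
$session = [
    'donorid' => 42, 'dname' => "O'Brien", 'gender' => 'F', 'dobbirth' => '1990-05-17',
    'weight' => '62', 'height' => '170', 'country' => '1', 'state' => '3', 'city' => '9',
    'bloodgrps' => 'O+', 'email' => 'obrien@example.com', 'phone' => '555-0100',
    'mobile' => '555-0101', 'address' => "12 St. Mary's Rd", 'privacy' => '1',
];

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// With MySQL also set PDO::ATTR_EMULATE_PREPARES to false so the server
// receives real prepared statements rather than client-side interpolation.
$pdo->exec('CREATE TABLE donors (' . implode(', ', $columns) . ')');

// Build "INSERT INTO donors (col, ...) VALUES (:col, ...)" from the fixed column
// list; only constant column names are concatenated, never user-supplied data.
$placeholders = array_map(fn($c) => ':' . $c, $columns);
$sql = sprintf('INSERT INTO donors (%s) VALUES (%s)',
               implode(', ', $columns), implode(', ', $placeholders));

$stmt = $pdo->prepare($sql);
foreach ($columns as $i => $col) {
    $type = ($col === 'donor_id') ? PDO::PARAM_INT : PDO::PARAM_STR;
    $stmt->bindValue(':' . $col, $session[$sessionKeys[$i]], $type);
}
$stmt->execute();

// Read the row back: the quotes in name and address were stored literally.
$row = $pdo->query('SELECT donor_id, name, address FROM donors')->fetch(PDO::FETCH_ASSOC);
echo ((int) $row['donor_id'] === 42 && $row['name'] === "O'Brien"
      && $row['address'] === "12 St. Mary's Rd") ? "stored intact\n" : "mismatch\n";
```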
