
Hi everyone, I am getting this error:
Parse error: syntax error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_STRING

on this statement.
I tried so many times but no help. Is there anyone who can fix it?

$sql="INSERT INTO donors(donor_id, name, gender, dob, weight, height, conid, statid, cityid, bloodid, email, phone, mobile, address, privacy)
VALUES ('.mysql_real_escape_string($_SESSION['donorid']).',
        '.mysql_real_escape_string($_SESSION['dname']).',
        '.mysql_real_escape_string($_SESSION['gender']).',
        '.mysql_real_escape_string($_SESSION['dobbirth']).',
        '.mysql_real_escape_string($_SESSION['weight']).',
        '.mysql_real_escape_string($_SESSION['height']).',
        '.mysql_real_escape_string($_SESSION['country']).',
        '.mysql_real_escape_string($_SESSION['state']).',
        '.mysql_real_escape_string($_SESSION['city']).',
        '.mysql_real_escape_string($_SESSION['bloodgrps']).',
        '.mysql_real_escape_string($_SESSION['email']).',
        '.mysql_real_escape_string($_SESSION['phone']).',
        '.mysql_real_escape_string($_SESSION['mobile']).',
        '.mysql_real_escape_string($_SESSION['address']).',
        '.mysql_real_escape_string($_SESSION['privacy']).')";

$result=mysql_query($sql);

It's a bit difficult to see with all the escaping and no layout.

Try this instead:

I've assumed your donor_id is an integer; you'll need to sort the rest. I use '%s' for strings, %d for integers and %.2f for decimals.

sprintf syntax

$sql = sprintf("
    INSERT INTO donors (
        donor_id, name, gender, dob, weight, height, conid, statid, cityid, bloodid, email, phone, mobile, address, privacy
    ) values (
        %d, '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s'
    )
    ",
    mysql_real_escape_string($_SESSION['donorid']),
    mysql_real_escape_string($_SESSION['dname']),
    mysql_real_escape_string($_SESSION['gender']),
    mysql_real_escape_string($_SESSION['dobbirth']),
    mysql_real_escape_string($_SESSION['weight']),
    mysql_real_escape_string($_SESSION['height']),
    mysql_real_escape_string($_SESSION['country']),
    mysql_real_escape_string($_SESSION['state']),
    mysql_real_escape_string($_SESSION['city']),
    mysql_real_escape_string($_SESSION['bloodgrps']),
    mysql_real_escape_string($_SESSION['email']),
    mysql_real_escape_string($_SESSION['phone']),
    mysql_real_escape_string($_SESSION['mobile']),
    mysql_real_escape_string($_SESSION['address']),
    mysql_real_escape_string($_SESSION['privacy'])
);

$result = mysql_query($sql);

I'd recommend moving to mysqli or PDO. It does away with the manual escaping if you use parameterized queries, e.g. via mysqli: ...prepare().

Edited by diafol
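As an added example (not code from the thread), here is the same INSERT written the way the reply above recommends, as a mysqli prepared statement. The parse error in the question comes from writing `$_SESSION['donorid']` inside a double-quoted string; a prepared statement sidesteps the problem because the values are never spliced into the SQL text at all, so there is no quoting and no mysql_real_escape_string() to get wrong, and donor_id is bound as an integer rather than trusted as one. The connection credentials, the database name and the session keys (taken from the question) are assumptions.

```php
<?php
// Added example, not part of the original thread. Assumes a mysqli
// connection with the (made-up) credentials below and the session keys
// used in the question.
session_start();

$db = new mysqli('localhost', 'dbuser', 'dbpass', 'blood_bank'); // assumed credentials
if ($db->connect_error) {
    die('Connect failed: ' . $db->connect_error);
}
$db->set_charset('utf8mb4'); // keep client and server charset in sync

// Placeholders instead of values: the SQL text is fixed, the data travels separately.
$sql = 'INSERT INTO donors (donor_id, name, gender, dob, weight, height, conid, statid,
            cityid, bloodid, email, phone, mobile, address, privacy)
        VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)';

$stmt = $db->prepare($sql);
if ($stmt === false) {
    die('Prepare failed: ' . $db->error);
}

// Session keys in column order (same keys as the question).
$keys = ['donorid', 'dname', 'gender', 'dobbirth', 'weight', 'height', 'country',
         'state', 'city', 'bloodgrps', 'email', 'phone', 'mobile', 'address', 'privacy'];
$values = [];
foreach ($keys as $k) {
    if (!isset($_SESSION[$k])) {
        die("Missing session value: $k");
    }
    $values[] = $_SESSION[$k];
}

// donor_id is bound as an integer ('i'); everything else as a string ('s').
// Change individual letters to 'd' if weight/height are DECIMAL columns.
$types = 'i' . str_repeat('s', count($values) - 1);
$stmt->bind_param($types, ...$values);

if (!$stmt->execute()) {
    die('Insert failed: ' . $stmt->error);
}
echo 'Inserted ' . $stmt->affected_rows . " row(s)\n";

$stmt->close();
$db->close();
```

Argument unpacking into bind_param() needs PHP 5.6 or later; on older versions pass the fifteen values explicitly. The equivalent with PDO is `$pdo->prepare($sql)->execute($values)`, with the same fixed SQL text.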
