I'm trying to solve this issue for an hour and I have no more solutions. I need to form a SQL statement using some variables and I think I need to escape the quotes inside $_POST because I get an error (Parse error: syntax error, unexpected '"').
Help!! Thanks
$counter=$_POST["counter"];
$x=1;
$p="('','$code','$procedure0','$check0')";
while($x<$counter)
{
    $p.=",('','$code','$_POST["check".$x]','$_POST["procedure".$x]')";
    $x++;
};
...
$sql="INSERT INTO `proceduri` VALUES $p;";
Please notice that your $_POST array is inside the query. Correct syntax:
$p = '';
for ($x = 0; $x < $counter; $x++) {
    if ($x)
        $p .= ',';
    $p .= "('','$code','" . htmlspecialchars($_POST["check".$x], ENT_QUOTES) . "','" . htmlspecialchars($_POST["procedure".$x], ENT_QUOTES) . "')";
}
I have added the htmlspecialchars function to sanitize the variables before sending them to the SQL server - this will prevent some possible SQL injection. Please read this to do it the best way:
$counter = $_POST["counter"];
$x = 1;
$p = "('','$code','$procedure0','$check0')";
while ($x < $counter) {
    // Curly-brace syntax lets the parser read the whole array expression,
    // inner double quotes included, as one interpolated value.
    $p .= ",('','$code','{$_POST["check".$x]}','{$_POST["procedure".$x]}')";
    $x++;
}
...
$sql = "INSERT INTO `proceduri` VALUES $p;";
While this might work, please consider using a parameterized approach.
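The parameterized approach mentioned above, written out as an added example (this is not code from the question or either answer). The multi-row INSERT keeps the same shape, but every value from the request is bound through a placeholder, so a quote in check1 or procedure1 can neither cause the parse error nor change the statement; htmlspecialchars is an HTML-output encoder and is not a substitute for this. Assumptions: the table `proceduri` has an auto-increment id plus code, check and procedure columns (the page never shows its definition), row 0 is read from $_POST like the other rows, and an in-memory SQLite database stands in for the MySQL server so the script runs offline.

```php
<?php
// Added example, not code from the question or either answer. Assumptions: table
// layout of `proceduri` (id, code, check, procedure) and the SQLite stand-in for MySQL.

declare(strict_types=1);

/**
 * Build a multi-row INSERT for `proceduri` from a $_POST-shaped array.
 * Returns [$sql, $values]: one "(NULL, ?, ?, ?)" group per row and the flat list
 * of values to bind. Row 0 uses check0/procedure0, row 1 uses check1/procedure1,
 * and so on up to counter-1, matching the question's loop.
 */
function buildProceduriInsert(array $post, string $code): array
{
    // counter also comes from the client: validate it as a bounded integer.
    $counter = filter_var(
        $post['counter'] ?? '',
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 1000]]
    );
    if ($counter === false) {
        throw new InvalidArgumentException('counter must be an integer between 1 and 1000');
    }

    $groups = [];
    $values = [];
    for ($x = 0; $x < $counter; $x++) {
        $check = $post["check$x"] ?? null;
        $procedure = $post["procedure$x"] ?? null;
        if (!is_string($check) || !is_string($procedure)) {
            throw new InvalidArgumentException("missing or non-string check$x / procedure$x");
        }
        // NULL lets the auto-increment id be assigned; the question used '' for it.
        $groups[] = '(NULL, ?, ?, ?)';
        array_push($values, $code, $check, $procedure);
    }

    // Only fixed SQL text and placeholders are concatenated; no request data.
    $sql = 'INSERT INTO `proceduri` (`id`, `code`, `check`, `procedure`) VALUES '
        . implode(', ', $groups);
    return [$sql, $values];
}

// Demo: in-memory SQLite so it runs without a MySQL server (assumption, see above).
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec(
    'CREATE TABLE `proceduri` ('
    . '`id` INTEGER PRIMARY KEY AUTOINCREMENT, `code` TEXT, `check` TEXT, `procedure` TEXT)'
);

// Constructed stand-in for $_POST. The second row carries an apostrophe and a
// quote-breakout fragment; with placeholders both are stored as plain text.
$post = [
    'counter'    => '2',
    'check0'     => 'ok',
    'procedure0' => 'Appendectomy',
    'check1'     => "x'); DROP TABLE `proceduri`; --",
    'procedure1' => "O'Brien test",
];

[$sql, $values] = buildProceduriInsert($post, 'C42');
$stmt = $pdo->prepare($sql);
$stmt->execute($values);

foreach ($pdo->query('SELECT * FROM `proceduri`', PDO::FETCH_ASSOC) as $row) {
    echo implode(' | ', $row), PHP_EOL;
}
```

Running it prints both rows, with the apostrophe and the breakout fragment stored verbatim and the table still present. Against MySQL the same buildProceduriInsert() output works unchanged with a mysql: DSN; bounding counter matters there too, since it decides how many placeholders and rows a single request can produce.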