What's wrong with the PHP syntax here?

Question

I'm having hard time to figure out whats wrong in this code. I tried many variations but still getting error in this line:

$query= "INSERT INTO publish (name, email, title, content)" .
    "VALUES ('$row['Name']','$row['Email']',$row['title'],$row['content'])";

What could be wrong?

here's the rest of the code:

<?php


 // connect to the database
 include('config2.php');

 // check if the 'id' variable is set in URL, and check that it is valid
 if (isset($_GET['id']) && is_numeric($_GET['id']))
 {
 // get id value
 $id = $_GET['id'];

 $dbc = mysqli_connect('localhost', 'x', 'x', 'x')
    or die('Error');

    $name = $row['Name'];
    $email = $row['Email'];
    $title = $row['title'];
    $content = $row['content'];


    $result = mysql_query("select *stories WHERE id=$id")
             or die(mysql_error()); 

    $row = mysql_fetch_array( $result );
    $query= "INSERT INTO publish (name, email, title, content)" .
    "VALUES ('$row['Name']','$row['Email']',$row['title'],$row['content'])";

   or die('Error querying database.');

  mysqli_close($dbc);

 }

?>

Error message: "parse error expecting identifier (t_string) ' or variable (t_variable) ' or number (t_num_string) '"

Answer 1

You probably want to use complex string syntax to properly interpolate those variables. For example:

$query= "INSERT INTO publish (name, email, title, content)" .
"VALUES ('{$row['Name']}','{$row['Email']}',{$row['title']},{$row['content']})";

Though that will only fix one of the issues with the code.

Do note there are plenty of other ways to resolve this one too, such as concatenation instead of interpolation, or string replacements, etc etc.

It might also be worth reading the documentation on strings at some point.

Answer 2

You forgot the "." between your variables and your strings. Like so:

$query= "INSERT INTO publish (name, email, title, content)" .
    "VALUES (".$row['Name'].','.$row['Email'].','.$row['title'].','.$row['content'].")";

However, it looks like you may have some additional issues going on there with the actual SQL query.

Answer 3

The best practice in PHP is to use single quote ' for strings. Cos PHP looks for variables inside double quoted strings and keeps on sniffing whether there is a variable (or multiple variables) inside the string.

So for example: "A very very long string... $var1 .. long string .. $var2 string" this will run slower compared to 'A very very long string... ' . $var1 . ' .. long string .. ' . $var2 . ' string'; cos when PHP sees single quote it won't sniff for variables inside it thus it's faster.

From my experience, in my early age I worked on a very large php script and used double quotes everywhere. After the above explanation from an expert I converted the whole script to single quote and the performance was much better.

So for your situation I'd suggest and request to use single quotes and it'll avoid confusions as well. Also using mysql_real_escape_string() is a good practice to avoid SQL Injection .

$query= 'INSERT INTO publish (name, email, title, content) 
VALUES (
\'' . mysql_real_escape_string ($row['Name']) . '\',
\'' . mysql_real_escape_string ($row['Email']) . '\', 
\'' . mysql_real_escape_string ($row['title']) . '\',
\'' . mysql_real_escape_string ($row['content']) . '\')';