PHP MySQL Database backend

Can someone please tell me what is wrong with this line?

VALUES('$_POST[POS]','$_POST[GP]','$_POST[Goals]','$_POST[Assists]','$_POST[Points]','$_POST[Polarity]','$_POST[PPG]','$_POST[SHG]','$_POST[PIM]','$_POST[Hits]','$_POST[Shots]','$_POST[Shots %]')";

It's in context with:

<?php
 $con = mysql_connect("localhost","ernie","gomes");
 if (!$con)
   {
   die('开发者_Go百科Could not connect: ' . mysql_error());
   }

mysql_select_db("ernie", $con);

$sql="INSERT INTO statplayer (POS, GP, Goals, Assists, Points, Polarity, PPG, SHG, PIM, Hits, Shots, Shot %)
VALUES('$_POST[POS]','$_POST[GP]','$_POST[Goals]','$_POST[Assists]','$_POST[Points]','$_POST[Polarity]','$_POST[PPG]','$_POST[SHG]','$_POST[PIM]','$_POST[Hits]','$_POST[Shots]','$_POST[Shots %]')";

if (!mysql_query($sql,$con))
   {
   die('Error: ' . mysql_error());
   }
 echo "1 record added";

mysql_close($con)
 ?> 

---

As the comments to the question have been suggesting, it seems to be due to the space in Shots %. This needs to be quoted, in both SQL and PHP. Your error is a PHP error, but I think you'll get an SQL error once you fix it.

See below for how to put quotes around that name.

$sql="INSERT INTO statplayer (POS, GP, Goals, Assists, Points, Polarity, PPG, SHG, PIM, Hits, Shots, `Shot %`)
VALUES('$_POST[POS]','$_POST[GP]','$_POST[Goals]','$_POST[Assists]','$_POST[Points]','$_POST[Polarity]','$_POST[PPG]','$_POST[SHG]','$_POST[PIM]','$_POST[Hits]','$_POST[Shots]','."$_POST['Shots %']."')";

or

$sql="INSERT INTO statplayer (POS, GP, Goals, Assists, Points, Polarity, PPG, SHG, PIM, Hits, Shots, `Shot %`)
VALUES('$_POST[POS]','$_POST[GP]','$_POST[Goals]','$_POST[Assists]','$_POST[Points]','$_POST[Polarity]','$_POST[PPG]','$_POST[SHG]','$_POST[PIM]','$_POST[Hits]','$_POST[Shots]','{$_POST['Shots %']}')";

But please read about SQL Injection and how to prevent it. Your code is completely vulnerable.

---

It looks like there are many problems with your code, but we all have to start somewhere. At the top of your script, put the following to turn on error reporting:

error_reporting(-1);

You should do this for every file you have in order to produce better code. To answer your question, the reason it's failing is because you need to put curly braces around your array variables, like this:

$string = "Some text with a {$array['var']} variable";

Also, notice that 'var' has quotes around it. You cannot do $array[var] (without quoting 'var' or else you're going to get a notice that var has not been defined. Also, it is not recommended to use spaces or characters like '%' in your variable names. I have therefore changed it in the example below to 'ShotPercent' instead.

As many other people have mentioned, your script is vulnerable to SQL injection, so I would highly recommend you ditch the mysql_* functions completely. They are outdated. Instead, use PDO. Something like this should work:

<?php

$host = 'localhost';
$dbname = 'ernie';
$user = 'ernie';
$pass = 'gomes';

try {
    $dbh = new LoggedPDO("mysql:host=$host;dbname=$dbname", $user, $pass);
    $dbh->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION );
    $dbh->setAttribute( PDO::ATTR_DEFAULT_FETCH_MODE, PDO::FETCH_ASSOC );
} catch(PDOException $e) {
    die("DB connection error: ".$e->getMessage());
}

$sql="INSERT INTO statplayer (POS, GP, Goals, Assists, Points, Polarity, PPG, SHG, PIM, Hits, Shots, ShotPercent)
    VALUES ( ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ? )";
$sth = $dbh->prepare($sql);

try {
    $sth->execute(array($_POST['POS'], $_POST['GP'], $_POST['Goals'], $_POST['Assists'], $_POST['Points'], $_POST['Polarity'], $_POST['PPG'] , $_POST['SHG'], $_POST['PIM'], $_POST['Hits'], $_POST['Shots'],$_POST['ShotPercent']));
} catch(PDOException $e) {
    die(echo $e->getMessage());
}

echo $sth->rowCount() .' record(s) added';