Error after selecting data from database [duplicate]

Tags: php, mysql, pdo

I am currently working on a forum website with an upvote-system. However, there are some annoying, probably syntactic errors that are bugging me. I am talking about this piece of code.

<?php
session_start();

include_once 'dbh_discussion.inc.php';
$conn = db_discussion_connect();

$thread_id = $_POST['upvote'];

$sql1 = $conn->prepare("SELECT * FROM users WHERE user_id = '$_SESSION['u_id']' AND thread_id = '$thread_id'");

The things that aren't clear in this piece of code are as follows:

  • db_discussion_connect(): a function declared in dbh_discussion_connect.inc.php. This function returns a new PDO that connects to my database.
  • the index 'upvote' is the name of a button in another php file that will call the code above.
  • $_SESSION['u_id'] is a session variable that will be assigned when the user logs onto the website.

The error that I'm getting when debugging on the server:

Parse error: syntax error, unexpected '' (T_ENCAPSED_AND_WHITESPACE), expecting '-' or identifier (T_STRING) or variable (T_VARIABLE) or number (T_NUM_STRING) in /var/www/html/includes/thread_upvotes.inc.php on line 9

I feel like I'm missing out on something syntactical. Anyhow, I'd really appreciate someone telling me what's going wrong here.

Thanks

Willem van der Spek asked Jun 06 '26 08:06
1 Answer

I get triggered so hard by these people who provide answers that are still wide open to injections. Is it that difficult to change his prepared statement to something safe?!!!

Here a solution with a correct prepared statement. As if it takes that long to rewrite it. That should be against the rules here.

<?php
session_start();

include_once 'dbh_discussion.inc.php';
$conn = db_discussion_connect();

// Named placeholders in the SQL text; the values never touch the query string,
// so the database treats them as data, not as part of the statement.
$sql1 = $conn->prepare("SELECT * FROM users WHERE user_id = :uid AND thread_id = :tid");
$sql1->bindParam(':uid', $_SESSION["u_id"]);
$sql1->bindParam(':tid', $_POST['upvote']);
$sql1->execute();

// Read the matching row (false if the user has not voted on this thread).
$row = $sql1->fetch(PDO::FETCH_ASSOC);
Twinfriends answered Jun 08 '26 23:06
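The following is an added example, not code from the question or the answer above. It runs against an in-memory SQLite database (the table layout, rows, and the simulated session and request values are constructed for the demo) so it can be executed stand-alone. It shows the two separate problems in the original line: the parse error, which comes from writing a quoted array key inside a double-quoted string, and the injection risk, which remains even once the interpolation is written correctly. The countVotes() helper is an assumed name and is not part of the question's project.

```php
<?php
// Added example (not from the question or the answer): the parse error in the
// original query and the placeholder-based rewrite, run against an in-memory
// SQLite database so it needs no server. Table and rows are constructed.

$conn = new PDO('sqlite::memory:');
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$conn->exec("CREATE TABLE users (user_id INTEGER, thread_id INTEGER)");
$conn->exec("INSERT INTO users VALUES (7, 42), (7, 43), (8, 42)");

// Stand-ins for $_SESSION['u_id'] and $_POST['upvote'] (constructed values).
$session = ['u_id' => 7];
$post    = ['upvote' => 42];

// 1. The parse error. Inside a double-quoted string PHP accepts either the
//    simple syntax with an UNQUOTED key ("$arr[key]") or the complex syntax in
//    braces ("{$arr['key']}"). "$arr['key']" with quotes is a parse error, which
//    is the T_ENCAPSED_AND_WHITESPACE message in the question. Even written
//    correctly, interpolation still pastes raw request data into the SQL text:
$interpolated = "SELECT * FROM users WHERE user_id = '{$session['u_id']}'"
              . " AND thread_id = '{$post['upvote']}'";
echo $interpolated, "\n";

// 2. The safe form: placeholders in the SQL, values bound separately, so the
//    database parses the statement before it ever sees the user's input.
function countVotes(PDO $conn, $uid, $tid): int
{
    $stmt = $conn->prepare(
        "SELECT COUNT(*) FROM users WHERE user_id = :uid AND thread_id = :tid"
    );
    // bindValue() is used here because the arguments are plain values rather
    // than variables that must be bound by reference.
    $stmt->bindValue(':uid', $uid);
    $stmt->bindValue(':tid', $tid);
    $stmt->execute();
    return (int) $stmt->fetchColumn();
}

// Normal lookup: user 7 has one vote on thread 42.
echo countVotes($conn, $session['u_id'], $post['upvote']), "\n"; // 1

// A value containing a quote is compared literally and simply matches nothing,
// instead of breaking the query or altering its meaning as it would if it had
// been spliced into $interpolated.
echo countVotes($conn, $session['u_id'], "42'"), "\n"; // 0
```

The first echo prints the fully assembled query so the reader can see that whatever arrives in the request becomes part of the statement text; the placeholder version never builds such a string, which is why the answer's bindParam() rewrite closes the hole rather than merely fixing the syntax.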


