why am I getting a parse error with adding this to mydatabas

Mythic Fr0st
Forum Contributor
Posts: 137
Joined: Sat Dec 02, 2006 3:23 am

Post by Mythic Fr0st »

Well, I kinda got it working. I'm trying to check if the username entered into the box 'login' is in the database; if so, let them in, otherwise don't.

But I get a parse error:

Parse error: parse error, expecting `T_STRING' or `T_VARIABLE' or `T_NUM_STRING' in c:\program files\easyphp1-8\www\test\home.php on line 25

Code: Select all

<html>
<body>
<head>
<style type="text/css">
body 
{
background-image:
url('SilverBG.jpg')
}
</style>
</head>
<img src="Mythic Aeons Banner.jpg" width="1009" height="125">
<form action="Youhavebeene-mailed.php" method="post">

<?php
$con = mysql_connect("localhost","Mythic Fr0st","null");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }

mysql_select_db("users", $con);

$result = mysql_query("SELECT * FROM users
WHERE username=$_POST['login']");

while($row = mysql_fetch_array($result))
  {
  echo $row['username'] . " " . $row['email'];
  echo "<br />";
  }

?>
</body>
</html>

Any ideas? I'm stumped O_O

(username and email are lists in my table 'users' and my database name is also 'users')

the errored line is WHERE username=$_POST['login']");
Last edited by Mythic Fr0st on Sun Dec 03, 2006 12:43 am, edited 1 time in total.
hrubos
Forum Contributor
Posts: 172
Joined: Sat Oct 07, 2006 3:44 pm

Re: why am I getting a parse error with adding this to mydat

Post by hrubos »

You can try this

Code: Select all

echo '$row['username'] . " " . $row['email']';
Have fun!!!


feyd | How hard is it to not use AOLSPEAK?! I've asked nice, now I'm not.
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

Has nothing to do with your database, it's a php parse error.

Code: Select all

<?php
$v = $arr['index'];
// but
$v = "... $arr[index] ...";
// or 
$v = "... {$arr['index']} ...";

see http://de2.php.net/language.types.strin ... tax.double

Your script is prone to sql injections, see http://de2.php.net/mysql_real_escape_string
Strings have to be marked for mysql as well as for php
SELECT ... WHERE abc=xyz <- selects all records where the field abc holds the same contents as the field xyz of the same record.
You want: SELECT ... WHERE abc='xyz'

try

Code: Select all

$con = mysql_connect("localhost", "Mythic Fr0st", "rainmaker") or die(mysql_error());
mysql_select_db('users', $con) or die(mysql_error());

$username = mysql_real_escape_string($_POST['login'], $con);
$query = "SELECT
		username,email
	FROM
		users
	WHERE
		username='$username'";
$result = mysql_query($query) or die(mysql_error());
Last edited by volka on Sun Dec 03, 2006 12:44 am, edited 1 time in total.
Mythic Fr0st
Forum Contributor
Posts: 137
Joined: Sat Dec 02, 2006 3:23 am

m

Post by Mythic Fr0st »

nope thanks anyway
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

Try this one...

Code: Select all

<?php
ini_set('error_reporting', E_ALL);
ini_set('display_errors', 1);

if (!$con = mysql_connect("localhost","Mythic Fr0st","null"))
{
  die('Could not connect: ' . mysql_error());
}

if (!mysql_select_db("users", $con))
{
  die('Could not select the database: ' . mysql_error());
}

// Check to see if this var is set
if (isset($_POST['login']))
{
  $login = mysql_real_escape_string($_POST['login']);
  $sql = "SELECT * FROM `users` WHERE `username` = '$login'";

  if (!$result = mysql_query($sql))
  {
    die('Could not execute the query: ' . mysql_error());
  }

  while($row = mysql_fetch_array($result))
  {
    echo $row['username'] . ' ' . $row['email'] . '<br />';
  }
}
else
{
  echo 'The post var login was not set';
}
?>
dibyendrah
Forum Contributor
Posts: 491
Joined: Wed Oct 19, 2005 5:14 am
Location: Nepal

Post by dibyendrah »

Change

Code: Select all

$result = mysql_query("SELECT * FROM users
WHERE username=$_POST['login']");
To

Code: Select all

$query = "SELECT * FROM users WHERE username=".$_POST['login'];
$result = mysql_query($query);
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

If the username is a string you will need quotes around the var...

Code: Select all

$query = "SELECT * FROM users WHERE username='" . $_POST['login'] . "'";
or you will get mysql errors. Of course, doing it this way is still a major security risk, so I would still suggest, at the very least, you run the post var through mysql_real_escape_string() before sending it to the database.
dibyendrah
Forum Contributor
Posts: 491
Joined: Wed Oct 19, 2005 5:14 am
Location: Nepal

Post by dibyendrah »

Everah wrote:If the username is a string you will need quotes around the var...

Code: Select all

$query = "SELECT * FROM users WHERE username='" . $_POST['login'] . "'";
or you will get mysql errors. Of course, doing it this way is still a major security risk, so I would still suggest, at the very least, you run the post var through mysql_real_escape_string() before sending it to the database.
Oh! I'm sorry for the post. Yes, I forgot to put the quotes on that query.
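
The SQL injection risk raised by volka and RobertGonzalez, shown as an added example that is not part of the thread or any poster's code: the quoted-concatenation query from the replies next to a parameterized query. It assumes PHP with the pdo_sqlite extension and uses a constructed in-memory table; the function names findConcatenated and findBound are hypothetical.

```php
<?php
// Added example: constructed data in an in-memory SQLite database (assumes the
// pdo_sqlite extension); the same PDO calls work with a "mysql:" DSN.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (username TEXT, email TEXT)");
$pdo->exec("INSERT INTO users VALUES ('alice', 'alice@example.test'),
                                     ('bob',   'bob@example.test')");

// Pattern from the thread: the value is pasted into the SQL text, so any quote
// inside it ends the string literal and the rest is parsed as SQL.
function findConcatenated(PDO $pdo, string $login): array
{
    $sql = "SELECT username, email FROM users WHERE username='" . $login . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: the SQL text is fixed and the value travels separately as a
// bound parameter, so it is only ever compared as data.
function findBound(PDO $pdo, string $login): array
{
    $stmt = $pdo->prepare('SELECT username, email FROM users WHERE username = ?');
    $stmt->execute([$login]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: a normal name, and a value containing quotes.
$inputs = ['alice', "nobody' OR 'a'='a"];
foreach ($inputs as $login) {
    printf("%-20s concatenated: %d row(s), bound: %d row(s)\n",
        $login, count(findConcatenated($pdo, $login)), count(findBound($pdo, $login)));
}
```

For the second input the concatenated query matches every row in the table, while the bound query matches none, because no user has that literal name.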