why am I getting a parse error with adding this to mydatabas
Posted: Sun Dec 03, 2006 12:09 am
by Mythic Fr0st
Well, I kinda got it working. I'm trying to check if the username entered into the box 'login' is in the database; if so, let them in, otherwise don't,
but I get a parse error
Parse error: parse error, expecting `T_STRING' or `T_VARIABLE' or `T_NUM_STRING' in c:\program files\easyphp1-8\www\test\home.php on line 25
Code: Select all
<html>
<body>
<head>
<style type="text/css">
body
{
background-image:
url('SilverBG.jpg')
}
</style>
</head>
<img src="Mythic Aeons Banner.jpg" width="1009" height="125">
<form action="Youhavebeene-mailed.php" method="post">
<?php
$con = mysql_connect("localhost","Mythic Fr0st","null");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}
mysql_select_db("users", $con);
$result = mysql_query("SELECT * FROM users
WHERE username=$_POST['login']");
while($row = mysql_fetch_array($result))
{
echo $row['username'] . " " . $row['email'];
echo "<br />";
}
?>
</body>
</html>
Any ideas? I'm stumped O_O
(username and email, are lists in my table 'users' and my database name is also 'users')
the errored line is WHERE username=$_POST['login']");
Re: why am I getting a parse error with adding this to mydat
Posted: Sun Dec 03, 2006 12:40 am
by hrubos
You can try this
Code: Select all
echo '$row['username'] . " " . $row['email']';
Have fun!!!
feyd | How hard is it to not use AOLSPEAK?! I've asked nice, now I'm not.
Posted: Sun Dec 03, 2006 12:44 am
by volka
Has nothing to do with your database, it's a php parse error.
Code: Select all
<?php
$v = $arr['index'];
// but
$v = "... $arr[index] ...";
// or
$v = "... {$arr['index']} ...";
see
http://de2.php.net/language.types.strin ... tax.double
Your script is prone to SQL injections, see
http://de2.php.net/mysql_real_escape_string
Strings have to be marked for mysql as well as for php
SELECT ... WHERE abc=xyz <- selects all records where the field abc holds the same contents as the field xyz of the same record.
You want:
SELECT ... WHERE abc='xyz'
try
Code: Select all
$con = mysql_connect("localhost", "Mythic Fr0st", "rainmaker") or die(mysql_error());
mysql_select_db('users', $con) or die(mysql_error());
$username = mysql_real_escape_string($_POST['login'], $con);
$query = "SELECT
username,email
FROM
users
WHERE
username='$username'";
$result = mysql_query($query) or die(mysql_error());
Posted: Sun Dec 03, 2006 12:44 am
by Mythic Fr0st
nope thanks anyway
Posted: Sun Dec 03, 2006 1:18 am
by RobertGonzalez
Try this one...
Code: Select all
<?php
ini_set('error_reporting', E_ALL);
ini_set('display_errors', 1);
if (!$con = mysql_connect("localhost","Mythic Fr0st","null"))
{
    die('Could not connect: ' . mysql_error());
}
if (!mysql_select_db("users", $con))
{
    die('Could not select the database: ' . mysql_error());
}
// Check to see if this var is set
if (isset($_POST['login']))
{
    $login = mysql_real_escape_string($_POST['login']);
    $sql = "SELECT * FROM `users` WHERE `username` = '$login'";
    if (!$result = mysql_query($sql))
    {
        die('Could not execute the query: ' . mysql_error());
    }
    while($row = mysql_fetch_array($result))
    {
        echo $row['username'] . ' ' . $row['email'] . '<br />';
    }
}
else
{
    echo 'The post var login was not set';
}
?>
Posted: Sun Dec 03, 2006 3:56 am
by dibyendrah
Change
Code: Select all
$result = mysql_query("SELECT * FROM users
WHERE username=$_POST['login']");
To
Code: Select all
$query = "SELECT * FROM users WHERE username=".$_POST['login'];
$result = mysql_query($query);
Posted: Sun Dec 03, 2006 2:10 pm
by RobertGonzalez
If the username is a string you will need quotes around the var...
Code: Select all
$query = "SELECT * FROM users WHERE username='" . $_POST['login'] . "'";
or you will get mysql errors. Of course, doing it this way is still a major security risk, so I would still suggest, at the very least, you run the post var through
mysql_real_escape_string() before sending it to the database.
Posted: Sun Dec 03, 2006 11:25 pm
by dibyendrah
Everah wrote: If the username is a string you will need quotes around the var...
Code: Select all
$query = "SELECT * FROM users WHERE username='" . $_POST['login'] . "'";
or you will get mysql errors. Of course, doing it this way is still a major security risk, so I would still suggest, at the very least, you run the post var through
mysql_real_escape_string() before sending it to the database.
Oh! I'm sorry for the post. Yes, I forgot to put the quotes on that query.
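The escaping advice in this thread targets the mysql_* extension, which was removed in PHP 7.0; a parameterized query is the current way to keep the login value out of the SQL text. The following is an added example, not code from any poster in the thread: it compares the quoted concatenation with a PDO prepared statement. It assumes the pdo_sqlite extension and uses an in-memory SQLite table as a stand-in for the `users` table; the rows, function names and input values are constructed.

```php
<?php
// Constructed stand-in for the thread's `users` table (in-memory SQLite).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (username TEXT, email TEXT)");
$pdo->exec("INSERT INTO users VALUES ('alice', 'alice@example.test'), ('bob', 'bob@example.test')");

// "Before": the quoted but unescaped concatenation discussed in the thread.
function lookup_concatenated(PDO $pdo, string $login): array
{
    $sql = "SELECT username, email FROM users WHERE username='" . $login . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// "After": the value is bound as a parameter and never becomes part of the SQL text.
function lookup_prepared(PDO $pdo, string $login): array
{
    $stmt = $pdo->prepare('SELECT username, email FROM users WHERE username = ?');
    $stmt->execute([$login]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs standing in for $_POST['login'].
$inputs = ['alice', "' OR '1'='1", "o'brien"];

foreach ($inputs as $login) {
    try {
        $before = count(lookup_concatenated($pdo, $login));
    } catch (PDOException $e) {
        $before = 'SQL error'; // an unbalanced quote breaks the statement
    }
    $after = count(lookup_prepared($pdo, $login));
    printf("%-14s concatenated rows: %-9s prepared rows: %d\n", $login, $before, $after);
}
```

With a MySQL DSN in place of `sqlite::memory:`, the `prepare()` and `execute()` calls stay the same.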