This question already has answers here:
PHP parse/syntax errors; and how to solve them
(20 answers)
Closed 10 months ago.
$query = "select * from login details where User_id like '$user_name' and Password '$user_pass'";
I cannot find any error but it showing error.
Please stop execute queries as native call, your query have SQL INJECTION, you can execute queries with PDO like this:
$query = "SELECT * FROM login WHERE User_id LIKE ? AND Password = ?";
$params = array("%$user_name%", "$user_pass");
$stmt = $handle->prepare($query);
$stmt->execute($params);
REF LINK
REF LINK
Also please prevent check UserId column as like on query and Password column without hash value.
Related
This question already has answers here:
PHP parse/syntax errors; and how to solve them
(20 answers)
How can I prevent SQL injection in PHP?
(27 answers)
Closed 2 years ago.
I am using a script form 2002
can anyone help me whit this code
$add_topic = insert into forum_topics values ('', '$_POST['topic_title']',
It gives me a "Parse error: syntax error, unexpected 'into' (T_STRING)" Please help
Thank you
You need to put quotes around your SQL statement. You also might get some errors with using your variable $_POST['topic_title']. Put double quotes around it like below.
$add_topic = "INSERT INTO forum_topics VALUES('', '".$_POST['topic_title']."')";
It's also a good idea to add parenthesis after "forum_topics" so that you can get an idea of what you are actually inserting.
$add_topic = "INSERT INTO forum_topics(some_value, topic_title) VALUES('', '".$_POST['topic_title']."')";
Also use Prepared Statements so your code is not open to SQL injection. Please search Google first before coming here as there are a lot of resources related to errors. It should look like this:
$add_topic = "INSERT INTO forum_topics(some_value, topic_title) VALUES(?, ?)";
if ($stmt = mysqli_prepare($conn, $add_topic) {
mysqli_stmt_bind_param($stmt, "ss", $some_var, $_POST['topic_title'];
$some_var = ' ';
mysqli_stmt_execute($stmt);
// Execution successful.
} else {
// Error.
}
This question already has answers here:
PHP parse/syntax errors; and how to solve them
(20 answers)
Closed 3 years ago.
Im trying to populate a php veriable from a MySql query to use later on when sending an email via php. Please see below below code for populating the veriable. I have not included the mysql_connect and mysql_select_db as this this a live db and i know the connections work. Also before you state that i should be using mysqli or POD i know but the server cannot be updated as there is a large number of pages that rely on the old code.
Error - Parse error: syntax error, unexpected 'echo' (T_ECHO)
$emailaddress = "SELECT e_mail FROM frm_change_approver WHERE user_id LIKE '$approvingmanagername'";
$result = mysql_fetch_array($emailaddress);
$approveremail = echo $result['e_mail'];
I need $approveremail to be populated via the above query as i already have the email address for the user in the database and dont want a user to type the wrong one, i only capture the users user_id in the form as i dont want there to be an email address field at all. I will then use the populated veriable to send the email to that person.
any help will be greatly appreciated.
You cannot assign an echo statement to a variable.
Change this:
$approveremail = echo $result['e_mail'];
To this:
$approveremail = $result['e_mail'];
echo $approveremail;
Or even:
echo $result['e_mail'];
Furthermore, please consider using mysqli or PDO instead of mysql_ functions. mysql_ function are deprecated and no longer supported in PHP 7.0 and above.
Take a look at this page
https://www.php.net/manual/en/function.mysql-fetch-array.php
You need to run the query and then fetch the result
$emailaddress = "SELECT e_mail FROM frm_change_approver WHERE user_id = '$approvingmanagername'";
$result = mysql_query($emailaddress);
$row = mysql_fetch_array($result, MYSQL_ASSOC);
$approveremail = $row['e_mail'];
Also, please consider to use mysql_real_escape_string() to sanitize your inputs https://www.php.net/manual/en/function.mysql-real-escape-string.php
This question already has answers here:
PHP parse/syntax errors; and how to solve them
(20 answers)
Closed 6 years ago.
How can I select the 'description' row from my 'users' table? I want to just grab the description row depending on what user is logged in.
So far I have this code
$sql = "SELECT description FROM users WHERE uid="$_SESSION['uid']";
but I get this error:
Parse error: syntax error, unexpected '$_SESSION' (T_VARIABLE) in /Applications/XAMPP/xamppfiles/htdocs/login_sys/includes/profile.inc.php on line 19`
That's because your code is syntaxically wrong.
The correct code would be this:
$uid = $_SESSION['uid'];
$sql = "SELECT description FROM users WHERE uid='$uid'";
(I put the $_SESSION['uid'] in a variable to avoid the problem with lots of quotes in the query).
However, this solution is also wrong, in that you should never use a variable directly in the database like this, even when it's a session. You should read up on prepared queries, and make sure you use either mysqli_ or PDO as a database-handler in PHP.
you are getting this error beacause you are missing one " at end of query
$sql = 'SELECT description FROM users WHERE uid="$_SESSION['uid']"';
but always use prepare queries or pdo's as you query this is vulnerable to sql
injection
this should work
$sql = "SELECT description FROM users WHERE uid='$_SESSION[uid]'";
This question already has answers here:
PHP parse/syntax errors; and how to solve them
(20 answers)
Closed 7 years ago.
So I am having the $sql variable which is supposed to be a string containing an sql insert statement.Here's the piece of code:
$fields = array('Nume_dep' => $params['Nume_dep'],
'Id_manager' => $params['Id_manager']);
$id = $params['Id_manager'];
$sql = "insert into departament(Nume_dep,Id_manager) values('$params['Nume_dep']', CONVERT($id, UNSIGNED))";
This is the error message that I get:
Parse error: syntax error, unexpected '' (T_ENCAPSED_AND_WHITESPACE),
expecting identifier (T_STRING) or variable (T_VARIABLE) or number
(T_NUM_STRING)
The syntax error is in the insert statement, but I don't know how to fix it.
$id = $params['Id_manager'];
$nume_dep=$params['Nume_dep'];
$sql = "INSERT INTO departament(Nume_dep,Id_manager) values('$nume_dep', CONVERT($id, UNSIGNED))";
In strings PHP will only do rather basic automatic variable expansion. The Issue is with the index operator here: $params['Nume_dep']
Consider to use prepared statements in order to prevent SQL injection. If an attacker can make sure, that your function is called with something like "', 43); drop table department; --" as value for $params['Nume_dep'], you're going to be in big trouble.
This question already has answers here:
When to use single quotes, double quotes, and backticks in MySQL
(13 answers)
Closed 7 years ago.
I need to select a user with a particular name:
mysql_query('select * from user where screen_name='.$userName.'');
Anyone can help me where I'm wrong?
Yes wrong sql :
mysql_query('select * from user where screen_name="'.$userName.'"');
mysql_query("select * from user where screen_name = '".$userName."';");
Better (in my mind)
$sql = "SELECT * FROM `user` WHERE `screen_name` = '".$userName."';";
mysql_query($sql);
Even better - use mysqli....
mysql_query("select * from user where screen_name='$userName'");
try that.....