This question already has answers here:
PHP parse/syntax errors; and how to solve them
(20 answers)
Closed 6 years ago.
How can I select the 'description' row from my 'users' table? I want to just grab the description row depending on what user is logged in.
So far I have this code
$sql = "SELECT description FROM users WHERE uid="$_SESSION['uid']";
but I get this error:
Parse error: syntax error, unexpected '$_SESSION' (T_VARIABLE) in /Applications/XAMPP/xamppfiles/htdocs/login_sys/includes/profile.inc.php on line 19`
That's because your code is syntaxically wrong.
The correct code would be this:
$uid = $_SESSION['uid'];
$sql = "SELECT description FROM users WHERE uid='$uid'";
(I put the $_SESSION['uid'] in a variable to avoid the problem with lots of quotes in the query).
However, this solution is also wrong, in that you should never use a variable directly in the database like this, even when it's a session. You should read up on prepared queries, and make sure you use either mysqli_ or PDO as a database-handler in PHP.
you are getting this error beacause you are missing one " at end of query
$sql = 'SELECT description FROM users WHERE uid="$_SESSION['uid']"';
but always use prepare queries or pdo's as you query this is vulnerable to sql
injection
this should work
$sql = "SELECT description FROM users WHERE uid='$_SESSION[uid]'";
Related
This question already has answers here:
PHP parse/syntax errors; and how to solve them
(20 answers)
Closed 10 months ago.
$query = "select * from login details where User_id like '$user_name' and Password '$user_pass'";
I cannot find any error but it showing error.
Please stop execute queries as native call, your query have SQL INJECTION, you can execute queries with PDO like this:
$query = "SELECT * FROM login WHERE User_id LIKE ? AND Password = ?";
$params = array("%$user_name%", "$user_pass");
$stmt = $handle->prepare($query);
$stmt->execute($params);
REF LINK
REF LINK
Also please prevent check UserId column as like on query and Password column without hash value.
This question already has answers here:
When to use single quotes, double quotes, and backticks in MySQL
(13 answers)
How can I prevent SQL injection in PHP?
(27 answers)
Closed 3 years ago.
I'm working on a website, and I have encountered with an strange MySQL behaviour. I'm trying to use an MySQL Update Query with multiple WHERE Clauses.
$name = $_POST['username'];
$updatequery1 = "UPDATE OTP SET 'Project' = 'ANETSignupUsed' WHERE Name = '$name' AND HashedOTP = '$hashedotp' ";
$sqlconnection->query($updatequery1);
die("DONE");
Note that I've already defined $hashedotp.
When I try doing the same thing in MySQL Console it works pretty well, and I've made sure that the user used to define $sqlconnection has Update rights.
I've tried solutions DESCRIBED
HERE
HERE
I've spent hours searching about it, but to no avail.
Thanks a lot in advance!
Try this Remove single quote from your query
$updatequery1 = "UPDATE OTP SET Project = 'ANETSignupUsed' WHERE Name = '$name' AND HashedOTP = '$hashedotp' ";
This question already has answers here:
PHP parse/syntax errors; and how to solve them
(20 answers)
Closed 3 years ago.
Im trying to populate a php veriable from a MySql query to use later on when sending an email via php. Please see below below code for populating the veriable. I have not included the mysql_connect and mysql_select_db as this this a live db and i know the connections work. Also before you state that i should be using mysqli or POD i know but the server cannot be updated as there is a large number of pages that rely on the old code.
Error - Parse error: syntax error, unexpected 'echo' (T_ECHO)
$emailaddress = "SELECT e_mail FROM frm_change_approver WHERE user_id LIKE '$approvingmanagername'";
$result = mysql_fetch_array($emailaddress);
$approveremail = echo $result['e_mail'];
I need $approveremail to be populated via the above query as i already have the email address for the user in the database and dont want a user to type the wrong one, i only capture the users user_id in the form as i dont want there to be an email address field at all. I will then use the populated veriable to send the email to that person.
any help will be greatly appreciated.
You cannot assign an echo statement to a variable.
Change this:
$approveremail = echo $result['e_mail'];
To this:
$approveremail = $result['e_mail'];
echo $approveremail;
Or even:
echo $result['e_mail'];
Furthermore, please consider using mysqli or PDO instead of mysql_ functions. mysql_ function are deprecated and no longer supported in PHP 7.0 and above.
Take a look at this page
https://www.php.net/manual/en/function.mysql-fetch-array.php
You need to run the query and then fetch the result
$emailaddress = "SELECT e_mail FROM frm_change_approver WHERE user_id = '$approvingmanagername'";
$result = mysql_query($emailaddress);
$row = mysql_fetch_array($result, MYSQL_ASSOC);
$approveremail = $row['e_mail'];
Also, please consider to use mysql_real_escape_string() to sanitize your inputs https://www.php.net/manual/en/function.mysql-real-escape-string.php
This question already has answers here:
PHP parse/syntax errors; and how to solve them
(20 answers)
How can I prevent SQL injection in PHP?
(27 answers)
Closed 4 years ago.
I have the following line of PHP which has connections set up and everything. It gives me the following error:
( ! ) Parse error: syntax error, unexpected '' (T_ENCAPSED_AND_WHITESPACE), expecting identifier (T_STRING) or variable (T_VARIABLE) or number (T_NUM_STRING) in C:\UwAmp\www\dxlphin\index.php on line 174
Here's the code:
$sql = "SELECT id, name, price, location FROM products WHERE name LIKE '%'.$_POST['search'].'%'";
Any guidance? This syntax is far too complicated for me, despite my best efforts...
Thanks,
This is the better option:
$sql = "SELECT id, name, price, location FROM products WHERE name LIKE ?";
Then prepare that statement and bind the value with the wildcards appended ("%$_POST[search]%").
If you're going to put an array with a string key inside a string like that, (which is fine, but not for inserting user data into SQL strings, as others have also pointed out) you need to omit the quotes on the key, unless you have bracketed the variable. That's why you're getting the syntax error. And the concatenation operators (.) aren't necessary because the variable is already in the string.
$string = "some text '$array[key]' and so on";
OR
$string = "some text '{$array['key']}' and so on";
But really, this is not the way to go for SQL regardless, just FYI on how to use strings.
You are mixing quotes and double quotes
$sql = "SELECT id, name, price, location FROM products WHERE name LIKE '%".$_POST['search']."%'";
However, your code is very insecure. As it has been suggested in the comments, you should use Prepared Statements to avoid SQL Injections.
For example, using PDO (http://php.net/manual/en/class.pdo.php):
$pdo = new PDO(<dsn>); // Check the manual to see how to build your dsn
$query = $pdo->prepare("SELECT id, name, price, location FROM products WHERE name LIKE :searchTerm");
$query->execute([':searchTerm' => "%" . $_POST['search'] . "%"]);
You have to end the quotes with whatever you started with before concatenating. So since you started your string with ", you should end it with " before concatenating .$_P.... Your line should be:
$sql = "SELECT id, name, price, location FROM products WHERE name LIKE '%".$_POST['search']."%'";
Note that its wrong to pass a variable from $_POST directly to the db to avoid SQL injection.
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 8 years ago.
I'm adding some html code to a database through a mysql_query. So, a basic query looks like this $qry = "UPDATE Pages SET ".$column."='$value' WHERE id='$id'";
If this is called, an actual query might look like this: $qry = "UPDATE Pages SET content_en='<h1>This is a title</h1>' WHERE id='12'"; However, if the HTML code looks like this: <h1 style='color:red;'>This is a title</h1>, it'll break the query because of the semi-colon. Is there any way to solve this?
Use mysql escaping function over your content, like that :
$value = mysqli_real_escape_string($value);