I am trying to select data from specific user in MySQL database to PHP using my session. Code I have is:
$sql = "SELECT * FROM users WHERE Username = "$_SESSION['sess_user']" LIMIT 1";
I'm currently getting this error
Parse error: syntax error, unexpected '$_SESSION' (T_VARIABLE)
Since we're more than likely dealing with a string, you would need to add quotes to it and concatenate it with dots/periods.
I.e. '".$_SESSION['sess_user']."'
Just to be 100% certain, make sure you have started the session using session_start(); at the top of every page using sessions.
just use ' instead of "
$sql = "SELECT * FROM users WHERE Username = '{$_SESSION['sess_user']}' LIMIT 1";
You are missing the . (DOT) symbol for adding variables to strings. Try this:
$sql = "SELECT * FROM users WHERE Username = " . $_SESSION['sess_user'] . " LIMIT 1";
That's it.
i had the same issue
i just had to give my variable a name and use that
$sessUser = $_SESSION['sess_user'];
then use $sessUser in your sql statement
Related
This question already has answers here:
PHP parse/syntax errors; and how to solve them
(20 answers)
Closed 7 years ago.
I want to change the 401 in the code below to a string based on a value from my website like
$sql2 = 'SELECT post_content2 FROM wp_posts WHERE ID = '$jeff''
but I'm getting
Parse error: syntax error, unexpected '$jeff' (T_VARIABLE) in /public_html/wp-content/themes/real-spaces/single-property.php on line 384
Here's the code that works:
if(! $conn2 )
{
die('Could not connect: ' . mysql_error());
}
$sql2 = 'SELECT post_content2 FROM wp_posts WHERE ID = 401' ;
mysql_select_db('fncletvn_wp389');
$retval2 = mysql_query( $sql2, $conn2 );
if(! $retval2 )
{
die('Could not get data: ' . mysql_error());
}
while($row2 = mysql_fetch_array($retval2, MYSQL_ASSOC))
{
echo "{$row2['post_content2']} <br> " ;
}
I'm very new to programming so plase help :D
By the way, what I'm trying to do is pull out the value of post_content2 from the database based on the ID of the current post which is $jeff
Simply use quotes like this:
$sql2 = "SELECT post_content2 FROM wp_posts WHERE ID = '$jeff'";
This will create sql string as:
SELECT post_content2 FROM wp_posts WHERE ID = '401'
When $jeff=401
But as per your question, if you want like this:
SELECT post_content2 FROM wp_posts WHERE ID = 401
Just use:
$sql2 = "SELECT post_content2 FROM wp_posts WHERE ID = $jeff";
FYI: Single quotes will not replace your PHP variable with value, instead it prints the variable as it is. Double quotes will do the replacement.
Either you can use the answer given by #myway or you can use mysql pre pared statements. I will recommend you to use pre-pared statements since they are secure and re usable.
Note that if you use $sql2 = "SELECT post_content2 FROM wp_posts WHERE ID = $jeff";$sql2 = "SELECT post_content2 FROM wp_posts WHERE ID = $jeff"; as indicated by previous commenter, your $jeff must be quoted.
Just be sure to first apply mysql_escape_string($jeff) beforehand.
Also, I now that you did not ask about this, but I absolutely have to warn you that the mysql_* functions are depreciated and you should never use them except when modifying existing code--in which case you should be actively changing your code to the mysqli_* variants.
You're also missing the concatenation operator in your code: $sql2 = 'SELECT post_content2 FROM wp_posts WHERE ID = '$jeff''
PHP's concatenation operator is ..
Use it like this:
$sql2 = 'SELECT post_content2 FROM wp_posts WHERE ID = '.$jeff;
If $jeff is a string, not an int, you will need to encose it in quotes like this:
$sql2 = 'SELECT post_content2 FROM wp_posts WHERE ID = "'.$jeff.'"';
However if $jeff is supplied by the client in any way, you should use prepared statements to protect against mysql injection.
What PHP was trying to tell you with Parse error: syntax error, unexpected '$jeff' (T_VARIABLE), is that it didn't know why there was a variable next to a string in an assignment operation. Nor what you were trying to do with it. The concatenation operator indicates that you want that variable joined to the string next to it as if it were also a string. Which becomes an important distinction in loosely typed languages like PHP.
Help me getting login_name from database stored in table named users m working in ci
And applying this query and its giving a error in it
$sql = mysql_query("SELECT login_name FROM users WHERE email='".$_POST['email']."')"";
$row = mysql_fetch_array($sql);
echo $row['login_name'] ;
I'm getting this error
Parse error: syntax error, unexpected '"' in
K:\xampp\htdocs\codeigniter\application\controllers\users\users.php on
line 56
You have your quotes mixed up, try this
$sql = mysql_query("SELECT login_name FROM users WHERE email='".$_POST['email']."'");
$sql = mysql_query("SELECT login_name FROM users WHERE email='" . $_POST['email'] . "'");
Replace to this.
$sql = mysql_query("SELECT login_name FROM users WHERE email='".$_POST['email']."'");
It looks like you have an issue with your quotes.
Try something like this:
$sql = mysql_query("SELECT login_name FROM users WHERE email='" . $_POST['email'] . "'");
It has extra double quotes at the end of the line.
While this isn't directly an answer to your question, I strongly suggest you check out http://bobby-tables.com/php.html. It shows the correct syntax for what you're trying to do, as well as showing how to prevent sql injection, which the code you've shown is vulnerably to.
Whats wrong with my code?
Basically what I'm trying to do is add a number and update a field in the sql with what is connected to the variable. But since steamids look like this STEAM_0:0:123123123 or STEAM_0:1:123123123 I get this
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ':0:14166834' at line 1
This is just for learning, so I know my code has useless echos, but its just to see it being added and making sure i was doing it correctly anyways
addmoney.php
<?php
include("inc/config.php");
$mysteamid=mysql_real_escape_string($_POST['mysteamid']);
$sql = "SELECT * FROM $tbl_name WHERE steamid='$mysteamid'";
$result=mysql_query($sql);
$cash=mysql_result($result, 0, 'cash'); // outputs 7th
echo $cash;
$newcash= $cash + "10000";
echo "\n";
echo $newcash;
mysql_query("UPDATE $tbl_name SET `cash` = $newcash WHERE `steamid` = $mysteamid") or die(mysql_error());
?>
index.php contains a working formdata its not really required with the error in my code.
my main problem is this line from addmoney.php which is
$mysql_query("UPDATE $tbl_name SET `cash` = $newcash WHERE `steamid` = $mysteamid") or die(mysql_error());
As your steamid field in your DB is a string (it seems to be, as possible values are STEAM_0:0:123123123 and STEAM_0:1:123123123), you must use quotes arround the value :
mysql_query("UPDATE $tbl_name SET `cash` = $newcash WHERE `steamid` = '$mysteamid'");
Using mysql_real_escape_string() is necessary, as it escapes quotes inside the variable you pass it as a parameter -- but you still have to put quotes arround the string, in your SQL queries.
In the first query you surrounded your $mysteamid value with simple quotes, and in the second query you didn't. If the steamid is a string type, you need to surround the value with quotes, like
"UPDATE $tbl_name SET `cash` = $newcash WHERE `steamid` =' $mysteamid'"
i have a little problem with a very simple query ,
when i hard code the values in the query its working , but when i use a PHP variable nothing is retrieved , i over check a lot of things including the query , the database
it worth saying that i'm getting the variable from a form by POST and also checked that i'm getting them but when i use them in a query they jst dont work :S
here's my code ..PLZ what am i doing wrong ?!!!!!!!!!!!
<?php
$email = $_POST ['emailEnter'] ;
$password = $_POST ['passwordEnter'];
$connection = mysql_connect('localhost','root','') ;
$db_selected = mysql_select_db("lab5" , $connection) ;
$query = 'select * From user where email="$email" and password="$password" ' ;
$result = mysql_query ($query , $connection);
while($row=mysql_fetch_array($result))
{
echo $row['name'];
}
mysql_close($connection);
?>
You use single quotes in the query variable. Single quotes does not substitute variables - so it looks for literal string $email not the variable email. Either use double quotes or even better use something like PDO which would do the work for you.
You should also sanitize your inputs from SQL/XSS vulnerabilities.
The basic debugging steps are 1. adding
if (!$result) echo "Error: ".mysql_error();
to see any errors from the SQL query and 2. outputting
echo "Query: $query";
to see what the variables contain. One of these will point you to the problem.
Also, your query is vulnerable to SQL injection. You should add a
$email = mysql_real_escape_string($email);
$password = mysql_real_escape_string($password );
after fetching the values from the POST array.
Your error probably resides in the fact that you don’t escape your parameters.
While you are at it, use MySQLi or PDO (maybe even some prepared statements)
Someone mentioned your use of single-quotes, that’s the real error, my bad.
But my advice still stands. Having used prepared statements, you wouldn’t have fell for that mistake
try
$query = 'select * From user where email="' . $email . '" and password="'. $password . '" ' ;
or
$query = "select * From user where email='$email' and password='$password'" ;
Try this instead:
$query = "select * From user where email='" . $email . "' and password='" . $password . "';
Then immediately change that to this instead:
$query = "select * From user where email='" . mysql_real_escape_string($email) . "' and password='" . mysql_real_escape_string($password) . "';
Try
$query = "SELECT * FROM user WHERE email = '".$email."' AND password = '".$password."'";
You've confused the single and double quotes
You have:
$query = 'select * From user where email="$email" and password="$password" ' ;
You want:
$query = "select * From user where email='$email' and password='$password' " ;
Single quotes evaluate to whats literally inside. Double quotes will parse for variables inside. Theres also a curly brace {$variable} syntax you can use.
Suggestions from other posters for using mysql_real_escape or using newer mysqli or PDO are important as well. At the very least use mysql_real_escape on parameters that come from user input.
the problem is the way you are quoting the variables. Suppose that $email= 'some#gmail.com' and $password= 'securenot'.
what we want is the final interpreted string to be the following
select * from user where email='some#gmail.com' and password='securenot'
to achieve this we simply replace the some#gmail.com for $email and securenot for $password and get the following:
select * from user where email='$email' and password='$password'.
and then in php code ...
$query = "select * from user where email='$email' and password='$password'";
hope that is of some help
mysql_fetch_assoc() for associative array. You cannot use normal array as assoc array.
while($row=mysql_fetch_assoc($result))
{
echo $row['name'];
}
After I upload a photo to a server, I want to save it in the user's database in MySQL, but for some reason, it is not working. Below is the code for uploader.php:
session_start();
if(!$_SESSION['userid']) {
header("Location: index.php");
exit;
}
$con = mysql_connect("host","db","pw");
if (!$con)
{
die('Could not connect: ' .mysql_error());
}
mysql_select_db("db", $con);
$sess_userid = mysql_real_escape_string($_SESSION['userid']);
$query = "SELECT * FROM Members WHERE fldID='$sess_userid' UPDATE Members SET PortraitPath = 'profileportraits/' . '$_FILES[file][name]'");
$result = mysql_query($query) or trigger_error(mysql_error().$query);
$row = mysql_fetch_assoc($result);
I'm sure there is something very wrong with my query, but I can't figure out what it is. The photo is definitely being saved into the folder. But I simply want to update its path in the user database for later use. Thank you!
as it was mentioned already, you cannot use these two queries at once.
but there is also weird syntax: you're trying to use PHP's concatenation operator inside of mysql query.
And you did not escape a string parameter - very bad!
So, looks like you need something like
$sess_userid = mysql_real_escape_string($_SESSION['userid']);
$PortraitPath = mysql_real_escape_string('profileportraits/' . $_FILES['file']['name']);
$query = "UPDATE Members SET PortraitPath = '$PortraitPath' WHERE fldID='$sess_userid'";
You can do two separate queries:
UPDATE Members SET PortraitPath = 'profileportraits/' . '$_FILES[file][name]'
WHERE fldID='$sess_userid';
And:
SELECT * FROM Members WHERE fldID='$sess_userid'
It seems you tried to put two queries(SELECT and UPDATE) into one query which will result in invalid query error.
Just wondering why you need two queries since you already know the userid and all you want is to update. All you need is to update the file path
UPDATE Members SET PortraitPath = 'profileportraits/' . '$_FILES[file][name]' WHERE fldID='$sess_userid';