Parse error: syntax error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_STRING is the message. It came up from this line of code:
$query = ("SELECT *
FROM users
WHERE user_name = $_POST['user_name']
& password = $_POST['password']
& user_type = $_POST['user_type']");
Does anyone out there know the meaning of all this? If so, does anyone know how to deal with this?
Use:
$query = sprintf("SELECT u.*
FROM USERS u
WHERE u.user_name = '%s'
AND u.password = '%s'
AND u.user_type = '%s' ",
mysql_real_escape_string($_POST['user_name']),
mysql_real_escape_string($_POST['password']),
mysql_real_escape_string($_POST['user_type']) );
$result = mysql_query($query);
Reference
sprintf
You can't interpolate a $_POST like that. You need to wrap them with braces ({ and }). You also don't need to quote the key names when already in a string like that.
You should also quote those values, and swap & with AND.
You also need a ; at the end.
You also don't need to wrap it in parenthesis.
$query = "SELECT *
FROM users
WHERE user_name = '{$_POST[user_name]}'
AND password = '{$_POST[password]}'
AND user_type = '{$_POST[user_type]}'";
But...
...don't interpolate user input directly like that. Use a escaping mechanism.
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
$user_type = mysql_real_escape_string($_POST['user_type']);
$query = "SELECT *
FROM users
WHERE user_name = '$username'
AND password = '$password'
AND user_type = '$user_type'";
I would recommend using PDO and binding parameters instead of building the SQL yourself.
Also, it would appear you your passwords that are user inputted are being directly used to compare in the database. Use some form of one way message digest, such as bcrypt.
For interpolation of one-dimensional array values into strings, use this syntax:
"foo = $_POST[bar]"
Notice no quotes.
For interpolating nested arrays or generally using the normal syntax, use braces:
"foo = {$_POST['bar']}"
In no case though do any of this with SQL queries, you need to escape values before plugging them into queries. So, do this:
$query = sprintf('SELECT foo FROM bar WHERE baz = "%s"',
mysql_real_escape_string($_POST['baz']));
Make sure to account for SQL injection.
Try:
$username = mysql_real_escape_string($_POST["user_username"]);
$password = mysql_real_escape_string($_POST["user_password"]);
$type = mysql_real_escape_string($_POST["uesr_type"]);
$query = "SELECT * FROM users WHERE user_name='$username' AND password='$password' AND
user_type='$type'";
$result = mysql_query($query);
I'd also suggesting reading the manual a bit: http://us.php.net/manual/de/language.types.string.php#language.types.string.parsing. That link will explain to you how PHP parses variables in strings.
$username = mysql_real_escape_string($_POST["user_username"]);
$password = mysql_real_escape_string($_POST["user_password"]);
$type = mysql_real_escape_string($_POST["user_type"]);
mysql_query("SELECT * FROM users WHERE user_name='$username' AND user_password='$password' AND user_type='$type' LIMIT 1");
Related
I ever see some article that use this { ... } brackets to insert their variable
EX:
$query = $this->pdo->prepare("SELECT * FROM administrator WHERE username = '{$ins}'");
Is it doesn't matter? or what is the difference with this one ?
$query = $this->pdo->prepare("SELECT * FROM administrator WHERE username = '$ins'");
Which is the best way to write the PDO SQL queries?
Neither.
Your SQL code should never contain variable input. You should use parameter binding.
$query = $this->pdo->prepare('SELECT * FROM administrator WHERE username = ?');
$query->execute([$ins]);
To be safe I recommend using single quotes ' ', because string interpolation works only with double quotes.
There might be situations when you would like to use a PHP constant as part of the SQL. In this case you can use simple concatenation.
define('ADMIN_TABLE', 'administrator');
$query = $this->pdo->prepare('SELECT * FROM '.ADMIN_TABLE.' WHERE username = ?');
$query->execute([$ins]);
Example: The follwing query give me Quotes error in the field -> GET['email']
mysql_query(" select * from user_info where user_mail = '$_GET['email']' ")
You might want to escape the string first:
$_GET['email'] = mysql_real_escape_string($_GET['email']);
And then:
mysql_query(" select * from user_info where user_mail = '" . $_GET['email'] . "' ");
The dots put the strings together.
Use accolades like this.
mysql_query(" select * from user_info where user_mail = '{$_GET['email']}' ")
Also, make sure to escape your user input. Your current setup looks like it is vulnerable to SQL injection. Use http://php.net/manual/en/function.mysql-real-escape-string.php to clean up your user input (like $_GET values)
It's not really an answer to your question, but I'd strongly advise you to use PDO or mysqli prepared statements. Thus, your original problem -- the escaping parameter strings -- will be automatically taken care of.
If you do not want to follow this advice, do this:
$email = mysql_real_escape_string($_GET['email']);
mysql_query("select * from user_info where user_mail = '$email';");
You don't need quotation marks for associative array field names if you are already inside a doubly-quoted string:
$str = "Hello $_GET[email].";
Use it this way:
$SQL = "SELECT * FROM user_info WHERE user_mail = '".$_GET['email']."'";
mysql_query($SQL);
But I strongly advice to take some security actions with $_GET['email'], like this:
$email = mysql_real_escape_string($_GET['email']);
$SQL = "SELECT * FROM user_info WHERE user_mail = '".$email."'";
mysql_query($SQL);
Should numbers from user input be quoted in MySQL queries to help avoid SQL injection attacks?
Say i have a form on a page asking for someone's age. They enter their age and hit submit. The following php code deals with the form submission: (age is an int field in the db table.)
$Number = mysqli_real_escape_string($dbc, $_POST["age"]);
$Query = "INSERT INTO details (age) VALUES ($Number)";
$Result = mysqli_query($dbc, $Query);
Instead of this, is there anything to be gained to enclosing the user input in single quotes, even though it is not a string? Like this:
...
$Query = "INSERT INTO details (age) VALUES ('$Number')"; <-- quotes
...
What about performing a SELECT? Is this:
$ID = mysqli_real_escape_string($dbc, $_POST["id"]);
$Query = "SELECT * FROM users WHERE id = '$ID'";
$Result = mysqli_query($dbc, $Query);
better than:
$ID = mysqli_real_escape_string($dbc, $_POST["id"]);
$Query = "SELECT * FROM users WHERE id = $ID"; <-- no quotes
$Result = mysqli_query($dbc, $Query);
NOTE: I am aware of prepared statements and usually use them over string concatenation but this is legacy code i'm dealing with. I want to secure it as best as i can.
If you add numbers, use the intval/floatval functions, don't use mysql_real_escape_string for those.
For everything you use mysql_real_escape_string for, you must use quotes, example:
$input = "foo'bar";
$input = mysql_real_escape_string($input);
//foo\'bar
mysql_query("SELECT $input");
//SELECT foo\'bar
//which is still an SQL syntax error.
You really shoud use sprintf, even if in legacy code it takes 2 mins to modify and is in my opinion totally worth the time.
Shamelessly ripped from php.net:
// Formulate Query
// This is the best way to perform an SQL query
// For more examples, see mysql_real_escape_string()
$query = sprintf("SELECT firstname, lastname, address, age FROM friends
WHERE firstname='%s' AND lastname='%s'",
mysql_real_escape_string($firstname),
mysql_real_escape_string($lastname));
// Perform Query
$result = mysql_query($query);
Your query is now pretty much safe from being passed the wrong types to it's fields and unescaped caracters.
You SHOULD use the PHP filters, and filter for numbers - even for ranges, regular expressions; with default values, NULL on failure, etc.
http://hu.php.net/manual/en/ref.filter.php
if the values come from a request variable, e.g. $_POST, see:
http://hu.php.net/manual/en/function.filter-input.php
Is this the right way to use mysql_real_escape_string? I was using $GET but a friend told me to make it safer with real_escape_string:
$id = intval($_GET['id']);
$result = mysql_query("SELECT *
FROM products
WHERE id = $id") or die("err0r");
if(!$result) mysql_real_escape_string($id); {
No, you normally use mysql_real_escape_string to prepare variables for use in a query, but in your case:
you already use intval;
you use it in the wrong place.
You don't need it in your example.
No. That is entirely wrong, and I can't quite understand what you're intending the call to do.
The purpose of mysql_real_escape_string is to avoid SQL injection, which is one of the biggest security risks in a website. It stops your users giving input that manipulates the SQL in evil ways. For instance:
$sql = "SELECT FROM users WHERE username = '" . $_GET['username'] . "'";
If I put lonesomeday' or 'a' = 'a into $_GET['username'], your query becomes
SELECT FROM users WHERE username = 'lonesomeday' or 'a' = 'a'
and obviously arbitrary SQL could then be executed. mysql_real_escape_string escapes unsafe characters (such as ' in that example), so that they can't be used in this way.
$sql = "SELECT FROM users WHERE username = '" . mysql_real_escape_string($_GET['username']) . "'";
// SELECT FROM users WHERE username = 'lonesomeday\' or \'a\' = \'a'
The quotes are now escaped. so the query can't be manipulated into doing evil things.
With all that said, in this case, intval does all you need. It also ensures that nothing that is not an integer can be in $id, so your code is safe here from SQL injection.
NO, you need to escape before quering
$id = intval($_GET['id']);
$result = mysql_query("SELECT *
FROM products
WHERE id = '" . mysql_real_escape_string($id) . "'") or die("err0r");
if(!$result) {
}
Use:
$query = sprintf("SELECT *
FROM products
WHERE id = %d",
intval($_GET['id']));
$result = mysql_query($query) or die("err0r");
You use mysql_real_escape_string before the value is used in the query, otherwise you're not handling the SQL injection attack.
you want to escape it before you stick it in a query (Before it interacts with DB so you don't get injections).
// check if your $_GET is not empty otherwise you
// will run into "undefined variable"
if(!empty($_GET['id'])){
$id = intval($_GET['id']);
// to simplify you can escape here,
// or to be a bit more complex, you can escape in the query line.
$id = mysql_real_escape_string($id);
$result = mysql_query("SELECT *
FROM products
WHERE id = '$id'") or die("err0r");
}
else
print 'No ID';
I have the following code. I would like username to take the value of the getUserName function however I am fighting with syntax. Can anybody tell me what should be the correct one?
$query = "SELECT user FROM users_entity WHERE username = getUserName()";
You can use concatenation with the period:
$query = "SELECT user FROM users_entity WHERE username = '".mysql_real_escape_string(getUserName())."'";
Make sure to escape your data!
You can't embed the result of a function directly into a string. However you can store the contents of a variable:
$username = mysql_real_escape_string(getUserName());
$query = "SELECT user FROM users_entity WHERE username = '$username'";
Or, you could concatenate your string like this:
$query = 'SELECT user FROM users_entity WHERE username = \'' . mysql_real_escape_string(getUserName()) . '\'';
You cannot interpolate (internally string-replace) PHP function names into strings.
You probably want something more like this:
$query = sprintf("SELECT user FROM users_entity WHERE username = '%s'"
mysql_real_escape_string(getUserName())
);
$query = "SELECT user FROM users_entity WHERE username = '".getUserName()."'";