What is wrong with this code:
$q = query("select * from users where email = '$_POST['email']' and name = '$_POST['name']'");
Parse error: parse error, expecting `T_STRING' or `T_VARIABLE' or `T_NUM_STRING' in C:\wamp\www\conn\index.php on line 16
Thanks in advance.
$q = query("select * from users where email = '{$_POST['email']}' and name = '{$_POST['name']}'");
You missed two quotes. Also:
1) Always escape user input (for security reasons):
$email = mysql_real_escape_string($_POST['email']);
$name = mysql_real_escape_string($_POST['name']);
$q = query("select * from users where email = '{$email}' and name = '{$name}'");
2) Get an editor with code highlighting, so you don't get similar problems in the future. I recommend Notepad++.
You should surround your inline vars with curly braces.
Like this:
$q = query("select * from users where email = '{$_POST['email']}' and name = '{$_POST['name']}'");
You use $_POST directly in the SQL Query which is very bad.
Use:
$email = mysql_real_escape_string($_POST['email']);
$name = mysql_real_escape_string($_POST['name']);
$q = query("SELECT ... $name ... $email");
I'd recommend using string concatenation instead of embedding variables in strings as it is (imho) easier to read
$q = query("SELECT ... " . $name . " ... " . $email);
SELECT * is bad (unless you really, really want all fields)
Try this:
$q = query("select * from users where email = '" . $_POST['email'] . "' and name = '" . $_POST['name'] . "'");
You are using double quoting: you put quotes around $_POST['email'] and inside it, making it get interpreted the wrong way.
This would work the right way:
$q = query('select * from users where email = \''.$_POST['email'].'\' and name = \''.$_POST['name'].'\'');
But even if it works it is still wrong to pass post variables right into a query. As a developer you need to learn to 'never trust the users'. So the best thing is to clean it by escaping it like this:
$name = mysql_real_escape_string($_POST['name']);
$email = mysql_real_escape_string($_POST['email']);
$q = query("select * from users where email = '$email' and name = '$name'");
or this:
$q = query('select * from users where email = \''.mysql_real_escape_string($_POST['email']).'\' and name = \''.mysql_real_escape_string($_POST['name']).'\'');
(whichever way you prefer)
Please don't do it that way. It is a perfect example of SQL injection.
A better version:
$email = mysql_real_escape_string($_POST['email']);
$name = mysql_real_escape_string($_POST['name']);
$q = query("select * from users where email = '$email' and name = '$name'");
Parse error: parse error, expecting `T_STRING' or `T_VARIABLE' or `T_NUM_STRING'
Get used to this error. It always means there is a quotation problem.
Get familiar with using " and '
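As an added example (not code from any of the posts above), here is the same users lookup written with a PDO prepared statement, placed beside the interpolated form so the difference is visible. The table, the sample row and the input values are constructed for the demo; it runs against an in-memory SQLite database so it works offline, and only the DSN line would change for MySQL.

```php
<?php
// Added example, not from the original thread. Interpolated query beside a
// parameterized one. In-memory SQLite keeps it self-contained; the PDO calls
// are identical for MySQL (only the DSN differs).

function connect(): PDO {
    $pdo = new PDO('sqlite::memory:');
    // Throw on errors instead of returning false, so a failed query can
    // never be mistaken for "no rows".
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, name TEXT)');
    // Constructed sample row; note the apostrophe in the name.
    $pdo->exec("INSERT INTO users (email, name) VALUES ('pat@example.com', 'O''Brien')");
    return $pdo;
}

// Interpolated form: the request values become part of the SQL text.
function findUserInterpolated(PDO $pdo, string $email, string $name): array {
    $sql = "SELECT id, email, name FROM users WHERE email = '$email' AND name = '$name'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Prepared form: the SQL text is fixed; values are sent separately as parameters,
// so quoting and escaping are the driver's job, not the developer's.
function findUserPrepared(PDO $pdo, string $email, string $name): array {
    $stmt = $pdo->prepare('SELECT id, email, name FROM users WHERE email = :email AND name = :name');
    $stmt->execute([':email' => $email, ':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = connect();
// Constructed stand-ins for $_POST['email'] and $_POST['name'].
$email = 'pat@example.com';
$name  = "O'Brien";

try {
    findUserInterpolated($pdo, $email, $name);
} catch (PDOException $e) {
    // The apostrophe ended the string literal early and broke the statement.
    echo "interpolated query failed: " . $e->getMessage() . "\n";
}

$rows = findUserPrepared($pdo, $email, $name);
echo count($rows) . " row(s) found with the prepared statement\n";
```

The interpolated call fails on an ordinary name containing an apostrophe, which is the same class of quoting problem the thread is about; the prepared call returns the row because the value is never parsed as SQL.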
New to PHP here. I'm working on a basic PHP project for university. I have a page with a list of patients. When you click on the patient it will take you to the patient page with more details of that patient.
I have a main patientDetails.php page which will display the details.
However, I am a little puzzled. How do I get the "?Name.." part of the link to work? So how do I get the patientDetails page to load the specific patient's details?
I have an index.php page which has the list of patients as below.
<td>Stuart</td></tr><tr> <td>2</td>
<td>Fred</td></tr><tr>
In the PatientDetails page I have a select statement to gather details from the Database but not sure where else to go from here.
$query = sprintf("select * from PHPEnrolment WHERE PatID = '$PatID' AND NAME = '$Name' AND Email = '$Email'");
$result = mysql_query($query, $link);
if ($result) {
while($row = mysql_fetch_array($result)) {
}
}
As you can see above, the database table with patients has the PatID, Name and Email fields.
Thanks
PLEASE NOTE: This is a basic project that I am working on, so I am aware some of the features are outdated but I need to get it working with these features if possible.
You can get the url variables using $_GET. I see that you are passing only Name parameter in the url. Use the below code.
$name = $_GET['Name'];
$query = "select * from PHPEnrolment WHERE NAME = '$name'";
$result = mysql_query($query, $link);
if ($result) {
while($row = mysql_fetch_array($result)) {
// display details here
}
}
As per your code there are several errors, and for getting the value you can use $_GET['Name']. I am assuming that you have all the other variables ($Email and $PatID).
$Name = $_GET['Name'];
Your query is not right. Change it from
select * from PHPEnrolment WHERE PatID = '$PatID' AND $NAME = 'Name' AND Email $Email
To
select * from PHPEnrolment WHERE PatID = '$PatID' AND NAME = '$Name' AND Email = '$Email'
So your whole code should look like:
$query = "select * from PHPEnrolment WHERE PatID = '$PatID' AND NAME = '$Name' AND Email = '$Email'";
$result = mysql_query($query, $link);
NOTE : STOP USING MYSQL. It is deprecated now.
In my database I have the columns "first_name" and "last_name" (there is more in there but it is not related to my question).
Here is the code :
//Get variables for email
$qry_get = mysql_query("SELECT * FROM members WHERE id = $id");
while($row_get = mysql_fetch_array($qry_get))
{
$id = $row_get['id'];
$name = $row_get['first_name'];
$email = $row_get['email'];
$password = $row_get['password'];
}
And this works fine. But I'm trying to get $name to fetch both first_name and last_name. Is it possible?
It is so when the details are inserted into the database it will show both names rather than just the first name.
I have tried to do it like
//Get variables for email
$qry_get = mysql_query("SELECT * FROM members WHERE id = $id");
while($row_get = mysql_fetch_array($qry_get))
{
$id = $row_get['id'];
$name = $row_get['first_name'],['last_name'];
$email = $row_get['email'];
$password = $row_get['password'];
}
But it failed.
You can't get two values at once like you did; you have to concatenate the value of $row_get['first_name'] and the value of $row_get['last_name']:
//Get variables for email
$qry_get = mysql_query("SELECT * FROM members WHERE id = $id");
while($row_get = mysql_fetch_array($qry_get))
{
$id = $row_get['id'];
$name = $row_get['first_name'] . ' ' .$row_get['last_name'];
$email = $row_get['email'];
$password = $row_get['password'];
}
You shouldn't use SQL; it's open to attack and is deprecated. Look into SQLi or PHP PDO data objects. Why are you selecting all in your query when you only need 2 fields? I will work with your code though.
"SELECT first_name,last_name FROM members WHERE id = $id"
I'm trying to select and echo a single field.
This is my code when I'm trying it
session_start();
$query = "select id from user where username = ".$_SESSION['username'];
$result = mysql_query($query);
$admin_id = mysql_fetch_array($result);
echo $admin_id['id'];
When I run that code, this warning text appears
mysql_fetch_array() expects parameter 1 to be resource, boolean given in ......
How should I do it?
You should use quotes when you assign values in SQL queries.
$query = "select id from user where username = '{$_SESSION['username']}'";
Or
$query = "select id from user where username = '" . $_SESSION['username'] . "'";
However, it is not good practice, so you'd better look into prepared statements to reduce SQL injection vulnerability: http://ru2.php.net/pdo.prepared-statements
Try this:
$username = $_SESSION['username'];
$query = "select id from user where username = '$username'";
I have the following PHP code (which works) for pulling the client's email address from our MySQL DB based on their $_SESSION clientid variable and storing it in $myemail:
mysql_select_db($dn) or die(mysql_error());
$clientid = ($_SESSION['clientid']);
$result = mysql_query("SELECT emailaddress FROM clients WHERE clientid = '" . $clientid . "'");
while ($row = mysql_fetch_array($result)) {
$myemail = $row[0];
}
mysql_close($con);
But was wondering whether or not there was a better way of doing this?
First of all don't use mysql_* functions as they are deprecated. Better to use PDO or mysqli.
And regarding your question, I would write
$clientId = $_SESSION['clientid'];
$res = mysql_fetch_object(mysql_query("SELECT emailaddress FROM clients WHERE clientid = '{$clientId}'"));
$email = $res->emailaddress;
One more thing: why do you need a while loop? It is not necessary at all, as we are fetching a single record.
It seems your code is vulnerable to SQL injection. Use prepared statements or use mysql_real_escape_string. Here is the code...
mysql_select_db($dn) or die(mysql_error());
$clientid = ($_SESSION['clientid']);
$result = mysql_query("SELECT emailaddress FROM clients WHERE clientid = '" . $clientid . "'");
while ($row = mysql_fetch_array($result)) {
$myemail = mysql_real_escape_string($row['emailaddress']);
}
mysql_close($con);
Replace
$myemail = $row[0];
With
$myemail = $row['emailaddress'];
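As an added example (not from any of the answers above), this is a single-value lookup of the kind asked about here and in the earlier session-username question, written with PDO: one bound parameter, no while loop, an explicit "no row" result instead of a false that later trips mysql_fetch_array, and escaping applied to the output context (HTML) rather than to the value coming out of the database. The table, the row and the session values are constructed for the demo and it runs on in-memory SQLite; only the DSN would change for MySQL.

```php
<?php
// Added example, not from the original posts. Fetch one column for one row.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE clients (clientid INTEGER PRIMARY KEY, emailaddress TEXT)');
// Constructed sample row.
$pdo->exec("INSERT INTO clients (clientid, emailaddress) VALUES (7, 'alice@example.com')");

// Returns the address, or null when no such client exists.
function clientEmail(PDO $pdo, int $clientId): ?string {
    $stmt = $pdo->prepare('SELECT emailaddress FROM clients WHERE clientid = :id');
    $stmt->bindValue(':id', $clientId, PDO::PARAM_INT);
    $stmt->execute();
    $value = $stmt->fetchColumn();      // false when the query matched no row
    return $value === false ? null : $value;
}

// Constructed stand-in for $_SESSION['clientid'].
$session = ['clientid' => '7'];
$email = clientEmail($pdo, (int) $session['clientid']);

if ($email === null) {
    echo "no client for this session\n";
} else {
    // Escaping belongs to the destination: SQL escaping is for values going
    // into a query, HTML escaping for values going into a page.
    echo 'Your address: ' . htmlspecialchars($email, ENT_QUOTES, 'UTF-8') . "\n";
}

// A missing id gives null, not a warning from a fetch on a boolean.
var_dump(clientEmail($pdo, 99));
```

For a string key such as the session username, bind with PDO::PARAM_STR (the default) instead of PDO::PARAM_INT; the rest of the pattern is unchanged.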
I'm trying to change a database entry with PHP but am stuck with this error message:
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Bjelkholm Lövgren AND adress = Brinellgatan 14 AND postnummer = 57135 ' at line 1
Code:
$namn = sanitize($_GET['namn']);
$adress = sanitize($_GET['adress']);
$postnummer = sanitize($_GET['postnummer']);
$postort = sanitize($_GET['postort']);
$email = sanitize($_GET['email']);
$status = 0;
$sql="UPDATE ordrar SET namn = $namn AND adress = $adress AND postnummer = $postnummer
AND postort = $postort AND email $email AND status = $status WHERE email = $email";
if (!mysql_query($sql))
{
die('Error: ' . mysql_error());
}
Thanks for answers.
/Victor
The delimiter between SET values is a comma, not AND.
String values should be quoted.
To build SET statements it would be nice to use a small function:
function dbSet($fields) {
$set='';
foreach ($fields as $field) {
if (isset($_POST[$field])) {
$set.="`$field`='".mysql_real_escape_string($_POST[$field])."', ";
}
}
return substr($set, 0, -2);
}
and then just
$table = "ordrar";
$email = mysql_real_escape_string($_POST['email']);
$fields = explode(" ","namn adress postnummer postort email status");
$query = "UPDATE $table SET ".dbSet($fields)." WHERE email='$email'";
will bring you a properly formatted query.
However, using email for row identification is bad.
I'd suggest using an auto-increment id field to identify your records instead of email.
quote your variables (i.e. adress = '$adress')
Assuming those values are strings, you should quote them in your query string, plus you are missing the equals sign when comparing the email.
$sql="UPDATE ordrar SET namn = '$namn', adress = '$adress', postnummer = '$postnummer',
postort = '$postort', email = '$email', status = '$status' WHERE email = '$email'";
A couple of things:
Your strings need to be quoted (and escaped).
You are missing an = for the email in the SET clause.
The short answer is that you've got a bunch of syntax errors. First, you'll need to properly quote your column names and values. Column names get a grave (sideways quote) and values get a normal single quote. And secondly you missed an equal sign before the $email variable.
Might I suggest breaking it up into multiple lines as well; this helps make it easier to debug.
$sql="UPDATE `ordrar`
SET `namn` = '$namn',
`adress` = '$adress',
`postnummer` = '$postnummer',
`postort` = '$postort',
`email` = '$email',
`status` = '$status'
WHERE `email` = '$email'";
One final suggestion, consider binding your parameters using prepared statements as opposed to string interpolation. They are more secure, and I personally find them easier to write.
$namn = sanitize($_GET['namn']);
$adress = sanitize($_GET['adress']);
$postnummer = sanitize($_GET['postnummer']);
$postort = sanitize($_GET['postort']);
$email = sanitize($_GET['email']);
$status = 0;
$sql="UPDATE ordrar SET
namn = '$namn' ,
adress = '$adress' ,
postnummer = '$postnummer' ,
postort = '$postort' ,
email = '$email' ,
status = '$status'
WHERE email = '$email' ";
if (!mysql_query($sql))
{
die('Error: ' . mysql_error());
}
Try this. Hope it works well ;-)
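As an added example (not code from any of the answers above), here is a version of the dbSet idea that builds the SET clause from a fixed whitelist of column names and binds every value as a parameter, so neither the column list nor the values reach the query text from the request unchecked. The table, the seed row and the $_POST stand-in are constructed for the demo; it runs on in-memory SQLite and only the DSN would change for MySQL.

```php
<?php
// Added example, not from the original answers. Dynamic UPDATE built from a
// column whitelist with bound values.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE ordrar (id INTEGER PRIMARY KEY, namn TEXT, adress TEXT,
            postnummer TEXT, postort TEXT, email TEXT, status INTEGER)');
// Constructed seed row.
$pdo->exec("INSERT INTO ordrar (namn, adress, postnummer, postort, email, status)
            VALUES ('old', 'old', '0', 'old', 'victor@example.com', 1)");

// Columns a client is allowed to change; any other key in the input is ignored.
const UPDATABLE = ['namn', 'adress', 'postnummer', 'postort', 'email'];

// Applies the whitelisted fields of $input to order $id and returns rows changed.
function updateOrder(PDO $pdo, int $id, array $input): int {
    $set = [];
    $params = [':id' => $id];
    foreach (UPDATABLE as $col) {
        if (array_key_exists($col, $input)) {
            $set[] = "`$col` = :$col";        // column name comes from the whitelist, never from input
            $params[":$col"] = $input[$col];  // value is bound, never interpolated
        }
    }
    $set[] = '`status` = 0';                  // fixed, as in the original ($status = 0)
    $sql = 'UPDATE ordrar SET ' . implode(', ', $set) . ' WHERE id = :id';
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return $stmt->rowCount();
}

// Constructed stand-in for $_POST. The 'status' key is not whitelisted, so a
// client cannot set it; it is dropped instead of reaching the query.
$post = [
    'namn'       => 'Bjelkholm Lövgren',
    'adress'     => 'Brinellgatan 14',
    'postnummer' => '57135',
    'postort'    => 'Exempelstad',
    'email'      => 'victor@example.com',
    'status'     => '9',
];
$changed = updateOrder($pdo, 1, $post);
echo "$changed row(s) updated\n";

$row = $pdo->query('SELECT namn, status FROM ordrar WHERE id = 1')->fetch(PDO::FETCH_ASSOC);
echo $row['namn'] . ' / status ' . $row['status'] . "\n";
```

The WHERE clause uses the integer id rather than the email address, as the first answer suggests; the email is just one more updatable column.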