Maybe I'm missing this error because it's so late, I'm hoping you guys could help.
[code]Parse error: syntax error, unexpected T_VARIABLE in /home/a3212075/public_html/raadsels/user/add.php on line 12[/code]
Here's the code:
[php]<?php
$username = $_POST['username'];
$email = $_POST['email'];
$password = $_POST['password'];
$level = $_POST['level'];
$table = "members";
mysql_connect("localhost", "DBusername", "DBpassword") or die ('Error: ' .mysql_error ());
mysql_select_db ("DBname")
$query="INSERT INTO $table (ID, username, email, level)VALUES ('NULL','".$username."', '".$email."', '".$password."', '".$level."')";
mysql_query($query) or die ('Error');
echo "Success";
?>[/php]
Censored all the MySQL connection info.
Oh, by the way, you don't need to concatenate the string like that. You can do it directly. :v:
[php]
$query="INSERT INTO $table (ID, username, email, level)VALUES ('NULL','$username', '$email', '$password', '$level')";
[/php]
Also, sanitize those inputs.
You forgot the semicolon after mysql_select_db("DBname").
A semicolon is missing at the end of line 10.
Also you should mysql_real_escape_string() those passwords or anyone can execute malicious SQL queries. And if you want to output anything from the database, you should htmlentities() or htmlspecialchars() that before, otherwise people can insert malicious HTML code.
[editline]09:44PM[/editline]
Fffuuu- ninja'd
Nevermind, thank you all.
EDIT:
So I quickly made a form to send certain values to test it, but I'm getting the ERROR from line 13 (add.php)
Here's the form:
[code]<html>
<head>
<title>Basic form</title>
</head><body>
<form method="post" action="add.php">
Username:<br /><input type="text" name="username" size="30" /><br />
Email:<br /><input type="text" name="email" size="30" /><br />
Password:<br /><input type="text" name="password" size="30" /><br />
<input type="hidden" name="level" value="1" /><br />
<input type="submit" value="Register" />
</form>
</body>
</html>[/code]
I believe it should look something like this, if you want to protect it against SQL injection or malicious HTML:
[php]
<?php
$username = htmlspecialchars($_POST['username']);
$email = htmlspecialchars($_POST['email']);
$password = htmlspecialchars($_POST['password']);
$level = htmlspecialchars($_POST['level']);
mysql_connect("localhost", "DBusername", "DBpassword") or die ('Error: '. mysql_error ());
mysql_select_db ("DBname");
$query="INSERT INTO `members` (`username`, `email`, `password`, `level`) VALUES ('". mysql_real_escape_string($username) ."', '". mysql_real_escape_string($email) ."', '". mysql_real_escape_string($password) ."', '". mysql_real_escape_string($level) ."')";
mysql_query($query) or die ('Error: '. mysql_error());
echo "Success";
?>
[/php]
Also, hey cool, you're Dutch!
The above assuming you have ID set to auto increment.
Belgian, close enough.
Meh, as long as you speak Dutch (or Flemish) you're Dutch to me.
But does it work now?
Yes
Protip : Use PDO
[QUOTE=OrYgin;18232756]Protip : Use PDO[/QUOTE]
Why?
Another error in a different script:
[code]Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in ****/checklogin.php on line 19[/code]
checklogin.php
[php]
<?php
// Connect to server and select database.
include('dbconnect.php');
// username and password sent from form
$myusername = $_POST['myusername'];
$mypassword = $_POST['mypassword'];
// To protect against MySQL injection
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);
$sql="SELECT * FROM $tbl_name WHERE myusername='$myusername' and mypassword='$mypassword'";
$result = mysql_query($sql);
// mysql_num_rows counts the rows the query returned
$count = mysql_num_rows($result);
// If the username and password matched, exactly one row comes back
if($count==1){
// Register $myusername and $mypassword and redirect to "login_success.php"
session_register("myusername");
session_register("mypassword");
header("location:login_success.php");
}
else {
echo "Error";
}
?>
[/php]
It all went great, but then, for no apparent reason, I couldn't log in anymore...
Just logging in with "user" and "password"; they're both in the table.
$table is defined in dbconnect.php
[QUOTE=Hufterkruk;18226153]I believe it should look something like this, if you want to protect it against SQL injection or malicious HTML:
[php]
<?php
$username = htmlspecialchars($_POST['username']);
$email = htmlspecialchars($_POST['email']);
$password = htmlspecialchars($_POST['password']);
$level = htmlspecialchars($_POST['level']);
mysql_connect("localhost", "DBusername", "DBpassword") or die ('Error: '. mysql_error ());
mysql_select_db ("DBname");
$query="INSERT INTO `members` (`username`, `email`, `password`, `level`) VALUES ('". mysql_real_escape_string($username) ."', '". mysql_real_escape_string($email) ."', '". mysql_real_escape_string($password) ."', '". mysql_real_escape_string($level) ."')";
mysql_query($query) or die ('Error: '. mysql_error());
echo "Success";
?>
[/php]
Also, hey cool, you're Dutch!
The above assuming you have ID set to auto increment.[/QUOTE]
You should use htmlspecialchars on output, not on input.
If you do it on input then you're trusting the data to be safe, which could be bad if your database is compromised or if you accidentally put something in without htmlspecialchars.
[editline]12:41PM[/editline]
[QUOTE=compwhiziitothemax;18232825]Why?[/QUOTE]
Because database abstraction layers make things easier.
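To make the "escape on output, not on input" point above concrete, here is an added example (it is not code from this thread or from any of its posters). The submitted value and the rendering helper are constructed for the demonstration; nothing is read from a form or a database.

```php
<?php
// Added example, not code from the thread: why htmlspecialchars() belongs at output
// rather than at input. The submitted value and the rendering helpers are constructed
// here; nothing comes from a form or a database.
declare(strict_types=1);

// The one place HTML escaping happens: every value written into a page goes through e().
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderGreeting(string $username): string
{
    return '<p>Welcome, ' . e($username) . '</p>';
}

// Constructed payload: what an attacker types into the registration form.
$submitted = "<script>alert(1)</script> O'Brien";

// The thread's approach: escape on input and store the escaped text in the database.
$storedEscapedOnInput = htmlspecialchars($submitted);

// The reply's approach: store what the user sent, escape when it is rendered.
$storedRaw = $submitted;

// 1. Escape-on-output makes the raw value harmless: the tags are shown as text.
echo renderGreeting($storedRaw), "\n";

// 2. If the value was escaped on input as well, the output layer escapes it again and
//    the page shows a literal "&lt;script&gt;": double encoding, a sign the data was
//    mangled at rest.
echo renderGreeting($storedEscapedOnInput), "\n";

// 3. Escaping on input also corrupts the value for every non-HTML sink. A JSON
//    response (or an email, CSV export, log line) should carry the user's actual name,
//    but the input-escaped row carries HTML entities instead.
echo json_encode(['username' => $storedRaw]), "\n";
echo json_encode(['username' => $storedEscapedOnInput]), "\n";

// 4. Escape-on-input only protects rows that passed through this one form. A row
//    inserted by any other path (another script, phpMyAdmin, a bulk import, an
//    attacker with write access to the table) reaches the page unescaped unless the
//    template escapes. With e() at the output point that cannot happen.
```

The rule of thumb this shows: escape for the sink you are writing to, at the moment you write to it (HTML entities for HTML, parameters for SQL, json_encode for JSON), and keep the stored data as the user sent it.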
[QUOTE=TyPhOn!;18241818]Another error in a different script:
[code]Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in ****/checklogin.php on line 19[/code]
checklogin.php
[php]
<?php
// Connect to server and select database.
include('dbconnect.php');
// username and password sent from form
$myusername = $_POST['myusername'];
$mypassword = $_POST['mypassword'];
// To protect against MySQL injection
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);
$sql="SELECT * FROM $tbl_name WHERE myusername='$myusername' and mypassword='$mypassword'";
$result = mysql_query($sql);
// mysql_num_rows counts the rows the query returned
$count = mysql_num_rows($result);
// If the username and password matched, exactly one row comes back
if($count==1){
// Register $myusername and $mypassword and redirect to "login_success.php"
session_register("myusername");
session_register("mypassword");
header("location:login_success.php");
}
else {
echo "Error";
}
?>
[/php]
It all went great, but then, for no apparent reason, I couldn't log in anymore...
Just logging in with "user" and "password"; they're both in the table.
$table is defined in dbconnect.php[/QUOTE]
The query failed. Add an or die(mysql_error()) to your mysql_query to see what it is.
session_register is old (very old).
Use this:
$_SESSION['name'] = $value;
Also, I don't see any session_start(), but I assume you have that in your dbconnect.php
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE myusername='admin' and mypassword='admin'' at line 1
My guess it has something to do with $tbl_name.
What is it set to?
$tbl_name = 'members', another mistake on my end, I wrote $table_name ...
Hmm, can't see anything wrong with that...
Try echo'ing the query before you execute it.
Well it's working now...
Parse error: syntax error, unexpected ';' in x on line 5
I'm not seeing it...
[php]
$level = 2;
include('dbconnect.php');
$query = "INSERT INTO `members` (`level`) WHERE (`username` = '". mysql_real_escape_string($_SESSION['myusername'] ."') VALUES ('". mysql_real_escape_string($level) ."')";
mysql_query($query) OR die('Error:'. mysql_error());
echo 'Success!';
[/php]
Your whole INSERT query is wrong.
Are you inserting or updating?
Updating
[QUOTE=compwhiziitothemax;18232825]Why?[/QUOTE]
Because it's safer from a security standpoint (since you don't have to worry about manually escaping all user input that gets used in a query) and more efficient when a query is run multiple times (since it uses prepared statements).
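Since "use PDO" has now been asked about twice, here is an added example of what the two answers above mean in practice (not code from the thread or from any poster): the add.php INSERT, the checklogin.php SELECT and the UPDATE the thread is working towards, done with PDO prepared statements. It uses an in-memory SQLite database so it runs stand-alone; the DSN for the thread's setup would be the MySQL one noted in the comment. Table and column names follow the thread; the switch to password_hash()/password_verify() is an addition beyond what the thread does (it stores and compares plaintext passwords).

```php
<?php
// Added example, not code from the thread: the add.php INSERT, the checklogin.php
// SELECT and the later UPDATE redone with PDO prepared statements. An in-memory
// SQLite database stands in for MySQL so the file runs on its own; for MySQL the
// DSN would be 'mysql:host=localhost;dbname=DBname;charset=utf8mb4' plus user/password.
// Table and column names follow the thread (members: ID, username, email, password, level).
declare(strict_types=1);

function connect(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    // Throw on failure instead of returning false, so a bad query cannot go
    // unnoticed the way the mysql_num_rows() warning in the thread did.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // With the MySQL driver also pass PDO::ATTR_EMULATE_PREPARES => false in the
    // constructor options so the server, not the client, binds the parameters.
    $pdo->exec('CREATE TABLE members (
        ID INTEGER PRIMARY KEY AUTOINCREMENT,
        username TEXT NOT NULL UNIQUE,
        email TEXT NOT NULL,
        password TEXT NOT NULL,
        level INTEGER NOT NULL DEFAULT 1
    )');
    return $pdo;
}

function addMember(PDO $pdo, string $username, string $email, string $password, int $level): int
{
    // Values travel separately from the SQL text, so nothing the user typed is
    // ever parsed as SQL: no mysql_real_escape_string(), no hand-placed quotes.
    $stmt = $pdo->prepare(
        'INSERT INTO members (username, email, password, level)
         VALUES (:username, :email, :password, :level)'
    );
    $stmt->execute([
        ':username' => $username,
        ':email'    => $email,
        // Store a salted hash, never the password itself (the thread stores plaintext).
        ':password' => password_hash($password, PASSWORD_DEFAULT),
        ':level'    => $level,
    ]);
    return (int) $pdo->lastInsertId();
}

function checkLogin(PDO $pdo, string $username, string $password): ?array
{
    // Select by username only and verify the password in PHP against the stored hash,
    // instead of "WHERE myusername='$myusername' and mypassword='$mypassword'".
    $stmt = $pdo->prepare('SELECT ID, username, level, password FROM members WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    unset($row['password']);
    return $row;
}

function setLevel(PDO $pdo, string $username, int $level): int
{
    // The UPDATE the thread was working towards; "INSERT ... WHERE" is not valid SQL.
    $stmt = $pdo->prepare('UPDATE members SET level = :level WHERE username = :username');
    $stmt->execute([':level' => $level, ':username' => $username]);
    // Affected-row count: 0 means no such user, which a silent "it ran" would hide.
    return $stmt->rowCount();
}

$pdo = connect();
addMember($pdo, 'user', 'user@example.com', 'password', 1);

// A real user logs in.
var_dump(checkLogin($pdo, 'user', 'password'));

// The classic payload that a query built by concatenating unescaped input (like the
// first add.php) is open to. Bound as a parameter it is just a username nobody has,
// so the login fails.
var_dump(checkLogin($pdo, "' OR '1'='1' -- ", 'anything'));

// Promote the user to level 2, then try a user that does not exist.
var_dump(setLevel($pdo, 'user', 2));
var_dump(setLevel($pdo, 'nobody', 2));
```

Two things worth noticing: the login no longer depends on the row count of a query that mixes credentials into SQL, and rowCount() on the UPDATE answers the "it's not giving any errors but it's not updating" question directly, because a WHERE that matches nobody is reported as zero rows rather than as success.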
This is a current UPDATE query:
[php]$query = "
UPDATE members
SET level = '" . mysql_real_escape_string($level) . "'
WHERE username = '" . mysql_real_escape_string($_SESSION['myusername']) . "'"; [/php]
If you want to update more fields:
[php]$query = "
UPDATE members
SET level = '" . mysql_real_escape_string($level) . "', field2 = 'value', field3 = 'value'
WHERE username = '" . mysql_real_escape_string($_SESSION['myusername']) . "'";[/php]
More complex WHERE example:
[php]$query = "
UPDATE members
SET level = '" . mysql_real_escape_string($level) . "', field2 = 'value', field3 = 'value'
WHERE username = '" . mysql_real_escape_string($_SESSION['myusername']) . "' AND field4 = 'value'";[/php]
I'm using the first piece of code, it's not giving any errors but it's not updating the table.
You're sure the query is executed properly?
Have you tried echoing $level and $_SESSION['myusername']?
Yes, and both are returning the correct value.
This is a part of the script.
[php]
include "passwords.php";
include "dbconnect.php";
if ($_POST['txtPassword1'] != $password1)
{
?>
<center>
<form name="form" method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
<p><label for="txtpassword1">Password:<input type="password" title="Enter the password" name="txtPassword1" /></p>
<p><input type="submit" name="submit" value="submit" /></p>
</form>
</center>
<?php
}
else
{
//If the password is correct, run this stuff
$query = "
UPDATE members
SET level = '" . mysql_real_escape_string($level) . "'
WHERE username = '" . mysql_real_escape_string($_SESSION['myusername']) . "'";
echo = "Password is correct";
exit;
}
[/php]
Anyone ?
The only thing I'm trying to do is change a person's level (column 5 in table members) to 2; I've got everything else working.
I've already included a dbconnect.php which connects to the database.
Try using mysql_error();
Also, not sure:
[php]
$query = "
UPDATE members
SET level=" . mysql_real_escape_string($level) . "
WHERE username=\"" . mysql_real_escape_string($_SESSION['myusername'])."\"";
[/php]
You're not running the query.
Also it's
echo 'text';
not
echo = 'text';