Morgan Green

Reputation: 996

MySQL and PHP Unexpected T_Variable

Okay, so I have a register.php script written and I get an unexpected T Variable when the command tries to execute. The error lies on line 15 at

    ('$_Post[username]','$_Post[sha_pass_hash]','$_Post[email]','2')";

I also have a second error in my syntax according to Dreamweaver at line 20 for

    die('Error: ' . mysql_error());

If anyone could help it would be greatly appreciated. Thank you in advance.

Upvotes: 1

Views: 1619

Answers (5)

Ravi Jethva

Reputation: 2031

Use this:

    ('".$_Post[username]."','".$_Post[sha_pass_hash]."','".$_Post[email]."','2')

Upvotes: 1

Allen Chak

Reputation: 1950

    ($_Post["username"],$_Post["sha_pass_hash"],$_Post["email"],'2')";

Upvotes: 1

Kinetic

Reputation: 1744

STOP

Inserting into a database directly from post is always a bad idea. This is the reason PHP is currently stuck with the very un-intuitive magic quotes.

You should at the very least be using mysql_real_escape_string() to escape your data. For example:

    $link = mysql_connect('mysql_host', 'mysql_user', 'mysql_password')
        OR die(mysql_error());

    $query = "INSERT INTO users VALUES (
        '" . mysql_real_escape_string($_POST["username"]) . "',
        '" . mysql_real_escape_string($_POST["sha_pass_hash"]) . "',
        '" . mysql_real_escape_string($_POST["email"]) . "',
        '2'
    )";

    mysql_query($query);

The reason you have to do this is security based. For example, if someone malicious set the username field to '); DROP TABLE users; without you first escaping your data, you would end up blindly running the following query:

    INSERT INTO users VALUES (''); DROP TABLE users;

Which of course isn't going to end well for your application.

This is the minimum you should be doing.

In reality you should really be moving on to MySQLi, which is a much more modern MySQL interface. Here is an example:

    $mysqli = new mysqli('mysql_host', 'mysql_user', 'mysql_password', 'mysql_database');

    $query = "INSERT INTO users VALUES (
        '" . $mysqli->real_escape_string($_POST["username"]) . "',
        '" . $mysqli->real_escape_string($_POST["sha_pass_hash"]) . "',
        '" . $mysqli->real_escape_string($_POST["email"]) . "',
        '2'
    )";

    $mysqli->query($query);

You can even use MySQL in a procedural style. So if object-orientated programming isn't within your reach yet, you will have no problems with MySQLi.

Hope that helps.

Upvotes: 3
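
As an added example, not part of the answer above or of any poster's code, here is the same registration insert written with bound parameters, so that input such as the `'); DROP TABLE users;` username is stored as plain data without any escaping call. It uses PDO with an in-memory SQLite database so it runs without a server; the `users` column layout, the `level` column name and the `register_user` helper are assumptions.

```php
<?php
// Added example: registration insert with bound parameters instead of
// string concatenation. Table layout and the `level` column are assumptions.
declare(strict_types=1);

// In-memory SQLite keeps the example self-contained; for MySQL, pass a
// 'mysql:host=...;dbname=...' DSN and keep the same prepare/execute calls.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (
    username TEXT NOT NULL UNIQUE,
    sha_pass_hash TEXT NOT NULL,
    email TEXT NOT NULL,
    level INTEGER NOT NULL
)');

// Hypothetical helper: validates the POST fields, then inserts one row.
function register_user(PDO $pdo, array $post): bool
{
    // Reject missing or non-string fields (username[]=x arrives as an array).
    foreach (['username', 'sha_pass_hash', 'email'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field]) || $post[$field] === '') {
            return false;
        }
    }
    if (filter_var($post['email'], FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    // Placeholders keep the SQL text fixed; the values travel separately as data.
    $stmt = $pdo->prepare(
        'INSERT INTO users (username, sha_pass_hash, email, level)
         VALUES (:username, :hash, :email, 2)'
    );
    return $stmt->execute([
        ':username' => $post['username'],
        ':hash'     => $post['sha_pass_hash'],
        ':email'    => $post['email'],
    ]);
}

// Constructed sample input: the username string from the answer above.
$post = [
    'username'      => "'); DROP TABLE users;",
    'sha_pass_hash' => str_repeat('a', 40),
    'email'         => 'user@example.com',
];
var_dump(register_user($pdo, $post));
$row = $pdo->query('SELECT username FROM users')->fetch(PDO::FETCH_ASSOC);
var_dump($row['username'] === $post['username']);
```

MySQLi offers the same pattern through `prepare()`, `bind_param()` and `execute()`.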

Vivek Kumar Ray

Reputation: 8581

    ($_Post["username"],$_Post["sha_pass_hash"],$_Post["email"],'2')";

Remove the quotes..

Upvotes: 2

PoeHaH

Reputation: 1936

    ($_POST["username"],$_POST["sha_pass_hash"],$_POST["email"],'2')";

Lose the single quotes around the variables :)

Upvotes: 1
