user717363

Reputation: 39

Does anyone know the meaning behind this php error message?

Parse error: syntax error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_STRING is the message. It came up from this line of code:

$query = ("SELECT * 
             FROM users 
            WHERE user_name = $_POST['user_name'] 
                & password = $_POST['password'] 
                & user_type = $_POST['user_type']");

Does anyone out there know the meaning of all this? If so, does anyone know how to deal with this?

Upvotes: 2

Views: 131

Answers (6)

Marty

Reputation: 39456

$username = mysql_real_escape_string($_POST["user_username"]);
$password = mysql_real_escape_string($_POST["user_password"]);
$type = mysql_real_escape_string($_POST["user_type"]);

mysql_query("SELECT * FROM users WHERE user_name='$username' AND user_password='$password' AND user_type='$type' LIMIT 1");

Upvotes: 0

Tieson T.

Reputation: 21191

I'd also suggest reading the manual a bit: http://us.php.net/manual/de/language.types.string.php#language.types.string.parsing. That link will explain to you how PHP parses variables in strings.

Upvotes: 0

alex

Reputation: 490183

You can't interpolate a $_POST like that. You need to wrap them with braces ({ and }). You also don't need to quote the key names when already in a string like that.

You should also quote those values, and swap & with AND.

You also need a ; at the end.

You also don't need to wrap it in parenthesis.

// Inside {...} the key is parsed as a normal PHP expression, so it must be
// quoted; a bare key here is an undefined constant (an Error on PHP 8).
$query = "SELECT * 
         FROM users 
        WHERE user_name = '{$_POST['user_name']}' 
          AND password = '{$_POST['password']}' 
          AND user_type = '{$_POST['user_type']}'";

But...

...don't interpolate user input directly like that. Use an escaping mechanism.

$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
$user_type = mysql_real_escape_string($_POST['user_type']);


$query = "SELECT * 
         FROM users 
        WHERE user_name = '$username' 
          AND password = '$password' 
          AND user_type = '$user_type'";

I would recommend using PDO and binding parameters instead of building the SQL yourself.

Also, it would appear that the passwords users input are being used directly for the comparison in the database. Use some form of one-way message digest, such as bcrypt.

Upvotes: 2
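The two recommendations above (PDO with bound parameters, and a one-way digest for the password) combined into one runnable script. This is an added example, not code from the answer or from the asker's project; it uses an in-memory SQLite database in place of MySQL so it runs stand-alone, and the table and column names (users, user_name, password_hash, user_type) are assumptions.

```php
<?php
// Added example: login lookup with PDO bound parameters and a bcrypt hash.
// Uses sqlite::memory: so it runs offline; the schema below is assumed.
declare(strict_types=1);

function openDb(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // password_hash holds the bcrypt digest; the plaintext is never stored.
    $pdo->exec('CREATE TABLE users (
        user_name     TEXT PRIMARY KEY,
        password_hash TEXT NOT NULL,
        user_type     TEXT NOT NULL
    )');
    return $pdo;
}

function createUser(PDO $pdo, string $name, string $password, string $type): void {
    $stmt = $pdo->prepare(
        'INSERT INTO users (user_name, password_hash, user_type)
         VALUES (:name, :hash, :type)'
    );
    $stmt->execute([
        ':name' => $name,
        ':hash' => password_hash($password, PASSWORD_BCRYPT),
        ':type' => $type,
    ]);
}

// Returns the stored user_type on success, null otherwise. The query text
// never contains user input: values travel to the driver separately from
// the SQL, so a quote in $name cannot alter the statement's structure.
function login(PDO $pdo, string $name, string $password): ?string {
    $stmt = $pdo->prepare(
        'SELECT password_hash, user_type FROM users WHERE user_name = :name LIMIT 1'
    );
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    // Verify against the stored bcrypt digest instead of comparing in SQL.
    return password_verify($password, $row['password_hash']) ? $row['user_type'] : null;
}

$pdo = openDb();
// Constructed sample user; the name contains a quote on purpose to show
// that bound parameters handle it without any escaping in the query.
createUser($pdo, "o'brien", 'correct horse', 'member');

echo login($pdo, "o'brien", 'correct horse') ?? 'denied', "\n";
echo login($pdo, "o'brien", 'wrong password') ?? 'denied', "\n";
echo login($pdo, 'nobody', 'correct horse') ?? 'denied', "\n";
```

Note that user_type is read back from the matched row rather than taken from the request, as the question's query does: the client should not be able to choose the role it is checked against. Against MySQL the only change is the DSN passed to the PDO constructor.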

k to the z

Reputation: 3185

Make sure to account for SQL injection.

Try:

$username = mysql_real_escape_string($_POST["user_username"]);
$password = mysql_real_escape_string($_POST["user_password"]);
$type = mysql_real_escape_string($_POST["user_type"]);
$query = "SELECT * FROM users WHERE user_name='$username' AND password='$password' AND 
 user_type='$type'";

$result = mysql_query($query);

Upvotes: 0

deceze

Reputation: 522024

For interpolation of one-dimensional array values into strings, use this syntax:

"foo = $_POST[bar]"

Notice no quotes.

For interpolating nested arrays or generally using the normal syntax, use braces:

"foo = {$_POST['bar']}"

In no case though do any of this with SQL queries, you need to escape values before plugging them into queries. So, do this:

$query = sprintf('SELECT foo FROM bar WHERE baz = "%s"',
                 mysql_real_escape_string($_POST['baz']));

Upvotes: 0

OMG Ponies

Reputation: 332561

Use:

$query = sprintf("SELECT u.* 
                    FROM USERS u
                   WHERE u.user_name = '%s' 
                     AND u.password = '%s' 
                     AND u.user_type = '%s' ",
                   mysql_real_escape_string($_POST['user_name']),
                   mysql_real_escape_string($_POST['password']),
                   mysql_real_escape_string($_POST['user_type']) );

$result = mysql_query($query);

Reference

Upvotes: 4
