Parse error: syntax error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_STRING is the message. It came up from this line of code:
I'd also suggest reading the manual a bit: http://us.php.net/manual/de/language.types.string.php#language.types.string.parsing. That link will explain to you how PHP parses variables in strings.
$username = mysql_real_escape_string($_POST["user_username"]);
$password = mysql_real_escape_string($_POST["user_password"]);
$type = mysql_real_escape_string($_POST["user_type"]);
mysql_query("SELECT * FROM users WHERE user_name='$username' AND user_password='$password' AND user_type='$type' LIMIT 1");
Make sure to account for SQL injection.
Try:
$username = mysql_real_escape_string($_POST["user_username"]);
$password = mysql_real_escape_string($_POST["user_password"]);
$type = mysql_real_escape_string($_POST["user_type"]);
$query = "SELECT * FROM users WHERE user_name='$username' AND password='$password' AND
user_type='$type'";
$result = mysql_query($query);
Use:
$query = sprintf("SELECT u.*
FROM USERS u
WHERE u.user_name = '%s'
AND u.password = '%s'
AND u.user_type = '%s' ",
mysql_real_escape_string($_POST['user_name']),
mysql_real_escape_string($_POST['password']),
mysql_real_escape_string($_POST['user_type']) );
$result = mysql_query($query);
You can't interpolate a $_POST like that. You need to wrap them with braces ({ and }). You also don't need to quote the key names when already in a string like that.
You should also quote those values, and swap & with AND.
You also need a ; at the end.
You also don't need to wrap it in parentheses.
$query = "SELECT *
FROM users
WHERE user_name = '{$_POST[user_name]}'
AND password = '{$_POST[password]}'
AND user_type = '{$_POST[user_type]}'";
...don't interpolate user input directly like that. Use an escaping mechanism.
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
$user_type = mysql_real_escape_string($_POST['user_type']);
$query = "SELECT *
FROM users
WHERE user_name = '$username'
AND password = '$password'
AND user_type = '$user_type'";
I would recommend using PDO and binding parameters instead of building the SQL yourself.
Also, it would appear that your user-inputted passwords are being directly used to compare in the database. Use some form of one-way message digest, such as bcrypt.
For interpolation of one-dimensional array values into strings, use this syntax:
"foo = $_POST[bar]"
Notice no quotes.
For interpolating nested arrays or generally using the normal syntax, use braces:
"foo = {$_POST['bar']}"
In no case, though, do any of this with SQL queries; you need to escape values before plugging them into queries. So, do this:
$query = sprintf('SELECT foo FROM bar WHERE baz = "%s"',
mysql_real_escape_string($_POST['baz']));
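As an added example (not code from any of the answers above), the following PHP puts together the points of the last two answers: the interpolation syntax that avoids the parse error in the question, and why the resulting query should use PDO with bound parameters and a bcrypt hash rather than escaped, interpolated values. It runs offline against an in-memory SQLite database through PDO; the users table, the user "alice", her password and the injection payload in the request data are all constructed for this example, and password_hash/password_verify stand in for the bcrypt suggestion.

```php
<?php
// Added example, not code from the original answers. Runs against an
// in-memory SQLite database through PDO; the table, the user "alice" and
// the request data below are constructed for this demonstration.

// Stand-in for $_POST. The password field carries a classic injection payload.
$post = [
    'user_name' => 'alice',
    'password'  => "' OR '1'='1",
    'user_type' => 'admin',
];

// Interpolation forms that parse. Writing "$_POST["user_name"]" inside a
// double-quoted string is what produces the T_ENCAPSED_AND_WHITESPACE error:
// either leave the key unquoted ($post[password]) or wrap the whole
// expression in braces ({$post['user_name']}). Both are valid PHP, and both
// are unsafe here, because the raw input becomes part of the SQL text.
function buildInterpolatedQuery(array $post): string
{
    return "SELECT * FROM users WHERE user_name = '{$post['user_name']}' "
         . "AND password = '$post[password]' "
         . "AND user_type = '{$post['user_type']}'";
}

// Bound parameters: the SQL never contains user data, so the payload is
// compared as an ordinary string and matches nothing. The password is not
// part of the query at all; only the stored hash is fetched.
function findUser(PDO $db, string $userName, string $userType): ?array
{
    $stmt = $db->prepare(
        'SELECT id, user_name, password_hash, user_type FROM users '
      . 'WHERE user_name = :name AND user_type = :type LIMIT 1'
    );
    $stmt->execute([':name' => $userName, ':type' => $userType]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Login check: look the user up by name and type, then verify the submitted
// password against the bcrypt hash in PHP (password_hash / password_verify).
function login(PDO $db, array $post): bool
{
    $row = findUser($db, $post['user_name'], $post['user_type']);
    if ($row === null) {
        return false;
    }
    return password_verify($post['password'], $row['password_hash']);
}

// Set up the constructed database with one user whose password is stored
// as a bcrypt hash rather than in clear text.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, user_name TEXT, '
        . 'password_hash TEXT, user_type TEXT)');
$insert = $db->prepare('INSERT INTO users (user_name, password_hash, user_type) VALUES (?, ?, ?)');
$insert->execute(['alice', password_hash('correct horse', PASSWORD_BCRYPT), 'admin']);

// Show what the interpolated query would send to the server: the quote in the
// payload closes the password literal and the rest is parsed as SQL. It is
// only built and printed here, never executed.
echo buildInterpolatedQuery($post), PHP_EOL;

// The bound version rejects the payload and accepts the real password.
var_dump(login($db, $post));
var_dump(login($db, ['password' => 'correct horse'] + $post));
```

Run it with the sqlite PDO driver enabled (php -r or as a script). The interpolated string shows the payload rewriting the WHERE clause, while login() with the same input returns false because the payload is bound as a plain value and there is no such user; the second call with the real password returns true. Note that mysql_real_escape_string and the rest of the mysql_* extension used in the answers above were removed in PHP 7, which is another reason to prefer PDO.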