problem
-
Parse error: syntax error, unexpected variable "$query" in C:\xampp\htdocs\sys\functions.php on line 10 here is the code -
$query = "select * from users where user_id = '$id' limit 1";
$result = mysqli\_query($con,$query); if($result && mysqli\_num\_rows($result) > 0) { $user\_data = mysqli\_fetch\_assoc($result); return $user\_data; } } //header('Location: loginsys.php'); //die;}
-
Parse error: syntax error, unexpected variable "$query" in C:\xampp\htdocs\sys\functions.php on line 10 here is the code -
$query = "select * from users where user_id = '$id' limit 1";
$result = mysqli\_query($con,$query); if($result && mysqli\_num\_rows($result) > 0) { $user\_data = mysqli\_fetch\_assoc($result); return $user\_data; } } //header('Location: loginsys.php'); //die;}
-
Parse error: syntax error, unexpected variable "$query" in C:\xampp\htdocs\sys\functions.php on line 10 here is the code -
$query = "select * from users where user_id = '$id' limit 1";
$result = mysqli\_query($con,$query); if($result && mysqli\_num\_rows($result) > 0) { $user\_data = mysqli\_fetch\_assoc($result); return $user\_data; } } //header('Location: loginsys.php'); //die;}
This forum is the wrong place to post this, as it says at the top of the page. The right place is here: Ask a Question[^] And don't do SQL like that: Never concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Always use Parameterized queries instead. When you concatenate strings, you cause problems because SQL receives commands like:
SELECT * FROM MyTable WHERE StreetAddress = 'Baker's Wood'
The quote the user added terminates the string as far as SQL is concerned and you get problems. But it could be worse. If I come along and type this instead: "x';DROP TABLE MyTable;--" Then SQL receives a very different command:
SELECT * FROM MyTable WHERE StreetAddress = 'x';DROP TABLE MyTable;--'
Which SQL sees as three separate commands:
SELECT * FROM MyTable WHERE StreetAddress = 'x';
A perfectly valid SELECT
DROP TABLE MyTable;
A perfectly valid "delete the table" command
--'
And everything else is a comment. So it does: selects any matching rows, deletes the table from the DB, and ignores anything else. So ALWAYS use parameterized queries! Or be prepared to restore your DB from backup frequently. You do take backups regularly, don't you? But to be honest, the problem you have noticed is pretty trivial to fix: what should a line end with in PHP?
"I have no idea what I did, but I'm taking full credit for it." - ThisOldTony "Common sense is so rare these days, it should be classified as a super power" - Random T-shirt AntiTwitter: @DalekDave is now a follower!
-
This forum is the wrong place to post this, as it says at the top of the page. The right place is here: Ask a Question[^] And don't do SQL like that: Never concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Always use Parameterized queries instead. When you concatenate strings, you cause problems because SQL receives commands like:
SELECT * FROM MyTable WHERE StreetAddress = 'Baker's Wood'
The quote the user added terminates the string as far as SQL is concerned and you get problems. But it could be worse. If I come along and type this instead: "x';DROP TABLE MyTable;--" Then SQL receives a very different command:
SELECT * FROM MyTable WHERE StreetAddress = 'x';DROP TABLE MyTable;--'
Which SQL sees as three separate commands:
SELECT * FROM MyTable WHERE StreetAddress = 'x';
A perfectly valid SELECT
DROP TABLE MyTable;
A perfectly valid "delete the table" command
--'
And everything else is a comment. So it does: selects any matching rows, deletes the table from the DB, and ignores anything else. So ALWAYS use parameterized queries! Or be prepared to restore your DB from backup frequently. You do take backups regularly, don't you? But to be honest, the problem you have noticed is pretty trivial to fix: what should a line end with in PHP?
"I have no idea what I did, but I'm taking full credit for it." - ThisOldTony "Common sense is so rare these days, it should be classified as a super power" - Random T-shirt AntiTwitter: @DalekDave is now a follower!
-
You should read the posting rules, the top entry in this list. You could read there that this is the wrong place for your question.
-
This forum is the wrong place to post this, as it says at the top of the page. The right place is here: Ask a Question[^] And don't do SQL like that: Never concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Always use Parameterized queries instead. When you concatenate strings, you cause problems because SQL receives commands like:
SELECT * FROM MyTable WHERE StreetAddress = 'Baker's Wood'
The quote the user added terminates the string as far as SQL is concerned and you get problems. But it could be worse. If I come along and type this instead: "x';DROP TABLE MyTable;--" Then SQL receives a very different command:
SELECT * FROM MyTable WHERE StreetAddress = 'x';DROP TABLE MyTable;--'
Which SQL sees as three separate commands:
SELECT * FROM MyTable WHERE StreetAddress = 'x';
A perfectly valid SELECT
DROP TABLE MyTable;
A perfectly valid "delete the table" command
--'
And everything else is a comment. So it does: selects any matching rows, deletes the table from the DB, and ignores anything else. So ALWAYS use parameterized queries! Or be prepared to restore your DB from backup frequently. You do take backups regularly, don't you? But to be honest, the problem you have noticed is pretty trivial to fix: what should a line end with in PHP?
"I have no idea what I did, but I'm taking full credit for it." - ThisOldTony "Common sense is so rare these days, it should be classified as a super power" - Random T-shirt AntiTwitter: @DalekDave is now a follower!
-
How is it possible to discuss such matters without a link to Bobby Tables[^]? Sure, it has been referenced in numerous earlier threads. That is because it has been equally relevant to numerous earlier threads. As well as to this one.
While XKCD is right, and spot on (and generally Randal is very good at science stuff) it is a cartoon. So those who have never explored the internet other than FarceBook and Twatter - which includes most students - can easily assume that it's a joke. Which it is, but they don't see the levels of reality behind the joke. Omitting Bobby Tables was a deliberate choice to not have the "less experienced" reader disregard it as humour. Since most of 'em don't read past the first sentence of any reply that doesn't start with "here's code you can hand in as your own homework" anyway, it's probably a moot point. But still, we try ... :laugh:
"I have no idea what I did, but I'm taking full credit for it." - ThisOldTony "Common sense is so rare these days, it should be classified as a super power" - Random T-shirt AntiTwitter: @DalekDave is now a follower!
-
This forum is the wrong place to post this, as it says at the top of the page. The right place is here: Ask a Question[^] And don't do SQL like that: Never concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Always use Parameterized queries instead. When you concatenate strings, you cause problems because SQL receives commands like:
SELECT * FROM MyTable WHERE StreetAddress = 'Baker's Wood'
The quote the user added terminates the string as far as SQL is concerned and you get problems. But it could be worse. If I come along and type this instead: "x';DROP TABLE MyTable;--" Then SQL receives a very different command:
SELECT * FROM MyTable WHERE StreetAddress = 'x';DROP TABLE MyTable;--'
Which SQL sees as three separate commands:
SELECT * FROM MyTable WHERE StreetAddress = 'x';
A perfectly valid SELECT
DROP TABLE MyTable;
A perfectly valid "delete the table" command
--'
And everything else is a comment. So it does: selects any matching rows, deletes the table from the DB, and ignores anything else. So ALWAYS use parameterized queries! Or be prepared to restore your DB from backup frequently. You do take backups regularly, don't you? But to be honest, the problem you have noticed is pretty trivial to fix: what should a line end with in PHP?
"I have no idea what I did, but I'm taking full credit for it." - ThisOldTony "Common sense is so rare these days, it should be classified as a super power" - Random T-shirt AntiTwitter: @DalekDave is now a follower!
-
Obligatory [xkcd: Exploits of a Mom](https://xkcd.com/327/)
Ref: The Lounge[^] And: The Lounge[^]
"I have no idea what I did, but I'm taking full credit for it." - ThisOldTony "Common sense is so rare these days, it should be classified as a super power" - Random T-shirt AntiTwitter: @DalekDave is now a follower!
-
Parse error: syntax error, unexpected variable "$query" in C:\xampp\htdocs\sys\functions.php on line 10 here is the code -
$query = "select * from users where user_id = '$id' limit 1";
$result = mysqli\_query($con,$query); if($result && mysqli\_num\_rows($result) > 0) { $user\_data = mysqli\_fetch\_assoc($result); return $user\_data; } } //header('Location: loginsys.php'); //die;}
