PC Nerd
Posted July 4, 2006

I'm creating a login script but PHP tells me that there is an error in the SQL string. My code is as follows, can anyone help?

[code]$User_SQL = "SELECT User_Name, Password FROM General_Stats WHERE User_Name = $_POST['User_Name']";[/code]

ERROR: Parse error: syntax error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_STRING in FILENAME on line 42

All help is much appreciated.

kenrbnsn
Posted July 4, 2006

The error could be in a preceding line. But try this first before showing us some of the preceding lines:

[code]<?php
$User_SQL = "SELECT User_Name, Password FROM General_Stats WHERE User_Name = '" . $_POST['User_Name'] . "'";
?>[/code]

Ken

PC Nerd
Posted July 4, 2006

Thanks mate, I think that worked.

.josh
Posted July 4, 2006

The error is because you do not have quotes around the $_POST['User_Name']. [b]kenrbnsn's[/b] method will fix it. However, it is not a good idea to insert posted variables directly into a SQL query. You should always sanitize them first. Here is an example:

[code]function clean_var($value)
{
    // Undo magic quotes so the value is not escaped twice
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    // Escape non-numeric values for use inside a quoted SQL string
    if (!is_numeric($value)) {
        $value = mysql_real_escape_string($value);
    }
    return $value;
}

$User_Name = clean_var($_POST['User_Name']);[/code]
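
An added example, not code from any poster in this thread: the same lookup written with a prepared statement, next to the concatenated form, run against a constructed in-memory table. Assumptions: PHP 7+ with the pdo_sqlite extension standing in for the thread's MySQL database, passwords stored with password_hash(), and the hypothetical function names find_user_concat and check_login.

```php
<?php
// Added example. Assumes PHP 7+ with pdo_sqlite; all table contents are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE General_Stats (User_Name TEXT PRIMARY KEY, Password TEXT)');

// Constructed sample accounts. Storing password_hash() output is an assumption;
// the thread does not say how the Password column is filled.
$insert = $pdo->prepare('INSERT INTO General_Stats (User_Name, Password) VALUES (?, ?)');
foreach (['alice' => 'constructed-pw-1', "o'brien" => 'constructed-pw-2'] as $name => $pw) {
    $insert->execute([$name, password_hash($pw, PASSWORD_DEFAULT)]);
}

// Concatenation as in the thread: the posted value becomes part of the SQL text.
function find_user_concat(PDO $pdo, string $userName)
{
    $sql = "SELECT User_Name, Password FROM General_Stats WHERE User_Name = '" . $userName . "'";
    return $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
}

// Prepared statement: the SQL text is fixed and the value is bound separately,
// so no escaping function is needed and quotes in the value stay data.
function check_login(PDO $pdo, string $userName, string $password): bool
{
    $stmt = $pdo->prepare('SELECT User_Name, Password FROM General_Stats WHERE User_Name = :name');
    $stmt->execute([':name' => $userName]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Unknown user and wrong password give the same answer to the caller.
    return $row !== false && password_verify($password, $row['Password']);
}

// Constructed form input standing in for $_POST.
$post = ['User_Name' => "o'brien", 'Password' => 'constructed-pw-2'];

try {
    find_user_concat($pdo, $post['User_Name']);
    echo "concatenated query ran\n";
} catch (PDOException $e) {
    // The apostrophe ended the string literal early, so the statement no longer parses.
    echo "concatenated query failed: ", $e->getMessage(), "\n";
}

var_dump(check_login($pdo, $post['User_Name'], $post['Password']));
var_dump(check_login($pdo, $post['User_Name'], 'wrong'));
var_dump(check_login($pdo, 'nobody', 'constructed-pw-2'));
```

An ordinary name containing an apostrophe is enough to change the structure of the concatenated statement, which is the same property that makes unescaped input dangerous; the bound parameter is never parsed as SQL.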
Archived
This topic is now archived and is closed to further replies.