PC Nerd
Posted July 4, 2006

I'm creating a login script but PHP tells me that there is an error in the SQL string. My code is as follows, can anyone help?

[code]
$User_SQL = "SELECT User_Name, Password FROM General_Stats WHERE User_Name = $_POST['User_Name']";
[/code]

ERROR: Parse error: syntax error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_STRING in FILENAME on line 42

All help is much appreciated.

kenrbnsn
Posted July 4, 2006

The error could be in a preceding line. But try this first before showing us some of the preceding lines:

[code]
<?php
$User_SQL = "SELECT User_Name, Password FROM General_Stats WHERE User_Name = '" . $_POST['User_Name'] . "'";
?>
[/code]

Ken

PC Nerd
Posted July 4, 2006

Thanks mate, I think that worked.

.josh
Posted July 4, 2006

The error is because you do not have quotes around the $_POST['User_Name']. [b]kenrbnsn's[/b] method will fix it. However, it is not a good idea to insert posted variables directly into a SQL query. You should always sanitize them first. Here is an example:

[code]
function clean_var($value)
{
    // Undo magic-quotes escaping if it is enabled
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    // Escape non-numeric values for use inside a quoted SQL string
    if (!is_numeric($value)) {
        $value = mysql_real_escape_string($value);
    }
    return $value;
}

$User_Name = clean_var($_POST['User_Name']);
[/code]
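
Added example, not part of the original thread or any poster's code: the same lookup written with a PDO prepared statement, next to the concatenated form from the posts above, so the value is bound as data instead of being escaped into the SQL text. It assumes the PDO SQLite driver and uses an in-memory table with constructed rows; the function names `lookup_concat` and `lookup_prepared` are hypothetical. The `mysql_*` functions used in the thread were removed in PHP 7.0.

```php
<?php
// Added example: constructed table and rows, in-memory SQLite so it runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE General_Stats (User_Name TEXT PRIMARY KEY, Password TEXT)');
$pdo->exec("INSERT INTO General_Stats VALUES ('alice', 'hash-a'), ('O''Brien', 'hash-b')");

// Concatenated form from the thread: the posted value becomes part of the SQL text,
// so a quote inside it ends the string literal early and the rest is parsed as SQL.
function lookup_concat(PDO $pdo, string $name): array
{
    $sql = "SELECT User_Name, Password FROM General_Stats WHERE User_Name = '" . $name . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Prepared statement: the SQL text is fixed and the value travels as a bound
// parameter, so its content can never change the structure of the query.
function lookup_prepared(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare(
        'SELECT User_Name, Password FROM General_Stats WHERE User_Name = :name'
    );
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs standing in for $_POST['User_Name'].
foreach (['alice', "O'Brien"] as $name) {
    try {
        $concat = count(lookup_concat($pdo, $name)) . ' row(s)';
    } catch (PDOException $e) {
        // The apostrophe broke the statement before it could run.
        $concat = 'SQL error';
    }
    $prepared = count(lookup_prepared($pdo, $name)) . ' row(s)';
    printf("[%s] concatenated: %s, prepared: %s\n", $name, $concat, $prepared);
}
```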