unexpected T_VARIABLE

steaky

Data removed.

NogDog

I copied and pasted your code and got no parse errors. Are you sure that was the /homepages/30/d194422486/htdocs/index.php file cited in the error message?

waptech

Just an observation here, is the following snippit generally accepted syntax with mysql queries

WHERE (user_id = \'$userId\')

Am just wondering if those backslashes might be causing some problems?
Sorry its just the first time ive seen some1 use them in a mysql query.
Ide usually do that query as follows

     $sql = 'SELECT user_id FROM tbl_auth_user WHERE user_id ='.$userId.'  AND user_password = '.PASSWORD('$password').' LIMIT 0, 30 ';

NogDog

@: No, that's just part of PHP escaping syntax for including single quotes within a single-quoted string literal.

echo 'You must escape \'single quotes\' within a single-quoted string.';
echo "You must escape \"double quotes\" withing a double-quoted string.";
echo "You do not have to escape 'single quotes' within a double-quoted string (or vice versa).";

waptech

NogDog wrote:
@: No, that's just part of PHP escaping syntax for including single quotes within a single-quoted string literal.
echo 'You must escape \'single quotes\' within a single-quoted string.';
echo "You must escape \"double quotes\" withing a double-quoted string.";
echo "You do not have to escape 'single quotes' within a double-quoted string (or vice versa).";

Ahh thanks.

laserlight

Well, that is a problem, but it has to do with SQL, not PHP, though it is due to the PHP code. steaky is using variables in single quote delimited strings. Consequently, the variables are not interpolated and so the SQL statement does not have the intended values, but the strings '$userId' and '$password'. By using concatenation as you have described, this problem would be fixed.

On the other hand, another problem would appear: since $userId and $password are from incoming variables, they need to be escaped, but have not been escaped. As such, the script is vulnerable to SQL injection.