[RESOLVED] unexpected T_ENCAPSED_AND_WHITESPACE error!

nobackseat88

<?php
$mysite_username = $HTTP_COOKIE_VARS["mysite_username"]; 
$con = mysql_connect("localhost","database","password");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }mysql_select_db("database", $con);
mysql_query("UPDATE users SET profile = '$_REQUEST['pcoding']'");
echo "Success!";
?>

Can anyone please find the error?

rsmith

Try is this way

$query = "UPDATE users SET profile = '".$_REQUEST['pcoding']."'";
$result = mysql_query($query);

laserlight

Of course, remember to use [man]mysql_real_escape_string/man on $_REQUEST['pcoding'] to avoid SQL injection.

bradgrafelman

In addition, not that using the $HTTP*VARS is also deprecated; instead, use one of the superglobal variables (e.g. $_COOKIE) as defined on this manual page: [man]variables.predefined[/man].

Also, when posting PHP code, please use the board's [PHP][/PHP] bbcode tags - they make the code much, much easier to read (as well as aiding the diagnosis of syntax errors). You should edit your post now and add these bbcode tags to help others in reading/analyzing your code.

nobackseat88

So, this would be my end result from what you guys said, right?

<?php 
$mysite_username = $_COOKIE["mysite_username"]; 
$con = mysql_connect("localhost","database","password"); 
if (!$con) 
  { 
  die('Could not connect: ' . mysql_error()); 
  }mysql_select_db("database", $con); 
$query = "UPDATE users SET profile = '".$_REQUEST['pcoding']."'"; 
$result = mysql_query($query); 
echo "Success!"; 
?>

But one more question, how would I integrate mysql_real_escape_string into this?
Should I make $_REQUEST['pcoding'] a variable $code and do mysql_real_escape_string($code),???

bradgrafelman

There's no need to add an additional variable; instead of concatenating the variable itself, you simply need to concatenate the result of mysql_real_escape_string().

Also note that your SQL query will update every user in your database and that $mysite_username is never used (in the code snippet provided).

Speaking of $mysite_username, note that if the cookie is not present then your code will generate an error message. The way I usually set variables when they're coming from one of the superglobals is:

$mysite_username = (isset($_COOKIE['mysite_username']) ? $_COOKIE['mysite_username'] : '');

nobackseat88

I realize that it's not used, im still working on that, it shoots our more errors when I do. When using update, I put:

UPDATE users SET profile = '$_REQUEST['pcoding']'"); Where username = $mysite_username

nobackseat88

What does the following code do again?

$mysite_username = (isset($COOKIE['mysite_username']) ? $COOKIE['mysite_username'] : '');

bradgrafelman

It uses the ternary operator to check if the 'mysite_username' index is set before trying to use it, thus avoiding the errors about an "undefined index".

I'm not sure what you mean by "it shoots our[sic] more errors when I do"... when you do what? What are the errors?

Also note that the syntax you provided in that post is incorrect - you can't have quoted array indexes inside a string (without using {} braces, that is).

nobackseat88

I meant using the $mysite_username variable in my script just gave me more errors. LIke the following...

UPDATE users SET profile = '$_REQUEST['pcoding']'"); Where username = $mysite_username

nobackseat88

Also note that the syntax you provided in that post is incorrect - you can't have quoted array indexes inside a string (without using {} braces, that is).

You mean I shouldn't put the Request in a variable then.

But how would I use the mysql escape real string in the code?

bradgrafelman

nobackseat88 wrote:
But how would I use the mysql escape real string in the code?

Just concatenate:

$query = 'SELECT foo FROM bar WHERE foo=\'' . mysql_real_escape_string($_POST['myFoo']) . '\'';

nobackseat88 wrote:
UPDATE users SET profile = '$_REQUEST['pcoding']'"); Where username = $mysite_username

Well you've got several problems with that query:

As noted above, you can't use quoted array indexes inside a string; best way to solve it is to concatenate since you'll be using the [man]mysql_real_escape_string/man function as I showed above.
Why is there "); after the profile='' bit?
Just as in PHP, strings in MySQL must be surrounded with quotes. Thus, you need to surround the $mysite_username value with quotes since it is a string.
Don't forget to sanitize (with [man]mysql_real_escape_string/man) the $mysite_username variable since it too is user-supplied data.

nobackseat88

Okay, right.
My bad, I copied it wrong, I meant it the other way. 😉
But it is data from being signed in, nothing really submitted from a form, it's a cookie.

Also, please confirm that this is all correct before I try it:

<?php 
$mysite_username = $_COOKIE["mysite_username"]; 
$con = mysql_connect("localhost","database","password"); 
if (!$con) 
  { 
  die('Could not connect: ' . mysql_error()); 
  }mysql_select_db("database", $con); 
$query = "UPDATE users SET profile =\'' . mysql_real_escape_string($_REQUEST['pcoding']) . '\' Where username=\'' . mysql_real_escape_string($_COOKIE['$mysite_username']) . '\'"; 
$result = mysql_query($query); 
echo "Success!"; 
?>

Do the slashes have to be there in the mysql real escape string part? Im not too good at security fix codes.

bradgrafelman

nobackseat88 wrote:
4. But it is data from being signed in, nothing really submitted from a form, it's a cookie.

Yes, it's not from a form, but it's still data that the user provides, thus it's still a possible source of SQL injections that should be sanitized.

nobackseat88 wrote:
Do the slashes have to be there in the mysql real escape string part?

In your code, no; I had backslashes because I used a single quote as my string delimiter. In your code, however, you used double quotes as your string delimiters, thus you don't need to escape the single quotes in the query (and you need to replace the single quotes I used as string delimiters with double quotes in your code, or else use single quotes as the delimiter in your code).

nobackseat88

Okay, thanks for the fast reply! Here is what I got:

<?php 
$mysite_username = $_COOKIE["mysite_username"]; 
$con = mysql_connect("localhost","database","password"); 
if (!$con) 
  { 
  die('Could not connect: ' . mysql_error()); 
  }mysql_select_db("database", $con); 
$query = "UPDATE users SET profile =" . mysql_real_escape_string($_REQUEST['pcoding']) . " Where username=" . mysql_real_escape_string($_COOKIE['$mysite_username']) . "; 
$result = mysql_query($query); 
echo "Success!";
?>

bradgrafelman

Still missing single quotes inside the query (since strings must be quoted):

$query = "UPDATE users SET profile ='" . mysql_real_escape_string($_REQUEST['pcoding']) . "' Where username='" . mysql_real_escape_string($_COOKIE['mysite_username']) . "'";

nobackseat88

That's not what I had in the code I just posted.

bradgrafelman

Right, I'm saying that's what it should look like. :p

EDIT: Just fixed a typo in my code snippet as well - there shouldn't be a '$' in the $_COOKIE index.

nobackseat88

Ah, that's right, I knew that, shouldn't be a $. Okay, I understand now. Im testing the code...

nobackseat88

Yay! It worked. You were a great help. Thanks