Here's my error:

Parse error: syntax error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_STRING in /home/dannyf/public_html/secure/processmessage.php on line 4

Here's my code (the DB connection is set with $this->connection).

<?
include("include/session.php");

$q = "INSERT INTO ".TBL_MESSAGES." VALUES ('$_POST['to']', '$session->username', '$_POST['message']')";
return mysql_query($q, $this->connection);
?>

    Thread moved to General Help forum (since it has nothing to do with a database).

    Your problem is that you can't use quoted array indexes inside of a double-quoted string (unless you use the "complex syntax" and surround the variable with curly braces). See this manual page for more information about how variable interpolation/parsing is properly done.

    Also, user-supplied data should never be placed directly into a SQL query string, else your code will be vulnerable to SQL injection attacks (and/or just plain SQL errors). Instead, it must first be sanitized with a function such as mysql_real_escape_string() (for string data).

      I'm not worried about SQL injection attacks as this is for a personal site accessible to only my friends (who are computer MORONS).

      I fixed the code and now it runs without errors (thanks for your help). But now it doesn't enter it into the database. I think it has to do with the TBL_MESSAGES part... Here's the new code if you can help:

      <?
      include("include/session.php");
      
      $q = "INSERT INTO ".TBL_MESSAGES." VALUES (".$_POST['to'].", ".$session->username.", ".$_POST['message'].")";
      return $database->query($q);
      ?>

        Oh also there were a few other errors after I fixed the one you helped me with so it is slightly changed.

          Danny247 wrote:

          I'm not worried about SQL injection attacks as this is for a personal site accessible to only my friends (who are computer MORONS).

          It's not a matter of whether or not it's a personal website. Not securing your queries against SQL injection attacks is wrong for at least two reasons:

          1. It's a horrible/dangerous coding practice. Even if you don't think it's needed, why do something the wrong way?

          2. Protecting yourself against SQL injection attacks will also prevent SQL error messages, since the user-supplied data can't break your SQL query. For example, in your code above, any message that contains an apostrophe or line break will cause SQL errors.

          As for your SQL problems, you should be examining the SQL error message any time you're having problems. One problem I can see is that you lost the single quotes around the string data in the query that you had previously. String data must be quoted in SQL queries just as it must be in PHP code.

            It didn't give me a SQL error message...

              Danny247 wrote:

              It didn't give me a SQL error message...

              Well no, it probably wouldn't - you never tried to check for an error and output the SQL error message (something the $database object can do, I would hope).

                You're not getting an error for two reasons. Firstly, you need to follow your mysql_query() with an or die(mysql_error()); this is what displays the error. And secondly, there is no technical error in the query. The error is that you forgot to quote the strings in your query.

                $q = "INSERT INTO ".TBL_MESSAGES." VALUES ('".$_POST['to']."', '".$session->username."', '".$_POST['message']."')";

                See the single quotes wrapped around the ".$_POST['whatever']."?
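The three fixes raised in this thread (curly-brace interpolation so the string parses, quoting and escaping each string value, and actually checking for a database error instead of assuming there was none), collected into one added example. This code is not from any poster in the thread. It uses mysqli in place of the old mysql_* functions the thread uses, so `$conn->real_escape_string()` stands in for mysql_real_escape_string() and `$stmt->error` for or die(mysql_error()). TBL_MESSAGES is redefined here as a placeholder, the table is assumed to have exactly three string columns in the order the thread's query uses, and the prepared-statement version is a swapped-in alternative that the thread itself does not mention.

```php
<?php
// Added example (not from the thread). Assumes a mysqli connection and a table
// with three string columns in the order (to, username, message).
define('TBL_MESSAGES', 'messages'); // placeholder for the constant from include/session.php

// 1. The thread's original query, rewritten with PHP's "complex" (curly-brace)
//    syntax so that "$_POST['to']" no longer causes a parse error.
//    It is still unsafe: user data is pasted straight into the SQL text.
function buildNaiveQuery(array $post, string $username): string
{
    return "INSERT INTO " . TBL_MESSAGES . " VALUES ('{$post['to']}', '$username', '{$post['message']}')";
}

// 2. The same query with every value escaped (the approach the thread recommends,
//    via the mysqli equivalent of mysql_real_escape_string). Note that the single
//    quotes around each value are still required in the SQL text; escaping does
//    not add them.
function buildEscapedQuery(mysqli $conn, array $post, string $username): string
{
    $to  = $conn->real_escape_string($post['to']);
    $usr = $conn->real_escape_string($username);
    $msg = $conn->real_escape_string($post['message']);
    return "INSERT INTO " . TBL_MESSAGES . " VALUES ('$to', '$usr', '$msg')";
}

// 3. Prepared statement: the values never become part of the SQL text, so the
//    driver handles quoting and escaping, and an apostrophe or newline in the
//    message cannot change the query. Errors are raised instead of being
//    silently dropped, which is the "check for an error" point from the thread.
function insertMessage(mysqli $conn, array $post, string $username): bool
{
    $sql  = "INSERT INTO " . TBL_MESSAGES . " VALUES (?, ?, ?)";
    $stmt = $conn->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException("prepare failed: " . $conn->error);
    }
    // bind_param takes its arguments by reference, so copy into plain variables.
    $to  = $post['to'];
    $msg = $post['message'];
    $stmt->bind_param('sss', $to, $username, $msg);
    if (!$stmt->execute()) {
        $err = $stmt->error;
        $stmt->close();
        throw new RuntimeException("execute failed: $err");
    }
    $stmt->close();
    return true;
}

// Offline demonstration with constructed input; no database is needed for this
// part. A message containing an apostrophe turns the naive query into invalid
// SQL, which is exactly the silent failure the thread is chasing.
$post = ['to' => 'alice', 'message' => "Don't forget the meeting"];
echo buildNaiveQuery($post, 'danny'), "\n";
// INSERT INTO messages VALUES ('alice', 'danny', 'Don't forget the meeting')
//                                                     ^ the string literal ends here

// With a live connection (placeholder credentials), the safe path would be:
// mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
// $conn = new mysqli('localhost', 'DB_USER', 'DB_PASS', 'DB_NAME');
// insertMessage($conn, $_POST, $session->username);
```

Running the file as-is only prints the broken naive query, so you can see the apostrophe terminate the string literal without touching a database. With a connection, `insertMessage()` either inserts the row or throws with the server's own error text, which is the information the thread says was missing when the insert silently did nothing.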
