mysqlquery Parsing error

Beginners - Learning PHP
#1

[ul]ive been trying to get the sql query to work for a while now and Im pretty sure I need some help.
[php]<?php
$host=“localhost”; // Host name
$username=“root”; // Mysql username
$password=“password”; // Mysql password
$db_name=“CorviTesting”; // Database name
$tbl_name=“guestbook”; // Table name
$tbl_users=“users”;//table users

// Connect to server and select database.
mysql_connect("$host", “$username”, “$password”)or die(“cannot connect server “);
mysql_select_db(”$db_name”)or die(“cannot select DB”);

/Request session variable/
session_start();
echo "Username: “. $_SESSION[‘username’];
$sql= (“SELECT email FROM users WHERE username=’”.$_SESSION[‘username’].”’; ");
echo $sql;
$result= mysqlquery($sql);
echo "result= " ($result);
?>[/php][/ul]

I’m aiming to get it to return the email where the username is equal to the username of the person using that session.
when I echo the query and run it returns with the users email but i cant get the php to work with it.
the error message i’m getting is

[Tue Dec 18 12:09:49 2012] [error] [client 127.0.0.1] PHP Parse error: syntax error, unexpected ‘(’, expecting ‘,’ or ‘;’ in /var/www/CorviTestingVuln/CorviTesting/testemail.php on line 19

So it must be something to do with the variable $result.

#2

First of all you should be using PDO to prevent sql injection. In addition to that remove ‘;’ from within your sql query.

#3

You are putting parentheses around a string:

[php]$sql= (“SELECT email FROM users WHERE username=’”.$_SESSION[‘username’]."’; ");[/php]

Should be

[php]$sql= “SELECT email FROM users WHERE username=’”.$_SESSION[‘username’]."’";[/php]

Also, this function is invalid:

[php]$result= mysqlquery($sql);[/php]

Should be

[php]$result= mysql_query($sql);[/php]

#4

thanks m@tt & copper seed.
yeah sql injection is one of the things i want the site to be vulnerable to. Its part of a project i’m working on its gonna be hosted locally in a wm and compare the code between sites that are vulnerable and how to protect them.

ill try using a PDO at some point in the future i’m trying to show how to secure a database.

I wrote up a mock code but im not a machine with php on it atm so im just gonna save it and ill see how it goes at a later point.

#5

I just ran
[php]<?php
$host=“localhost”; // Host name
$username=“root”; // Mysql username
$password=“password”; // Mysql password
$db_name=“CorviTesting”; // Database name
$tbl_name=“guestbook”; // Table name
$tbl_users=“users”;//table users

// Connect to server and select database.
mysql_connect("$host", “$username”, “$password”)or die(“cannot connect server “);
mysql_select_db(”$db_name”)or die(“cannot select DB”);

/Request session variable/
session_start();

/Request session variable/
session_start();
echo "Username: ". $_SESSION[‘username’];

/Request session variable/
session_start();
echo “Username: “. $_SESSION[‘username’];
$sql= “SELECT email FROM users WHERE username=’”.$_SESSION[‘username’].”’”;
echo $sql;
$result= mysql_query($sql);
echo "result= " ($result);

[/php]

again it said error on line 26

[php]echo "result= " ($result);[/php]

[Wed Dec 19 10:25:54 2012] [error] [client 127.0.0.1] PHP Parse error: syntax error, unexpected ‘(’, expecting ‘,’ or ‘;’ in /var/www/CorviTestingVuln/CorviTesting/login_msgboard.php on line 26

?>

#6

Because this is a syntax error

[php]echo "result= " ($result);[/php]

I don’t know what you are trying to accomplish with parentheses around $result. You demonstrated earlier in the code that you understand string syntax so I’m confused. If you want to echo $result (which will only be a mysql resource # not the results of the query)

[php]echo "result= " . $result;[/php]

#7

sorry m@tt,

yeah I can see the way i did the syntax there was stupid as ive got it printing the sessions erlear in the code,
how would I get it to print the result of that query?

#8

Got it
Sorry for making so many posts.
[php]$result= mysql_query(“SELECT email FROM users WHERE username=’”.$_SESSION[‘username’]."’; ");
while ($row = mysql_fetch_array($result, MYSQL_ASSOC)) {
($emailr=$row[“email”]);
}
mysql_free_result($result)
?>[/php]

#9

Make as many posts as you need. :slight_smile: Sorry I am on vacation and wasn’t able to respond quickly.

Sponsor our Newsletter | Privacy Policy | Terms of Service