我看不到我的错误来自哪里,我已经检查了分号,看不到任何缺失。我是php的新手,非常感谢您的帮助。实际错误如下:
解析错误:语法错误,意外T_VARIABLE in/home/sam/public_html/query.php第54行
下面是第54行:
$sql = "UPDATE Users SET Datecreated='".$date."' WHERE Username='".$usernamec."'";
这是完整的代码:
<?php session_start();
include 'connect.php';
echo "Hello World!";
echo '$_SESSION[page]';
$_SESSION['loggedon']=12345;
$username=$_POST['username'];
$password=$_POST['password'];
$sql = "SELECT * FROM 'Users' WHERE 'Username'='".$username."'";
$result = @mysql_query( $sql );
while ($row= @mysql_fetch_assoc($result))
{
if (($username=$row['Username'])&&($password=$row['Password']))
{
$_SESSION['loggedon']=$row['AccessLevel'];
$_SESSION['userid']=$row['UserID'];}}
if ($_SESSION['loggedon']==12345)
{
$sql = "SELECT * FROM 'RedundantUsers' WHERE 'Username'='".$username."'";
$result = @mysql_query( $sql );
while ($row= @mysql_fetch_assoc($result))
{
$_SESSION['loggedon']=$row['AccessLevel'];
$_SESSION['userid']=$row['UserID'];
$userid =$row['UserID'];
$forename =$row['Forename'];
$surname =$row['Surname'];
$email =$row['Email'];
$usernamec =$row['Username'];
$access =$row['AccessLevel'];
$sql = "INSERT INTO 'Users' ('UserID', 'Forename', 'Surname', 'Email', 'Username', 'AccessLevel')
VALUES ('$userid', '$forename', '$surname', '$email', '$usernamec', '$access')";
if (!@mysql_query($sql))
{
die('Error: ' . mysql_error());
}
$sql = "DELETE * FROM 'RedundantUsers' WHERE 'Username'='".$usernamec."'"; }}
date_default_timezone_set('UTC');
$date = date("Y-m-d H:i:s");
$sql = "UPDATE 'Users' SET 'Datecreated'='".$date."' WHERE 'Username'='".$usernamec."'";
if (!@mysql_query($sql))
{
die('Error: ' . mysql_error());
}
echo $_SESSION['loggedon'];
header('Location: /'.$_SESSION['page']);
?>
如果有帮助的话,这里是connect.php:
<?php
$dbhost = '*****';
$dbuser = '*****';
$dbpass = '*****';
$conn = @mysql_connect($dbhost, $dbuser, $dbpass) or die ('Error connecting to local MySQL')
$dbname = '******';
@mysql_select_db($dbname);
?>
第54行(错误发生的地方)
改变 echo $_SESSION[loggedon];
echo $_SESSION['loggedon'];
意味着您忘记在会话值中包含'。除非该值是一个已定义的常量,否则应该始终包含单引号。
<?php session_start();
include 'connect.php';
echo "Hello World!";
echo $_SESSION['page'];
$_SESSION['loggedon']=12345;
$username=$_POST['username'];
$password=$_POST['password'];
$sql = "SELECT * FROM Users WHERE Username='".$username."'";
$result = mysql_query($sql) or die(mysql_error());
while ($row= mysql_fetch_array($result))
{
if (($username=$row['Username'])&&($password=$row['Password']))
{
$_SESSION['loggedon']=$row['AccessLevel'];
$_SESSION['userid']=$row['UserID'];}}
if ($_SESSION['loggedon']==12345)
{
$sql = "SELECT * FROM RedundantUsers WHERE Username='".$username."'";
$result = mysql_query($sql);
while ($row= mysql_fetch_array($result))
{
$_SESSION['loggedon']=$row['AccessLevel'];
$_SESSION['userid']=$row['UserID'];
$userid =$row['UserID'];
$forename =$row['Forename'];
$surname =$row['Surname'];
$email =$row['Email'];
$usernamec =$row['Username'];
$access =$row['AccessLevel'];
$sql = "INSERT INTO Users (UserID, Forename, Surname, Email, Username, AccessLevel)
VALUES ('$userid', '$forename', '$surname', '$email', '$usernamec', '$access')";
if (!mysql_query($sql))
{
die('Error: ' . mysql_error());
}
$sql = "DELETE * FROM RedundantUsers WHERE Username='".$usernamec."'"; }}
date_default_timezone_set('UTC');
$date = date("Y-m-d H:i:s");
global $usernamec;
$sql = "UPDATE Users SET Datecreated='".$date."' WHERE Username='".$usernamec."'";
if (!@mysql_query($sql))
{
die('Error: ' . mysql_error());
}
echo $_SESSION[loggedon];
header('Location: /'.$_SESSION[page]);
?>
这里有几个明显的问题:
- 你正在使用
mysql_*方法,你应该使用MySQLi代替。 - 你不能确保你的SQL查询中包含的字符串是经过消毒的,因此打开你自己的SQL注入。
- 数组的键应该是字符串,这意味着把它们放在单引号里。
- 从
mysql_fetch_array切换到mysql_fetch_assoc将返回一半的数据量,但仍然工作相同-无需无故增加内存使用。 - 使用反引号(')来表示您的表和列名,这有助于保持SQL整洁,但也避免了与保留字等的任何潜在冲突。
所以最终像:
$row[UserID];
应该变成:
$row['UserID'];
同样适用于在代码中使用$_SESSION, $_POST或其他数组的地方。
另外,一定要看一下这个关于mysql的教程,特别是关于转义字符串的部分!
编辑:
你在if语句中使用声明,而不是比较:
if (($username=$row[Username])&&($password=$row[Password]))
应该是:
if (($username==$row[Username])&&($password==$row[Password]))
仔细检查你所有的if语句