-2

Here is the error:

Parse error: syntax error, unexpected '' (T_ENCAPSED_AND_WHITESPACE), expecting identifier (T_STRING) or variable (T_VARIABLE) or number (T_NUM_STRING) in C:\xampp\htdocs\new-training-site\config\info.php on line 4;

Here is line 4:

```php
$link = mysql_query("SELECT * FROM users WHERE id='$_SESSION['MM_Username']' AND password='$_SESSION['MM_PASSWORD']'");
```
halfer
Leon Wright
  • 2
    How about: `$link = mysql_query("SELECT * FROM users WHERE id='" . $_SESSION['MM_Username'] . "' AND password='" . $_SESSION['MM_PASSWORD'] . "'");` Some clear concatenation? Does that do the trick for you? – Rizier123 Jan 04 '15 at 18:13
  • 2
    [**Please, don't use `mysql_*` functions in new code**](http://bit.ly/phpmsql). They are no longer maintained [and are officially deprecated](https://wiki.php.net/rfc/mysql_deprecation). See the [**pink box**](http://j.mp/Te9zIL)? Learn about [*prepared statements*](http://j.mp/T9hLWi) instead, and use [PDO](http://php.net/pdo) or [MySQLi](http://php.net/mysqli) - [this article](http://j.mp/QEx8IB) will help you decide which. If you choose PDO, [here is a good tutorial](http://j.mp/PoWehJ). You should also be aware that pasting variables into queries can open up for SQL injection. – h2ooooooo Jan 04 '15 at 18:14
  • Here is `line 4`: $link = mysql_query("SELECT * FROM users WHERE id='.$_SESSION['MM_Username'].' AND password='.$_SESSION['MM_PASSWORD'].'"); – Amit Verma Jan 04 '15 at 18:20
  • @AmitThakur I think you haven't figured out how concatenation works yet! – Rizier123 Jan 04 '15 at 18:23
  • Please use descriptive titles to help people help you. – pixeline Jan 04 '15 at 18:25
  • the one who mixes external data with SQL query in a single string should be taught the hard way – let4be May 27 '16 at 10:17

2 Answers

2
```php
$link = mysql_query("SELECT * FROM users WHERE id='{$_SESSION['MM_Username']}' AND password='{$_SESSION['MM_PASSWORD']}'");
```
quickshiftin
1

Try this one

```php
$link = mysql_query(sprintf(
    "SELECT * FROM users WHERE id='%s' AND password='%s'",
    mysql_real_escape_string($_SESSION['MM_Username']),
    mysql_real_escape_string($_SESSION['MM_PASSWORD'])
));
```

It will help you to avoid SQL injection. And please don't use mysql_ functions, as was mentioned in the comments.

Community
Ziumin
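
The prepared-statement approach recommended in the comments, applied to the question's query, as an added example that is not code from any poster on this page. It assumes PDO with an in-memory SQLite database standing in for the MySQL server; `findUser`, the table layout and the sample rows are hypothetical.

```php
<?php
// Added example: the query from the question as a PDO prepared statement.
// Assumptions: in-memory SQLite stands in for MySQL; the users table,
// its row and the session values below are constructed sample data.

function findUser(PDO $pdo, array $session): ?array
{
    // Placeholders keep the SQL text constant. The values are sent
    // separately, so $_SESSION is never interpolated into the string
    // and the quoting problem from the parse error cannot arise.
    $stmt = $pdo->prepare(
        'SELECT id FROM users WHERE id = :id AND password = :password'
    );
    $stmt->execute([
        ':id'       => $session['MM_Username'] ?? '',
        ':password' => $session['MM_PASSWORD'] ?? '',
    ]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$pdo = new PDO('sqlite::memory:');
// Throw exceptions on SQL errors instead of failing silently.
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id TEXT PRIMARY KEY, password TEXT)');
$pdo->exec("INSERT INTO users VALUES ('leon', 'constructed-secret')");

// Constructed session values: one that matches the stored row, and one
// whose id contains a quote character that would have changed the
// meaning of a concatenated query.
$cases = [
    'valid'  => ['MM_Username' => 'leon', 'MM_PASSWORD' => 'constructed-secret'],
    'quoted' => ['MM_Username' => "leon' --", 'MM_PASSWORD' => 'x'],
];

foreach ($cases as $label => $session) {
    $user = findUser($pdo, $session);
    // The quoted value is compared as a literal id, so it matches no row.
    printf("%-6s => %s\n", $label, $user ? "row for {$user['id']}" : 'no row');
}
```

Against MySQL, only the DSN and credentials passed to `new PDO(...)` change; the `prepare`/`execute` calls stay the same.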