-2

Not really sure where I went wrong. I'm trying to create a forum and I keep receiving this error message.

"Parse error: syntax error, unexpected '[', expecting identifier (T_STRING) or variable (T_VARIABLE) or '{' or '$' in C:\xampp\htdocs\project\includes\User.php on line 17"

What I have so far:

User.php page:

<?php
class User {
private $user;
private $con;

public function __construct($con, $user){
    $this->con = $con;
    $user_details_query = mysqli_query($con, "SELECT * FROM users WHERE user_name='$user'");
    $this->user = mysqli_fetch_array($user_details_query);
}

public function getUsername() {
    return $this->user['user_name'];
}

public function getNumPosts() {
    $username = $this->['user_name'];
    $query = mysqli_query($this->con, "SELECT num_posts FROM users WHERE user_name='$username'");
    $row = mysqli_fetch_array($query);
    return $row['num_posts'];
}

}

?>

Post.php page:

<?php
class Post {
private $user_obj;
private $con;

public function __construct($con, $user){
    $this->con = $con;
    $this->user_obj = new User($con, $user);
}

public function submitPost($topic, $title, $body, $user_to){
    $topic = strip_tags($title);
    $topic = mysqli_real_escape_string($this->con, $title);
    $title = strip_tags($title);
    $title = mysqli_real_escape_string($this->con, $title);
    $body = strip_tags($body);
    $body = mysqli_real_escape_string($this->con, $body);
    $check_empty = preg_replace('/\s+/', '', $body, $title);

    if(isset($_POST['postbtn'])){
        $title = $_POST['post_title'];
        $body = $_POST['post_text'];
        $topic = $_POST['topic'];
    }

    if($check_empty != "") {


        $date_added = date("Y-m-d H:i:s");

        $added_by = $this->user_obj->getUsername();


        if($user_to == $added_by) {
            $user_to = "none";
        }


        $query = mysqli_query($this->con, "INSERT INTO posts (post_id, topic_id, post_title, post_body, added_by, user_to, date_added, user_closed, deleted, likes) VALUES('', '$topic', '$title', '$body', '$added_by', '$user_to', '$date_added', 'no', 'no', '0')");
        $returned_id = mysqli_insert_id($this->con);


        $num_posts = $this->user_obj->getNumPosts();
        $num_posts++;
        $update_query = mysqli_query($this->con, "UPDATE users SET num_posts='$num_posts' WHERE user_name='$added_by'");
    }
}

}

?>
crumb on the floor
  • 21
  • 7
  • `$this->['user_name'];` is not proper syntax. – aynber Mar 04 '19 at 19:14
  • **Warning:** You are wide open to [SQL Injections](http://php.net/manual/en/security.database.sql-injection.php) and should really use parameterized **prepared statements** instead of manually building your queries. They are provided by [PDO](http://php.net/manual/en/pdo.prepared-statements.php) or by [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Never trust any kind of input, especially that which comes from the client side. Even when your queries are executed only by trusted users, [you are still in risk of corrupting your data](http://bobby-tables.com/). – Dharman Mar 04 '19 at 19:16
  • `$this->['user_name'];` was meant to be `$this->user['user_name'];` – Dharman Mar 04 '19 at 19:17

1 Answers1

0

First of all, as stated in the comments, you should use prepared statements. You are open to SQL injections.

Secondly, for the error you are receiving, In your class You are setting your $user variable as the resulting array from your query. To access that array you you should do something similar in your getNumPosts() function:

$usernamearray = $this->user;
$username = $usernamearray['user_name'];
Kevin
  • 22
  • 4