
HarryWorksInc

macrumors regular
Original poster
Feb 21, 2010
I am working on a website in which the user can set their own status. I am trying to load a web page from a mobile device to set the user status. This is my code:
PHP:
$sql=mysql_query("UPDATE Character_Stats SET Status = '$_GET['status']' WHERE Username = '$_GET['username']' AND Location = '$_GET['location']', Coins = '$_GET['coins']'");

But it doesn't seem to be working. I get this error:
HTML:
Parse error: syntax error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_STRING in /home/harrywo2/public_html/SNACPF/UpdateStatus.php on line 14

Line 14 is the mysql_query I posted above.
 
Remove the single quotes around the $_GET arguments. That is,
PHP:
$sql=mysql_query("UPDATE Character_Stats SET Status = '$_GET[status]' WHERE Username = '$_GET[username]' AND Location = '$_GET[location]', Coins = '$_GET[coins]'");
 
It's pretty unsafe to upload/update anything using raw $_GET. I could simply change the URL and upload/update any information to your site. Very very easy to hack!
 
That query is very, very susceptible to SQL injection.

Put those GETs into variables and run mysql_real_escape_string on them at the least.
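An added example, not part of the thread: the same update written with PDO bound parameters, which is the stronger form of the escaping advice above (the mysql_* functions used in the thread were removed in PHP 7.0). It assumes an in-memory SQLite table standing in for the MySQL Character_Stats table, constructed rows and inputs in place of $_GET, a hypothetical updateStatus() helper, and that only Status is being changed, since the role of Coins in the posted query is unclear.

```php
<?php
// Constructed in-memory table standing in for the thread's Character_Stats.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE Character_Stats (Username TEXT, Location TEXT, Status TEXT, Coins INTEGER)");
$pdo->exec("INSERT INTO Character_Stats VALUES ('alice', 'town', 'idle', 10), ('bob', 'town', 'idle', 20)");

/**
 * Hypothetical helper: update one user's status using bound parameters.
 * Returns the number of rows changed.
 */
function updateStatus(PDO $pdo, array $in): int
{
    // Require every field and reject non-string input such as ?status[]=x.
    foreach (['status', 'username', 'location'] as $key) {
        if (!isset($in[$key]) || !is_string($in[$key])) {
            throw new InvalidArgumentException("missing or invalid parameter: $key");
        }
    }
    if (strlen($in['status']) > 140) { // length limit is an assumed policy
        throw new InvalidArgumentException('status too long');
    }
    // The SQL text is fixed; request values travel separately as data.
    $stmt = $pdo->prepare(
        'UPDATE Character_Stats SET Status = :status
          WHERE Username = :username AND Location = :location'
    );
    $stmt->execute([
        ':status'   => $in['status'],
        ':username' => $in['username'],
        ':location' => $in['location'],
    ]);
    return $stmt->rowCount();
}

// Constructed inputs in place of $_GET: one ordinary, one carrying quote characters.
$normal  = ['status' => 'fishing', 'username' => 'alice', 'location' => 'town'];
$hostile = ['status' => 'x', 'username' => "alice' OR '1'='1", 'location' => 'town'];

// Quotes in a bound value are compared as part of the username string,
// so they cannot rewrite the WHERE clause.
echo 'rows changed (normal):  ', updateStatus($pdo, $normal), "\n";
echo 'rows changed (hostile): ', updateStatus($pdo, $hostile), "\n";
foreach ($pdo->query('SELECT Username, Status FROM Character_Stats') as $row) {
    echo $row['Username'], ': ', $row['Status'], "\n";
}
```

Binding parameters closes the injection hole only; the point raised earlier in the thread, that anyone can edit the URL, still requires taking the username from an authenticated session rather than from the request.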
 