
COMPLETE FORM BEFORE DOWNLOAD


justinternet


Hi everyone, I'm having a syntax error as follows, any help would be much appreciated:

PROJECT

To require a user to complete a form before being allowed to download a pdf file. (I have added line numbers for convenience)

CODE

1. <?php /*download.php*/
2. If (!$_POST['file']='example.pdf') {
3.
4. /* CONNECT TO SQL DATABASE*/
5. $con=mysql_connect("mydatabase","myusername","mypassword");
6. if (!$con) { die('Could not connect: '.mysql_error()); }
7.
8. mysql_select_db("mytable", $con);
9.
10.
11. /* INSERT INFORMATION INTO SQL DATABASE*/
12. $sql = "INSERT INTO mytable (firstname, lastname, company, email, telephone, file) VALUES ('$_POST['firstname']', '$_POST['lastname']', '$_POST['company']', '$_POST['email']', '$_POST['telephone']', '$_POST['file'])";
13.
14.
15.
16. $path='http://mysecurefolder/'; //full path outside the root to downloadable files
17.
18. header("Content-disposition: attachment; filename=['file']");
19. header('Content-type: application/pdf;');
20. readfile($path['file']); }
21.
22. /* PRINT FORM ON SCREEN FOR USER TO FILL OUT */
23. else {echo '<form action="'.$_SERVER['php_self'].'" method="post">';
24. '<input name="file" type="hidden" value=".$file.">';
25. 'firstname ?<input name="firstname" type="text"><br>';
26. 'lastname ?<input name="lastname" type="text"><br>';
27. 'company ?<input name="company" type="text"><br>';
28. 'email ?<input name="email" type="text"><br>';
29. 'telephone ?<input name="telephone" type="text"><br>';
30. '<input name="go" type="submit" Value="Download File"></form>'; }
31. ?>

ERROR MESSAGE

Parse error: syntax error, unexpected '' (T_ENCAPSED_AND_WHITESPACE), expecting identifier (T_STRING) or variable (T_VARIABLE) or number (T_NUM_STRING) in /mydirectory/download.php on line 12


Your initial "If" has a capital I. In PHP, commands are case sensitive.

 

Are you sure you want to use an assignment operator in this condition?

If (!$_POST['file']='example.pdf') {

What you're doing is setting the value of $_POST['file'] to "example.pdf" and then essentially passing false to the if statement so that the code inside of it will never execute.

 

 

Your code seems incomplete, you have an SQL string but you're not actually sending it to the MySQL engine, it's just stored in a variable. I'd also check to make sure that the $sql string has what you expected it to. I'm not sure if associative array value can be accessed that way inside a string.

 

The echo statement at the end of your code will only print out the first line. The rest of them are just strings that you're not operating with. You need an echo on each of the lines.

 

Finally, I would suggest moving on from mysql and using either mysqli or PDO. The mysql library is deprecated because it is insecure.


The error is because of how you're trying to put the values from $_POST into the query string. The correct syntax would look like this:

$sql = "INSERT INTO mytable (firstname, lastname, company, email, telephone, file) VALUES ('{$_POST['firstname']}',...

But you'll definitely want to replace that with a prepared statement in PDO or mysqli to avoid SQL injection attacks. Using things from $_GET, $_POST, etc. directly in a query is the #1 attack vector for websites. Using a prepared statement would solve that and also avoid the syntax error.
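The prepared-statement approach suggested in the last reply, as an added example that is not part of the original thread: the form values are bound as parameters instead of being interpolated into the SQL, and the requested file is checked against an allow-list before anything is served. It assumes PDO with the SQLite driver as an in-memory stand-in for the MySQL database; `record_download` and `ALLOWED_FILES` are hypothetical names, and the sample input is constructed.

```php
<?php
// Added example, not the original poster's code; names below are hypothetical.
const ALLOWED_FILES = ['example.pdf']; // only these may ever be requested

function record_download(PDO $pdo, array $post): string
{
    $row = [];
    foreach (['firstname', 'lastname', 'company', 'email', 'telephone', 'file'] as $f) {
        $value = $post[$f] ?? '';
        if (!is_string($value) || trim($value) === '') {
            throw new InvalidArgumentException("Missing field: $f");
        }
        $row[$f] = trim($value);
    }
    if (!in_array($row['file'], ALLOWED_FILES, true)) {
        throw new InvalidArgumentException('Unknown file');
    }
    // Named placeholders keep the submitted values out of the SQL text.
    $stmt = $pdo->prepare(
        'INSERT INTO mytable (firstname, lastname, company, email, telephone, file)
         VALUES (:firstname, :lastname, :company, :email, :telephone, :file)'
    );
    $stmt->execute($row);
    return $row['file']; // safe to pass on to the download step
}

// Constructed demo: in-memory SQLite stands in for the MySQL database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE mytable (firstname TEXT, lastname TEXT, company TEXT,
            email TEXT, telephone TEXT, file TEXT)');

$post = [ // constructed input; the quote would break an interpolated query
    'firstname' => 'Conan', 'lastname' => "O'Brien", 'company' => 'ACME',
    'email' => 'conan@example.com', 'telephone' => '555-0100', 'file' => 'example.pdf',
];
echo 'Would send: ', record_download($pdo, $post), "\n";
echo 'Stored lastname: ', $pdo->query('SELECT lastname FROM mytable')->fetchColumn(), "\n";

try {
    // A file name that is not on the allow-list is refused before any insert.
    record_download($pdo, ['file' => '../secret.pdf'] + $post);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}
```

For MySQL, only the DSN and credentials passed to `new PDO(...)` change; the prepared statement stays the same.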
