unexpected T_LNUMBER?

[refuge]

I can't figure this out, I keep getting this error:

Parse error: syntax error, unexpected T_LNUMBER in /home/.zebediah/username/mysite.com/myDIR/install_db.php on line 58

Here's the php file(toned down)... Any ideas on what's wrong?(I got this php file with alot of errors, and I've been debugging it for while now, but I can't figure this one out)

I also highlighted line 58(it's not line 58 in this pasted version)

<?php echo "<?xml version=\"1.0\" encoding=\"iso-8859-1\"?".">"; ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Untitled Document</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
</head>

<body>
<form name="form1" id="form1" method="post" action="">
<p align="center">
<label>Install Password
<input type="password" name="textfield" />
</label>
</p>
<p align="center">
<label>
<input name="submit" type="submit" id=" submit" value="install" />
</label>
</p>
</form>
<p>&nbsp;</p>
</body>
</html>

<?php
include('const.php') or die('damn const.php file is missing, kicking you out of the install process;');

$link = @mysql_connect($dbhost, $dbuser, $dbpass) or die('cannot find the database, captain');
mysql_select_db($dbname) or die('cannot select the database');

//check the password

if ($installpwd == $textfield)
{

mysql_query('CREATE TABLE '.$clanForumdb.' (
num int(11) NOT NULL default '0',
name text NOT NULL,
PRIMARY KEY (num)
)') or die('can forum db error, install aborted');

All of the vars are set in that other php file... Does anyone know what's wrong?

[visualAd]

You need to escape the quotes in your string. There are however more important things you should be worrying about as your script has several security issues. I would strongly advise you do not publish it on the Internet until you have resolved these:

1. You are using register_globals (it makes variables from forms, the url and cookies global variables). First, do not use it as it is deprecated, second it is very easy to fall into the trap of writing code which can be exploited when it is on. Go to your php.ini and change the line register_globals=on to off.
   
   An attacker to use this to poison the data in your script if you leave it on.
   
2. Second you are not escaping variables which are to go into SQL queries. If you do not do this an attacker could inject SQL into those variables and reveal data from other tables or execute code on the server. Have a look at the mysql_escape_string function and ensure that any data from an external source passes through this function before it goes into an SQL query.

[penagate]

Also, look at using PDO (PHP 5) or MDB2 (PHP 4) or at the very least mysqli, all of which provide support for parameterised commands, which are vastly superior to escaping data.