Nested if and while statments?

move3rd

I'm getting a parse error when I run the script below:

Parse error: parse error in /home/junglej/public_html/artists/post_login.php on line 47

<?php 
// start the session 
session_start(); 
header("Cache-control: private"); //IE 6 Fix 

// Get the user's input from the form 
   $name = $_POST['username']; 
   $pass = $_POST['password']; 

// Register session key with the value 
 $_SESSION['username'] = $name; 

// Set variables
   $try_again = "Incorrect \"username\" or \"password\"";
   $members_area = "members_area.php";

include "db.php";

$sql = "SELECT * FROM `users` WHERE `user` = '$name'";

$result = mysql_query($sql);

if (!$result) {
   echo "Could not successfully run query ($sql) from DB: " . mysql_error();
   exit;
}

if (mysql_num_rows($result) == 0) {
   echo "<h4 align=center>$try_again</h4>";
   exit;
}

while ($row = mysql_fetch_array($result)){
extract($row);

 ?>
<?

if (!isset($_POST['submit'])) 
{ 
    echo "<h4 align=center>There is a problem 1234</h4>";
} 
  //check if username and passwords are correct 
  else { 
   if ($name == $user && $pass == $password)
       include ($members_area);   

      }      

//This is line 48
   //wrong username and password 
   else { 
    echo "<h4 align=center>$try_again</h4>"; 
   } 
}


mysql_free_result($result);
?>

I think the problem is related to the nested if and while statments though I'm having trouble finding the problem.

Thanks

psikic

There is no closing curly brace on the while statement:

while ($row = mysql_fetch_array($result)) {
  extract($row);
}

Psikic

move3rd

Thanks

I noticed I also had a couple closing curly braces at the end that where not needed.

I'm now getting a parse error at line 49.

<?php 
// start the session 
session_start(); 
header("Cache-control: private"); //IE 6 Fix 

// Get the user's input from the form 
   $name = $_POST['username']; 
   $pass = $_POST['password']; 

// Register session key with the value 
 $_SESSION['username'] = $name; 

// Set variables
   $try_again = "Incorrect \"username\" or \"password\"";
   $members_area = "members_area.php";

include "db.php";

$sql = "SELECT * FROM `users` WHERE `user` = '$name'";

$result = mysql_query($sql);

if (!$result) {
   echo "Could not successfully run query ($sql) from DB: " . mysql_error();
   exit;
              }

if (mysql_num_rows($result) == 0) {
   echo "<h4 align=center>$try_again</h4>";
   exit;
                                  }

while ($row = mysql_fetch_array($result)){
extract($row);
                                         }
 ?>
<?

if (!isset($_POST['submit'])) 
{ 
    echo "<h4 align=center>There is a problem 1234</h4>";
} 
  //check if username and passwords are correct 
  else { 
   if ($name == $user && $pass == $password)
       include($members_area); 
       }      

   //wrong username and password 
   else { 
    //This is line 50
echo "<h4 align=center>$try_again</h4>"; 
        } 



mysql_free_result($result);
?>

psikic

The if statement around line 45 is missing an open curly bracket {

Psikic

move3rd

Thanks allot Psikic!

There was also a problem with the the $password variable in the if statment I'm using to check if the inputed password matches the password in my db. (the db colum name is PASSWORD not password) This is what I ended up with:

<?php 
// start the session 
session_start(); 
header("Cache-control: private"); //IE 6 Fix 

// Get the user's input from the form 
   $name = $_POST['username']; 
   $pass = $_POST['password']; 

// Register session key with the value 
 $_SESSION['username'] = $name; 

// Set variables
   $try_again = "Incorrect \"username\" or \"password\"";
   $members_area = "members_area.php";

include "db.php";

$sql = "SELECT * FROM `users` WHERE `user` = '$name'";

$result = mysql_query($sql);

if (!$result) {
   echo "Could not successfully run query ($sql) from DB: " . mysql_error();
   exit;
              }

if (mysql_num_rows($result) == 0) {
   echo "<h4 align=center>$try_again</h4>";
   exit;
                                  }

while ($row = mysql_fetch_array($result)){
extract($row);
                                         }
 ?>
<?

if (!isset($_POST['submit'])) 
{ 
    echo "<h4 align=center>There is a problem 1</h4>";
} 
  //check if username and passwords are correct 
  else { 
   if ($name == $user && $pass == $PASSWORD){
       include($members_area); 
       }      

   //wrong username and password 
   else { 
    echo "<h4 align=center>There is a problem 2</h4>"; 
        } 
}


mysql_free_result($result);
?>

psikic

Glad I could help,

by the way, consider using md5() to encrypt passwors before storing them into the database, and checking passwords on login by using md5() as well.

Psikic

pseudonym

Id also change:

$sql = "SELECT * FROM `users` WHERE `user` = '$name'";

To:

$sql = "SELECT DISTINCT * FROM `users` WHERE `user` = '$name'";

Also, you haven't escaped the $name variable. Are you using magic_quotes_gpc = 'On' in your php.ini??

Id suggest checking for magic quotes and then escaping the $user var 🙂

move3rd

Could you explain how and why I should do thay?

pseudonym

Ok... example ...

If magic_quotes are not on and your user logging in has a nick of:

Bert's Store

$sql = "SELECT DISTINCT * FROM `users` WHERE `user` = '$name'";

.. would be read as ...

$sql = "SELECT DISTINCT * FROM `users` WHERE `user` = 'Bert'";

See how the statement terminates?? That because of the paranthesis.

So if it's escaped (either by using the addslashes() function, mysql_escape_string() or having magic_quotes_gpc='On' in your php.ini ...

$sql = "SELECT DISTINCT * FROM `users` WHERE `user` = 'Bert\'s Store'";

See the \ ?? EDIT:.. no you won't because Vbulletin sucks. But.. it's there trust me..

That's escaped the extra ' that would cut off the statement.

There is alot more to this than just that however. So perhaps I can turn your attention to:

http://www.zend.com/zend/tut/using-strings.php

http://uk.php.net/get-magic-quotes-gpc

http://uk.php.net/addslashes

http://uk.php.net/manual/en/function.stripslashes.php