Parse error: syntax error, unexpected T_VARIABLE

dami

Could someone please tell me what is wrong with my code as I have taken a look at it several times and i don't know why it's giving me this error

<?php
ob_start();
$host="localhost"; // Host name
$username="user"; // Mysql username
$password="pass"; // Mysql password
$db_name="pa"; // Database name
$tbl_name="user"; // Table name
 // Get info from the session

// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

// Define $myusername and $mypassword and $myusertype
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];
$myusertype=$_POST['myusertype'];


//$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and //password='$mypassword'";
//$result=mysql_query($sql);


$sql=("SELECT user_type FROM $tbl_name WHERE username='$myusername' and password='$mypassword' and user_type ='$myusertype'");

//$result2=mysql_query($sql);


// Mysql_num_row is counting table row
$count=mysql_num_rows($result2);
// If result matched $myusername and $mypassword, table row must be 1 row

if($count==1 ){
Register $myusername, $mypassword and redirect to file "login_success.php"
session_register("myusername");
session_register("mypassword");
session_register("myusertype");
header("location:login_success.php");
}
else {
echo "Wrong Username or Password";
}

//ob_end_flush();
?>

thank you

this is the error message
Parse error: syntax error, unexpected T_VARIABLE in C:\xampp\htdocs\capat\checklogin.php on line 34

NogDog

Looks like that line should be a comment, but it's missing the starting "//".

jeremyphphaven

Problem -

if($count==1 ){
Register $myusername, $mypassword and redirect to file "login_success.php"
session_register("myusername");

should be

if($count==1 ){
// Register $myusername, $mypassword and redirect to file "login_success.php"
session_register("myusername");

ALSO Is this an include file? Is that why you put an buffer start without end?
ob_start(); on line two is what I'm referring to.

NogDog

jeremyphphaven wrote:
...
ALSO Is this an include file? Is that why you put an buffer start without end?
ob_start(); on line two is what I'm referring to.

Not really an issue, since the buffer is automatically output at the end of the script if it hasn't been specifically cleared before then.

jeremyphphaven

NogDog wrote:
Not really an issue, since the buffer is automatically output at the end of the script if it hasn't been specifically cleared before then.

Right, remember, we're in a NEWBIE forum... I'm partaking in the excercise of letting whomever know it's not necessary.

scross

Two quick suggestions:

Indent your code. This will make it much easier to read and understand, and you'll find errors with much greater ease. If you wrote the code up as an example or the indentation of the code was lost when you copied, and you normally do indent your code, then good job.
Change:

header("location:login_success.php");

to:

header("Location: login_success.php");

The reason for changing it in this way is that some browsers (the truly rubbish 🙂 ) may not recognise the location header in lowercase, plus the extra space after the colon is part of the standard HTTP header format and so should not be omitted.

laserlight

If you really want to follow HTTP/1.1, the URL should be an absolute URL. Oh, and it is good practice to have an exit or a die after a location header is sent.

scross

laserlight wrote:
If you really want to follow HTTP/1.1, the URL should be an absolute URL. Oh, and it is good practice to have an exit or a die after a location header is sent.

Yeah, that's very true. You can use information from the $_SERVER array to generate the absolute URL.

I'd also like to point out that the original code is vulnerable to SQL injection attacks. Take a look at this code extract:

// Define $myusername and $mypassword and $myusertype 
$myusername=$_POST['myusername']; 
$mypassword=$_POST['mypassword']; 
$myusertype=$_POST['myusertype']; 

$sql=("SELECT user_type FROM $tbl_name WHERE username='$myusername' and password='$mypassword' and user_type ='$myusertype'"); 

//$result2=mysql_query($sql);

Here the data is obtained from $_POST, placed into variables and then immediately inserted into the SQL statement. There's a good description of SQL injection here: http://www.acunetix.com/websitesecurity/sql-injection.htm

Oh, and since we're all tied up on coding standards, I'd like to point out that this code will generate NOTICE errors if the relevant data is not provided via POST:

$myusername=$_POST['myusername']; 
$mypassword=$_POST['mypassword']; 
$myusertype=$_POST['myusertype'];

An improved version could use the ternary conditional operator (described on my own website: http://www.scross.co.uk/tips/59/ ), like so:

$myusername=isset($_POST['myusername']) ? $_POST['myusername'] : ''; 
$mypassword=isset($_POST['mypassword']) ? $_POST['mypassword'] : ''; 
$myusertype=isset($_POST['myusertype']) ? $_POST['myusertype'] : '';

You should probably use this whenever you're obtaining data from any of the superglobals ($POST, $GET, $_SESSION etc.).

jeremyphphaven

scross wrote:
I'd also like to point out that the original code is vulnerable to SQL injection attacks....

Dami, what's your website again??? 😃

LOL, just kidding!!!