Simple PHP Question I have

ugriffin

if ($result==$pass)
 {
 $_SESSION['username']=$username;
 ?>
<meta HTTP-EQUIV="REFRESH" content="10; url=vetragames.com/member/">
<?php
 }
 else
 {
 session_destroy();
  ?>
<meta HTTP-EQUIV="REFRESH" content="10; url=vetragames.com/loginfailed.html">
<?php
 }
?>

Note: This is just a portion of my code. I did initlialize the variables, start my PHP code and everything

The error I am getting is:

Parse error: syntax error, unexpected T_VARIABLE in /home/ugriffin/public_html/login.php on line 31

Which would be the beginning statement (the if statement)

Thanks in advance for your help.

laserlight

I suggest that you post the code a few lines before as well.

ugriffin

laserlight wrote:
I suggest that you post the code a few lines before as well.

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<?php session_start(); 
setcookie("Username",$_SESSION,time()+3600);?>
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type"><title>Logging in | Vetra Games</title>

<meta content="ugriffin" name="author">
</head><body>
<big style="font-family: Arial; color: rgb(153, 153, 153);"><img style="width: 548px; height: 100px;" alt="Vetra Games" src="http://vetragames.com/data/banner.png"><br>
<br>
<big><big>Vetra Online System<br>
<small><small>_____________________________</small></small><br>
</big></big>&nbsp;Looks like you tried to login as:</big>&nbsp;
<?php echo $_POST["username"]; ?><br>
<big><br>
<span style="color: rgb(153, 153, 153); font-family: Arial;">Please
wait while we verify the information...</span></big><br>
<?php $con = mysql_connect("?????","?????","???");
if (!$con)
{
die('Vetra Online Connection Failiure! Redirecting in 10 seconds!' . mysql_error());
session_destroy();
?>
<meta HTTP-EQUIV="REFRESH" content="10; url=vetragames.com">
<?php
}
// some code
mysql_select_db("ugriffin_vetrasql", $con);
$username= $_POST["username"]
$pass=$_POST["password"]
$result = mysql_query("SELECT "Password" FROM $username");
if ($result==$pass)
 {
 $_SESSION['username']=$username;
 ?>
<meta HTTP-EQUIV="REFRESH" content="10; url=vetragames.com/member/">
<?php
 }
 else
 {
 session_destroy();
  ?>
<meta HTTP-EQUIV="REFRESH" content="10; url=vetragames.com/loginfailed.html">
<?php
 }
?>
<meta http-equiv="REFRESH">
</body></html>

There you go.

bradgrafelman

The portion of code you originally showed us didn't include line 31. Here's lines 28-32:

// some code
mysql_select_db("ugriffin_vetrasql", $con);
$username= $_POST["username"]
$pass=$_POST["password"] // line 31
$result = mysql_query("SELECT "Password" FROM $username");

Note in that code there are 3 syntax errors:

Missing semicolon at the end of $username variable assignment.
Missing semicolon at the end of $pass assignment.
Unescaped double quotes in the query string.

In addition to those syntax errors, there's some overall problems with this section of the script:

[man]session_start/man must be called before any data is outputted, e.g. an HTML doctype.

What is the purpose of this:

setcookie("Username",$_SESSION,time()+3600);

???

If the $_POST variables don't exist (i.e. this page was reached directly without POST'ing a form), PHP error messages (E_NOTICE level) will be generated since you don't check that the variables exist (e.g. with [man]isset/man) before using them.
[man]mysql_query/man returns a resource to a MySQL query set. It does not return any data (e.g. a password from the table).
Your query, as it stands, suggest that you've created new tables for every single user who logs in to your site. I highly doubt you do this... you might want to visit the MySQL manual (link) to learn the syntax of a simple SELECT statement.
Your SQL query (once corrected) is vulnerable to SQL injection attacks. User-supplied data should never be placed directly into a SQL query. Instead, it should first be sanitized with a function such as [man]mysql_real_escape_string/man.
A simple "SELECT * FROM foo" is definitely not the way to go about a login query. Try something like:
```
$query = sprintf("SELECT 1 FROM userTable WHERE username='%s' AND pass='%s' LIMIT 1",
		mysql_real_escape_string($user),
		mysql_real_escape_string($pass));
```
Note that I used [man]sprintf/man simply because I find it helps keep the code neater when constructing SQL queries. You could do a simple concatenation if you prefer.

Once you perform a query like that, you'd simply check if a row was returned (user credentials matched a row in the table) or not (no row found = invalid credentials), e.g. by using [man]mysql_num_rows/man. Simple example:
```
$exec = mysql_query($query);

if(mysql_num_rows($exec)) {
    // row found - valid login!
} else {
    // no rows found - invalid login!
}
```
Note that this assumes (as you've shown in the present situation) that you don't actually need to retrieve any data from the database - you're simply performing a valid/invalid authentication check.

JVassie

This is a function i call at all of the pages that need a login before being allowed to be viewed.

function checkLogin(){
   /* Check if user has been remembered */
   if(isset($_COOKIE['cookname']) && isset($_COOKIE['cookpass'])){
      $_SESSION['username'] = $_COOKIE['cookname'];
      $_SESSION['password'] = $_COOKIE['cookpass'];
   }

   /* Username and password have been set */
   if(isset($_SESSION['username']) && isset($_SESSION['password'])){
      /* Confirm that username and password are valid */
      if(confirmUser($_SESSION['username'], $_SESSION['password']) != 0){
         /* Variables are incorrect, user not logged in */
         unset($_SESSION['username']);
         unset($_SESSION['password']);
         return false;
      }
      return true;
   }
   /* User not logged in */
   else{
      return false;
   }
}

And this is a function i use to check that the user/password combo is legit:

function confirmUser($username, $password){
   global $conn;
   /* Add slashes if necessary (for query) */
   if(!get_magic_quotes_gpc()) {
	$username = addslashes($username);
   }

   /* Verify that user is in database */
   $q = "select password from users where username = '$username'";
   $result = mysql_query($q,$conn);
   if(!$result || (mysql_numrows($result) < 1)){
      return 1; //Indicates username failure
   }

   /* Retrieve password from result, strip slashes */
   $dbarray = mysql_fetch_array($result);
   $dbarray['password']  = stripslashes($dbarray['password']);
   $password = stripslashes($password);

   /* Validate that password is correct */
   if($password == $dbarray['password']){
      return 0; //Success! Username and password confirmed
   }
   else{
      return 2; //Indicates password failure
   }
}

Perhaps those functions might be of some use in an edited form? 🙂

bradgrafelman

Note that [man]addslashes/man shouldn't be used to prepare data for a SQL query, passwords shouldn't be stored in cookies, and [man]stripslashes/man should never be performed on data retrieved from a database (if it's necessary, then you've got major problems on your INSERT'ing end).