Problems with PHP Login System

chrisj89

I am new to PHP and have beeing trying to create a Login function that links to a mysql database. I have tryed to incoperate security such as mysql injection protection and php's biult in encription for passwords. I am getting errors on most of my pages like:-

Parse error: syntax error, unexpected T_STRING, expecting ',' or ';' in /.automount/barra4/ug/home/cjt2v07/public_html/index.php on line 81

index.php:-

<?php
session_start();

//Login form (index.php)

include "Connect.php";
if(!$_POST['submit'])
{
?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Untitled Document</title>
<link href="Home.css" rel="stylesheet" type="text/css" /><!--[if IE 5]>
<style type="text/css"> 

.twoColFixLtHdr #sidebar1 { width: 230px; }
</style>
<![endif]--><!--[if IE]>
<style type="text/css"> 

.twoColFixLtHdr #sidebar1 { padding-top: 30px; }
.twoColFixLtHdr #mainContent { zoom: 1; }
</style>
<![endif]-->
</head>

<body class="twoColFixLtHdr">

<div id="container">
  <div id="header">
    <h1>Login</h1>
 </div>
  <div id="sidebar1">

<form method="post" action="index.php">
Username<input type="text" name="username" maxlength="16">
Password<input type="password" name="password" maxlength="16">
<input type="submit" name="submit" value="Login">
</form>
<a href="Register.php">Register Here</a>

</div>
  <div id="mainContent">
    <h1>The Security Hole</h1>
    <p>This website had been designed with many security problems.</p>
    <h2>Can You Get In Without Registering?</h2>
    <p>Lets see if you can get in with out registering.</p>
    <p>&nbsp;</p>
	</div>
	<br class="clearfloat" />
  <div id="footer">
    <p>Copyright Chris Taylor 2009 </p>
  <!-- end #footer --></div>
<!-- end #container --></div>
</body>
</html>

<?php
}
else
{
  $user = protect($_POST['username']);
  $pass = protect($_POST['password']);

if($user && $pass)
{
$pass = md5($pass); //compare the encrypted password
$sql="SELECT id,username FROM `users` WHERE `username`='$user' AND `password`='$pass'";
$query=mysql_query($sql) or die(mysql_error());

if(mysql_num_rows($query) == 1) ;
{
  $row = mysql_fetch_assoc($query); // mysql_fetch_assoc gets the value for each field in the row
  $_SESSION['id'] = $row['id']; //creates the first session var
  $_SESSION['username'] = $row['username']; // second session var

  echo "<script type="text/javascript">window.location="home.php"</script>";
}
else
   {
    echo "<script type="text/javascript"> ;
    alert("Username and password combination is incorrect!");
    window.location="index.php"</script>";
    }
}
else
{			
    echo "<script type="text/javascript">  ;
    alert("You need to gimme a username AND password!!");
    window.location="index.php"</script>";
}
}
?>

--
Parse error: syntax error, unexpected T_STRING, expecting ',' or ';' in /.automount/barra4/ug/home/cjt2v07/public_html/Home.php on line 11

Home.php:-

[CODE]<?php
session_start();
//home.php
if($_SESSION['id'])
{
echo "Welcome ",$_SESSION['username'] ;
echo " <a href="Logout.php">Logout</a>" ;
}
else
{
echo "You don't belong here!";
}
?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Untitled Document</title>
<link href="Home.css" rel="stylesheet" type="text/css" /><!--[if IE 5]>
<style type="text/css"> 
/* place css box model fixes for IE 5* in this conditional comment */
.twoColFixLtHdr #sidebar1 { width: 230px; }
</style>
<![endif]--><!--[if IE]>
<style type="text/css"> 
/* place css fixes for all versions of IE in this conditional comment */
.twoColFixLtHdr #sidebar1 { padding-top: 30px; }
.twoColFixLtHdr #mainContent { zoom: 1; }
/* the above proprietary zoom property gives IE the hasLayout it needs to avoid several bugs */
</style>
<![endif]-->
</head>

<body class="twoColFixLtHdr">

<div id="container">
  <div id="header">
    <h1>Security Testing</h1>
  <!-- end #header --></div>
  <div id="sidebar1">
</div>
  <div id="mainContent">
    <h1>The Security Hole</h1>
    <p>This website had been designed with many security problems.</p>
    <h2>Can You Get In Without Registering?</h2>
    <p>Lets see if you can get in with out registering.</p>
    <p>&nbsp;</p>
	<!-- end #mainContent --></div>
	<!-- This clearing element should immediately follow the #mainContent div in order to force the #container div to contain all child floats --><br class="clearfloat" />
  <div id="footer">
    <p>Copyright Chris Taylor 2009 </p>
  <!-- end #footer --></div>
<!-- end #container --></div>
</body>
</html>

Notice: Undefined index: submit in /.automount/barra4/ug/home/cjt2v07/public_html/Register.php on line 5

<?php
//Create registration form (register.php)
include "Connect.php";

if(!$_POST['submit']) // 'submit' hasn't been clicked so output html.
{
?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Untitled Document</title>
<link href="Home.css" rel="stylesheet" type="text/css" /><!--[if IE 5]>
<style type="text/css"> 
/* place css box model fixes for IE 5* in this conditional comment */
.twoColFixLtHdr #sidebar1 { width: 230px; }
</style>
<![endif]--><!--[if IE]>
<style type="text/css"> 
/* place css fixes for all versions of IE in this conditional comment */
.twoColFixLtHdr #sidebar1 { padding-top: 30px; }
.twoColFixLtHdr #mainContent { zoom: 1; }
/* the above proprietary zoom property gives IE the hasLayout it needs to avoid several bugs */
</style>
<![endif]-->
</head>

<body class="twoColFixLtHdr">

<div id="container">
  <div id="header">
    <h1>Security Testing</h1>
  <!-- end #header --></div>
  <div id="sidebar1">
    <form method="post" action="Register.php">
      <p>First Name:
        <input type="text" name="first">
        <br />
        Last Name:
<input type="text" name="last">
      Desired Username: <input type="text" name="username"></p>
   Password: 
     <input type="password" name="password"></p>
   Confirm Password: 
     <input type="password" name="pass_conf"></p>
     Email:
  <input type="text" name="email"></p>
   About: 
     <textarea name="about">Tell us about yourself</textarea>
   </p>
      </p>
<input type="submit" name="submit" value="Register">
   </p>
    </form>
or <a href="index.php">Login</a>

</div>
  <div id="mainContent">
    <h1>The Security Hole</h1>
    <p>This website had been designed with many security problems.</p>
    <h2>Can You Get In Without Registering?</h2>
    <p>Lets see if you can get in with out registering.</p>
    <p>&nbsp;</p>
	<!-- end #mainContent --></div>
	<!-- This clearing element should immediately follow the #mainContent div in order to force the #container div to contain all child floats --><br class="clearfloat" />
  <div id="footer">
    <p>Copyright Chris Taylor 2009 </p>
  <!-- end #footer --></div>
<!-- end #container --></div>
</body>
</html>
<?php
}
else
{
$first = protect($_POST['first']);
$last = protect($_POST['last']);
$username = protect($_POST['username']);
$password = protect($_POST['password']);
$pass_conf = protect($_POST['pass_conf']);
$email = protect($_POST['email']);
$about = protect($_POST['about']);
$errors = array();
$regex = "/^[a-z0-9]+([_.-][a-z0-9]+)*@([a-z0-9]+([.-][a-z0-9]+)*)+.[a-z]{2,}$/i";
if(!preg_match($regex, $email))
{
  $errors[] = "E-mail is not in name@domain format!";
}
if(!$first || !$last || !$username || !$password || !$pass_conf || !$email || !$about)
{
   $errors[] = "You did not fill out the required fields";
}
if ($password != $pass_conf)
{
  $errors[] = "Your confirmed password does not match you initial password";
}
$sql = "SELECT * FROM `Users` WHERE `username`='{$username}'";
$query = mysql_query($sql) or die(mysql_error());

if(mysql_num_rows($query) > 0) 
{
  $errors[] = "Username already taken, please try another";
}
if(count($errors) > 0)
{
  echo "The following errors occured with your registration";
  foreach($errors AS $error)
  {
    echo $error . "\n";
  }
  echo "</font>";
  echo "<a href=\"javascript:history.go(-1)\">Try again</a>";
  //we use javascript to go back rather than reloading the page 
  // so the user doesn't have to type in all that info again.
}
else
{
  $sql = "INSERT into `Users`(`first`,`last`,`username`,`password`,`email`,`about`);
  VALUES 
  ('$_POST[first]','$_POST[last]','$_POST[username]','".md5($password)."','$_POST[email]','$_POST[about]')";


 $query = mysql_query($sql) or die(mysql_error());
 echo "Thank You for registering {$first_name}! Your username is {$username}";
}
}
?>

Parse error: syntax error, unexpected T_STRING, expecting ',' or ';' in /.automount/barra4/ug/home/cjt2v07/public_html/Logout.php on line 9

Logout.php:-

<?php
session_start();
//logout (logout.php)
include "Connect.php";

if($_SESSION['id'])
{
session_destroy();
echo "<script type="text/javascript">;
    alert("You have logged out");
    window.location="index.php"</script>";
}
?>

Any help that can be offered would be much appriciated.

Thanks.

NogDog

The first recurring problem I see is that if you have a double-quoted string literal within which you want to have double-quote characters, you must escape them with a back-slash:

echo "<a href=\"foobar\" title=\"example\">test</a>";

Alternatively, either use single quotes around the string literal and double quotes within it, or vice versa (remembering that PHP treats them a bit differently, only doing variable interpolation within double-quoted strings as well as having some special escape character sequences).

PS: In the future, please use this forum's [noparse]

...

[/noparse] tags for your PHP code, as it does syntax highlighting (often making certain syntax errors immediately apparent).

Roger_Ramjet

You should use PDO Prepared Statements for all of your database work. Read the intro to see why.