Hi

I am trying to do what I thought would be a simple job of creating a registration function that allows users to register to my site. The software I used had a basic version built in with instructions to modify it manually, which I followed but not well enough obviously, as I just get errors.

Could someone take the time to look at this and see if they could advise why I get the following error:

Parse error:
syntax error, unexpected '<' in /home/fr03thee/public_html/register.php on line 88

The offending line just seems to be the start of the "normal" HTML bit of the page, so I don't understand why it is creating an error. The demo code I copied looks identical to me and seems to work, but I have been through this 100 times and can't see any difference. Help!!!!

<?php
$error_message = "";
if ($_SERVER['REQUEST_METHOD'] == 'POST')
{
   $action = isset($_POST['action']) ? $_POST['action'] : '';
   $mysql_server = 'localhost';
   $mysql_username = 'myusername';
   $mysql_password = 'mypassword';
   $mysql_database = 'mydatabaser';
   $mysql_table = 'mytable';

   $success_page = './login.html';

   if ($action == 'signup')
   {
      $newusername = $_POST['username'];
      $newtitle = $_POST['title'];
      $newfirst_name = $_POST['first_name'];
      $newlast_name = $_POST['last_name'];
      $newpostcode = $_POST['postcode'];
      $newbirthday = $_POST['birthday'];
      $newemail = $_POST['email'];
      $newpassword = $_POST['password'];
      $confirmpassword = $_POST['confirmpassword'];
      $newallow_contact = $_POST['allow_contact'];
      if ($newpassword != $confirmpassword)
      {
         $error_message = 'Password and Confirm Password are not the same!';
      }
      else
      if (!ereg("^[A-Za-z0-9_!@$]{1,50}$", $newusername))
      {
         $error_message = 'Username is not valid, please check and try again!';
      }
      else
      if (!ereg("^[A-Za-z0-9_!@$]{1,50}$", $newpassword))
      {
         $error_message = 'Password is not valid, please check and try again!';
      }
      else
      if (!ereg("^[A-Za-z0-9_!@$.' &]{1,50}$", $newfullname))
      {
         $error_message = 'Fullname is not valid, please check and try again!';
      }
      else
      if (!ereg("^.+@.+\..+$", $newemail))
      {
         $error_message = 'Email is not a valid email address. Please check and try again.';
      }
      if (empty($error_message))
      {
         $db = mysql_connect($mysql_server, $mysql_username, $mysql_password);
         mysql_select_db($mysql_database, $db);
         $sql = "SELECT username FROM ".$mysql_table." WHERE username = '".$newusername."'";
         $result = mysql_query($sql, $db);
         if ($data = mysql_fetch_array($result))
         {
            $error_message = 'Username already used. Please select another username.';
         }
      }
      if (empty($error_message))
      {
         $crypt_pass = md5($newpassword);
         $sql = "INSERT `".$mysql_table."` (`username`, `title`, `first_name`, `last_name`, `postcode`, `birthday`, `email`, `password`, `signup_date`, `last_login`, `account_level`, `activated`, `allow_contact`) VALUES ('$newusername', ‘$newtitle’, ‘$newfirst_name’, ‘$newlast_name’, ‘$newpostcode’, ‘$newbirthday’, ‘$newemail’, '$crypt_pass', 'now()', 'now(), a, 1, ‘$newallow_contact’)”;
         $result = mysql_query($sql, $db);
         mysql_close($db);
         $mailto = $newemail;
         $subject = 'Your new account';
         $message = 'A new account has been setup.';
         $message .= "Username: ";
         $message .= $newusername;
         $message .= "Password: ";
         $message .= $newpassword;
         $message .= "";
         $header  = "From: webmaster@yourwebsite.com"."";
         $header .= "Reply-To: webmaster@yourwebsite.com"."";
         $header .= "MIME-Version: 1.0"."";
         $header .= "Content-Type: text/plain; charset=utf-8"."";
         $header .= "Content-Transfer-Encoding: 8bit"."";
         $header .= "X-Mailer: PHP v".phpversion();
         mail($mailto, $subject, $message, $header);
         header('Location: '.$success_page);
         exit;
      }
   }
}
?><!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Register</title>

Cut off so it fits, but the error is ahead of this, I think.

    Welcome to PHPBuilder! When posting PHP code, please use the board's [code] ... [/code] bbcode tags, as they make your code much easier to read and analyze.

    In fact, now that I've added these bbcode tags, the error should be obvious (due to the color-coding going all out of whack around line 88). Looking at the end of the line where you define $sql, you've got a "curly quote" there instead of a plain double quote. Whichever editor you were using that inserted that "curly quote" is definitely not an editor meant to be used for writing code. Then again, if your editor was meant for code writing, it would have done the syntax highlighting for you as well. 😉

    Also, here are some other general comments about your code:

    1. The 'mysql' PHP extension is old and outdated; newer PHP projects should instead use a more up-to-date/actively maintained library such as mysqli, PDO, etc.

    2. eregi() (and the other ereg() functions) have been deprecated for some time now in favor of the PCRE library of functions (such as preg_match(), in your case).

    3. For validating e-mail addresses, I recommend using filter_var() with the FILTER_VALIDATE_EMAIL flag/option.

    4. You've got more "curly quotes" (single quotes, this time) on the line where you define $sql. Note that neither PHP nor MySQL will treat a "curly quote" the same as a regular single or double quote (since they are two distinct characters, naturally) and using the former will cause errors.

    5. User-supplied data should never be placed directly into a SQL query string, else your code will be vulnerable to SQL injection attacks and/or just plain SQL errors. Instead, you must first sanitize it with a function such as mysql_real_escape_string() (for string data) or use prepared statements.

    6. Why are you appending an empty string ("") to the end of all of the $header values? Not only does that not do anything at all, but it will also cause errors since all of the headers will be smashed together on a single line. Perhaps instead of an empty string you meant to append "\r\n" (e.g. a CRLF line break sequence)?
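The six points above, applied to the poster's sign-up handler as one added example (this is not code from the thread or from the poster). It assumes PHP 7+, a `users` table with columns username, email, password, signup_date and activated, and placeholder DSN and credentials. Two choices go beyond the reply: password_hash() stands in for the original unsalted md5(), and the confirmation mail names the account without echoing the password back.

```php
<?php
// Added example, not code from the thread: the reply's points applied to the
// poster's sign-up handler. Assumptions: PHP 7+, a `users` table with columns
// username, email, password, signup_date, activated, and placeholder DSN and
// credentials. password_hash() replaces the original md5().
declare(strict_types=1);

// Returns an error message, or '' when every field passes.
function validate_signup(array $post): string
{
    $username = (string) ($post['username'] ?? '');
    $password = (string) ($post['password'] ?? '');
    $confirm  = (string) ($post['confirmpassword'] ?? '');
    $email    = (string) ($post['email'] ?? '');

    if ($password !== $confirm) {
        return 'Password and Confirm Password are not the same!';
    }
    // The original ereg() character class as a PCRE; the D modifier stops $
    // from also matching just before a trailing newline.
    $allowed = '/^[A-Za-z0-9_!@$]{1,50}$/D';
    if (!preg_match($allowed, $username)) {
        return 'Username is not valid, please check and try again!';
    }
    if (!preg_match($allowed, $password)) {
        return 'Password is not valid, please check and try again!';
    }
    // filter_var() with FILTER_VALIDATE_EMAIL instead of a hand-written regex.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return 'Email is not a valid email address. Please check and try again.';
    }
    return '';
}

// Inserts the account with prepared statements. The values travel separately
// from the SQL text, so a quote in the input can neither break the query nor
// change it. Returns false when the username or e-mail is already taken.
function register_user(PDO $db, string $username, string $email, string $password): bool
{
    $check = $db->prepare('SELECT 1 FROM users WHERE username = :u OR email = :e');
    $check->execute([':u' => $username, ':e' => $email]);
    if ($check->fetchColumn() !== false) {
        return false;
    }
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $insert = $db->prepare(
        'INSERT INTO users (username, email, password, signup_date, activated)
         VALUES (:u, :e, :p, NOW(), 1)'
    );
    return $insert->execute([':u' => $username, ':e' => $email, ':p' => $hash]);
}

// Headers joined with CRLF (the reply's point #6); the From address is a
// fixed constant rather than anything taken from the request.
function build_mail_headers(string $from): string
{
    return implode("\r\n", [
        'From: ' . $from,
        'Reply-To: ' . $from,
        'MIME-Version: 1.0',
        'Content-Type: text/plain; charset=utf-8',
        'Content-Transfer-Encoding: 8bit',
        'X-Mailer: PHP v' . phpversion(),
    ]);
}

$error_message = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST' && ($_POST['action'] ?? '') === 'signup') {
    $error_message = validate_signup($_POST);
    if ($error_message === '') {
        $db = new PDO(
            'mysql:host=localhost;dbname=mydatabase;charset=utf8mb4', // placeholder DSN
            'dbuser',                                                  // placeholder
            'dbpass',                                                  // placeholder
            [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]
        );
        if (!register_user($db, $_POST['username'], $_POST['email'], $_POST['password'])) {
            $error_message = 'Username or e-mail already used. Please choose another.';
        } else {
            // Names the account but no longer mails the password back to the user.
            $body = "A new account has been set up.\r\nUsername: " . $_POST['username'] . "\r\n";
            mail($_POST['email'], 'Your new account', $body, build_mail_headers('webmaster@example.com'));
            header('Location: ./login.html');
            exit;
        }
    }
}
```

The duplicate-check and the INSERT both use named placeholders, so the only string built by hand is the fixed SQL text; PDO::ATTR_EMULATE_PREPARES set to false makes the MySQL server, not the PHP driver, do the parameter binding.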

      Thanks for the reply, and sorry about the code tags, I didn't know what they did.

      You're clearly about a million miles ahead of me with all this stuff, as I have to confess to not fully understanding the answer - sorry!

      I copied someone else's code and just tried to make a couple of changes, so I think my skills are probably too basic to tackle something like this.

      Incidentally, is there a particular code editor you would recommend using that would make it easier to pick up on this type of thing? I mainly use a WYSIWYG, but they don't seem to have made one that lets a non-programmer create a membership system, which is why I have ended up here.

      The thing that you pointed out ref the mysql real escape string - do you know of anywhere that takes you through this step by step for an absolute beginner? I have managed to get the form working by starting from scratch, but am concerned I am probably wide open to anyone who knows what they're doing attacking my database, which is a scary thought if I ever get this thing off the ground.

      I will mark the thread solved, as your answer was awesome if a little wasted on a code virgin - I feel like a caveman having a TV explained to them or something.

      Going for a lie down!!

        andyhill40 wrote:

        Incidentally, is there a particular code editor you would recommend using that would make it easier to pick up on this type of thing? I mainly use a WYSIWYG, but they don't seem to have made one that lets a non-programmer create a membership system, which is why I have ended up here.

        Try a search or two in the Echo Lounge forum - there have been numerous topics discussing the pros and cons of different editors.

        Myself? I personally just use Notepad2 (never did give Notepad++ a fair attempt at competing; I may very well switch one day if I ever do). You didn't tell us exactly which editor you're using, but it's very possible that if it was meant at all for web programming/design then it has a "Code" mode (thinking of Dreamweaver back when I used to use it... shudder) that is more suited for writing the pure code (e.g. "programming") rather than prettifying it (e.g. "designing").

        andyhill40 wrote:

        The thing that you pointed out ref the mysql real escape string - do you know of anywhere that takes you through this step by step for an absolute beginner? I have managed to get the form working by starting from scratch, but am concerned I am probably wide open to anyone who knows what they're doing attacking my database, which is a scary thought if I ever get this thing off the ground.

        I don't know of any good tutorial or something of that nature (I'm sure they're out there), so the best I can say is post the code you're using in the Code Critique forum and we can help you out.

        If you do search the web for tutorials, just remember that it doesn't take any knowledge or mastery of SQL to write a tutorial; John Doe in his infinite wisdom could somehow kludge together the most insecure, inefficient way of interacting with SQL and think "Hey, I could help other people learn SQL if I wrote a tutorial/article!"

        Same goes for writing a book, to be honest. That's one of the many reasons why I've never wasted the money. :p

          Thanks for your help, amazing skills in here. I am using WYSIWYG v7 from Pablo Software, which isn't really a code writing tool, it is a WYSIWYG, but it allows custom PHP and HTML code to be added to any element of the page.

          I have got the form working (see new code below), but the form loses someone's data if they trigger an error, which is quite annoying. Is there a way I could show the error but keep their fields completed so they can just edit the error?

          Also is there a way to make sure this is more secure from injection attacks?

             {
                $newtitle = $_POST['title'];
                $newusername = $_POST['username'];
                $newemail = $_POST['email'];
                $newpassword = $_POST['password'];
                $confirmpassword = $_POST['confirmpassword'];
                $newfullname = $_POST['fullname'];
                $confirm_email = $_POST['confirm_email'];
                $birthday = $_POST['birthday'];
                $pcode = $_POST['postcode'];
                $marketing = $_POST['marketing'];
          
            if ($newpassword != $confirmpassword)
            {
               $error_message = 'Password and Confirm Password are not the same!';
            }
            else
            if ($newemail != $confirm_email)
            {
               $error_message = 'Email and Confirm Email are not the same!';
            }
            else
            if (!ereg("^[A-Za-z0-9_!@$]{1,50}$", $newusername))
            {
               $error_message = 'Username is not valid, please check and try again!';
            }
            else
            if (!ereg("^[A-Za-z0-9_!@$]{1,50}$", $newpassword))
            {
               $error_message = 'Password is not valid, please check and try again!';
            }
            else
            if (!ereg("^[A-Za-z0-9_!@$.' &]{1,50}$", $newfullname))
            {
               $error_message = 'Fullname is not valid, please check and try again!';
            }
            else
            if (!ereg("^.+@.+\..+$", $newemail))
            {
               $error_message = 'Email is not a valid email address. Please check and try again.';
            }
            if (empty($error_message))
            {
               $db = mysql_connect($mysql_server, $mysql_username, $mysql_password);
               mysql_select_db($mysql_database, $db);
               $sql = "SELECT email FROM ".$mysql_table." WHERE email = '".$newemail."'";
               $result = mysql_query($sql, $db);
               if ($data = mysql_fetch_array($result))
               {
                  $error_message = 'Email already used. Please select another Email Address.';
               }
            }
            if (empty($error_message))
            {
               $db = mysql_connect($mysql_server, $mysql_username, $mysql_password);
               mysql_select_db($mysql_database, $db);
               $sql = "SELECT username FROM ".$mysql_table." WHERE username = '".$newusername."'";
               $result = mysql_query($sql, $db);
               if ($data = mysql_fetch_array($result))
               {
                  $error_message = 'Username already used. Please select another username.';
               }
            }
            if (empty($error_message))
            {
               $crypt_pass = md5($newpassword);
               $sql = "INSERT `".$mysql_table."` (`title`, `username`, `password`, `fullname`, `email`, `active`, `birthday`, `postcode`, `marketing`) VALUES ('$newtitle', '$newusername', '$crypt_pass', '$newfullname', '$newemail', 1, '$birthday', '$pcode', '$marketing')";
               $result = mysql_query($sql, $db);
               mysql_close($db);
               $mailto = $newemail;
               $subject = 'Your new account';
               $message = 'A new account has been setup.';
               $message .= "\r\nUsername: ";
               $message .= $newusername;
               $message .= "\r\nPassword: ";
               $message .= $newpassword;
               $message .= "\r\n";
               $header  = "From: donotreply@thestratfordguide.co.uk"."\r\n";
               $header .= "Reply-To: sales@thestratfordguide.co.uk"."\r\n";
               $header .= "MIME-Version: 1.0"."\r\n";
               $header .= "Content-Type: text/plain; charset=utf-8"."\r\n";
               $header .= "Content-Transfer-Encoding: 8bit"."\r\n";
               $header .= "X-Mailer: PHP v".phpversion();
               mail($mailto, $subject, $message, $header);
               header('Location: '.$success_page);
               exit;
            }
             }
          }
          ?>
          </div>
            andyhill40 wrote:

            Also is there a way to make sure this is more secure from injection attacks?

            Well... "more secure" implies that you've got even some security against such attacks, which at this point you do not.

            See my comment #5 above. The PHP manual has some examples; I personally like to use the sprintf() method illustrated in example #1 for mysql_real_escape_string(), since that also allows you to sanitize numeric input as well (e.g. by using "%d" to force it to be cast to an integer).
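The sprintf() pattern this reply points to, shown as an added example that is not code from the thread. It is written against mysqli_real_escape_string() because the mysql_* functions named above were removed in PHP 7; the table name `users` and the connection details are placeholders, and the column list follows the poster's second INSERT.

```php
<?php
// Added example, not code from the thread: the sprintf() pattern the reply
// recommends, written against mysqli_real_escape_string() because the mysql_*
// functions it names were removed in PHP 7. Table name and connection details
// are placeholders; columns follow the poster's second INSERT.

// Every string passes through the escaper and every number through %d (with an
// explicit cast), so neither quotes nor non-numeric text reach the SQL as code.
// Escaping needs the live connection because the rules depend on its charset.
function build_insert(mysqli $db, array $in): string
{
    return sprintf(
        "INSERT INTO `users` (`username`, `fullname`, `email`, `active`, `marketing`) "
        . "VALUES ('%s', '%s', '%s', 1, %d)",
        mysqli_real_escape_string($db, $in['username']),
        mysqli_real_escape_string($db, $in['fullname']),
        mysqli_real_escape_string($db, $in['email']),
        (int) $in['marketing']
    );
}

// The string-built form from the thread, kept only for the comparison below.
function build_insert_unsafe(array $in): string
{
    return "INSERT INTO `users` (`username`, `fullname`, `email`, `active`, `marketing`) "
         . "VALUES ('{$in['username']}', '{$in['fullname']}', '{$in['email']}', 1, '{$in['marketing']}')";
}

// Constructed sample input: an ordinary apostrophe in a surname is enough to
// unbalance the unsafe query (the "plain SQL errors" the reply mentions), and
// a non-numeric checkbox value shows what %d does to the marketing column.
$sample = [
    'username'  => 'andy',
    'fullname'  => "Pat O'Brien",
    'email'     => 'pat@example.com',
    'marketing' => 'yes',
];

echo build_insert_unsafe($sample), "\n";

$db = new mysqli('localhost', 'dbuser', 'dbpass', 'mydatabase'); // placeholders
$db->set_charset('utf8mb4');
echo build_insert($db, $sample), "\n";
```

Run against a real connection, the unsafe form prints `'Pat O'Brien'` with the quote unbalanced, while the escaped form prints `'Pat O\'Brien'` and turns `'yes'` into the integer 0. The escaping only protects values that sit inside quotes in the template; anything placed bare in the SQL, such as the marketing flag, has to be forced to a number with %d instead.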
