[RESOLVED] Parse error: syntax error, unexpected '[' on line 22

Lange_K

Please Help me Solve This Error 🙂

<?php
/*
  Author: DarkedenUnited.com
*/

  include "config.php";
  $acc = $_POST['user'];
  $passwd = $_POST['pass'];

  $con = mysql_connect($host, $user, $pass);
  mysql_select_db($db);

  $query = mysql_query("SELECT Password FROM Player WHERE PlayerID='$acc'");
  $row = mysql_fetch_array($query);
  $count = mysql_num_rows($query);
  if($count == 0){
    $error = "Account not found!";
    header("Location: login.php?error=$error");
    mysql_close($con);
  }

  $password = row ['Password'];

  $query = mysql_query("SELECT PASSWORD('$passwd') AS Password");
  $row = mysql_fetch_array($query);
  if($row['Password'] == $password){
    $OK = "Access granted!";
    header("Location: login.php?error=$OK");
  }
  $error = "Invalid Username or Password!";
  header("Location: login.php?error=$error");
?>

dagon

$password = $row['Password'];

Lange_K

dagon;10994309 wrote:
$password = $row['Password'];

Solved thanks man!

Lange_K

Lange K;10994310 wrote:
Solved thanks man!

uhm not solved now it give error invaled pass and username!

dagon

try

 if($row['Password'] == $password){
    $OK = "Access granted!";
    header("Location: login.php?error=$OK");
exit();
  }else{
  $error = "Invalid Username or Password!";
  header("Location: login.php?error=$error"); 
exit();
}

Lange_K

dagon;10994312 wrote:

try

 if($row['Password'] == $password){
    $OK = "Access granted!";
    header("Location: login.php?error=$OK");
exit();
  }else{
  $error = "Invalid Username or Password!";
  header("Location: login.php?error=$error"); 
exit();
}

Invalid Username or Password! 🙁

Lange_K

and yes i'm typing the username and password correct :p

dagon

echo them out, they are not the same value.

Lange_K

dagon;10994315 wrote:
echo them out, they are not the same value.

what do you mean with echo them out ?

bradgrafelman

Your code also contains many other errors:

```
  $acc = $_POST['user']; 
  $passwd = $_POST['pass']; 
```
If $POST['user'] and/or $POST['pass'] don't exist, these two lines will generate E_NOTICE level errors since you're attempting to access external data that doesn't exist. As such, you should always first verify that the external data does in fact exist (e.g. via [man]isset/man, [man]empty/man, etc.). For that reason, I prefer to create local variables that represent external data like so:
```
$foo = isset($_POST['foo']) ? $_POST['foo'] : NULL;
```
which uses the ternary operator for compactness.
```
$con = mysql_connect($host, $user, $pass);
  mysql_select_db($db); 
```
Where did $host, $user, etc. come from? How is someone to know that $pass is a MySQL DB password whereas $passwd represents the external form data (and how is that person, even you, supposed to never forget that while working on code 😉)?

Your 'config.php' file should instead most likely be defining such entities as [man]constants[/man] via [man]define/man. Doing so will not only remove confusion (I prefer constants with prefixes like DB_HOST, DB_USER, DB_PASS, etc.) but also ensure that you don't accidentally overwrite that data with something else.
You should always be checking to see if the various mysql_*() functions are successful (e.g. by examining their return values) if possible. This is especially true for [man]mysql_query/man.

If they fail, it's often helpful to include debugging info in the error log, such as the full SQL query string itself as well as the MySQL-provided error message.
Speaking of things you should be doing, note that the [man]mysql[/man] extension itself has been replaced with [man]MySQLi[/man]; newer projects are suggested to use it (or something like [man]PDO[/man]) rather than the outdated mysql extension.
User-supplied data should never be placed directly into a SQL query string, else your code will be vulnerable to SQL injection attacks and/or just plain SQL errors. Instead, you must first sanitize it such as with a function like [man]mysql_real_escape_string/man (for string data) or use prepared statements.
Why are you using two separate queries? Most login systems don't differentiate between an invalid account/username versus an invalid password simply because a) the end result is the same, and b) there is no need to tell the user if the account/username they gave does not exist.

Even if you did for some reason want to differentiate a nonexistent account error from an invalid password, there's still no need to use two separate SQL queries - just retrieve both the 'Password' column and the result from the expression:
```
PASSWORD('$passwd')
```
all in the same query.
This code:
```
    $error = "Account not found!"; 
    header("Location: login.php?error=$error"); 
```
(as well as the two other similar instances of it) has two problems:
1. You never end the script execution after the [man]header/man call (e.g. via [man]exit[/man] or [man]die[/man]). That means that PHP will simply queue up the HTTP header as instructed and continue executing the rest of your code (despite the fact that you didn't structure the code with this in mind).
2. This:
```
Location: login.php?error=Account not found!
```
  is not a valid HTTP header for two reasons:
  1. The 'Location' header expects an absolute URI (meaning relative paths, or paths that don't begin with 'http(s)://', are not supported according to the HTTP specs).
  2. URIs can't have spaces in them. If you want to include a space in the data, you must encode it (e.g. with the '+' character or using the hex-character notation '%20'). See [man]urlencode/man for more info.

EDIT: Also note that all of the above was based on the code provided in the first post of the thread.

dagon

echo 'p1 '.$row['Password'];
echo 'p2 '.$password;
exit();

Lange_K

bradgrafelman;10994317 wrote:
Your code also contains many other errors:
  $acc = $_POST['user']; 
  $passwd = $_POST['pass']; 
If $POST['user'] and/or $POST['pass'] don't exist, these two lines will generate E_NOTICE level errors since you're attempting to access external data that doesn't exist. As such, you should always first verify that the external data does in fact exist (e.g. via [man]isset/man, [man]empty/man, etc.). For that reason, I prefer to create local variables that represent external data like so:
$foo = isset($_POST['foo']) ? $_POST['foo'] : NULL;
which uses the ternary operator for compactness.
$con = mysql_connect($host, $user, $pass);
  mysql_select_db($db); 
Where did $host, $user, etc. come from? How is someone to know that $pass is a MySQL DB password whereas $passwd represents the external form data (and how is that person, even you, supposed to never forget that while working on code 😉)?

Your 'config.php' file should instead most likely be defining such entities as [man]constants[/man] via [man]define/man. Doing so will not only remove confusion (I prefer constants with prefixes like DB_HOST, DB_USER, DB_PASS, etc.) but also ensure that you don't accidentally overwrite that data with something else.
You should always be checking to see if the various mysql_*() functions are successful (e.g. by examining their return values) if possible. This is especially true for [man]mysql_query/man.

If they fail, it's often helpful to include debugging info in the error log, such as the full SQL query string itself as well as the MySQL-provided error message.

Speaking of things you should be doing, note that the [man]mysql[/man] extension itself has been replaced with [man]MySQLi[/man]; newer projects are suggested to use it (or something like [man]PDO[/man]) rather than the outdated mysql extension.

User-supplied data should never be placed directly into a SQL query string, else your code will be vulnerable to SQL injection attacks and/or just plain SQL errors. Instead, you must first sanitize it such as with a function like [man]mysql_real_escape_string/man (for string data) or use prepared statements.
Why are you using two separate queries? Most login systems don't differentiate between an invalid account/username versus an invalid password simply because a) the end result is the same, and b) there is no need to tell the user if the account/username they gave does not exist.

Even if you did for some reason want to differentiate a nonexistent account error from an invalid password, there's still no need to use two separate SQL queries - just retrieve both the 'Password' column and the result from the expression:
PASSWORD('$passwd')
all in the same query.
This code:
    $error = "Account not found!"; 
    header("Location: login.php?error=$error"); 
(as well as the two other similar instances of it) has two problems:
You never end the script execution after the [man]header/man call (e.g. via [man]exit[/man] or [man]die[/man]). That means that PHP will simply queue up the HTTP header as instructed and continue executing the rest of your code (despite the fact that you didn't structure the code with this in mind).
This:
Location: login.php?error=Account not found!
is not a valid HTTP header for two reasons:

The 'Location' header expects an absolute URI (meaning relative paths, or paths that don't begin with 'http(s)://', are not supported according to the HTTP specs).

URIs can't have spaces in them. If you want to include a space in the data, you must encode it (e.g. with the '+' character or using the hex-character notation '%20'). See [man]urlencode/man for more info.
EDIT: Also note that all of the above was based on the code provided in the first post of the thread.

thanks for the help but those help suggestions only give more errors cause i'm connecting a mysql server inside vmware station 🙂

bradgrafelman

Lange K;10994319 wrote:
thanks for the help but those help suggestions only give more errors cause i'm connecting a mysql server inside vmware station 🙂

The fact that a virtual machine is being used has nothing to do with anything mentioned.

Lange_K

bradgrafelman;10994320 wrote:
The fact that a virtual machine is being used has nothing to do with anything mentioned.

well oke but your suggestions give only more errors 🙂

bradgrafelman

Lange K;10994321 wrote:
well oke but your suggestions give only more errors 🙂

No, my suggestions resolve many errors. Your misguided attempt at utilizing my suggestions to modify your code... well that could definitely cause more errors.

Lange_K

dagon;10994318 wrote:

echo 'p1 '.$row['Password'];
echo 'p2 '.$password;
exit();

and where i put those?

<?php
/*
  Author: Bloodyshade
*/

  include "config.php";
  $acc = $_POST['user'];
  $passwd = $_POST['pass'];

  $con = mysql_connect($host, $user, $pass);
  mysql_select_db($db);

  $query = mysql_query("SELECT Password FROM Player WHERE PlayerID='$acc'");
  $row = mysql_fetch_array($query);
  $count = mysql_num_rows($query);
  if($count == 0){
    $error = "Account not found!";
    header("Location: login.php?error=$error");
    mysql_close($con);
  }

 if ($row['Password'] == $password){
    $OK = "Access granted!";
    header("Location: login.php?error=$OK");
exit();
  }else{
  $error = "Invalid Username or Password!";
  header("Location: login.php?error=$error");
exit();
}

i realy dunno how to fix can 1 of you supply me good version then?

Lange_K

I solved it myself