login page

Posted: Sun Oct 09, 2005 6:28 pm
by elecktricity
I'm not sure why this one won't work

Code:

<?PHP # login.php page
 if(isset($_POST['submit'])) {
$dbh=mysql_connect ("localhost", "root", "password") or die ('I cannot connect to the database because: ' . mysql_error());
mysql_select_db ("content");

function escape_data($data) {
global $dbc;
if (ini_get('magic_quotes_gpc')) {
$data = stripslashes($data);
}
return mysql_real_escape_string($data, $dbc);
}
$message = NULL;
if (empty($_POST['username'])) {
 $u = FALSE;
 $message .= '<p class=\'text\'>You forgot to enter your username!</p>';
} else {
 $u = escape_data($_POST['username']);
}
$message = NULL;
if (empty($_POST['password'])) {
 $p = FALSE;
 $message .= '<p class=\'text\'>You forgot to enter your password!</p>';
} else {
 $p = escape_data($_POST['password']);
}
if ($u && $p) {
$query = "SELECT * FROM users WHERE username='$u' AND password=PASSWORD('$p')";
$result = @mysql_query ($query);
$row = mysql_fetch_array($result, MYSQL_NUM);
if ($row) {
session_start();
$SESSION['name'] = $row[name];
$SESSION['userid'] = $row[userid];
header ('Location: http://www.vividgamers.com/sessions/index.php');
exit;
}
echo '<form action=\'index.php\' method=\'post\'>';
echo '<table width=\'455\' cellpadding=\'0\' cellspacing=\'0\' border=\'0\' class=\'header1\'>';
echo '<tr>';
echo '<th colspan=\'2\' height=\'20\' class=\'header2\'>User Info:</th>';
echo '</tr>';
echo '<tr>';
echo '<td valign=\'middle\' width=\'163\' class=\'header8\'>Username:</td>';
echo '<td valign=\'middle\' class=\'header8\'><input maxlength=\'50\' class=\'text3\' type=\'text\' name=\'name\'></td>';
echo '</tr>';
echo '<tr>';
echo '<td valign=\'middle\' width=\'163\' class=\'header9\'>Passwords:</td>';
echo '<td valign=\'middle\' class=\'header9\'><input maxlength=\'16\' class=\'text3\' type=\'password\' name=\'pwd\'></td>';
echo '</tr>';
echo '<tr>';
echo '<th colspan=\'2\' height=\'20\' class=\'header2\' style=\'border-bottom: 1px solid black;\'><input class=\'text3\' type=\'submit\' value=\'Login!\'></th>';
echo '</tr>';
echo '</table>';
echo '</form>';
?>
It's giving me this error:
Parse error: parse error, unexpected $ in /home/rootbee/public_html/site/sessions/login.php on line 56
There isn't even a '$' on line 56, which is the last line on there btw

Posted: Sun Oct 09, 2005 6:43 pm
by Dm7

Code:

$dbh=mysql_connect ("localhost", "root", "password") or die ('I cannot connect to the database because: ' . mysql_error());
might want to put it as...

Code:

$dbh = mysql_connect ("localhost", "root", "password") or die ('I cannot connect to the database because: ' . mysql_error());

Code:

$query = "SELECT * FROM users WHERE username='$u' AND password=PASSWORD('$p')";
might want to try this...

Code:

$query = "SELECT * FROM users WHERE username='". $u ."' AND password=PASSWORD('". $p ."')";
That's what I think might have caused the error... I faced a similar error recently and I vaguely remember that it had to do with the strings in $query above. :)

Posted: Sun Oct 09, 2005 6:44 pm
by feyd

Code:

if ($u && $p) {
wasn't closed.

Posted: Sun Oct 09, 2005 6:50 pm
by John Cartwright
You seem to have a few bad practices. Compare yours to this version:

Code:

<?php
	//to be safe always start session on first line
	session_start();

	function escape_data($data) {
		#no need to pass database instance
		#if none is supplied assumes last connection
		#plus globals are bad
		if (get_magic_quotes_gpc()) {
			$data = stripslashes($data);
		}
		$data = htmlentities($data);
		$data = mysql_real_escape_string($data);
		return $data;
	}
	
	#should change $_POST['submit'] to a hidden form element
	#try hitting enter in Internet explorer, 'submit' won't exist
	if(isset($_POST['submit'])) {
		$dbh = mysql_connect ("localhost", "root", "password") or die (mysql_error());
		mysql_select_db ("content");
		
		#have a list of required form elements
		$required = array(
			'username',
			'password'
		);
	
		$error = '';
		#loop through your results and check if they exist
		#this way we not only sanitize data, but assign the variables
		foreach ($required as $fieldname) {
			if (empty($_POST[$fieldname])) {
				$error .= '<p class=\'text\'>You forgot to enter your '.$fieldname.'!</p>';
				$$fieldname = '';				
			}
			else {
				$$fieldname = escape_data($_POST[$fieldname]);
			}
		}
		
		//no errors were found
		if (empty($error)) {
			//changed your query to only accept 1 row
			//just in case
			$result = mysql_query("SELECT * FROM users WHERE username='$username' AND password=PASSWORD('$password') LIMIT 1") or die(mysql_error());
			//check if a row has been found
			if (mysql_num_rows($result) == 1) {
				$row = mysql_fetch_assoc($result);
				//make sure you quote your name indices
				$_SESSION['name'] = $row['name'];
				$_SESSION['userid'] = $row['userid'];
				header ('Location: http://www.vividgamers.com/sessions/index.php');
				exit;
			}
		}
		
		//check to see if $error is not empty
		//if errors exist display it
	}
	
	//show form here

	?>
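
An added example, not part of any post in this thread: the same username/password check written with a parameterised query and PHP's password_hash()/password_verify() in place of escape_data() and MySQL's PASSWORD(). It assumes PDO with the SQLite driver so it runs stand-alone; the in-memory table, the pass_hash column and the sample users are constructed for illustration.

```php
<?php
// Added example (not from the thread): login check with a parameterised
// query and password_hash()/password_verify().
// Assumptions: PDO + sqlite driver, an in-memory table, a hypothetical
// pass_hash column, and constructed sample users.

function make_demo_db(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (userid INTEGER PRIMARY KEY, username TEXT UNIQUE, name TEXT, pass_hash TEXT)');
    $ins = $pdo->prepare('INSERT INTO users (username, name, pass_hash) VALUES (?, ?, ?)');
    $ins->execute(['alice', 'Alice', password_hash('correct horse', PASSWORD_DEFAULT)]);
    $ins->execute(["o'brien", 'Pat', password_hash('another secret', PASSWORD_DEFAULT)]);
    return $pdo;
}

// Returns the user row (without the hash) on success, null on any failure.
function check_login(PDO $pdo, string $username, string $password): ?array {
    // Placeholders keep the input out of the SQL text, so the value is never
    // parsed as SQL and no escaping helper is needed on the way in.
    $stmt = $pdo->prepare('SELECT userid, name, pass_hash FROM users WHERE username = ? LIMIT 1');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // The comparison happens in PHP, not in SQL; password_verify() reads the
    // algorithm, cost and salt from the stored hash.
    if ($row === false || !password_verify($password, $row['pass_hash'])) {
        return null;
    }
    unset($row['pass_hash']);
    return $row;
}

$pdo = make_demo_db();
$cases = [
    ['alice', 'correct horse'],       // valid credentials
    ['alice', 'wrong'],               // wrong password
    ["o'brien", 'another secret'],    // apostrophe in the name is plain data
];
foreach ($cases as [$u, $p]) {
    $user = check_login($pdo, $u, $p);
    // HTML-encode at output time, not before storing or querying.
    echo htmlspecialchars($u, ENT_QUOTES), ' => ', ($user ? 'ok, userid ' . $user['userid'] : 'rejected'), "\n";
}
// In the real page, call session_regenerate_id(true) after a successful
// login and before filling $_SESSION.
```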