The Web Design Group

... Making the Web accessible to all.

Parse errors....help, T_STRING
imrie
post Jul 1 2007, 01:38 PM
Post #1
Newbie, Group: Members, Posts: 15, Joined: 10-April 07, Member No.: 2,477

OK, errors are popping up a lot. Here is the full code; what is wrong? Please help.

Lines 19 and 24 have errors. This is the error: "Parse error: syntax error, unexpected T_STRING in /path/to/doc/ on line 19"


CODE

<?php

//Database Information

$dbhost = "*****";
$dbname = "******";
$dbuser = "********";
$dbpass = "**************";

//Connect to database

mysql_connect ( $dbhost, $dbuser, $dbpass)or die("Could not connect: ".mysql_error());
mysql_select_db($dbname) or die(mysql_error());

session_start();
$username = $_POST[‘username’];
$password = md5($_POST[‘password’]);

$query = “select * from users where username=’$username’ and password=’$password’”;

$result = mysql_query($query);

if (mysql_num_rows($result) != 1) {
$error = “Bad Login”;
    include “login.html”;

} else {
    $_SESSION[‘username’] = “$username”;
    include “memberspage.php”;
}

?>
Liam Quinn
post Jul 1 2007, 06:23 PM
Post #2
WDG Founder, Group: Root Admin, Posts: 52, Joined: 2-August 06, From: Canada, Member No.: 1

You need to use normal quotation marks (") and apostrophes (') instead of the "curly" or "smart" quotes.

You also have a SQL injection security hole. See http://en.wikipedia.org/wiki/SQL_injection for further explanation, and note the part about using mysql_real_escape_string.
imrie
post Jul 2 2007, 03:03 AM
Post #3
Newbie, Group: Members, Posts: 15, Joined: 10-April 07, Member No.: 2,477

OK, script working, thanks. About the SQL injection factor, does this mean the script is hackable and people can hack accounts? Or can people insert trojans etc. on to the site?

What can I do about it?

Thanks.
Liam Quinn
post Jul 2 2007, 10:33 AM
Post #4
WDG Founder, Group: Root Admin, Posts: 52, Joined: 2-August 06, From: Canada, Member No.: 1

The SQL injection security hole allows people to do anything that your code could do in SQL. It's a very serious security hole.

To prevent SQL injection, any string inserted into a SQL statement should be escaped as described at http://en.wikipedia.org/wiki/SQL_injection...ion_remediation and http://www.php.net/mysql_real_escape_string.
imrie
post Jul 2 2007, 01:15 PM
Post #5
Newbie, Group: Members, Posts: 15, Joined: 10-April 07, Member No.: 2,477

OK, I'm a bit baffled here. Could you please insert the security measure into the code for me?
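The following is an added example, not code from any of the posts above and not WDG's own code. It takes the login script from post #1 and shows the remediation post #4 points to (escaping every string that goes into the SQL text with mysql_real_escape_string, for the old mysql extension) beside a mysqli prepared statement, which goes beyond what the thread discusses but is the form a current PHP install needs because the mysql_* functions were removed in PHP 7. The connection values, the `users` table with `username` and `password` columns, and the included `login.html` / `memberspage.php` files are taken from the original script; the placeholder credentials are assumptions.

```php
<?php
// Added example (not from the thread): the login from post #1 with the
// SQL injection hole closed. Assumes a `users` table with `username` and
// `password` columns, as in the original script.

// Database information (placeholders, not real credentials)
$dbhost = "localhost";
$dbname = "example_db";
$dbuser = "example_user";
$dbpass = "example_pass";

session_start();

// Read the form fields; an absent field becomes an empty string instead of a notice.
$username = isset($_POST['username']) ? $_POST['username'] : '';
// md5() is kept only because the original schema stores md5 hashes.
$password = md5(isset($_POST['password']) ? $_POST['password'] : '');

// VULNERABLE form from post #1, left here for comparison and never executed:
// the raw input becomes part of the SQL text, so a quote character in the
// input ends the string literal and whatever follows runs as SQL with the
// script's database privileges.
// $query = "select * from users where username='$username' and password='$password'";

// Remediation 1 (what post #4 recommends, legacy mysql extension, PHP 5 only):
// escape every string before it is placed in the SQL text. Call this only
// after mysql_connect(), because the escaping depends on the connection's
// character set.
function legacy_login_query($username, $password_hash)
{
    $u = mysql_real_escape_string($username);
    $p = mysql_real_escape_string($password_hash);
    return "select * from users where username='$u' and password='$p'";
}

// Remediation 2 (beyond the thread): a mysqli prepared statement. The SQL
// text and the values are sent separately, so no quoting is involved at all.
function login_user(mysqli $db, $username, $password_hash)
{
    $stmt = $db->prepare('SELECT username FROM users WHERE username = ? AND password = ?');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('ss', $username, $password_hash);
    $stmt->execute();
    $stmt->store_result();
    // Exactly one matching row, mirroring the mysql_num_rows() != 1 check.
    $ok = ($stmt->num_rows === 1);
    $stmt->close();
    return $ok;
}

$db = new mysqli($dbhost, $dbuser, $dbpass, $dbname);
if ($db->connect_error) {
    die("Could not connect: " . $db->connect_error);
}

if (login_user($db, $username, $password)) {
    $_SESSION['username'] = $username;
    include "memberspage.php";
} else {
    $error = "Bad Login";
    include "login.html";
}
?>
```

With the prepared statement, the `?` placeholders are bound to `$username` and `$password` after the query has been parsed, so the database never interprets the submitted values as SQL. The escaping function is the right fix for the 2007-era mysql extension the thread uses, but it only works if it is applied to every string on every query; a prepared statement makes that the default.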