Parse errors....help, T_STRING |
imrie |
Jul 1 2007, 01:38 PM
Post
#1
|
Newbie Group: Members Posts: 15 Joined: 10-April 07 Member No.: 2,477 |
OK, errors are popping up a lot. Here is the full coding; what is wrong? Please help.
Lines 19 and 24 have errors. This is the error: "Parse error: syntax error, unexpected T_STRING in /path/to/doc/ on line 19"
CODE
<?php
//Database Information
$dbhost = "*****";
$dbname = "******";
$dbuser = "********";
$dbpass = "**************";

//Connect to database
mysql_connect ( $dbhost, $dbuser, $dbpass)or die("Could not connect: ".mysql_error());
mysql_select_db($dbname) or die(mysql_error());

session_start();
$username = $_POST[‘username’];
$password = md5($_POST[‘password’]);

$query = “select * from users where username=’$username’ and password=’$password’”;

$result = mysql_query($query);

if (mysql_num_rows($result) != 1) {
    $error = “Bad Login”;
    include “login.html”;
} else {
    $_SESSION[‘username’] = “$username”;
    include “memberspage.php”;
}
?> |
Liam Quinn |
Jul 1 2007, 06:23 PM
Post
#2
|
WDG Founder Group: Root Admin Posts: 52 Joined: 2-August 06 From: Canada Member No.: 1 |
You need to use normal quotation marks (") and apostrophes (') instead of the "curly" or "smart" quotes.
You also have a SQL injection security hole. See http://en.wikipedia.org/wiki/SQL_injection for further explanation, and note the part about using mysql_real_escape_string. |
imrie |
Jul 2 2007, 03:03 AM
Post
#3
|
Newbie Group: Members Posts: 15 Joined: 10-April 07 Member No.: 2,477 |
OK, script working, thanks. About the SQL injection factor, does this mean the script is hackable and people can hack accounts? Or can people insert trojans etc. onto the site?
What can I do about it? Thanks. |
Liam Quinn |
Jul 2 2007, 10:33 AM
Post
#4
|
WDG Founder Group: Root Admin Posts: 52 Joined: 2-August 06 From: Canada Member No.: 1 |
The SQL injection security hole allows people to do anything that your code could do in SQL. It's a very serious security hole.
To prevent SQL injection, any string inserted into a SQL statement should be escaped as described at http://en.wikipedia.org/wiki/SQL_injection...ion_remediation and http://www.php.net/mysql_real_escape_string. |
imrie |
Jul 2 2007, 01:15 PM
Post
#5
|
Newbie Group: Members Posts: 15 Joined: 10-April 07 Member No.: 2,477 |
OK, I'm a bit baffled here. Could you please insert the security measure into the code for me?
|
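Added example (not code from the thread or from any poster): the login query from post #1 beside a parameterized version, run against the same inputs. It swaps in PDO prepared statements for the mysql_real_escape_string approach named in the replies, because the mysql_* functions were removed in PHP 7. The in-memory SQLite database, the function names and the sample rows are assumptions made so that it runs offline.

```php
<?php
// Added example. An in-memory SQLite database stands in for the poster's
// MySQL "users" table; the sample account is constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)");
// Unsalted MD5 is kept only to match the thread's table layout;
// password_hash()/password_verify() is the current PHP API for passwords.
$db->prepare("INSERT INTO users VALUES (?, ?)")
   ->execute(['alice', md5('correct horse')]);

// The thread's pattern (hypothetical function name): request values are pasted
// into the SQL text, so a quote in $username changes the statement's structure.
function login_concatenated(PDO $db, string $username, string $password): bool
{
    $hash = md5($password);
    $sql  = "select * from users where username='$username' and password='$hash'";
    return count($db->query($sql)->fetchAll()) === 1;
}

// Hardened form (hypothetical function name): the SQL text is fixed and the
// values are sent as bound parameters, so they are only ever treated as data.
function login_prepared(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare(
        "select * from users where username = :u and password = :p"
    );
    $stmt->execute([':u' => $username, ':p' => md5($password)]);
    return count($stmt->fetchAll()) === 1;
}

// Constructed inputs: a good login, a wrong password, and a username that
// contains a quote followed by an SQL comment marker.
$cases = [
    'valid login'       => ['alice', 'correct horse'],
    'wrong password'    => ['alice', 'guess'],
    'quote in username' => ["alice' --", 'guess'],
];

foreach ($cases as $label => [$user, $pass]) {
    printf(
        "%-18s concatenated=%-5s prepared=%s\n",
        $label,
        var_export(login_concatenated($db, $user, $pass), true),
        var_export(login_prepared($db, $user, $pass), true)
    );
}
```

In the third case the concatenated query no longer checks the password at all, while the prepared statement simply finds no user with that literal name.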