Parse errors... help
HTMLHelp Forums > Programming > Databases
imrie
OK, errors are popping up a lot. Here is the full code; what is wrong? Please help.

Lines 19 and 24 have errors. This is the error: "Parse error: syntax error, unexpected T_STRING in /path/to/doc/ on line 19"


CODE

<?php

//Database Information

$dbhost = "*****";
$dbname = "******";
$dbuser = "********";
$dbpass = "**************";

//Connect to database

mysql_connect($dbhost, $dbuser, $dbpass) or die("Could not connect: " . mysql_error());
mysql_select_db($dbname) or die(mysql_error());

session_start();
$username = $_POST[‘username’];
$password = md5($_POST[‘password’]);

$query = “select * from users where username=’$username’ and password=’$password’”;

$result = mysql_query($query);

if (mysql_num_rows($result) != 1) {
    $error = “Bad Login”;
    include “login.html”;

} else {
    $_SESSION[‘username’] = “$username”;
    include “memberspage.php”;
}

?>
Liam Quinn
You need to use normal quotation marks (") and apostrophes (') instead of the "curly" or "smart" quotes.

You also have a SQL injection security hole. See http://en.wikipedia.org/wiki/SQL_injection for further explanation, and note the part about using mysql_real_escape_string.
imrie
OK, script working, thanks. About the SQL injection factor, does this mean the script is hackable and people can hack accounts? Or can people insert trojans etc. onto the site?

What can I do about it?

Thanks.
Liam Quinn
The SQL injection security hole allows people to do anything that your code could do in SQL. It's a very serious security hole.

To prevent SQL injection, any string inserted into a SQL statement should be escaped as described at http://en.wikipedia.org/wiki/SQL_injection...ion_remediation and http://www.php.net/mysql_real_escape_string.
imrie
OK, I'm a bit baffled here; could you please insert the security measure into the code for me?
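An added example, not code posted by either participant in this thread: the login query from the posted script beside a parameterized version, run against an in-memory SQLite table so it works stand-alone (on the original MySQL setup the attack and the fix behave the same way). The table, the `alice` row, the constructed attacker input and the file name in the usage note are all assumptions made for the demonstration. It uses PDO prepared statements rather than mysql_real_escape_string, because the mysql_* extension the script relies on was removed in PHP 7 and binding parameters is the recommended fix today.

```php
<?php
// Added example (not from the thread). PDO + in-memory SQLite so it runs
// offline; the attack and the fix are identical against MySQL.

function setupDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE users (username TEXT, password TEXT)");
    // Constructed sample account. md5() mirrors the posted script (see note).
    $stmt = $db->prepare("INSERT INTO users (username, password) VALUES (?, ?)");
    $stmt->execute(['alice', md5('correct horse')]);
    return $db;
}

// Vulnerable: same shape as the posted $query line. Whatever the user typed
// is spliced straight into the SQL text, so it is parsed as SQL.
function vulnerableLogin(PDO $db, string $username, string $password): int {
    $hash  = md5($password);
    $query = "select * from users where username='$username' and password='$hash'";
    return count($db->query($query)->fetchAll());
}

// Fixed: the SQL text is constant; the values are bound as data and can never
// change the structure of the statement.
function safeLogin(PDO $db, string $username, string $password): int {
    $stmt = $db->prepare("select * from users where username = ? and password = ?");
    $stmt->execute([$username, md5($password)]);
    return count($stmt->fetchAll());
}

$db = setupDb();

// Attacker closes the quoted username and comments out the rest of the WHERE
// clause. The password check disappears, so any password "works".
$attackerUsername = "alice' -- ";
$attackerPassword = "anything";

echo "vulnerable, attacker input: ", vulnerableLogin($db, $attackerUsername, $attackerPassword), " row(s)\n"; // 1: logged in as alice
echo "safe, attacker input:       ", safeLogin($db, $attackerUsername, $attackerPassword), " row(s)\n";       // 0: rejected
echo "safe, real credentials:     ", safeLogin($db, 'alice', 'correct horse'), " row(s)\n";                  // 1: normal login still works
```

Save it as, say, `login_injection.php` and run `php login_injection.php`. The `-- ` in the supplied username turns the rest of the string-built query into a comment, so it returns alice's row without any password, which is exactly the "hack accounts" case asked about; with the posted `!= 1` check that counts as a successful login. The prepared statement treats the same input as a literal username and matches nothing, while a genuine login still returns one row. mysql_real_escape_string, as recommended above, would neutralise this particular input by escaping the quote, but it only protects values that sit inside quotes in the SQL text; bound parameters never reach the SQL parser as code at all. Separately, the posted script stores md5() of the password, which is not a suitable password hash; PHP's password_hash() and password_verify() are the standard replacement, though that is a distinct issue from injection.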
Invision Power Board © 2001-2014 Invision Power Services, Inc.