kaiman Posted October 25, 2009

I keep getting multiple syntax errors on this script like this one:

Parse error: syntax error, unexpected T_ELSE in .../scripts/php/loginform2.php on line 40

when I change that line I get another on line 33... Can someone please help me with this script?

Thanks,

kaiman

    <?php

    // connects to server and selects database.
    include ("dbconnect.inc.php");

    // table name
    $tbl_name="registered_members";

    // removes magic_quotes_gpc slashes
    function stripQuotes($arg) {
        if (get_magic_quotes_runtime()) {
            return stripslashes($arg);
        } else {
            return $arg;
        }
    }

    // protect against mysql injection
    function cleanString($string){
        htmlentities(mysql_real_escape_string($string));
        return $string;
    }

    // username and password sent from login form
    $username = stripQuotes($_POST['username']);
    $username = cleanString($_POST['username']);
    $pass = sha1($_POST['pass']);

    // select info from database
    $sql="SELECT * FROM $tbl_name WHERE username='$username' and password='$pass'";
    $result=mysql_query($sql);

    // mysql_num_row counts the table row
    $count=mysql_num_rows($result);

    // if result matched $username and $pass, table row must be 1 row
    if($count==1){
        // register $_SESSION
        session_start();
        $_SESSION['username'] = $username;
        $_SESSION['pass'] = $pass;
        $_SESSION['id'] = $row['id'];
        $_SESSION['level'] = $row['level'];
    else {
        echo "Incorrect Username or Password";
        exit ;
    }

    // user levels
    // 0 = guest
    // 1 = user - default
    // 2 = auther
    // 3 = moderator
    // 4 = admin
    // 5 = banned user

    // check user levels
    if ($_SESSION['level'] == '1') {
        header("Location: http://www.example.com/user/");
    }
    if ($_SESSION['level'] == '2') {
        header("Location: http://www.example.com/author/");
    }
    if ($_SESSION['level'] == '3') {
        header("Location: http://www.example.com/moderator/");
    }
    if ($_SESSION['level'] == '4') {
        header("Location: http://www.example.com/admin/");
    }
    }
    else {
        echo "You Don't Have Permission to View This Page";
        exit ;
    }
    ?>

mikesta707 Posted October 25, 2009

you forgot the closing bracket here

    if($count==1){
        // register $_SESSION
        session_start();
        $_SESSION['username'] = $username;
        $_SESSION['pass'] = $pass;
        $_SESSION['id'] = $row['id'];
        $_SESSION['level'] = $row['level'];
    else {
        echo "Incorrect Username or Password";
        exit ;
    }

should be

    if($count==1){
        // register $_SESSION
        session_start();
        $_SESSION['username'] = $username;
        $_SESSION['pass'] = $pass;
        $_SESSION['id'] = $row['id'];
        $_SESSION['level'] = $row['level'];
    }
    else {
        echo "Incorrect Username or Password";
        exit ;
    }

also you should put session_start() at the top of the page

kaiman Posted October 25, 2009

Okay got that thanks, however, I still can't get the variables id and level out of the database. It just says, "You Don't Have Permission to View This Page." Can you please help me here?

When I use var_dump($_SESSION); to write the info to the screen I get:

    array(4) {
      ["username"]=> string(6) "kaiman"
      ["pass"]=> string(40) "sha1passwordhere"
      ["id"]=> NULL
      ["level"]=> NULL
    }
    You Don't Have Permission to View This Page.

So for some reason the variables aren't being passed to the $_SESSION??? Any insight into this or where I am going wrong?

Thanks,

kaiman

mikesta707 Posted October 25, 2009

do a var_dump of $row['level'] and $row['id']. it seems those variables aren't being populated with data from your database

kaiman Posted October 25, 2009

The results of the var_dump($_SESSION); are below:

    array(4) {
      ["username"]=> string(6) "kaiman"
      ["pass"]=> string(40) "sha1passwordhere"
      ["id"]=> NULL
      ["level"]=> NULL
    }
    You Don't Have Permission to View This Page.

Both level and id come up NULL... How in the heck do I get those columns out of the db?

mikesta707 Posted October 25, 2009

i said $row... not $_SESSION...

kaiman Posted October 25, 2009

After running:

    var_dump($row['id']);
    var_dump($row['level']);

I get

    NULL NULL

mikesta707 Posted October 25, 2009

oh haha. you never do the $row = mysql_fetch_array($sql) part

kaiman Posted October 25, 2009

Okay, I've added the mysql_fetch_array($sql) part like this:

    while ($row = mysql_fetch_array($result, MYSQL_ASSOC)) {
        $row['id'], $row['level']);
    }

and now I am getting this:

Parse error: syntax error, unexpected ',' in /home/stormkin/public_html/projects/rft/scripts/php/loginform2.php on line 34

Any ideas?

mikesta707 Posted October 25, 2009

this

    $row['id'], $row['level']);

makes absolutely no sense. What are you trying to do with this line?

kaiman Posted October 25, 2009

Sorry that was my sticky finger on that last post. Here is the code I am trying, but it still comes back NULL.

    while ($row = mysql_fetch_array($result, MYSQL_ASSOC)) {
        printf($row['id'], $row['level']);
    }

How would I go about pulling those rows into the mysql_fetch_array?

mikesta707 Posted October 25, 2009

hmm, are you sure those are the correct names of the columns? also, you can get an associative array like this

    mysql_fetch_assoc()

instead of passing in the second parameter. it makes no difference, but just so you know.

but printf prints a formatted string, the second parameters (and parameters afterwards) are arguments that are put into the formatted string. try just doing

    print_r($row);

kaiman Posted October 25, 2009

Here is the partial results of the running a print r. You can clearly see the two columns id and level, but I am still getting the error below: You Don't Have Permission to View This Page.

    Array ( [id] => 1 [level] => 1 )

BTW my two columns look like this in my db_table:

    `id` int(4) NOT NULL auto_increment,
    `level` int(4) NOT NULL default '1',
    PRIMARY KEY (`id`)

Any other ideas?

Thanks again!

kaiman

mikesta707 Posted October 25, 2009

don't use a while loop. just do

    $row = mysql_fetch_assoc()

it's just 1 entry right? well the while loop will store the right value for the first run, but it will try to run again. when it does that mysql_fetch_assoc() will return false because there are no more rows to return, and then $row will have the value of false.

kaiman Posted October 25, 2009

Yes, it's just the one db entry. Still just coming back with error: You Do Not Have Permission... and doesn't redirect the page via header: Location blah, blah, blah.

Here is the whole script as I have it so far:

    <?php

    // connects to server and selects database.
    include ("dbconnect.inc.php");

    // table name
    $tbl_name="registered_members";

    // removes magic_quotes_gpc slashes
    function stripQuotes($arg) {
        if (get_magic_quotes_runtime()) {
            return stripslashes($arg);
        } else {
            return $arg;
        }
    }

    // protect against mysql injection
    function cleanString($string){
        htmlentities(mysql_real_escape_string($string));
        return $string;
    }

    // username and password sent from login form
    $username = stripQuotes($_POST['username']);
    $username = cleanString($_POST['username']);
    $pass = sha1($_POST['pass']);

    // select info from database
    $sql="SELECT * FROM $tbl_name WHERE username='$username' and password='$pass'";
    $result=mysql_query($sql);

    // mysql_num_row counts the table row
    $count=mysql_num_rows($result);

    // pull rows into array
    $row = mysql_fetch_assoc($result);
    // print_r($row);

    // if result matched $username and $pass, table row must be 1 row
    if($count==1){
        // register $_SESSION
        session_start();
        $_SESSION['username'] = $username;
        $_SESSION['pass'] = $pass;
        $_SESSION['id'] = $row['id'];
        $_SESSION['level'] = $row['level'];
    }
    else {
        echo "Incorrect Username or Password";
        exit ;
    }

    // var_dump($row['id']);
    // var_dump($row['level']);

    // user levels
    // 0 = guest
    // 1 = user - default
    // 2 = auther
    // 3 = moderator
    // 4 = admin
    // 5 = banned user

    // check user levels
    if ($_SESSION['level'] == '1') {
        header("http://www.example.com/user/");
    }
    if ($_SESSION['level'] == '2') {
        header("Location: http://www.example.com/author/");
    }
    if ($_SESSION['level'] == '3') {
        header("Location: http://www.example.com/moderator/");
    }
    if ($_SESSION['level'] == '4') {
        header("Location: http://www.example.com/admin/");
    }
    else {
        echo "You Don't Have Permission to View This Page";
        exit ;
    }
    ?>

Thanks again (this is my first foray into setting up a complete user level system with PHP/MySQL and I am learning a lot!)

kaiman

mikesta707 Posted October 25, 2009

it might be because of this

    if ($_SESSION['level'] == '1') {

remove the single quotes. right now you are comparing an integer to a string, and that may be causing problems

dreamlove Posted October 25, 2009

I have an idea. Our bbs program should have this function: while inserting some PHP code, the editor should automatically indent it!

kaiman Posted October 25, 2009

Haha dreamlove, very funny! I understand your point, but right now I am more concerned with function over form...

mrMarcus Posted October 25, 2009

just glancing at your code, this is not doing what you think it is:

    $username = stripQuotes($_POST['username']);
    $username = cleanString($_POST['username']);

the value of $username has been set twice .. you're thinking it's been cleaned by two separate functions, but it hasn't.

to accomplish what it is you are looking for, do this:

    $username = stripQuotes($_POST['username']);
    $username = cleanString($username);

ultimately, it's best to keep your functions all-in-one style for instances like this .. that way, you're not forgetting to run certain sanitizing functions on common variables.

Andy-H Posted October 25, 2009

    <?php

    // connects to server and selects database.
    include ("dbconnect.inc.php");

    // table name
    $tbl_name="registered_members";

    // removes magic_quotes_gpc slashes
    function stripQuotes($arg) {
        if (get_magic_quotes_runtime()) {
            return stripslashes($arg);
        } else {
            return $arg;
        }
    }

    // protect against mysql injection
    function cleanString($string){
        htmlentities(mysql_real_escape_string($string));
        return $string;
    }

    // username and password sent from login form
    $username = stripQuotes($_POST['username']);
    $username = cleanString($username);
    $pass = sha1($_POST['pass']);

    // select info from database
    $sql="SELECT id, level FROM $tbl_name WHERE username='$username' AND password='$pass' LIMIT 1"; // LIMIT 1 will stop mysql from searching once it has found the result
    $result=mysql_query($sql) or trigger_error("A MySQL ERROR HAS OCCURED!"); //Perhaps there was an error with the query?

    // mysql_num_row counts the table row
    $count = mysql_num_rows($result);

    // if result matched $username and $pass, table row must be 1 row
    if($count === 1){
        // register $_SESSION
        session_start();
        $_SESSION['username'] = $username;
        $_SESSION['pass'] = $pass;
        // pull rows into variables
        while (list($id, $level) = mysql_fetch_row($result)) {
            $_SESSION['id'] = $id;
            $_SESSION['level'] = $level;
        }
    }
    else {
        echo "Incorrect Username or Password";
        exit ;
    }

    // var_dump($row['id']);
    // var_dump($row['level']);

    // user levels
    // 0 = guest
    // 1 = user - default
    // 2 = auther
    // 3 = moderator
    // 4 = admin
    // 5 = banned user

    // check user levels === will check that type is also same (ie integer)
    if ($_SESSION['level'] === 1) {
        header("http://www.example.com/user/");
    }
    if ($_SESSION['level'] === 2) {
        header("Location: http://www.example.com/author/");
    }
    if ($_SESSION['level'] === 3) {
        header("Location: http://www.example.com/moderator/");
    }
    if ($_SESSION['level'] === 4) {
        header("Location: http://www.example.com/admin/");
    }
    else {
        echo "You Don't Have Permission to View This Page";
        exit;
    }
    ?>

Try that, don't type cast the variable tho as NULL will cast to 0 (guest).

mrMarcus Posted October 25, 2009

$level is not being populated.

to the OP .. are you sure that `level` in the db is 4? 'cause if it's not, You Will Not Have Permission to View This Page.

make sure the username and password (encryption matches encryption) match.

kaiman Posted October 25, 2009

mrMarcus was correct, I am still getting the error after running Andy-H's script line for line (thanks for the help though Andy).

I double checked the password and it is correct. The test user I am using has a level of 1, not 4 - I am trying to run a check to determine the level and redirect... what do you mean that the 'level' in the db is 4? Shouldn't this work if 'level' 1 as well?

kaiman Posted October 25, 2009

Okay, I changed the user level to 4 in the db and then ran the script and it works... SO how do I change this section to run a check and redirect if less than 4?

Thanks again,

kaiman

mrMarcus Posted October 25, 2009

use elseif instead of multiple if's:

    if ($_SESSION['level'] === 1) {
        header("http://www.example.com/user/");
        exit (0);
    }
    elseif ($_SESSION['level'] === 2) {
        header("Location: http://www.example.com/author/");
        exit (0);
    }
    elseif ($_SESSION['level'] === 3) {
        header("Location: http://www.example.com/moderator/");
        exit (0);
    }
    elseif ($_SESSION['level'] === 4) {
        header("Location: http://www.example.com/admin/");
        exit (0);
    }
    else {
        echo "You Don't Have Permission to View This Page";
    }

better yet:

    switch ($_SESSION['level']) {
        case 1:
            header("http://www.example.com/user/");
            exit (0);
            break;
        case 2:
            header("http://www.example.com/author/");
            exit (0);
            break;
        case 3:
            header("http://www.example.com/moderator/");
            exit (0);
            break;
        case 4:
            header("http://www.example.com/admin/");
            exit (0);
            break;
        default:
            header("http://www.example.com/no_access.php");
            exit (0);
            break;
    }

keep in mind that using the === comparable means that the variables being compared MUST be of the same value and the same type:

    $a = 1;
    $b = '1';
    $a === $b; // no dice.. $a is an integer and $b is a string
    $a == $b;  // true

kaiman Posted October 25, 2009

Still no dice! After trying both level checks it just errors out and won't redirect? It is registering the $_SESSION though, as I can manually enter the URL for the redirect page and it doesn't error out??

Here is what I have right now:

    <?php

    // connects to server and selects database.
    include ("dbconnect.inc.php");

    // table name
    $tbl_name="registered_members";

    // removes magic_quotes_gpc slashes
    function stripQuotes($arg) {
        if (get_magic_quotes_runtime()) {
            return stripslashes($arg);
        } else {
            return $arg;
        }
    }

    // protect against mysql injection
    function cleanString($string){
        htmlentities(mysql_real_escape_string($string));
        return $string;
    }

    // username and password sent from login form
    $username = stripQuotes($_POST['username']);
    $username = cleanString($username);
    $pass = sha1($_POST['pass']);

    // select info from database
    $sql="SELECT id, level FROM $tbl_name WHERE username='$username' AND password='$pass' LIMIT 1"; // LIMIT 1 will stop mysql from searching once it has found the result
    $result=mysql_query($sql) or trigger_error("A MySQL Error Has Occured!"); //Perhaps there was an error with the query?

    // mysql_num_row counts the table row
    $count = mysql_num_rows($result);

    // if result matched $username and $pass, table row must be 1 row
    if($count === 1){
        // register $_SESSION
        session_start();
        $_SESSION['username'] = $username;
        $_SESSION['pass'] = $pass;
        // pull rows into variables
        while (list($id, $level) = mysql_fetch_row($result)) {
            $_SESSION['id'] = $id;
            $_SESSION['level'] = $level;
        }
    }
    else {
        echo "Incorrect Username or Password";
        exit ;
    }

    // var_dump($row['id']);
    // var_dump($row['level']);

    // user levels
    // 0 = guest
    // 1 = user - default
    // 2 = auther
    // 3 = moderator
    // 4 = admin
    // 5 = banned user

    // check user levels === will check that type is also same (ie integer)
    if ($_SESSION['level'] === 1) {
        header("http://www.example.com/user/");
        exit (0);
    }
    elseif ($_SESSION['level'] === 2) {
        header("Location: http://www.example.com/author/");
        exit (0);
    }
    elseif ($_SESSION['level'] === 3) {
        header("Location: http://www.example.com/moderator/");
        exit (0);
    }
    elseif ($_SESSION['level'] === 4) {
        header("Location: http://www.example.com/admin/");
        exit (0);
    }
    else {
        echo "You Don't Have Permission to View This Page";
    }
    ?>

Thanks.
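
An added example, not code from any poster in this thread, pulling the login and level check together: bound parameters replace cleanString() (which returns its argument unescaped), one row is fetched without a loop, and the level is cast to int before lookup because mysql_fetch_row() returns column values as strings, so `=== 1` never matches. It swaps the thread's mysql_* calls and sha1() for PDO and password_hash()/password_verify(), uses an in-memory SQLite table with a constructed user so it runs offline, and the names authenticate() and landingPage() are hypothetical.

```php
<?php
declare(strict_types=1);

// Level -> landing page, using the thread's example.com URLs.
// Levels 0 (guest) and 5 (banned) are absent on purpose: no entry, no access.
const LANDING_PAGES = [
    1 => 'http://www.example.com/user/',
    2 => 'http://www.example.com/author/',
    3 => 'http://www.example.com/moderator/',
    4 => 'http://www.example.com/admin/',
];

// Hypothetical helper: returns ['id' => int, 'level' => int] or null.
function authenticate(PDO $db, string $username, string $password): ?array
{
    // The placeholder keeps the username out of the SQL text, so the query
    // does not depend on an escaping helper being written correctly.
    $stmt = $db->prepare(
        'SELECT id, level, password FROM registered_members WHERE username = ? LIMIT 1'
    );
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);   // at most one row: no while loop
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    // Cast once here so strict comparisons and array lookups see integers.
    return ['id' => (int) $row['id'], 'level' => (int) $row['level']];
}

// Hypothetical helper: null means "no access".
function landingPage(int $level): ?string
{
    return LANDING_PAGES[$level] ?? null;
}

// --- Demo: constructed user in an in-memory SQLite database ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE registered_members (
    id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT, level INTEGER DEFAULT 1)');
$db->prepare('INSERT INTO registered_members (username, password, level) VALUES (?, ?, ?)')
   ->execute(['demo', password_hash('correct horse', PASSWORD_DEFAULT), 1]);

// Constructed inputs: valid login, wrong password, username with quote characters.
foreach ([['demo', 'correct horse'], ['demo', 'wrong'], ["demo' -- ", 'x']] as [$u, $p]) {
    $user = authenticate($db, $u, $p);
    $url  = $user ? landingPage($user['level']) : null;
    // In a web request, on success: session_start(); session_regenerate_id(true);
    // store only id and level in $_SESSION (not the password hash), then
    // header('Location: ' . $url); exit;  The "Location: " prefix is required.
    printf("%-10s => %s\n", $u, $url ?? 'denied');
}
```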