[SOLVED] Login Script Help

[GOLDfish_74]

Hey there,

I used a tutorial and changed it to suit my site. And when I attempted to run the page I returned this error:

 

Parse error: parse error, expecting `T_STRING' or `T_VARIABLE' or `T_NUM_STRING' in c:\easyphp\www\login.php on line 11

 

This is what the code looks like:

Line 11 is the first mysql_query

<?
session_start();
include ('includes/dbconnect.php');
include ('includes/session_def.php');
// This is the username and password you login with, you can also use 
// a database to get the username and match it up (later tutorial).


// If the form was submitted 
if (isset($_POST['Submit'])) {
$userquery = mysql_query("SELECT user_id FROM users WHERE user_id = '$_POST['Username']'") or die(mysql_error());
$pinquery = mysql_query("SELECT user_pin FROM users WHERE user_id = '$_POST['Username']'") or die(mysql_error());
$namequery = mysql_query("SELECT user_name FROM users WHERE user_id = '$_POST['Username']'") or die(mysql_error());
$secquery = mysql_query("SELECT user_sec FROM users WHERE user_id = '$_POST['Username']'") or die(mysql_error());

    // If the username and password match up, then continue... 
    if ($_POST['Username'] == $userquery && $_POST['Password'] == $pinquery) { 

        // Username and password matched, set them as logged in and set the 
        // Username to a session variable. 
        $_SESSION['logged'] = true; 
        $_SESSION['username'] = $namequery;
        $_SESSION['userid'] = $userquery;
	$_SESSION['usersec'] = $secquery;
    } else {
echo('Either the User ID or PIN was incorrect.');
}
} 

// If they are NOT logged in then show the form to login... 
if ($_SESSION['logged'] = false) { 

    echo '<form method="post" action="' . $_SERVER['PHP_SELF'] . '"> 
        Username: <input type="textbox" name="Username"><br /> 
        Password: <input type="textbox" name="Password"><br /> 
        <input type="Submit" name="Submit"> 
    </form>'; 
} 
else 
{ 
    echo "You are logged in as: <b>" . $_SESSION['username'] . "</b> 
    <br /><a href=\"" . $_SERVER['PHP_SELF'] . "?mode=logout\">Logout</a>"; 
} 

// If they want to logout then 
if (isset($_GET['mode']) && $_GET['mode'] == "logout") { 
session_defaults();
    // Redirect to show results.. 
    echo '<META HTTP-EQUIV="refresh" content="1; URL=' . $_SERVER['PHP_SELF'] . '">'; 
} 
?>

 

I am sure it is something simple, but I have never been that good at interpreting error messages.

 

Regards,

 

THEfish!

[spode]

I'm sort of a noob, but to me it sounds like (if I counted line numbers correctly) that it is trying to retrieve information that doesn's exist. But don't listen to me .

[GOLDfish_74]

Well I think you could be right, but isn't that what the

if isset() {

is for?

Why would it even be looking at line 11?

Keep me posted,

 

THEfish!

[john010117]

Change the first query to this:

	
$userquery = mysql_query("SELECT user_id FROM users WHERE user_id = '$_POST[username]'") or die(mysql_error());

 

I have removed the ' from Username. Do that for all the queries.

[GOLDfish_74]

This time I got an error in one of my includes:

 

Parse error: parse error, expecting `T_STRING' in c:\easyphp\www\includes\session_def.php on line 2

 

I'm sure you can locate line 2 on your own this time 

<?
function (session_defaults()) {
$_SESSION['logged'] = (false);
$_SESSION['userid'] = (0);
$_SESSION['username'] = ('');
$_SESSION['usersec'] = (0);
}
if (!isset($_SESSION['userid']) ) {
session_defaults();
}
?>

 

I have never used function() before besides copying from tutorials, this is my first attempt. Thanks in advance for your help.

 

Regards,

 

TEHdish! lol

[john010117]

Remove the first set of brackets.

 

function session_defaults() {

 

If you have copied that from a tut, look for a different tut.

[GOLDfish_74]

Well I have been through so many different tutes and this one was the closest to doing all I need it to do. I dont need much for this. That has solved that problem... damn this is getting annoying though. Now it is just saying I am logged in without having logged in! I'll look over this one myself and post again if I have any problems though,

 

Thanks for your time,

 

THEfish!

[trq]

Sorry, but that code is ridiculous on so many levels. Try this...

 

<?php

  session_start();
  include ('includes/dbconnect.php');
  include ('includes/session_def.php');

  if (isset($_POST['Submit'])) {
    $uname = mysql_real_escape_string($_POST['Username'];
    $upass = mysql_real_escape_string($_POST['Password'];
    if ($result = mysql_query("SELECT user_id,user_pin,user_name,user_sec FROM users WHERE user_name = '$uname' && user_pin = '$upass'")) {
      if (mysql_num_rows($result)) {
        $row = mysql_fetch_assoc($result);
        $_SESSION['logged'] = true; 
        $_SESSION['username'] = $uname;
        $_SESSION['userid'] = $row['user_id'];
        $_SESSION['usersec'] = $row['user_sec'];
      } else {
        echo('Either the User ID or PIN was incorrect.');
      }
    }
  } 

  if (!isset($_SESSION['logged'])) { 
    echo "<form method=\"post\">";
    echo "  Username: <input type=\"textbox\" name=\"Username\"><br />";
    echo "  Password: <input type=\"textbox\" name=\"Password\"><br />";
    echo "  <input type=\"Submit\" name=\"Submit\">";
    echo "</form>";
  } else {
    echo "You are logged in as: {$_SESSION['username']}<br />"; 
    echo "<a href=\"{$_SERVER['PHP_SELF']}?mode=logout\">Logout</a>"; 
  } 

  if (isset($_GET['mode']) && $_GET['mode'] == "logout") { 
    session_defaults(); 
    header("Location: {$_SERVER['PHP_SELF']}");
  }

?>

[spode]

lol...pretty much owned.

[GOLDfish_74]

Here I thought I got pwned too, but it says your line 8 has a parse error in it.

I had a look at the manual on php.net but couldn't understand exactly how i should use mysql_real_escape_string all I know is that it adds security.

 

Can someone fill me in on the correct usage for that function, or just what simple thing is missing from the line.

 

Thank you,

THEfish!

[kathas]

no big deal he just forgot to close the brackets...

 

$uname = mysql_real_escape_string($_POST['Username']);
    $upass = mysql_real_escape_string($_POST['Password']);

 

i suggest you use his code...

[GOLDfish_74]

Oh, definately agreed:

Will this work with passwords that are md5-ed?

Because I tried to change the password field to a password type and it would not work. Just said the username or password was wrong.

 

Regards,

 

THEfish!

[trq]

Will this work with passwords that are md5-ed?

 

Not as is, but simply change...

 

$upass = mysql_real_escape_string($_POST['Password']);

 

to...

 

$upass = md5(mysql_real_escape_string($_POST['Password']));

 

Because I tried to change the password field to a password type and it would not work.

 

What exactly do you mean by this?

[GOLDfish_74]

By that I meant <input type="password".... >

So doesn't that make it md5 without the use of md5(...);?

 

Also I am having a problem with a section of the code:

  if ($_SESSION['logged']='0') { 
    echo "<form method=\"post\">";
    echo "  Username: <input type=\"textbox\" name=\"username\"><br />";
    echo "  Password: <input type=\"password\" name=\"password\"><br />";
    echo "  <input type=\"Submit\" name=\"Submit\">";
    echo "</form>";
  } else {
    echo ('logged = ');
    echo ($_SESSION['logged']);
    echo ('<br>');
    echo ("You are logged in as: {$_SESSION['username']}<br />"); 
    echo ("<a href=\"{$_SERVER['PHP_SELF']}?mode=logout\">Logout</a>"); 
  } 

 

This returns (when run with the whole script, not just this portion):

Logged = 0

You are logged in as

Logout

 

Why would it return that? It shouldn't execute that part of the script if logged = 0.

 

Regards,

 

THEfish!

[trq]

By that I meant <input type="password".... >

So doesn't that make it md5 without the use of md5(...);?

 

No. Thats simple html and just hides the password while its typed.

 

As for the rest. = is the assignment operator, your looking for ==. Also, integers are not strings... do not surround them in quotes.

 

<?php
if ($_SESSION['logged'] == 0) { 
    echo "<form method=\"post\">";
    echo "  Username: <input type=\"textbox\" name=\"username\"><br />";
    echo "  Password: <input type=\"password\" name=\"password\"><br />";
    echo "  <input type=\"Submit\" name=\"Submit\">";
    echo "</form>";
  } else {
    echo 'logged = ';
    echo $_SESSION['logged'];
    echo '<br>';
    echo "You are logged in as: {$_SESSION['username']}<br />"; 
    echo "<a href=\"{$_SERVER['PHP_SELF']}?mode=logout\">Logout</a>"; 
  }
?>

 

The use of isset however is less problematic.

[MadTechie]

OK first

<input type="password".... >  means display entry as ***

 

2nd

if ($_SESSION['logged']='0') {  

will SET $_SESSION['logged'] to '0'

 

you need $_SESSION['logged']== '0';

 

3rd without seeing the whole script its impossible hard to say exactly what the problem is

 

 

EDIT: thorpe is too quick for me

[GOLDfish_74]

I originally didn't have quotes, but when in desperation lol.

That worked at treat though!

Thanks all for your help... ALL login garbage works perfectly for now... until I decide to change something.

 

Ciao for now!

 

THEfish!

[GOLDfish_74]

$upin = md5(mysql_real_escape_string($_POST['pin']));

 

Where is the parse error in that?!

 

I am lost!

 

THEfish!

[GOLDfish_74]

I can answer my own question there.... wrong file.

 

This is the line that has the parse error:

$logentry = mysql_query("INSERT INTO log (log_user_id, log_action, log_datetime) VALUES ('".$_SESSION['userid']."', 'User entered entry.php', '".$timedate")");

 

Thanks if you can spot the error,

THEfish!

 

NB: DONT WORRY (not that you were) FOUND IT!