gtrufitt Posted March 6, 2008

Hi,

I am a complete newbie with PHP and MySQL and am trying to build a user login system. So far I have the following code.

The form that the user logs in with:

```html
<form action="authenticate.php" id="login" method="post">
<label for="username">User name:</label><input type="text" id="username" name="username" />
<label for="password">Password:</label><input type="password" id="password" name="password />
<p class="login"><input type="submit" name="login" value="Login" />
</form>
```

and the authenticate.php PHP:

```php
<?php
@mysql_connect("localhost", "admin", "admin") or die("Cannot connect to DB!");
@mysql_select_db("padgate") or die("Cannot select DB!");
$sql = "SELECT email FROM user WHERE email = '".$username."' AND password = '”.$password.”'”;
$r = mysql_query($sql);
if(!$r) {
    $err=mysql_error();
    print $err;
    exit();
}
if(mysql_affected_rows()==0) {
    echo 'no such login please try again.' ;
    exit();
} else {
    echo 'successfully logged into system.';
}
?>
```

However, when I run it I get the error:

Parse error: syntax error, unexpected $end in C:\Inetpub\wwwroot\padgate2\authenticate.php on line 21

But I cannot work out what it means! Any help would be great please!

Gareth
revraz Posted March 6, 2008

What's up with the weird quotes around $password in your query?
cooldude832 Posted March 6, 2008

Okay, let's clear up a few things so you do it right the first time:

1) Do not suppress any errors with the @ sign while debugging
2) All queries need to be in the form $r = mysql_query($sql) or die(mysql_error()."<Br /><br /.".$sql); so errors are populated
3) You don't define $username and $password
4) If you do, there is no injection protection on them, i.e. mysql_real_escape_string
5) Your error is in an unclosed bracketed ({ }) section.

Clean it up and repost
helraizer Posted March 6, 2008

```php
<?php
@mysql_connect("localhost", "admin", "admin") or die("Cannot connect to DB!");
@mysql_select_db("padgate") or die("Cannot select DB!");
$sql = "SELECT email FROM user WHERE email='$username' AND password='$password'";
$r = mysql_query($sql);
if(!$r) {
    $err=mysql_error();
    print $err;
    exit();
}
if(mysql_affected_rows()==0) {
    echo 'no such login please try again.' ;
    exit();
} else {
    echo 'successfully logged into system.';
}
?>
```

Your problem was you may have copied the statement from somewhere, or something. You needed quotes " rather than ” - so PHP thought the rest of the code was part of $sql.

The code I posted here will now work.

Sam
revraz Posted March 6, 2008

It won't really work, since the two variables are not defined, but at least that one error will be gone.
cooldude832 Posted March 6, 2008

> It won't really work, since the two variables are not defined, but at least that one error will be gone.

Unless they live in candyland where it's okay to have registered globals on and they pull off post vars defined in the global. Until some mugger comes along and steals all the candy and leaves you crying 'cause you left registered globals turned on
gtrufitt (Author) Posted March 6, 2008

Ok, cheers, I tried to clean up the code; however, I'm not sure how to define the variables. Thanks for your help.

```php
<?php
mysql_connect("localhost", "admin", "admin") or die("Cannot connect to DB!");
mysql_select_db("padgate") or die("Cannot select DB!");
$sql = "SELECT email FROM user WHERE email = '".$username."' AND password = '".$password."'";
$r = mysql_query($sql) or die(mysql_error()."<Br /><br /.".$sql);
if(!$r) {
    $err=mysql_error();
    print $err;
    exit();
}
if(mysql_affected_rows()==0) {
    echo 'no such login please try again.' ;
    exit();
} else {
    echo 'successfully logged into system.';
}
?>
```

I was also unsure what you meant by:

> 4) if you do there is no injection protection on them i.e mysql_real_escape_string
> 5) Your error is in an unclosed bracketed ({ }) section.

Cheers
revraz Posted March 6, 2008

Don't worry about #5, it wasn't correct.

Here's a tutorial on forms: http://www.tizag.com/phpT/forms.php

As for the injection part, get past this and we'll explain more.
gtrufitt (Author) Posted March 6, 2008

Ok, thanks for that tutorial, I understand that now. Are the variables defined in the correct place here?

Also, when I try to log in with a username and password that I know are in the MySQL user table, the result always comes back as 'no such login please try again.'

```php
<?php
mysql_connect("localhost", "admin", "admin") or die("Cannot connect to DB!");
mysql_select_db("padgate") or die("Cannot select DB!");
$username = $_POST['username'];
$password = $_POST['password'];
$sql = "SELECT email FROM user WHERE email = '.$username.' AND password = '.$password.'";
$r = mysql_query($sql) or die(mysql_error()."<Br /><br /.".$sql);
if(!$r) {
    $err=mysql_error();
    print $err;
    exit();
}
if(mysql_affected_rows()==0) {
    echo 'no such login please try again.' ;
    exit();
} else {
    echo 'successfully logged into system.';
}
?>
```
cooldude832 Posted March 6, 2008

Drop the if(!$r) since you now have proper error reporting.

mysql_affected_rows is for an update query; use mysql_num_rows()
uniflare Posted March 6, 2008

WHERE email = '.$username.'

You sure this shouldn't be:

WHERE username = '.$username.'
revraz Posted March 6, 2008

Yep, it would help if we knew your DB table layout. Also, did you manually enter the info into the DB and is the PW in plain text?

May want to review this: http://www.roscripts.com/PHP_login_script-143.html
gtrufitt (Author) Posted March 6, 2008

Yea, the database username field is named email. Sorry, that is slightly confusing. I already have a signup form so the details are added through that. It's plain text at the moment, yea.

Sorry, the layout is:

ID - PK - AutoInc
PASSWORD - Varchar (20)
EMAIL - Varchar (65)
F_NAME - Varchar (45)
L_NAME - Varchar (45)
revraz Posted March 6, 2008

Did you change

if(mysql_affected_rows()==0)

to

if(mysql_num_rows($r) == 0)
gtrufitt (Author) Posted March 6, 2008

Yea, the code is now:

```php
<?php
mysql_connect("localhost", "admin", "admin") or die("Cannot connect to DB!");
mysql_select_db("padgate") or die("Cannot select DB!");
$username = $_POST['username'];
$password = $_POST['password'];
$sql = "SELECT email FROM user WHERE email = '.$username.' AND password = '.$password.'";
$r = mysql_query($sql) or die(mysql_error()."<Br /><br /.".$sql);
{
    $err=mysql_error();
    print $err;
    exit();
}
if(mysql_num_rows($r) == 0) {
    echo 'no such login please try again.' ;
    exit();
} else {
    echo 'successfully logged into system.';
}
?>
```

But it only shows a blank page now when the login form is submitted.
cooldude832 Posted March 6, 2008

try

```php
<?php
mysql_connect("localhost", "admin", "admin") or die("Cannot connect to DB!");
mysql_select_db("padgate") or die("Cannot select DB!");
$username = $_POST['username'];
$password = $_POST['password'];
$sql = "SELECT email FROM user WHERE email = '.$username.' AND password = '.$password.'";
$r = mysql_query($sql) or die(mysql_error()."<Br /><br /.".$sql);
if(mysql_num_rows($r) >0){
    echo "successfully logged into system.";
}
else{
    echo "invalid login.";
}
?>
```
gtrufitt (Author) Posted March 6, 2008

Thanks, I am now seeing invalid login again though, when trying to log in. Is there any reason why the word 'test', when added into the varchar fields of email and password, would not work when trying to log in?
helraizer Posted March 6, 2008

In the SQL statement, you don't need to break the string, only for echo. Use

$sql = "SELECT email FROM user WHERE email = '$username' AND password = '$password'";

You should also protect your variables -

```php
<?php
mysql_connect("localhost", "admin", "admin") or die("Cannot connect to DB!");
mysql_select_db("padgate") or die("Cannot select DB!");
$username = mysql_real_escape_string(htmlspecialchars($_POST['username']));
$password = mysql_real_escape_string(htmlspecialchars($_POST['password']));
$sql = "SELECT email FROM user WHERE email = '$username' AND password = '$password'";
$r = mysql_query($sql) or die(mysql_error()."<Br /><br /.".$sql); // don't use your SQL statement in your error. It will let malicious users know your table structure and open it up to sql injection.
$count = mysql_num_rows();
if($count == 0) {
    echo 'no such login please try again.' ;
    exit();
} else {
    echo 'successfully logged into system.';
}
?>
```

Your problem is with

$sql = "SELECT email FROM user WHERE email = '.$username.' AND password = '.$password.'";

You don't need the full stops. Let's say you have a username helraizer and password testing123.

Your SQL statement is

SELECT email FROM user WHERE email = '.helraizer.' AND password = '.testing123.'

but my username is helraizer, not .helraizer. and my password is testing123, not .testing123. so it won't find anything - do you see what I mean? Take out the dots and it should be fine.

MySQL is also case sensitive so it'd be

$sql = "SELECT EMAIL FROM user WHERE EMAIL = '$username' AND PASSWORD = '$password'";

Sam
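An added example (not code from any poster in this thread) of the same login check written with PDO prepared statements and password_hash()/password_verify(), in place of escaped string interpolation and a plain-text password column; the mysql_* functions used in the thread were removed in PHP 7.0. It assumes PHP 7.1 or later with the pdo_sqlite extension; the in-memory SQLite database, the register() and authenticate() helpers and the sample account are constructed for illustration.

```php
<?php
// Added example: in-memory SQLite stands in for the thread's MySQL "padgate" database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// The thread's PASSWORD VARCHAR(20) column is too short to hold a hash; 255 leaves room.
$pdo->exec('CREATE TABLE user (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    email VARCHAR(65) UNIQUE NOT NULL,
    password VARCHAR(255) NOT NULL)');

// Hypothetical helper: what the sign-up page would call.
function register(PDO $pdo, string $email, string $password): void
{
    // Store a salted hash, never the plain-text password.
    $stmt = $pdo->prepare('INSERT INTO user (email, password) VALUES (?, ?)');
    $stmt->execute([$email, password_hash($password, PASSWORD_DEFAULT)]);
}

// Hypothetical helper: what authenticate.php would call.
function authenticate(PDO $pdo, string $email, string $password): bool
{
    // Placeholders keep user input out of the SQL text, so a quote character
    // in the input cannot change the query. Look the row up by email only.
    $stmt = $pdo->prepare('SELECT password FROM user WHERE email = ?');
    $stmt->execute([$email]);
    $hash = $stmt->fetchColumn(); // false when no row matched
    return is_string($hash) && password_verify($password, $hash);
}

// Constructed sample accounts; the second has an apostrophe in the address,
// which breaks an unescaped interpolated query but is plain data here.
register($pdo, 'test@example.com', 'test');
register($pdo, "o'brien@example.com", 'testing123');

$attempts = [
    ['test@example.com', 'test'],          // valid login
    ['test@example.com', 'wrong'],         // wrong password
    ["o'brien@example.com", 'testing123'], // valid login, apostrophe in email
    ['nobody@example.com', 'test'],        // unknown account
];
foreach ($attempts as [$email, $password]) {
    try {
        $ok = authenticate($pdo, $email, $password);
    } catch (PDOException $e) {
        error_log($e->getMessage()); // details go to the server log, not the browser
        $ok = false;
    }
    echo $ok ? "successfully logged into system.\n" : "invalid login.\n";
}
```

The password is passed to password_verify() unmodified; HTML escaping such as htmlspecialchars() belongs where a value is printed into a page, so that sign-up and login always compare the same bytes.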
gtrufitt (Author) Posted March 6, 2008

Ah right ok, that's great, I understand what you mean. For some reason I am still getting the same problem though. I also get this error with that code.

Warning: Wrong parameter count for mysql_num_rows() in C:\Inetpub\wwwroot\padgate2\authenticate.php on line 13
wildteen88 Posted March 6, 2008

$count = mysql_num_rows($r);

mysql_num_rows requires the result resource identifier; you have captured the result resource identifier with the $r variable
helraizer Posted March 6, 2008

> Ah right ok, that's great, I understand what you mean. For some reason I am still getting the same problem though. I also get this error with that code.
>
> Warning: Wrong parameter count for mysql_num_rows() in C:\Inetpub\wwwroot\padgate2\authenticate.php on line 13

In my code? Then add $r into it so

$count = mysql_num_rows($r);

Try that; should get rid of the error. It should (in theory) also fix the problem.

Sam
gtrufitt (Author) Posted March 6, 2008

Yup, in your code, I added

$count = mysql_num_rows($r);

It got rid of the warning but rather frustratingly I still cannot get the username and password to work!

On the sign up form, is there something that would cause this to happen if the user uses 'test' as their username and 'test' as their password in a varchar field, that when they try to log in with this form with the same username and password would stop it from working!?
peranha Posted March 6, 2008

If you could, post the register page.
gtrufitt (Author) Posted March 6, 2008

Here is the register page:

```php
<html>
<head>
<title>Untitled Document</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link rel="stylesheet" type="text/css" href="main.css" />
</head>
<body>
<div id="center">
<div id="logo"> <img src="/images/padcommlogo.png" alt="PadComm" /></div>
<?php include("php/login.php"); ?>
<?php include("php/navigation.html"); ?>
<div id="content">
<h2>Sign Up!</h2>
<p>
</head>
<body>
<?php
include("php/connect.php");
$query = "INSERT INTO user (id, password, email, f_name, l_name) VALUES (0, '{$_POST['password']}', '{$_POST['email']}', '{$_POST['f_name']}', '{$_POST['l_name']}')";
$query2 = "INSERT INTO profile (id) VALUES (0)";
$query3 = "INSERT INTO userhall (id, hallid) VALUES (0, '{$_POST['hallid']}')";
if (@mysql_query ($query)) {
    if (@mysql_query ($query2)) {
        if (@mysql_query ($query3)) {
            print '<p> User Created. </p>';
        } else {
            echo "<p> Could not create user in userhall because: <b> ".mysql_error()." </b> . The query was $query3. </p>";
        }
    } else {
        echo "<p> Could not create user in user because: <b> ".mysql_error()." </b> . The query was $query2. </p>";
    }
} else {
    echo "<p> Could not create user in profile because: <b> ".mysql_error()." </b> . The query was $query. </p>";
}
?>
<form action="<?php echo $SERVER['PHP_SELF']; ?>" id="signup" method="post" onsubmit="return checkPw(this)"; "validate_form(this)">
<fieldset>
<legend>Sign Up!</legend>
<p> <label for name="email">E-Mail address:</label> <input type="text" name="email" size="60" maxsize="60" /> </p>
<p> <label for name="password">Password:</label> <input type="password" name="password" size="20" maxsize="20" /> </p>
<p> <label for name="password2">Confirm password:</label> <input type="password" name="password2" size="20" maxsize="20" /> </p>
<p> <label for name="f_name">First Name:</label> <input type="text" name="f_name" size="45" maxsize="45" /> </p>
<p> <label for name="l_name">Last Name: </label> <input type="text" name="l_name" size="45" maxsize="45" /> </p>
<p> <label for name="hallid">Hall Number:</label>
<select name="hallid">
<option value="1">Hall 1</option>
<option value="2">Hall 2</option>
<option value="3">Hall 3</option>
<option value="4">Hall 4</option>
<option value="5">Hall 5</option>
<option value="6">Hall 6</option>
<option value="7">Hall 7</option>
<option value="8">Hall 8</option>
<option value="9">Hall 9</option>
<option value="10">Off Campus</option>
</select> </p>
<p class="submit"> <input type="submit" name="submit" value="Sign Up!" />
</fieldset>
</form>
</div>
<?php include("php/footer.php"); ?>
</div>
</body>
</html>
```
uniflare Posted March 6, 2008

Ok, to make this easy, echo the query before you send it to MySQL and tell us the exact query that gets sent, e.g.:

```php
$sql = "SELECT email FROM user WHERE email = '$username' AND password = '$password'";
exit($sql); // remove line once you have the query.
$r = mysql_query($sql) or die(mysql_error()."<Br /><br /.".$sql); // don't use your SQL statement in your error. It will let malicious users know your table structure and open it up to sql injection.
....
```

Then we can get a better understanding of what's wrong...

cheers