Sql and php

jnich104 · 11-08-2009, 08:19 AM

Hey guys, i am creating a new script for my site and i am getting a error but i cant see where it is, and my MySQL looks right

Code

PHP Code:

  if($_GET['page'] == 'login')

    {

        $CONNECT = mysql_connect($DB_IP,$DB_USER,$DB_PASS);

            if(!$CONNECT)

                {

                    die('MySQL Error : '.mysql_error());

                }

        mysql_select_db($DB_NAME, $CONNECT);

 
        $RESULT = mysql_query("SELECT * FROM ".$PREFIX."accounts WHERE username='".$_POST['username']."");

        $RESULTB = mysql_query("SELECT * FROM ".$PREFIX."accounts WHERE username='".$_POST['username']." AND password=".md5($_POST['password'])."");

        while($row = mysql_fetch_array($RESULT))

          {

            

            

             while($rowb = mysql_fetch_array($RESULTB))

              {

                   session_regenerate_id();

                  $_SESSION['HEWP_MEMBER_ID'] = $rowb['user_id'];

                  $_SESSION['HEWP_FIRSTNAME'] = $rowb['user_firstname'];

                  header('location: index.php');

              }

                  else

              {

                  session_regenerate_id();

                $_SESSION['HEWP_ERROR'] = 'Password was wrong';

                header('location: login.fun.php');

              }

          } 

              else 

         {

              session_regenerate_id();

              $_SESSION['HEWP_ERROR'] = 'Username was wrong';

              header('location: login.fun.php');

          }

        mysql_close($CONNECT);

        

    }

Error

PHP Code:

  Parse error: parse error in C:wampwwwfunctions.php on line 30

Line 30 :

PHP Code:

  }

/* ->  */ else 

{

Any ideas

DJMaze · 11-08-2009, 08:48 AM

PHP Code:

  while { } else { }

Is that valid code?

jnich104 · 11-08-2009, 09:07 AM

KK so i cant have else after a while. Thanks

DJMaze · 11-08-2009, 09:17 AM

duh. They are:
if {} else {}
do {} while ()

Read: PHP: Control Structures - Manual
NOTE: skip "goto" it sucks hard!

billybolsa · 11-13-2009, 03:00 PM

you should also call session_start() at the beginning (with nothing above it) of your document if your going to be working with session variables, otherwise they will not work.

farmdve · 11-13-2009, 05:24 PM

Seeing this code i see quite a few security holes with those posts. Anyone can execute a simple mysql injection through those.
The password is ok tho but use mysql_real_escape_string on all the posts that you compare in the db

jnich104 · 11-24-2009, 09:47 AM

How do i use this Function mysql_real_escape_string()

?? i looked into it and it confusing me

billybolsa · 11-24-2009, 09:53 AM

$string =mysql_real_escape_string($stringToStrip);

but you can only use this if you establish a mysql connection first. Otherwise it will produce errors. I think its probably a better idea to create your own validating functions because then you can use them any where you want.

jnich104 · 11-29-2009, 07:05 AM

k so if i got

PHP Code:

  function strip($code)

  {

  }

What code would i put which will strip code for input text???

sde · 11-29-2009, 11:14 PM

PHP Code:

  $username = mysql_real_escape_string($_POST['username']);

then pass $username instead of $_POST['username'] in the query.