Parse error: syntax error, unexpected $end in...
  • code green
    Recognized Expert Top Contributor
    • Mar 2007
    • 1726

    #16
    Lets improve your code a bit to narrow down the problem
    Code:
    <?php 
    session_start(); // must run before any output: it sends the session cookie header
    include("admin-dbcon.php"); 
      
    //Check to see if the username and password is in database
    $username = $_POST['username']; 
    echo $username; #disable for header to work
    $password = $_POST['password'];  
    echo $password; #disable for header to work
    
    $sql = "select * from admin_login 
        where username = '$username' 
        and password = '$password'";
    echo $sql; #disable for header to work
    
    if($validate = mysql_query($sql))
    {  
         $isvalid = mysql_num_rows($validate);
         echo $isvalid; 
      
         //if valid login send on, if not send to error page 
        if ($isvalid) 
        { 
           $_SESSION['username'] = $_POST['username']; 
           while ($row=mysql_fetch_array($validate))
           { 
                 $_SESSION['userid']=$row["ID"]; 
           } 
           print_r($_SESSION);#disable for header to work
           //If everything is OK up to here un-comment header
           #header("Location: admintasks.php"); 
        } 
       else 
       { 
         echo 'invalid login';
         #header("Location: login-error.php"); 
       } 
    }else echo 'empty recordset';
    ?>


    • Atli
      Recognized Expert Expert
      • Nov 2006
      • 5062

      #17
      Code_green is right there.
      The header function, as well as any function that alters the HTTP headers, can't be called after you have started sending output.

      Output being: echo calls, HTML before the <?php ?> block, whitespace before the <?php ?> block... anything like that.

      The reason for this, just to clarify, is that an HTTP response is composed of two parts; the headers and the content.
      The headers must be sent before the contents, which is why you can not alter the headers after you start sending content.

      P.S.
      To reiterate my earlier point about SQL Injection.
      The login script you posted there, where you put the $_POST values directly into the SQL query, is wide open for even a novice hacker.
      Something as simple as passing ' or 1='1 as the password might be enough to log in using an invalid user-name.

      mysql_real_escape_string - If your data hasn't been passed through this function, do not use it! (99% of the time, anyway)

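An added example (not code from this thread) of the header ordering rule described above: a redirect helper that uses headers_sent() to report where output began, and exits after header() so the rest of the login script does not keep running. The function names are assumptions for illustration.

```php
<?php
// Added example, not code from the thread.
// Nothing may be written to the client before redirect_to() runs: no echo,
// no HTML, and no whitespace before the opening <?php tag of any included file.

function redirect_to(string $url): void
{
    // headers_sent() reports the file and line that started the output,
    // which is what you need when the culprit is a stray blank line in an
    // included file such as admin-dbcon.php.
    if (headers_sent($file, $line)) {
        error_log("Cannot redirect to $url: output already started at $file:$line");
        return;
    }
    header('Location: ' . $url);
    // Always stop here. The Location header only asks the browser to
    // navigate; without exit, the remainder of the script keeps executing,
    // so code after a failed-login redirect would still run.
    exit;
}

// Hypothetical tail of the login script: $isvalid is the row count from
// the database check, computed before any output has been produced.
function finish_login(bool $isvalid): void
{
    redirect_to($isvalid ? 'admintasks.php' : 'login-error.php');
}
```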

      • mideastgirl
        New Member
        • Jun 2009
        • 65

        #18
        Still having a problem...

        Unfortunately that did not go as planned:( I replaced the script with your suggestions and now my username and password are on the adminloginprocess.php page:

        usernamepasswordselect * from admin_login where username = 'xxx' and password = 'xxx'1Array ( [username] => xxx [userid] => )

        That was not exactly the desired result I was looking for, however I do appreciate all of your help!


        • code green
          Recognized Expert Top Contributor
          • Mar 2007
          • 1726

          #19
          No! The code I posted is part of the debugging process.
          It was to help you 'see' what is happening.
          It hasn't a chance in hell of making your script 'work'.

          You need to understand that you cannot keep hacking at a piece of code.
          You have to take it apart, find out where it is going wrong then put it back together.

          Nobody here is going to give you a completed script.
          But we will help you overcome specific problems.

          So the code supplied is demonstrating this process.
          Are all the echoed values as expected?

          Repeat what I have done in your other files.


          • mideastgirl
            New Member
            • Jun 2009
            • 65

            #20
            _post?

            Atli,
            You said that the _POST information should not be seen because it can be hacked into, but I am not really sure where this should go then? These are my database files, which will not actually be viewed by anyone because in theory when the user logs in it should either go to the error page or the admintasks page. I have been informed by the IT Department here on campus, where I am a student, to make sure I have database files where I keep these scripts. He has also suggested putting my login for the database in a separate file, which I have done. I guess I am lost, because you are suggesting one thing while someone else is suggesting another.


            • mideastgirl
              New Member
              • Jun 2009
              • 65

              #21
              Parse error: syntax error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING o

              CODE GREEN:
              I was not aware the script that you gave me was for debugging. As I mentioned I am completely new to this php stuff. I have built websites before in html, but never in php where I needed to connect to a database. I have been reading up and trying things with php for the past two months. This is the first post I have made on any forum in regards to php or mysql, so I do not exactly know how they work. I HAVE read the guidelines, and I have also looked at other posts and have found that many times those replying give the person with a question a code to try. I thought that is what you had done.
              In any case, this is the code I am now using, and am receiving a different error than before.

              [code=php]
              <?php
              include("admin-dbcon.php");

              //Check to see if the username and password is valid (if it is in the database)
              $username =$_POST ['username'];
              echo $username;
              $password = $_POST['password'];
              echo $password;

              $sql ="select * from admin_login where username = 'username' and password = 'password';
              echo $sql;
              if ($validate = mysql_quere($sql))
              {

              $isvalid=mysql_num_rows($validate);
              echo $isvalid;

              //if valid login send on, if not send to error page
              if ($isvalide)
              {
              $_SESSION['username'] = $_POST[username];
              while ($row=mysql_fetch_array($validate))
              {
              $_SESSION['userid']=$row["ID"];
              }
              if ($isvalid)
              {
              $_SESSION['username'] = $_POST[username];
              while ($row=mysql_fetch_array($validate))
              {
              $_SESSION['userid']=$row["ID"];
              }
              print_r($SESSION);
              #header("Location: admintasks.php");
              }
              else{
              echo 'invalid login';
              #header (Location: login-error.php");
              }
              }else echo 'empty recordset';
              ?>
              [/code]


              • Atli
                Recognized Expert Expert
                • Nov 2006
                • 5062

                #22
                Line #19 of your latest code example. You spell the $isvalid variable name incorrectly. There is an extra "e" at the end there.

                And the if on line #26 isn't really needed, as you have already validated the $isvalid variable at that point in line #19.

                Originally posted by mideastgirl
                Atli,
                You said that the _POST information should not be seen because it can be hacked into, but I am not really sure where this should go then? These are my database files, which will not actually be viewed by anyone because in theory when the user logs in it should either go to the error page or the admintasks page. I have been informed by the IT Department here on campus, where I am a student, to make sure I have database files where I keep these scripts. He has also suggested putting my login for the database in a separate file, which I have done. I guess I am lost, because you are suggesting one thing while someone else is suggesting another.
                What I am suggesting has nothing to do with database connection files, or anything of that sort.

                What I am saying is:
                You need to validate the information that your clients are passing to you via the <form> elements on your page.

                For example, if I have this form:
                [code=php]
                <form action="login.php">
                User: <input name="Username" type="text" /><br />
                Pass: <input name="Password" type="password" /><br />
                <input type="submit" />
                </form>[/code]
                And this query in a login script:
                [code=php]
                $sql = "SELECT `UserID` FROM `User`
                WHERE `UserName` = '{$_POST['Username']}'
                AND `Password` = '{$_POST['Password']}'";
                $result = mysql_query($sql) or die(mysql_error());
                [/code]
                This query should work perfectly. Valid users would return the UserID and invalid users would return an empty set.

                But... if I were to put ANY username into the field, and use ' OR 1='1 as my password, it would turn the query into this:
                Code:
                SELECT `UserID` FROM `User`
                WHERE `UserName` = 'random username'
                AND   `Password` = '' OR 1='1'
                Which would return the ENTIRE TABLE, and successfully validate the user, even tho he doesn't exist.

                This is what you have to protect against.
                If I were to change the query in my previous script like so:
                [code=php]
                // Get and sanitize the user input
                $sUsername = mysql_real_escape_string($_POST['Username']);
                $sPassword = mysql_real_escape_string($_POST['Password']);

                // Check if the username and password are valid
                $sql = "SELECT `UserID` FROM `User`
                WHERE `UserName` = '{$sUsername}'
                AND `Password` = '{$sPassword}'";
                $result = mysql_query($sql) or die(mysql_error());[/code]
                Using the password I used earlier, would create this query:
                Code:
                SELECT `UserID` FROM `User`
                WHERE `UserName` = 'random username'
                AND   `Password` = '\' OR 1=\'1'
                Now the previous scenario would fail, because the mysql_real_escape_string function escaped the quotes, turning the password into a single string of text, rather than allowing it to alter the actual query.

                See what I mean?

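An added example, not from this thread, that builds the two query strings Atli shows above from the same input and then gives the prepared-statement form that avoids assembling SQL from strings at all. It assumes Atli's `User` table; escape_like_mysql() and the build_query_* names are stand-ins for illustration (mysql_real_escape_string() needs a live connection), and $db is an assumed open mysqli connection.

```php
<?php
// Added example, not code from the thread.

// Constructed sample input: any username, plus the password from the thread.
$input = ['Username' => 'random username', 'Password' => "' OR 1='1"];

// The pattern from the thread: user input pasted straight into the SQL text.
function build_query_unsafe(array $in): string
{
    return "SELECT `UserID` FROM `User`\n"
         . "WHERE `UserName` = '{$in['Username']}'\n"
         . "AND   `Password` = '{$in['Password']}'";
}

// Stand-in for mysql_real_escape_string(): applies the same escaping rules
// (backslash before \ ' " NUL \n \r and Ctrl-Z) so the demo runs offline.
function escape_like_mysql(string $s): string
{
    return strtr($s, ["\\" => "\\\\", "'" => "\\'", '"' => '\\"',
                      "\0" => "\\0", "\n" => "\\n", "\r" => "\\r", "\x1a" => "\\Z"]);
}

// The same query with both values escaped before they enter the SQL text.
function build_query_escaped(array $in): string
{
    $u = escape_like_mysql($in['Username']);
    $p = escape_like_mysql($in['Password']);
    return "SELECT `UserID` FROM `User`\n"
         . "WHERE `UserName` = '{$u}'\n"
         . "AND   `Password` = '{$p}'";
}

// First query: the quote in the password ends the string literal early and
// the rest becomes SQL. Second query: the quotes stay inside the literal.
echo build_query_unsafe($input), "\n\n";
echo build_query_escaped($input), "\n\n";

// Preferred today (the mysql_* extension was removed in PHP 7): bind the
// values as parameters so they are never part of the SQL text at all.
// $db is assumed to be an open mysqli connection.
function find_user_id(mysqli $db, string $username, string $password): ?int
{
    $stmt = $db->prepare(
        'SELECT `UserID` FROM `User` WHERE `UserName` = ? AND `Password` = ?'
    );
    $stmt->bind_param('ss', $username, $password);
    $stmt->execute();
    $stmt->bind_result($id);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? (int) $id : null;
}
```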

                • mideastgirl
                  New Member
                  • Jun 2009
                  • 65

                  #23
                  sanitize...

                  so by placing an "s" in front of Username and Password, it is allowing the sanitizing? I kind of understand. I am going to apply it to my current script (that is, applying the s before username and password and adding the necessary brackets into my scripting) and will let you know the results.

                  Thanks Atli!


                  • mideastgirl
                    New Member
                    • Jun 2009
                    • 65

                    #24
                    mysql_real_escape_string?

                    If I may ask, what does that mean?


                    • Dormilich
                      Recognized Expert Expert
                      • Aug 2008
                      • 8694

                      #25
                      Originally posted by mideastgirl
                      so by placing an "s" in front of Username and Password, it is allowing the sanitizing?
                      not quite, the "s" alone does not sanitize anything, it's the mysql_real_escape_string() function that does the hard work for you.

                      Atli sanitizes the POST values ($_POST['Username']) by creating a new variable ($sUsername) and giving that variable the sanitized value of $_POST['Username'] as result of the mysql_real_escape_string() function.


                      • mideastgirl
                        New Member
                        • Jun 2009
                        • 65

                        #26
                        I think I am getting closer!!!

                        Ok I am now receiving this error which has something to do with sending users to the next page...I think that is.

                        Here is the code I am using, and my error is saying this: Parse error: syntax error, unexpected T_ELSE in /home/content/m/i/d/mideasthonors/html/adminloginprocess.php on line 32

                        [code=php]
                        <?php
                        include("admin-dbcon.php");
                        //sanitize the user input to ensure random usernames cannot be used
                        $sUsername= mysql_real_escape_string($_POST ['Username']);
                        $sPassword = mysql_real_escape_string($_POST['Password']);
                        //ensure username and password are valide
                        $sql ="SELECT * from admin_login WHERE Username = 'username' AND password = 'password'";

                        if ($validate = mysql_quere($sql))
                        {

                        $isvalid=mysql_num_rows($validate);
                        echo $isvalide;

                        //if valid login send on, if not send to error page
                        if ($isvalide)
                        {
                        $_SESSION['username'] = $_POST['username'];
                        while ($row=mysql_fetch_array($validate))
                        {
                        $_SESSION['userid']=$row["ID"];
                        }
                        {
                        $_SESSION['username'] = $_POST['username'];
                        while ($row=mysql_fetch_array($validate))
                        {
                        $_SESSION['userid']=$row["ID"];
                        }
                        print_r($SESSION);
                        #header("Location: admintasks.php");
                        }
                        else{
                        echo 'invalid login';
                        #header ("Location: login-error.php");
                        }
                        }else echo 'empty recordset';
                        ?>
                        [/code]


                        • mideastgirl
                          New Member
                          • Jun 2009
                          • 65

                          #27
                          Call to undefined function mysql_quere() in???

                          I am now receiving this error?!!! GRRR! I just want this script to work! I have to get this website running within the next 3 weeks, and I keep getting all of these errors!:(

                          The error is saying that it is occurring on line 9.
                          [code=php]
                          <?php
                          include("admin-dbcon.php");
                          //sanitize the user input to ensure random usernames cannot be used
                          $sUsername= mysql_real_escape_string($_POST ['Username']);
                          $sPassword = mysql_real_escape_string($_POST['Password']);
                          //ensure username and password are valide
                          $sql ="SELECT * from admin_login WHERE Username = 'username' AND Password = 'password'";

                          if ($validate = mysql_quere($sql))
                          {

                          $isvalide=mysql_num_rows($validate);
                          echo $isvalide;

                          //if valid login send on, if not send to error page
                          if ($isvalide)
                          {
                          $_SESSION['username'] = $_POST['username'];
                          while ($row=mysql_fetch_array($validate))
                          {
                          $_SESSION['userid']=$row["ID"];
                          }
                          {
                          $_SESSION['username'] = $_POST['username'];
                          while ($row=mysql_fetch_array($validate))
                          {
                          $_SESSION['userid']=$row["ID"];
                          }
                          print_r($SESSION);
                          #header("Location: admintasks.php");
                          }
                          #header ("Location: login-error.php");
                          }
                          }else echo 'empty recordset';
                          ?>
                          [/code]

                          HELP ME PLEASE!


                          • Dormilich
                            Recognized Expert Expert
                            • Aug 2008
                            • 8694

                            #28
                            it's a typo, the function is named mysql_query().

                            I don't know which editor you use, but I recommend one with auto-complete functionality (Geany, or (if you have a Mac) SubEthaEdit) and code folding (minimize code blocks in curly brackets)
                            Last edited by Dormilich; Jun 29 '09, 03:35 PM. Reason: added Editor recommendation


                            • mideastgirl
                              New Member
                              • Jun 2009
                              • 65

                              #29
                              wow! I am slow

                              That was a really easy typo I should have seen, thank you so much. So now that is fixed and instead of moving on to the next page I am just getting "()" on the page after I enter my login info. I have looked to see if I have that anywhere in my script but I do not. I do not think it is an error because it is not saying that it is. If anyone has an idea please let me know.


                              • Atli
                                Recognized Expert Expert
                                • Nov 2006
                                • 5062

                                #30
                                Line #7.
                                Surely this part of your query isn't correct?
                                Code:
                                WHERE Username = 'username' AND Password = 'password'";
                                Did you mean to put the $sUsername and $sPassword variables in there to check for?

                                Line #29
                                Code:
                                print_r($SESSION);
                                Should be:
                                Code:
                                print_r($_SESSION);
                                And once you are done debugging the script, you should remove all the echo and print_r calls and de-comment your header calls. Those aren't meant to be in there once you start using it.
