-5

I'm currently trying to create a PHP file that can verify a user's input on user and pass against a SQL database and bring back a response to the user... via website. But I keep getting this error:

Parse error: syntax error, unexpected '$row' (T_VARIABLE) in /srv/disk7/1855095/www/hmfs.dx.am/index.php on line 24

<?php
define('DB_HOST', 'localhost');
define('DB_HOST', 'practice');
define('DB_HOST', 'root');
define('DB_PASSWORD','');

$con=mysql_connect(DB_HOST,DB_USER,DB_PASSWORD) or die("Failed to connect to MySQL: " . mysql_error()); 
$db=mysql_select_db(DB_NAME,$con) or die("Failed to connect to MySQL: " . mysql_error());
 /* 
 $ID = $_POST['user']; 
 $Password = $_POST['pass']; 
 */ 
 function SignIn() 
 {
 session_start(); //starting the session for user profile page 
 if(!empty($_POST['user'])) 
 //checking the 'user' name which is from Sign-In.html, is it empty or have some text 
{
        $query = mysql_query("SELECT * FROM UserName 
where userName = '$_POST[user]' AND pass = '$_POST[pass]'") or die(mysql_error()); 
    $row = mysql_fetch_array($query)  
    if(!empty($row['userName']) AND !empty($row['pass'])) 
    {
        $_SESSION['userName'] $row['pass'];
        echo "SUCESSFULLY OGIN TO USER PROFILE PAGE...";


    }
    else
    }
        echo "SORRY...YOU ENTERED THE WRONG ID AND PASSWORD...PLEASE RETRY...";
    }
}
}
if(isset($_POST['submit']))
{
SignIn();
}

?>

Any help? :(

Nick

4 Answers

1

Your error message says to look at line 24, in which you find this:

$_SESSION['userName'] $row['pass'];

which isn't a valid statement. It should probably be

$_SESSION['userName'] = $row['pass'];

although I would not store a password in a session (session data might be stored in a shared temporary directory).

Please also note that your code is extremely vulnerable to SQL injection. Read up on prepared statements, and don't use mysql_, which has been deprecated since 2013. Use mysqli_ or PDO instead.

Additionally, for real-world code, you should hash your passwords when storing them.

tim
  • Thanks for the advice! I'll keep it for future reference, if I ever do take up PHP professionally. – Nick Apr 11 '15 at 21:41
0

Change

$_SESSION['userName'] $row['pass'];

To

$_SESSION['userName'] = $row['pass'];
Marcio Mazzucato
0

Here are some tips

  • 1) Don't use mysql. It's deprecated and very vulnerable. Use Mysqli or PDO instead.
  • 2) Never check a password in the query itself, because in your code, if I enter your username and ' OR 1=1 as my password, I will log in to your account. Select by username, then check the password via PHP.
  • 3) Your error is because of a missing ; at the end of $row = mysql_fetch_array($query) or because of a missing = between $_SESSION['userName'] and $row['pass'];
Cârnăciov
  • Thanks for the advice! As of right now I'm really, really new to PHP, so I'm kind of crawling my way through all of this. This is all for a side personal project, so what I'm trying to get is just a rough working sign-in page that can check data between a database and the user's input and then log in if there's a match. This is all for personal use once again, so security is not an issue :) But after correcting your error, I've gotten another error sadly... – Nick Apr 11 '15 at 21:27
  • Parse error: syntax error, unexpected '}' in /srv/disk7/1855095/www/hmfs.dx.am/index.php on line 30 – Nick Apr 11 '15 at 21:45
  • @Nick the problem is that after your else you put a } instead of a {. Try to analyze the line you get the error for or the line before it to get your answer. If you have any other questions you can mail me at contact@piratefm.ro – Cârnăciov Apr 11 '15 at 22:11
  • The advice that the mysql library is "very vulnerable" is rather overblown. It is out of security support, and certainly there are things that can go wrong when escaping strings, but there are millions of apps that run on it on the web at the moment, perfectly safely. The OP should worry more about their SQL injection vulns, which are possible in any library. – halfer Apr 11 '15 at 22:32
  • not with parameterized queries they're not – Cârnăciov Apr 11 '15 at 22:48
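
A sign-in check that follows the advice in the answers above (parameterized query, select by username, verify a stored hash in PHP), as an added example that is not code from any of the posters. It assumes PDO with the SQLite driver and a constructed in-memory table that reuses the question's UserName/userName/pass names; the signIn() signature and the sample user are hypothetical.

```php
<?php
// Added example. Constructed in-memory SQLite database so the script runs offline;
// for MySQL only the DSN and credentials passed to new PDO() change.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE UserName (userName TEXT PRIMARY KEY, pass TEXT NOT NULL)');

// Store only a salted hash, never the plain password (constructed sample user).
$insert = $pdo->prepare('INSERT INTO UserName (userName, pass) VALUES (?, ?)');
$insert->execute(['nick', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Hash of a throwaway value, verified when the user does not exist,
// so unknown and known user names cost roughly the same work.
define('DUMMY_HASH', password_hash('placeholder', PASSWORD_DEFAULT));

/**
 * Returns true only when the user exists and the password matches the stored hash.
 * Hypothetical helper: name and signature are assumptions of this example.
 */
function signIn(PDO $pdo, string $user, string $password): bool
{
    // The ? placeholder keeps the input out of the SQL text: it is bound as data,
    // so quotes in $user cannot change the structure of the query.
    $stmt = $pdo->prepare('SELECT userName, pass FROM UserName WHERE userName = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // The password never enters the query; it is compared in PHP against the hash.
    $hash = ($row !== false) ? $row['pass'] : DUMMY_HASH;
    return password_verify($password, $hash) && $row !== false;
}

// In the web page, on success: session_regenerate_id(true);
// $_SESSION['userName'] = $user;   (store the user name, not the password)

// Constructed inputs, including the string quoted in the answer above.
$attempts = [
    ['nick', 'correct horse'],
    ['nick', "' OR 1=1"],
    ["' OR 1=1", 'correct horse'],
    ['nobody', 'correct horse'],
];
foreach ($attempts as [$u, $p]) {
    printf("%-10s / %-14s => %s\n", $u, $p, signIn($pdo, $u, $p) ? 'accepted' : 'rejected');
}
```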
0

It's quite simple: you've forgotten to use a semicolon after $_SESSION['userName']

Ashouri