0

I have a problem with some code.

Parse error: syntax error, unexpected 'user' (T_STRING) in www\php\login.php on line 9

    $sql1= “select * from user where (username=\”$_POST[username]\” or fullname=\”$_POST[username]\”) and password=\””.sha1(md5($_POST[password])).”\” “;

I want the passwords to be in md5. I do not use a registry, just enter.


And I also have another problem. I add the code:

    <h2>Welcome <?php $query = $con->query("select * from user where id=".$_SESSION["user_id"]);
    while ($r=$query->fetch_array()) {
        echo $r["name"]; ?>}/h2> 

Parse error: syntax error, unexpected end of file in C:\wamp64\www\home.php on line 30

Thanks!

  • 1
    `md5()` is obsolete for hashing passwords and should *not be used*. PHP provides [password_hash()](http://php.net/manual/en/function.password-hash.php) and [password_verify()](http://php.net/manual/en/function.password-verify.php), please use them. And here are some [good ideas about passwords](https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet). If you are using a PHP version prior to 5.5, [there is a compatibility pack available here](https://github.com/ircmaxell/password_compat). – John Conde Apr 24 '17 at 19:54
  • 1
    Your script is at risk of [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Have a look at what happened to [Little Bobby Tables](http://bobby-tables.com/). Even [if you are escaping inputs, it's not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) Use [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). – John Conde Apr 24 '17 at 19:55
  • **WARNING**: Writing your own access control layer is not easy and there are many opportunities to get it severely wrong. Please, do not write your own authentication system when any modern [development framework](http://codegeekz.com/best-php-frameworks-for-developers/) like [Laravel](http://laravel.com/) comes with a robust [authentication system](https://laravel.com/docs/5.4/authentication) built-in. At the absolute least follow [recommended security best practices](http://www.phptherightway.com/#security) and **never store passwords with a uselessly weak hash like SHA1 or MD5**. – tadman Apr 24 '17 at 20:11
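
The two changes the comments above recommend, prepared statements and `password_verify()`, applied to the question's login query, as an added example that is not part of the original thread. It assumes `$con` is the question's mysqli connection (mysqlnd driver), that `user.password` has been widened to hold `password_hash()` output, and `verify_login()` is a hypothetical helper name; rows still holding the old `sha1(md5())` digest are accepted once and upgraded.

```php
<?php
// Added example, not code from the thread. Assumptions: $con is the question's
// mysqli connection (mysqlnd driver), user.password is VARCHAR(255) or wider,
// and verify_login() is a hypothetical helper name.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors

function verify_login(mysqli $con, string $login, string $password): ?int
{
    // Placeholders keep the submitted value out of the SQL text.
    $stmt = $con->prepare(
        'SELECT id, password FROM user WHERE username = ? OR fullname = ?'
    );
    $stmt->bind_param('ss', $login, $login);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();

    foreach ($rows as $row) {
        $stored = (string) $row['password'];
        // Rows written by the old scheme hold a 40-char sha1(md5()) hex digest.
        $legacy = strlen($stored) === 40
            && hash_equals($stored, sha1(md5($password)));
        if (!$legacy && !password_verify($password, $stored)) {
            continue; // wrong password for this row
        }
        // Legacy digests and outdated cost settings are replaced on success.
        if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
            $id  = (int) $row['id'];
            $new = password_hash($password, PASSWORD_DEFAULT);
            $upd = $con->prepare('UPDATE user SET password = ? WHERE id = ?');
            $upd->bind_param('si', $new, $id);
            $upd->execute();
            $upd->close();
        }
        return (int) $row['id'];
    }
    return null;
}

// Login handler: runs only when a connection exists and a form was posted.
if (isset($con) && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    session_start();
    $userId = verify_login($con, (string) filter_input(INPUT_POST, 'username'),
        (string) filter_input(INPUT_POST, 'password'));
    if ($userId !== null) {
        session_regenerate_id(true); // new session id after authentication
        $_SESSION['user_id'] = $userId;
    }
}
```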

0 Answers