-1

I don't know why I am getting this error; it shows the error at `$sql`.

Parse error: syntax error, unexpected '$sql' (T_VARIABLE) in C:\xampp\htdocs\coldstar\server.php on line 65

The file name is server.php

This is the line on which I am getting the error:

$sql = "INSERT INTO users (firstName, lastName, phoneNumber, userName, emailaddress, coldstarPassword) VALUES ('$firstName', '$lastName', '$phoneNumber', '$userName', '$emailaddress', '$coldstarPassword')";

PHP Code

<?php

session_start();
//variable declaration
$firstName = "";
$lastName = "";
$phoneNumber = "";
$userName = "";
$emailaddress = "";
$errors = array();
$_SESSION['success'] = "";
//creating a connection to database
$db = mysqli_connect('localhost', 'root', '', 'registration');

//if submit button is clicked

if(isset($_POST['signIn']))
{
    $firstName = mysql_real_escape_string($db, $_POST['fname']);
    $lastName = mysql_real_escape_string($db, $_POST['lname']);
    $phoneNumber = mysql_real_escape_string($db, $_POST['pNo']);
    $userName = mysql_real_escape_string($db, $_POST['username']);
    $emailaddress = mysql_real_escape_string($db, $_POST['email']);
    $password_1 = mysql_real_escape_string($db, $_POST['password_1']);
    $password_2 = mysql_real_escape_string($db, $_POST['password_2']);

    //to ensure that all fields are filled properly
    if(empty($firstName))
    {
        array_push($errors, "First name is required");
    }
    if(empty($lastName))
    {
        array_push($errors, "Last name is required");
    }
    if(empty($phoneNumber))
    {
        array_push($errors, "Phone Number is required");
    }
    if(empty($userName))
    {
        array_push($errors, "Username is required");
    }
    if(empty($emailaddress))
    {
        array_push($errors, "Email address is required");
    }
    if(empty($password_1))
    {
        array_push($errors, "A new Password for coldstar is required");
    }
    if(empty($password_2))
    {
        array_push($errors, "confirmation of password is required");
    }
    if($password_1!=$password_2)
    {
        array_push($errors, "Passwords do not match");
    }

    //if there are no errors then save it to database

    if(count($errors) == 0)
    {
        $coldstarPassword = md5($password_1) //encrypt password before 
        storing in database (security)
        $sql = "INSERT INTO users (firstName, lastName, phoneNumber, userName, emailaddress, coldstarPassword)
            VALUES ('$firstName', '$lastName', '$phoneNumber', '$userName', '$emailaddress', '$coldstarPassword')";
        mysqli_query($db, $sql);
        $_SESSION['userName'] = $userName;
        $_SESSION['success'] = "You are now logged in";
    }
}

?>
Funk Forty Niner
Saiprasad Rai
  • Your comment statement broke into two lines. The second line is without a comment: `storing in database (security)` – Thamilhan Oct 19 '17 at 17:13
  • `mysql_real_escape_string` is the wrong function (although not the issue you are asking about). You also should not be using `md5` for password hashing anymore. – chris85 Oct 19 '17 at 17:17
  • ***You really shouldn't use [MD5 password hashes](http://security.stackexchange.com/questions/19906/is-md5-considered-insecure)*** and you really should use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. Make sure you [don't escape passwords](http://stackoverflow.com/q/36628418/1011527) or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Oct 20 '17 at 20:13
  • ***Please [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php).*** [These extensions](http://php.net/manual/en/migration70.removed-exts-sapis.php) have been removed in PHP 7. Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [PDO](http://php.net/manual/en/pdo.prepared-statements.php) and [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and consider using PDO, [it's really pretty easy](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Oct 20 '17 at 20:13
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php).*** Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Oct 20 '17 at 20:13

1 Answer

0

Your comment is going on two lines:

Change

$coldstarPassword = md5($password_1) //encrypt password before 

storing in database (security)

to

$coldstarPassword = md5($password_1); //encrypt password before storing in database (security)

Security Issue

Never use md5() to encrypt a password; you can use password_hash() instead. Please check the documentation:

http://php.net/manual/en/function.password-hash.php

usman ikram
    Turn the tide against teaching/propagating sloppy and dangerous coding practices. ***You really shouldn't use [MD5 password hashes](http://security.stackexchange.com/questions/19906/is-md5-considered-insecure)*** – Jay Blanchard Oct 20 '17 at 20:14
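Putting the comments' advice and the answer's "Security Issue" note together, here is the registration step rewritten with mysqli prepared statements and password_hash()/password_verify(). This is an added example, not code from the question or the answer. It assumes the table and column names from the question, the same form field names, a local database named `registration`, a `coldstarPassword` column declared VARCHAR(255) so the hash fits, and PHP 7 or later (for `??` and scalar type declarations); the function names `registerUser` and `checkLogin` are my own.

```php
<?php
// Added example, not code from the question or the answer: the registration
// insert rewritten with the fixes the comments and the answer recommend.
// Assumptions: the table and column names from the question, a local MySQL
// database named "registration", the same form field names, and a
// coldstarPassword column declared VARCHAR(255) so the hash fits.

// Make mysqli throw exceptions instead of returning false on failure, so a
// failed query cannot be mistaken for success.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
session_start();

$db = new mysqli('localhost', 'root', '', 'registration');

/**
 * Store a new user. Every value reaches MySQL through a bound parameter,
 * so quotes or SQL keywords in the input are stored as data, never parsed.
 */
function registerUser(mysqli $db, array $fields, string $password): void
{
    // password_hash() picks a random salt and a slow algorithm (bcrypt with
    // PASSWORD_DEFAULT); everything password_verify() needs later is inside
    // the returned string, so no separate salt column is required.
    $hash = password_hash($password, PASSWORD_DEFAULT);

    $stmt = $db->prepare(
        'INSERT INTO users (firstName, lastName, phoneNumber, userName, emailaddress, coldstarPassword)
         VALUES (?, ?, ?, ?, ?, ?)'
    );
    $stmt->bind_param(
        'ssssss',
        $fields['firstName'],
        $fields['lastName'],
        $fields['phoneNumber'],
        $fields['userName'],
        $fields['emailaddress'],
        $hash
    );
    $stmt->execute();
    $stmt->close();
}

/**
 * Check a login attempt against the stored hash. Returns true only when the
 * user exists and the password matches.
 */
function checkLogin(mysqli $db, string $userName, string $password): bool
{
    $stmt = $db->prepare('SELECT coldstarPassword FROM users WHERE userName = ?');
    $stmt->bind_param('s', $userName);
    $stmt->execute();
    $stmt->bind_result($hash);
    $found = $stmt->fetch();
    $stmt->close();

    // password_verify() re-hashes the attempt with the salt and cost stored
    // in $hash and compares the result in constant time.
    return $found && password_verify($password, $hash);
}

if (isset($_POST['signIn'])) {
    // No mysql(i)_real_escape_string here: the prepared statement handles
    // quoting, and the password must reach password_hash() unchanged.
    $fields = [
        'firstName'    => trim($_POST['fname'] ?? ''),
        'lastName'     => trim($_POST['lname'] ?? ''),
        'phoneNumber'  => trim($_POST['pNo'] ?? ''),
        'userName'     => trim($_POST['username'] ?? ''),
        'emailaddress' => trim($_POST['email'] ?? ''),
    ];
    $password_1 = $_POST['password_1'] ?? '';
    $password_2 = $_POST['password_2'] ?? '';

    $errors = [];
    foreach ($fields as $name => $value) {
        if ($value === '') {
            $errors[] = "$name is required";
        }
    }
    if ($password_1 === '') {
        $errors[] = 'A new password for coldstar is required';
    }
    if ($password_1 !== $password_2) {
        $errors[] = 'Passwords do not match';
    }

    if (count($errors) === 0) {
        registerUser($db, $fields, $password_1);
        $_SESSION['userName'] = $fields['userName'];
        $_SESSION['success']  = 'You are now logged in';
    }
}
```

Two points follow from the comments above: the parameter markers mean the SQL text never contains user input, so no escaping function is needed or wanted, and the password is passed to password_hash() exactly as typed, because any "cleansing" before hashing would alter what the user later has to type at login.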