-1
 <?php
    include("con.php");
    $username=$_POST["username"];
    $password=$_POST["password"];

    $query = "select * from login where username='$username' and password='$password'";
    $data = mysqli_query($con,$query) or die ("Couldn't execute query");
    $result = mysqli_fetch_assoc($data);

    if ($username=="" and $password=="")
    {
        echo '<script language="JavaScript">alert("Blank Username or Password");
         document.location="login.html"</script>';
    }
    else
    {
        if ($username=="$result[]" and $password=="$result[]")
        {
            session_start();
            $_SESSION['namauser'] = $username;
            $sql = mysqli_query($con,$query) or die ("Couldn't execute query");
            header("Location:hal1.php");
        }
        else
        {
            echo '<script language="JavaScript">alert("Wrong Username or Password");
            document.location="login.html"</script>';
        }
    }
    ?>

Please fix this... I've tried my best to fix this but I failed.

M. Eriksson
RyckK
  • **Warning:** You are wide open to [SQL Injections](http://php.net/manual/en/security.database.sql-injection.php) and should really use parameterized [Prepared Statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) instead of manually building your queries like that. Especially since you're not escaping the user inputs at all! – M. Eriksson Feb 27 '19 at 06:22
  • **Never store passwords in clear text!** Only store password hashes! Use PHP's [`password_hash()`](http://php.net/manual/en/function.password-hash.php) and [`password_verify()`](http://php.net/manual/en/function.password-verify.php). If you're running a PHP version lower than 5.5 (which I _really_ hope you aren't), you can use the [password_compat library](https://github.com/ircmaxell/password_compat) to get the same functionality. – M. Eriksson Feb 27 '19 at 06:22
  • What is this expected to do; `$username=="$result[]"`? You can't read from an array using `[]`. It's also pretty strange that you check if username and password are empty _after_ you've done the query. – M. Eriksson Feb 27 '19 at 06:23
  • So how to read the array @MagnusEriksson – RyckK Feb 27 '19 at 06:29
  • Btw.... why are you making the exact same query again if the username/password was valid? You're not even doing anything with that result? – M. Eriksson Feb 27 '19 at 06:30
  • You read an array like this: `$result['username']` etc. `$array['key-name']`. You can [read more in the manual](http://php.net/manual/en/language.types.array.php). – M. Eriksson Feb 27 '19 at 06:30

1 Answer

0
    if ($username==$result['username'] and $password==$result['password'])

But you are doing it in a very dangerous way.

Solutions:

  1. Sanitize and validate input coming from the user. Sanitize and validate username and password.
  2. This is not the right way: `($username=="" and $password=="")`. You have to do `if ($username=="" || $password=="")`.

And your code logic is very bad. Search for it on the web (login form best practice).

Nasir Aliyev
  • `if ($username==$result['username'] and $password==$result['password'])` is the right array, thanks to you. But I have another error, and those 2 solutions don't give any changes. I can actually do both `($username=="" and $password=="")` and `($username=="" || $password=="")`. So, the next error that occurred was actually in the hal1.php file. I gave the wrong include() of a PHP file in hal1.php... Lmao.. Fixed this. – RyckK Feb 27 '19 at 08:06
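
The hardened form of the login handler that the comments under the question recommend (a prepared statement plus `password_verify()`), as an added example that is not code from any poster on this page. It assumes `con.php` defines `$con` as in the question and that the `password` column of `login` stores `password_hash()` output instead of the clear-text password.

```php
<?php
// Added example, not the original poster's code.
// Assumptions: con.php defines $con (a mysqli connection, as in the question) and
// login.password holds a value produced by password_hash() at registration time.
include("con.php");

$username = $_POST["username"] ?? "";
$password = $_POST["password"] ?? "";

// Reject blank input before touching the database (either field empty is an error).
if ($username === "" || $password === "") {
    header("Location: login.html");
    exit;
}

// Parameterized query: the user input is bound as data and never becomes SQL text.
$stmt = mysqli_prepare($con, "SELECT username, password FROM login WHERE username = ?");
if ($stmt === false) {
    http_response_code(500);
    exit("Login is unavailable");
}
mysqli_stmt_bind_param($stmt, "s", $username);
mysqli_stmt_execute($stmt);
mysqli_stmt_bind_result($stmt, $dbUser, $dbHash);
$found = mysqli_stmt_fetch($stmt);   // true: row fetched, null: no such user
mysqli_stmt_close($stmt);

// The submitted password is checked against the stored hash, not compared in SQL.
if ($found === true && password_verify($password, $dbHash)) {
    session_start();
    session_regenerate_id(true);     // fresh session ID after login (session fixation)
    $_SESSION['namauser'] = $dbUser;
    header("Location: hal1.php");
    exit;
}

// Same response for an unknown user and a wrong password.
header("Location: login.html");
exit;
```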