Posted by Hilarion on 12/28/05 18:16

Damien <gerard@nsecure.nl> wrote:
> English:
>
> I want to know whats wrong with the script. I am gettich the error:
>
> Parse error: syntax error, unexpected '=' in
> c:\inetpub\wwwroot\login.php on line 17
>
> I think the error is in:
> $usernameexists = mssql_query("SELECT ID FROM tblusers WHERE
> username"=.$_POST["username"]."' &&
> password='".$_POST["password"]."'");

>
> But how to solve it?

You placed "=" after the "username" outside the query string, which is
the PHP syntax error. Your query is also incorrect, because it has no
opening quote around username value and it uses "&&" which is not
valid (as far as I know, but MySQL - which I do not use - may accept
it) and should be replaced with "AND".
So change this:

$usernameexists = mssql_query("SELECT ID FROM tblusers WHERE
username"=.$_POST["username"]."' &&
password='".$_POST["password"]."'");

to this:

$usernameexists = mssql_query(
"SELECT id " .
"FROM tblusers " .
"WHERE username = '" . $_POST['username'] . "' " .
" AND password = '" . $_POST['password'] . "' "
);


There's also one more thing. You should read about SQL injection
attacks and "mysql_real_escape_string" function. Your script may
be (and probably is) vulnerable to those attacks and proper
use of this function would prevent it.



Hilarion

• Next in forum: Re: PHP MSSQL login script, newbee
• Prev in forum: Re: PHP MSSQL login script, newbee
• Thread view: Re: PHP MSSQL login script, newbee

[Reply to this message]