
Problem to echo

Hi,
I get
Parse error: syntax error, unexpected T_IF, expecting ',' or ';' in D:\edi\Zim_GlobalDA\adm\login_menu.php on line 14

due to
echo "'$username'"

What to adjust?
Asked by: HuaMinChen

Terry Woods (IT Guru) Commented:
It just needs a semicolon on the end:
echo "'$username'";

HuaMinChen (Business Analyst, Author) Commented:
Many thanks.
Sorry, I see there are correct values inside $username and $passwd but it does get into 'else' part below. What can be the reason?
    if (login($username, $passwd))
    {
      // if they are in the database register the user id
      $valid_user = $username;
      session_register("valid_user");
      $conn = df_conn();
      $sql = "select top 1 principal from user_acct where username='$username'";
      $rst = odbc_exec($conn, $sql);
      $qry = odbc_fetch_array($rst);
      $pri = $qry['principal'];
      session_register("pri");
      $sql = "select top 1 territory from user_acct where username='$username'";
      $rst = odbc_exec($conn, $sql);
      $qry = odbc_fetch_array($rst);
      $g_area = $qry['territory'];
      session_register("g_area");
      $g_multiarea = str_replace(",", chr(13), $g_area);
      session_register("g_multiarea");
    }  
    else
    {
      // unsuccessful login
      do_html_header("Problem:");
      echo "You could not be logged in. 
            You must be logged in to view this page.";
      do_html_url("login.php", "Login");
      do_html_footer();
      exit;
    }      
    ...      

function login($username, $password)
// check username and password with db
// if yes, return true
// else return false
{
  // connect to db
  $conn = df_conn();
  if (!$conn)
    return 0;

  // check if username is unique

  $sql = "select top 10000 * from user_acct where username='$username' and passwd = '$password'";
  $rst = odbc_exec($conn, $sql);
  $num_rows = odbc_num_rows($rst);

  if (!$rst)
    return 0;

  if ($num_rows > 0)
    return 1;
  else
    return 0;
}

Terry Woods (IT Guru) Commented:
Have the values for username and password been sanitised by code not visible above? If not, then you're vulnerable to an SQL injection attack (highly dangerous), and it would also break the login if a user puts a single quote in their username or password, and get into the "else" section you're asking about.

A minor side point: Why is the query labelled as checking "if username is unique" getting the top 10000 records? Surely 2 would be enough to indicate that... besides, despite the comment, it just seems to be checking if one user exists with the given credentials.
HuaMinChen (Business Analyst, Author) Commented:
Please leave the comments in above (which is confusing).
There is a record matching to values of $username and $passwd but I do not know why it does get into 'else' part in above.
Brian Tao (Senior Business Solutions Consultant) Commented:
Is your password stored in the DB as plain text?  
If yes, it must be something else (but it's extremely dangerous) and we need to see other part of your code.  
If not, your sql won't return any row, and the result of login() will be 0 (or false).
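
Added example (not part of the thread and not the asker's code): a login() that addresses the two points raised above, the string-built query and the plain-text password comparison. Assumptions: PDO with an in-memory SQLite database stands in for the thread's ODBC connection so the example runs offline (with ODBC, odbc_prepare() and odbc_execute() play the same role), and the password_hash column and the sample user are constructed for illustration.

```php
<?php
// Added example. PDO + in-memory SQLite are assumed stand-ins for the
// thread's df_conn()/ODBC connection; table contents are constructed.

function login(PDO $db, string $username, string $password): bool
{
    // The placeholder keeps $username out of the SQL text, so a single
    // quote in the name is plain data and cannot change the statement.
    $stmt = $db->prepare('SELECT password_hash FROM user_acct WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Decide on the fetched row rather than on a row count: the PHP manual
    // notes that odbc_num_rows() returns -1 after a SELECT with many drivers.
    if ($row === false) {
        return false;
    }

    // Verify against a stored hash instead of matching a plain-text
    // passwd column inside the WHERE clause.
    return password_verify($password, $row['password_hash']);
}

// Constructed sample data (hypothetical user and territory values).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user_acct (
    username TEXT PRIMARY KEY,
    password_hash TEXT NOT NULL,
    principal TEXT,
    territory TEXT
)');
$ins = $db->prepare('INSERT INTO user_acct VALUES (?, ?, ?, ?)');
$ins->execute(["o'brien", password_hash('s3cret', PASSWORD_DEFAULT), 'P01', 'HK,SG']);

// Case 1: valid credentials for a user name that contains a single quote.
var_dump(login($db, "o'brien", 's3cret'));
// Case 2: existing user, wrong password.
var_dump(login($db, "o'brien", 'wrong'));
// Case 3: quote-bearing input that matches no stored user name.
var_dump(login($db, "x' or '1'='1", "x' or '1'='1"));
```

The same placeholder approach applies to the follow-up queries for principal and territory, which also interpolate $username into the SQL string.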
Terry Woods (IT Guru) Commented:
Thanks for accepting my answer. Not sure why you dropped the grade to a B on the solution though...