ERROR: *Parse error: syntax error, unexpected T_VARIABLE on line 9* <-- still giving me same error..
PHP:
```php
<?php
#connect mysql
require_once "dbcred.php";
$dbh = testdb_connect ();
session_start();
$username = $_POST['regduser'];
$userpass = md5($_POST['regdpass']);
$sql = $pdo->prepare("SELECT * from Students WHERE regduser=:username and regdpass=:pass");
$sql->bindParam(':username', $username)
$sql->bindParam(':pass', $userpass)
$sql->execute();
$result = mysql_query($sql);
if (mysql_num_rows($result)!= 1) {
$error = "Login failed";
#include "loginform.php";
} else {
echo "<h1>exists</h1>";
#$_SESSION['regduser'] = "$username";
#$_SESSION['ip'] = $_SERVER['REMOTE_ADDR'];
// any other data needed to navigate the site or
// to authenticate the user can be added here
#include "membersection.php";
}
?>
```
dbcred.php:
```php
<?php
# pdo_testdb_connect.php - function for connecting to the "test" database
function testdb_connect ()
{
$dbh = new PDO("mysql:host=localhost;dbname=#", "root", "");
return ($dbh);
}
?>
```
HTML:
```html
<form action="inc/check_regUsr.php" method="post" id="userLogon">
<div class="field required">
Username: <input type="text" name="regduser" tabindex="1" /><br />
</div>
<div class="field required">
Password: <input type="text" name="regdpass" tabindex="2" /><br />
</div>
<input type="submit" name="submitUser" />
</form>
```
```php
$sql = $dbh->prepare("SELECT * from Students WHERE regduser=:username and regdpass=:pass");
$sql->bindParam(':username', $username);
$sql->bindParam(':pass', $userpass);
$sql->execute();
```
Bobby-Tables PHP.
If you already use PDO, then use a parameterized query to take advantage of escaping. Also, you are using single quotes in the query and to enclose the string. Use double quotes for the string and single quotes IN the query, because the way it is now, you are already terminating the string after the first single quote.
You need to put the string concatenation syntax in your query (periods):
```php
$sql = $pdo->prepare('SELECT * from Students WHERE regduser="'.addslashes($username).'" and regdpass="'.addslashes($userpass).'"');
```
You could also use double quotes for your string, which means variables will be replaced within the string.
```php
$username = addslashes($username);
$sql = $pdo->prepare("SELECT * from Students WHERE regduser='$username' and regdpass='$userpass'");
```
I have escaped your variables too; you need to make sure you always escape data from the user before it is used in your queries, or use PDO to swap them in with question marks (?).
You need to put the string in double quotes. PHP thinks the statement is terminated at the second single quote character.
Like this:
```php
$sql = $pdo->prepare("SELECT * from Students WHERE regduser='$username' and regdpass='$userpass'");
```
You use string concatenation the wrong way. Line 9 should look like this:
```php
$sql = $pdo->prepare("SELECT * from Students WHERE regduser='$username' and regdpass='$userpass'");
```
or this, if you want to use single quotes:
```php
$sql = $pdo->prepare('SELECT * from Students WHERE regduser=\''.$username.'\' and regdpass=\''.$userpass.'\'');
```
Your string construction is broken:
```php
$sql = $pdo->prepare('SELECT * from Students WHERE regduser='$username' and regdpass='$userpass'');
                     ^--start string                        ^---end string
```
Try this instead:
```php
$sql = $pdo->prepare("SELECT * from Students WHERE regduser='$username' and regdpass='$userpass'");
                     ^--double quote                                                            ^---ditto
```
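Since several answers above land on the same point (keep user input out of the SQL text and let PDO bind it), here is the login check written that way as an added example. It is not code from the question or from any of the answers; it assumes dbcred.php's testdb_connect() returns a PDO handle as shown on this page, and it assumes Students.regdpass holds a password_hash() digest rather than the md5 the question uses.

```php
<?php
// Added example, not from the question or the answers above.
// Assumption: testdb_connect() (dbcred.php on this page) returns a PDO handle.
// Assumption: Students.regdpass stores a password_hash() digest, not md5.
require_once "dbcred.php";

function login_student(PDO $dbh, string $username, string $password): bool
{
    // A named placeholder keeps the user-supplied value out of the SQL text,
    // so a quote in the input has nothing to terminate.
    $stmt = $dbh->prepare(
        "SELECT regdpass FROM Students WHERE regduser = :username"
    );
    $stmt->bindValue(':username', $username, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        return false;               // unknown user
    }
    // password_verify compares the submitted password against the stored
    // digest; the hash is never rebuilt by hand or placed in the query.
    return password_verify($password, $row['regdpass']);
}

session_start();
$dbh = testdb_connect();
// Throw on SQL errors instead of silently returning false.
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Send a real server-side prepared statement rather than letting the
// driver splice the values into the query text client-side.
$dbh->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

$username = $_POST['regduser'] ?? '';
$password = $_POST['regdpass'] ?? '';

if (login_student($dbh, $username, $password)) {
    session_regenerate_id(true);    // fresh session id after authentication
    $_SESSION['regduser'] = $username;
    $_SESSION['ip'] = $_SERVER['REMOTE_ADDR'];
    include "membersection.php";
} else {
    $error = "Login failed";
    include "loginform.php";
}
```

The form on this page sends the password in a type="text" field; switching it to type="password" is a separate fix but does not change the server-side logic above.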