
I am getting this message

Parse error: syntax error, unexpected '$username' (T_VARIABLE) in C:\wamp64\www\tutorial\register_parse.php on line 9

when trying my own register for forum. I can figure out what I've done wrong. Here is the code:

```php
<?php
include("connect.php");

$username = $_POST["username"];
$password = $_POST["password"];

$sql = "INSERT INTO forum.users(username,password)
VALUES("$username","$password"); ";
$res = mysql_query($sql);

if($res){
    echo "Successfully registered as: ".$username;
}
else{
    echo "failed to register, please try again </br>";
    echo "ERROR: ".mysql_error();
}

?>
```
Funk Forty Niner
fawz96
  • Also hash your passwords, upgrade your driver (PDO or mysqli), and don't pass user input directly to your query. – user3783243 Aug 07 '18 at 16:21
  • You should count your lucky stars that this hasn't taken off. That code is old and dangerous to be used in a live environment. Use a prepared statement with either mysqli or PDO and hash passwords with `password_hash()` man. You ***will*** get hacked using that. – Funk Forty Niner Aug 07 '18 at 16:22
  • **WARNING**: Writing your own access control layer is not easy and there are many opportunities to get it severely wrong. Please, do not write your own authentication system when any modern [development framework](http://codegeekz.com/best-php-frameworks-for-developers/) like [Laravel](http://laravel.com/) comes with a robust [authentication system](https://laravel.com/docs/master/authentication) built-in. At the absolute least follow [recommended security best practices](http://www.phptherightway.com/#security) and **never store passwords as plain-text** or a weak hash like **SHA1 or MD5**. – tadman Aug 07 '18 at 16:28
  • **WARNING**: Do not use the obsolete [`mysql_query`](http://php.net/manual/en/function.mysql-query.php) interface which was removed in PHP 7. A replacement like [PDO is not hard to learn](https://phpdelusions.net/pdo) and a guide like [PHP The Right Way](http://www.phptherightway.com/) helps explain best practices. Here parameters are **NOT** [properly escaped](http://bobby-tables.com/php) and this has severe [SQL injection bugs](http://bobby-tables.com/) in this code. Escape **any** and all user data, especially from `$_POST` or `$_GET`. – tadman Aug 07 '18 at 16:28
  • If you're not using a syntax highlighting editor you should upgrade to one because it will make syntax errors like this more visually obvious and easier to fix. Hint: If you're using double quotes inside a string you *must* escape them `"...\"stuff\"..."` or use single quotes, though single quotes disallow interpolation. Note that this is a *feature* as it makes SQL injection bugs less likely. – tadman Aug 07 '18 at 16:29

0 Answers
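
What the comments recommend (a prepared statement plus `password_hash()`), as an added example that is not part of the original thread or the asker's code. It assumes PDO with an in-memory SQLite database standing in for the MySQL connection from `connect.php`; the `registerUser()` helper, the `users` table layout and the sample inputs are constructed for illustration.

```php
<?php
// Added example. Assumptions: in-memory SQLite replaces the MySQL connection
// from connect.php, and `users` has a UNIQUE username column.
declare(strict_types=1);

function registerUser(PDO $pdo, string $username, string $password): bool
{
    if ($username === '' || $password === '') {
        return false; // reject empty fields before touching the database
    }
    // Only the salted hash is stored, never the plain-text password.
    $hash = password_hash($password, PASSWORD_DEFAULT);

    // Single-quoted SQL with named placeholders: no nested double quotes to
    // escape (the cause of the parse error) and no user input in the SQL text.
    $stmt = $pdo->prepare(
        'INSERT INTO users (username, password) VALUES (:username, :password)'
    );
    try {
        return $stmt->execute([':username' => $username, ':password' => $hash]);
    } catch (PDOException $e) {
        // SQLSTATE class 23 is an integrity violation, here a duplicate username.
        if (strpos((string) $e->getCode(), '23') === 0) {
            return false;
        }
        throw $e;
    }
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    username TEXT UNIQUE NOT NULL,
    password TEXT NOT NULL
)');

// Constructed inputs: a normal name, a name containing a double quote (which
// would break the concatenated query), and a duplicate.
$samples = [['alice', 'correct horse'], ['O"Brien', 'pw-two'], ['alice', 'again']];
foreach ($samples as [$user, $pass]) {
    printf("%-8s %s\n", $user, registerUser($pdo, $user, $pass) ? 'registered' : 'rejected');
}

// Login side: compare the submitted password against the stored hash.
$check = $pdo->prepare('SELECT password FROM users WHERE username = :username');
$check->execute([':username' => 'alice']);
var_dump(password_verify('correct horse', (string) $check->fetchColumn()));
```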