Problem with if statement in php code

[vonz]

This is the code that I am working on. I am trying to add md5 encryption to the login code.

PHP Code:

<?php
//Delcarle the variables
$User=$_GET['User'];
$passwd=($_GET['Password']);
$passwd=md5($_POST['Password'])

if(!isset($_GET['User']) && !isset($_GET['Password']))
{
  ?>
  <h3>Please Logon</h3>
  
  <form action="adminlogin.php" method="GET">
  <table border="1">
  <tr><th>UserID</th><td><input type="text" name="User"></td></tr>
  <tr><th>Password</th><td><input type="password" name="Password"></td></tr><tr><td colspan=2 align="center"><input type="submit" value="login"></td></tr>
  </table>
  </form>
  <?php
}
  else
  {
   
    include ("connect.php");
    $passwd=md5($passwd);
    
    echo "$User>>>>>>>$passwd";
    
   $query = "select * from users where User='$User' and password_md5='$passwd'";
   $result=mysql_query($query) or die ("error in query");

    if (mysql_num_rows($result)>0)
    {
      echo "<a href='system_management.php'>System Management</a>";
    }
    else
    {
      if(isset($User))
      {
        echo"Could not log you in.<br>";
      }
    }
  }
?>

each time I try to run the code i get this error message. It is referring to the first if statement

Parse error: syntax error, unexpected T_IF

I only know very little about what I am trying to do. I know I don't have IF in caps.

Please can someone help me out on this?

Vonz

[7stud]

Hint: look at the previous line.

[vonz]

Thank you for pointing out what I should have seen.

I am really tired and pushed for time. What else is new?

thank you for helping

Vonz

[devbanana]

I should point out something.

You refer to password both from $_GET and $_POST? Which is it? I have a feeling you're just being inconsistent, and so will get unexpected results.

Also, you're going to end up with a double md5'd password, I believe.

[vonz]

It is probably more of a case of not knowing what I am doing. All I know is that GET will show the info up in the url and POST hides it.

How do I avoid the double MD5's?

also can you have a look at the query I think its ok, when I split it up in mysql and ran it I got the right results, but on running the script the second if statement doesn't kick in.

Any and all help is very much appreciated.

Vonz

[devbanana]

How did you write that code then? It's going to take an extremely long explanation to explain everything needed about that code, because I'm not one for just handing over some code without explanation, since it won't do you one bit of good in the longrun.

Here's how it goes, though. When you post a form, if within the method attribute you have "post", the data will be posted. This is as opposed to "get", which will display the data in the URL. Posted data can be a lot larger than data sent with the GET method; in fact the maximum size of posted data is generally a few megabytes.

Anyway, if you post a form, all your data will be available in the $_POST superglobal. See predefined variables. So if you have a text field named password, it'll be available with $_POST['password'].

The reason your data is getting md5()'d twice is that you first encrypt it before the conditional statement, then again within the `else'.

[vonz]

Hi devbanana

thank you for taking the time to explain some things to me.

So if I understand you correctly, it is good practice to either post everything or get everything and not a mixture?

With the md5() I take it, it is better to encrypt before the if statement?

Unfortunately I am coding without really understanding what I am doing most of the time.

I need to add session variables to this code. Can you point me in the direction or a good tutorial for this?

Your help has been really appreciated.

Many thanks

Vonz

[devbanana]

I'd probably encrypt the password within the else statement, since you don't need to do so otherwise, unless they are attempting to login.

I know of no tutorials off hand for using sessions, though you should be able to find some by searching on Google. Also, Sitepoint probably has some articles on it.

[vonz]

this is basically the same script as before but i have added session variables to it. It works with one user name from the table, but when I try with other user names from the table I get that 'can't logged on, enter username'

PHP Code:

<?php

//Start a session
session_start();
if(isset($_POST['User']) && isset($_POST['Password']))
{
//Delcarle the variables.
$User=$_POST['User'];
//$passwd=($_POST['Password']);
$passwd=md5($_POST['Password']);
  include ("connect.php");

          $query = "select * from users where User='$User' and password_md5='$passwd'";
   $result=mysql_query($query) or die ("error in query");

    if (mysql_num_rows($result)>0)
    {
      $_SESSION['valid_user']=$User;
    }
    mysql_close();
}
?>
<html>
<body>
<?php
  if (isset($_SESSION['valid_user']))
  {
    echo "You are logged in as ".$_SESSION['valid_user']."<br>";
    echo "<a href='system_management.php'>System Management</a>";
    echo "<a href='logout.php'>Log Out</a><br>";
  }
  else
  {
   echo "Could not log you in. Please enter Username and Password<br>";
  }
  echo "<h3>Please Logon</h3>";
  
  echo "<form action=''adminlogin.php' method='POST'>";
  echo "<table border='1'>";
  echo "<tr><th>UserID</th><td><input type='text' name='User'></td></tr>";
  echo "<tr><th>Password</th><td><input type='password' name='Password'></td></tr><tr><td colspan=2 align='center'><input type='submit' value='login'></td></tr>";
  echo "</table>";
 echo " </form>";
?>
</body>
</html>

this has me stumped.

thank you for looking

Vonz