Resolved error with login script
keyboard
09-26-2011, 08:44 AM
I've looked over the code and I can't find the problem.
<?php
session_start();
if (isset($_POST["username"])) {
    $valid = false;
    $username = $_POST["username"]; $pass = $_POST["pass"];
    $check = mysql_query("SELECT * FROM users WHERE username = "'.$username.' AND password = '.$pass.'")or die(mysql_error());
    $check2 = mysql_num_rows($check);
    if ($check2 == 0) {
        $valid = true;
    }
    if ($valid) {
        $_SESSION["user"] = $username;
        header("Location: ../members");
    } else header("Location: error");
}
?>
I know it's this bit
$check = mysql_query("SELECT * FROM users WHERE username = "'.$username.' AND password = '.$pass.'")or die(mysql_error());
$check2 = mysql_num_rows($check);
if ($check2 == 0) {
    $valid = true;
}
The error is
( ! ) Parse error: syntax error, unexpected T_CONSTANT_ENCAPSED_STRING in C:\Documents and Settings\Owner\Desktop\canberra amatuer productions\www\new site\login\check.php on line 9
Any help would be great!
bluewalrus
09-26-2011, 01:10 PM
$check = mysql_query("SELECT * FROM users WHERE username = $username AND password = $pass)" or die(mysql_error());
The editor you're using probably highlights/color codes strings, functions, etc. I'd look into checking that when you hit problems like this. The forum here also highlights strings, so when you see ' AND password = ' in a different color I'd recommend looking at it closer.
You should also not just take in user input as being valid, you need to sanitize it.
$username = mysql_real_escape_string($_POST["username"]);
$pass = mysql_real_escape_string($_POST["pass"]);
keyboard
09-26-2011, 08:13 PM
Thanks Blue Walrus.
Now it's coming up with this error.
( ! ) Parse error: syntax error, unexpected ';' in C:\Documents and Settings\Owner\Desktop\canberra amatuer productions\www\new site\login\check.php on line 9
<?php
session_start();
if (isset($_POST["username"])) {
    $valid = false;
    $username = $_POST["username"];
    $pass = $_POST["pass"];
    $check = mysql_query("SELECT * FROM users WHERE username = $username AND password = $pass)" or die(mysql_error());
    $check2 = mysql_num_rows($check);
    if ($check2 == 1) {
        $valid = true;
    }
    if ($valid) {
        $_SESSION["user"] = $username;
        header("Location: ../members");
    } else header("Location: error");
}
?>
For a text editor I'm just using notepad. Could anyone suggest a good editor which highlights the different types of code?
Thanks for everything!
this
$check = mysql_query("SELECT * FROM users WHERE username = $username AND password = $pass)" or die(mysql_error());
should be
$check = mysql_query("SELECT * FROM users WHERE username = $username AND password = $pass") or die(mysql_error());
(note the order of the double-quote and parenthesis after $pass).
as for an editor, if you're using windows I'd recommend notepad++ (http://notepad-plus-plus.org/).
bluewalrus
09-26-2011, 08:24 PM
haha didn't take my own advice there, sorry about that.
$check = mysql_query("SELECT * FROM users WHERE username = $username AND password = $pass") or die(mysql_error());
For text editors (assuming you are on PC)
http://notepad-plus-plus.org/
Adobe Dreamweaver (Mac also available)
or http://en.wikipedia.org/wiki/List_of_PHP_editors
JShor
09-26-2011, 08:54 PM
phpDesigner.
http://www.mpsoftware.dk/phpdesigner.php
djr33
09-26-2011, 10:50 PM
For Mac OSX, I highly recommend Text Wrangler. Free and easy to use, including FTP.
keyboard
09-29-2011, 01:49 AM
This code checks my login form-
<?php
session_start();
if (isset($_POST["username"])) {
    require "../database.php";
    $valid = false;
    $username = $_POST["username"];
    $pass = $_POST["pass"];
    $check = mysql_query("SELECT * FROM users WHERE username = $username AND password = $pass") or die(mysql_error());
    $check2 = mysql_num_rows($check);
    if ($check2 == 1) {
        $valid = true;
    }
    if ($valid) {
        $_SESSION["user"] = $username;
        header("Location: ../members");
    } else header("Location: error");
}
?>
The code is coming up with this error when you enter nothing into the username and password inputs
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'AND password =' at line 1
And this error when you enter test as a username and test2 as the password
Unknown column 'test' in 'where clause'
Any help?
you need to quote the non-numeric field values in your SQL statement.
mysql_query("SELECT * FROM users WHERE username = '$username' AND password = '$pass' ")
furthermore, you should quote your identifiers (http://dev.mysql.com/doc/refman/5.0/en/identifiers.html) - things like table names, field names, etc. - to prevent any conflicts with SQL commands (there is no conflict in this case, but it is more likely than you realize).
The identifier quote for MySQL is the backtick ( ` ) (this is not a single-quote).
mysql_query("SELECT * FROM `users` WHERE `username`='$username' AND `password`='$pass'")
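Added example, not part of the original thread or any poster's code: the same login check written with a bound parameter and a stored password hash, next to the concatenated query from the thread, so the effect of a quote character in the input can be compared. The mysql_* functions used above were removed in PHP 7.0. Assumptions: PDO with an in-memory SQLite database so the script runs offline (a MySQL DSN works the same way), the helper names check_login and lookup_concatenated are hypothetical, and the sample users are constructed.

```php
<?php
// Added example (not from the thread). Assumptions: PDO with an in-memory
// SQLite database so it runs offline; table and column names follow the
// thread; the sample users and helper names are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)');

// Store a salted hash, never the password itself.
$insert = $db->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
$insert->execute(['test', password_hash('test2', PASSWORD_DEFAULT)]);
$insert->execute(["o'brien", password_hash('s3cret', PASSWORD_DEFAULT)]);

// True only if the user exists and the supplied password matches the hash.
function check_login(PDO $db, string $username, string $pass): bool
{
    // The value is bound as a parameter, so quotes in it are data, not SQL.
    $stmt = $db->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    // fetchColumn() returns false when no row matched.
    return is_string($hash) && password_verify($pass, $hash);
}

// The same lookup built by string interpolation, as in the thread's query.
function lookup_concatenated(PDO $db, string $username): string
{
    try {
        $db->query("SELECT password FROM users WHERE username = '$username'");
        return 'query ran';
    } catch (PDOException $e) {
        // A quote in the input changes the statement's structure.
        return 'SQL error';
    }
}

var_dump(check_login($db, 'test', 'test2'));     // correct credentials
var_dump(check_login($db, 'test', 'wrong'));     // wrong password
var_dump(check_login($db, "o'brien", 's3cret')); // quote handled as data
var_dump(check_login($db, '', ''));              // empty form, no SQL error
var_dump(lookup_concatenated($db, 'test'));
var_dump(lookup_concatenated($db, "o'brien"));   // interpolated quote
```

In the login script itself, call session_regenerate_id(true) before setting $_SESSION["user"], and call exit after each header("Location: ...") so nothing further runs after the redirect.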