
Getting this error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1

Getting the above error from this. I'm new to PHP, so I have no idea what the problem could be. Any help?

<?php
session_start();
//ob_start();

// make connection
$con = mysql_connect("***", "***", "***")
    or die("Query died: connect");

mysql_select_db("*****", $con);

// Grab user submitted information
$user = $_POST["myuser"];
$pass = $_POST["mypwd"];

// The query that produces the error: $user is placed into the SQL text as-is
$result = mysql_query("SELECT FirstName, Password FROM memberst WHERE FirstName = $user");
if (!$result) { // add this check.
    die('Invalid query: ' . mysql_error());
}
$row = mysql_fetch_array($result);

if ($row["FirstName"] == $user && $row["Password"] == $pass) {
    echo $row["FirstName"];
    //header("location:LoginSuccess.php");
} else {
    echo "Sorry, your credentials are not valid, Please try again.";
}
?>
  • There are a lot of dangerous practices in this; I would find a better tutorial. – Mar 27 '14 at 21:32
  • I agree. This is not going well. This tutorial is probably from 2001... – Sebas Mar 27 '14 at 21:34
  • With this script, you will lose your entire server: http://xkcd.com/327/ – Unamata Sanatarai Mar 27 '14 at 21:34
  • It's not that complicated, but I suggest PDO; check into it. – iBrazilian2 Mar 27 '14 at 21:37
  • The issue here is that you forgot to quote your value in your SQL query `(WHERE FirstName = '$user')`. But, like everyone else suggested, I'd scrap this code and start over. 1) *Don't* store passwords in plaintext in your database, 2) use MySQLi or PDO, not `mysql_query`, 3) use prepared statements. – gen_Eric Mar 27 '14 at 21:39
  • **Danger**: You are using [an **obsolete** database API](http://stackoverflow.com/q/12859942/19068) and should use a [modern replacement](http://php.net/manual/en/mysqlinfo.api.choosing.php). You are also **vulnerable to [SQL injection attacks](http://bobby-tables.com/)** that a modern API would make it easier to [defend](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) yourself from. – Quentin Mar 27 '14 at 21:44
  • You've already compared `FirstName` to `$user` in your SQL (you're missing the quotes around it) - why do it again in PHP? ... and the `strong text` part probably won't help either... – scrowler Mar 27 '14 at 21:47

1 Answer

Try this:

<?php
define('DB_host', 'localhost');
define('DB_username', 'root');
define('DB_password', '');

if (!isset($_POST['login'])) { ?>
<div align="center">
<fieldset style="width:10%;">
    <form name="login" action="" method="POST">
        <div align="left">
            <label for="username">Username: </label>
            <input type="text" id="username" name="username"/>
            <br />
            <label for="password">Password: </label>
            <input type="password" id="password" name="password"/><br />
        </div>
        <div align="center">
            <input type="submit" name="login" value="Login" />
            <input type="reset" value="Reset" />
        </div>
    </form>
</fieldset>
</div>

<?php
} else {
    // Connect with PDO and make it throw exceptions instead of failing silently
    $con = new PDO("mysql:host=" . DB_host . ";dbname=YOUR DATABASE NAME", DB_username, DB_password);
    $con->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

    // Prepared statement: the submitted values are bound as parameters and never
    // pasted into the SQL text, so quotes in the input cannot break the query.
    // Note that this compares the submitted password to the stored column verbatim,
    // i.e. it assumes the password column holds the plaintext password.
    $sql = "SELECT * FROM users WHERE username = :username AND password = :password LIMIT 1";
    $stmt = $con->prepare($sql);
    $stmt->bindValue(":username", $_POST['username'], PDO::PARAM_STR);
    $stmt->bindValue(":password", $_POST['password'], PDO::PARAM_STR);
    $stmt->execute();

    if ($stmt->rowCount() > 0) {
        header('Location: home.php');
        exit; // stop here so nothing after the redirect header is executed
    } else {
        echo '<script> window.alert("Incorrect Input");
            window.location.href="login.php";</script>';
    }
}
?>
KimDev
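The following is an added example, not code from the question or from the answer above. It rebuilds the question's query string for a few inputs to show where the "near ''" syntax error comes from, then does the same lookup with a PDO prepared statement and password_verify(). It assumes the question's `memberst` table with a `Password` column holding password_hash() output, and uses an in-memory SQLite database with a constructed sample user so it runs offline.

```php
<?php
// How the question builds its SQL: $user is dropped into the text without quotes.
function unsafeQuery(string $user): string {
    return "SELECT FirstName, Password FROM memberst WHERE FirstName = $user";
}

// An empty POST value gives "... WHERE FirstName = " -> syntax error near ''.
// A plain name gives "... WHERE FirstName = bob" -> MySQL parses bob as a column.
// Quoting by hand still breaks on a name that itself contains a quote.
foreach (['', 'bob', "O'Brien"] as $user) {
    echo unsafeQuery($user), "\n";
}

// The safe version: the value is bound as a parameter and never becomes SQL text.
function findUser(PDO $db, string $user, string $pass): ?string {
    $stmt = $db->prepare('SELECT FirstName, Password FROM memberst WHERE FirstName = :name');
    $stmt->execute([':name' => $user]);          // driver sends the value separately
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;                              // unknown user
    }
    // Password column holds password_hash() output (assumption), never plaintext.
    return password_verify($pass, $row['Password']) ? $row['FirstName'] : null;
}

// Constructed demo database: in-memory SQLite with one sample user.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE memberst (FirstName TEXT, Password TEXT)');
$ins = $db->prepare('INSERT INTO memberst VALUES (:name, :hash)');
$ins->execute([':name' => "O'Brien", ':hash' => password_hash('s3cret', PASSWORD_DEFAULT)]);

var_dump(findUser($db, "O'Brien", 's3cret'));   // quote in the name is data, not SQL
var_dump(findUser($db, "O'Brien", 'wrong'));    // wrong password
var_dump(findUser($db, '', 's3cret'));          // empty user: no syntax error, no match
```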