2
votes

I'm writing a function to authenticate a user. I create a connection with a database, then prepare a query, bind the parameter, execute the query, bind the result to a variable, and check if the query returned a result.

If it did I compare the result (bound to the variable), close the statement, close the connection, and then return the appropriate value. Well, that's what I think I am doing, but I keep getting a syntax error and I can't figure out what I am doing wrong:

Syntax error: expected: exit, if, identifier, variable, echo, do, while, for, foreach, declare, switch, break, continue, function, return, try, throw, use, global, unset, isset, empty, class, interface, array, {, }, include, include_once, eval, require, require_once, print, ';', +, -, !, ~, ++, --, @, [, new, static, abstract, final, (, $

My code:

```php
/**
 * Authenticates a user.
 * @param type $email - String value
 * @param type $hashedPassword - String value
 * @return true if user is authenticated or false otherwise - Boolean value
 */
function isValidUser($email, $hashedPassword)
{
    //This variable will hold the value returned from the query to the database.
    var $rPassword = NULL;

    //Establish a connection
    $mysqli = new mysqli($GLOBALS['dbServer'], $GLOBALS['dbUserName'], $GLOBALS['dbPassword'], $GLOBALS['dbName']);

    //Check if connection failed
    if($mysqli->connect_error)
    {
        die('Connect Error (' . $mysqli->connect_errno . ') '
                . $mysqli->connect_error);
    }

    $stmt = $mysqli->prepare("SELECT password FROM user_info WHERE email=?");
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->bind_result($rPassword);
    if($stmt->fetch())
    {
        if(($rPassword != null) && ($rPassword == $hashedPassword))
        {
            $stmt->close();
            $mysqli->close();
            return true;
        }
    }
    $stmt->close();
    $mysqli->close();
    return false;
}
```

I was doing this without using prepared statements and the code worked fine, but then I did some research and found out that prepared statements are the way to go because they help prevent SQL injection.

3
Which line gets the syntax error? - Peter Wooster
SELECT password FROM user_info WHERE email=:s - v0d1ch
@v0d1ch Nope. This is MySQLi. You're thinking PDO. - Ian Atkin
If removing the var removed the error, don't forget to upvote the answers and choose an accepted one. - Peter Wooster
It got rid of the syntax error, that was your question. The code could have lots of other problems, but that's not relevant to this question. SO is not a debugging service. - Peter Wooster
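The syntax error aside, the function as posted has three security problems a reviewer would flag: `die()` echoes the connection error (host, user) to the client; the caller passes a pre-hashed password, so whatever the client sends is the credential, and `==` on two strings that both look numeric (for example hex hashes beginning with `0e` followed only by digits) compares them as numbers, so distinct hashes can compare equal; and an unknown email returns faster than a known one. The following is an added example, not code from the question or its answers, of how the same MySQLi prepared-statement flow looks with those issues fixed. It assumes a reachable MySQL server with the constructed credentials in the constants, a table `user_info(email, password)`, and that the `password` column stores `password_hash()` output; the `registerUser`, `connect`, `dummyHash` and `unsafeQueryText` helpers are illustrative names introduced here.

```php
<?php
declare(strict_types=1);

// Added example, not code from the question or its answers. Assumes a MySQL
// server reachable with the constructed credentials below and a table
//   CREATE TABLE user_info (email VARCHAR(255) PRIMARY KEY, password VARCHAR(255));
// whose password column holds password_hash() output.
const DB_SERVER   = 'localhost';
const DB_USER     = 'app';
const DB_PASSWORD = 'secret';
const DB_NAME     = 'appdb';

// Make mysqli throw mysqli_sql_exception on failure, so no die() that echoes
// connection details to the client is needed; let a top-level handler log it.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function connect(): mysqli
{
    return new mysqli(DB_SERVER, DB_USER, DB_PASSWORD, DB_NAME);
}

/**
 * What the non-prepared version of the query would send to the server.
 * Returned as a string only, never executed here: with $email = "x' OR '1'='1"
 * it becomes  SELECT password FROM user_info WHERE email='x' OR '1'='1'
 * which matches every row. A bound parameter can never alter the query text.
 */
function unsafeQueryText(string $email): string
{
    return "SELECT password FROM user_info WHERE email='" . $email . "'";
}

/** Registers a user: the stored value is a salted hash, never the password. */
function registerUser(string $email, string $password): void
{
    $mysqli = connect();
    try {
        $stmt = $mysqli->prepare('INSERT INTO user_info (email, password) VALUES (?, ?)');
        $hash = password_hash($password, PASSWORD_DEFAULT);
        $stmt->bind_param('ss', $email, $hash);
        $stmt->execute();
        $stmt->close();
    } finally {
        $mysqli->close();
    }
}

/**
 * Authenticates a user. The caller passes the plaintext password from the
 * login form; password_verify() rehashes it with the salt embedded in the
 * stored hash and compares in constant time, so neither == nor === is used.
 */
function isValidUser(string $email, string $password): bool
{
    $storedHash = null;
    $mysqli = connect();
    try {
        $stmt = $mysqli->prepare('SELECT password FROM user_info WHERE email = ?');
        $stmt->bind_param('s', $email);
        $stmt->execute();
        $stmt->bind_result($storedHash);
        $found = $stmt->fetch() === true;
        $stmt->close();
    } finally {
        $mysqli->close();
    }

    if (!$found || !is_string($storedHash)) {
        // Unknown email: verify against a throwaway hash anyway so the
        // response time does not reveal which emails are registered.
        password_verify($password, dummyHash());
        return false;
    }
    return password_verify($password, $storedHash);
}

/** A valid hash of a random value, computed once per request. */
function dummyHash(): string
{
    static $hash = null;
    return $hash ??= password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
}

// Usage with a constructed account (needs the database described above):
// registerUser('alice@example.com', 'correct horse battery staple');
// isValidUser('alice@example.com', 'correct horse battery staple');
// isValidUser('alice@example.com', 'wrong');
// isValidUser("x' OR '1'='1", 'anything');
```

The last usage line is the injection string that `unsafeQueryText()` shows turning into a match-everything query; with the bound parameter it is simply looked up as a literal email, finds no row, and the function returns false after the same amount of work as a failed login for a real account.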

3 Answers

3
votes
var $rPassword = NULL;

should be:

$rPassword = NULL;

var is for initializing properties in classes. See documentation. If you are using a class you need to initialize it outside of the method (function) and then access the property through $this->rPassword.

2
votes

The var keyword is deprecated from PHP 5.0 on...

It was for declaring class member variables in PHP4, and is no longer needed. It will work in PHP5, but will raise an E_STRICT warning in PHP from version 5.0.0 up to version 5.1.2, as of which it has been deprecated.

0
votes

You have two mistakes.

One: do not initialize rPassword as NULL; just make it like this, $rPassword = 0; or make both NULL and null the same, NULL, both in caps! Second: the rPassword is not getting the result; you need to do it like this, you need to pass the right variables, look here:

http://php.net/manual/en/mysqli-stmt.bind-result.php

```php
$stmt->bind_result($rPassword);
if($stmt->fetch())
{
    if(($rPassword == null) || ($rPassword != $hashedPassword))
    {
        $stmt->close();
        $mysqli->close();
        return false;
    }
}
```