Dvdbrink Posted April 7, 2008 Share Posted April 7, 2008 First of all, I'm new to PHP. Please do not terrorize this topics with poitnless posts saying that I and my code suck. I'll first post here some codes were I'm going to ask questions about. login.php <?php require_once('inc/dbconnect.php'); session_start(); if($_SESSION['logged']) { $result = mysql_query("SELECT * FROM users") or die(mysql_error()); while($row = mysql_fetch_array($result)) { if($row['rank']=="admin") { echo "Welcome ". $_SESSION['username'] ." !<br />"; echo "[<a href=\"\">Admin Panel</a>]<br />"; echo "[<a href=\"\">Mod Panel</a>]<br />"; echo "[<a href=\"logout.php\">logout</a>] "; } if($row['rank']=="mod") { echo "Welcome ". $_SESSION['username'] ." !<br />"; echo "[<a href=\"\">Mod Panel</a>]<br />"; echo "[<a href=\"logout.php\">logout</a>] "; } if($row['rank']=="member") { echo "Welcome ". $_SESSION['username'] ." !<br />"; echo "[<a href=\"logout.php\">logout</a>] "; } } } else { echo " <form action=\"?login=check\" method=\"post\"> Username:<input type=\"text\" name=\"username\" /><br /> Password:<input type=\"password\" name=\"password\" /><br /> <input type=\"submit\" name=\"login\" value=\"Login\" /> </form> "; } if($_GET['login'] == "check") { include("check_login.php"); } ?> check_login.php <?php require_once('inc/dbconnect.php'); session_start(); if($_POST['login']) { $username = addslashes($_POST['username']); $password = md5($_POST['password']); $sql = "SELECT * FROM users WHERE username = '".$username."' AND password = '".$password."' AND rank"; $result = mysql_query($sql); if(mysql_num_rows($result) != 1) { header('Refresh: 5; url=index.php'); echo "<b>Wrong Username and/or Password!</b>"; } else { $_SESSION['logged'] = true; $_SESSION['username'] = $username; header('location:index.php'); } } ?> register.php <?php require_once('inc/dbconnect.php'); session_start(); if($_SESSION['logged']) { header('Refresh: 5; url=index.php'); echo "You are already registered!"; } if(isset($_POST['register'])) { $username = mysql_real_escape_string($_POST['username']); $password = md5($_POST['password']); $email = mysql_real_escape_string($_POST['email']); $rank = "member"; mysql_query("INSERT INTO users (username, password, email, rank) VALUES ('".$username."', '".$password."', '".$email."', '".$rank."') "); echo "Registration successfull! You can login now."; } else { echo "<h2>Register</h2>"; echo " <form action=\"register.php\" method=\"post\"> <label>Username</label> <input type=\"text\" name=\"username\" /><br /> <label>Password</label> <input type=\"password\" name=\"password\" /><br /> <label>Confirm Password</label> ******<br /> <label>E-Mail</label> <input type=\"text\" name=\"email\" /><br /> <input type=\"submit\" name=\"register\" value=\"Register\" /> </form> "; } ?> Questions: 1.I'm pretty sure this code is not save at all. How can people 'hack' my member system? I would like to know that. 2.What is the best way to protect a member system. 3.In check_login.php, how come when I change my code to: <?php require_once('inc/dbconnect.php'); session_start(); if($_POST['login']) { $username = addslashes($_POST['username']); $password = md5($_POST['password']); $sql = "SELECT * FROM users WHERE username = '".$username."' AND password = '".$password."' AND rank"; $result = mysql_query($sql); if(mysql_num_rows($result) = 1) { $_SESSION['logged'] = true; $_SESSION['username'] = $username; header('location:index.php'); } else { header('Refresh: 5; url=index.php'); echo "<b>Wrong Username and/or Password!</b>"; } } ?> I get this error: "Fatal error: Can't use function return value in write context in /home/dvdbrink/domains/dvdbrink.gethost.nl/public_html/check_login.php on line 12". 4.Any other tips for a beginner in PHP for a member-system? Thanks in advance, Dvdbrink. Link to comment https://forums.phpfreaks.com/topic/100032-solved-a-few-questions/ Share on other sites More sharing options...
Barand Posted April 7, 2008 Share Posted April 7, 2008 if(mysql_num_rows($result) = 1) is attempting to assign the value 1 to the function result. Use == and not = Link to comment https://forums.phpfreaks.com/topic/100032-solved-a-few-questions/#findComment-511541 Share on other sites More sharing options...
Dvdbrink Posted April 7, 2008 Author Share Posted April 7, 2008 Oh ofcourse! I should've known that, haha. Thanks for the answer Barand! Link to comment https://forums.phpfreaks.com/topic/100032-solved-a-few-questions/#findComment-511543 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.