[SOLVED] Login problem.

[Shiny_Charizard]

I'm having a problem with a login page I made.

It keeps saying that the username field is empty when I know it was not.

I looked trough the script many times but I couldn't find the problem, so if anyone can help me on this one I would appreciate it.

Here is the page:

 

login.php

<?php
#login.php

#Connect To The DB
require_once 'include/db-conn.php';

#Set Permission
$Permission = 3;

#Require Cookie File
require_once 'include/permissions.php';

$Page_Title = "Login To Your Account -";

#Require Header File
require_once 'include/header.php';

#Page Title
echo "<center><b><u>Login</u></b></center>
<br />
<br />";

#Submit Variable
$Submit = $_POST["Submit"];

#Redirect Variable
$Redirect = $_GET["Redirect"];


#IfThe Form Was Submitted
if($Submit)
{

#User Variable
$User = $Member["UserName"];

#Unencrypted Password
$Unencrypted_Pass = $_POST["PassWord"];

#Password Variable
$Pass = $_POST["PassWord"];

#Fetch Member Details
$MQuery = mysql_query("SELECT * FROM `Users` WHERE `UserName` = '$_POST[userName]'");
$Member = mysql_fetch_array($MQuery)or die(mysql_error());

#Encrypted Password
$Pass = sha1(sha1(md5(md5($Pass))));

#Check If Member Details Are Correct
$Check = mysql_query("SELECT * FROM `Users` WHERE `UserName` = '$User' AND `PassWord` = '$Pass'");

#Count How Many Matches Were Found
$Check_Num_Rows = mysql_num_rows($Check);

#Fetch Rows From Query: $Check
$Check_2 = mysql_fetch_array($Check);

#User ID Variable
$User_ID = $Check_2["User_ID"];

#If The Usernam Field Are Empty 	
if(strlen($User) == 0)
{
echo "<center>Please fill in the username field!<br />
<a href='login.php'>Go Back?</a></center><br />";
#Require Footer File
require_once 'include/footer.php';
exit();
}	
#If The Password Field Are Empty
elseif(strlen($Pass) == 0) {
echo "<center>Please fill in the password field!<br />
<a href='login.php'>Go Back?</a></center><br />";
#Require Footer File
require_once 'include/footer.php';
exit();
}
#If There Are Zero Matches
elseif($Check_Num_Rows == 0)
{
echo "<center>Sorry the password: <b>$Unencrypted_Pass</b> does not match the username: <b>$User</b>! <br />
<a href='login.php'>Go Back?</a></center><br />";
 #Require Footer File
require_once 'include/footer.php';
exit();
}
else
{
#if checkbox is checked
if ($_POST["check"] == 1) {
	#Exipre in a week
	$expiration = 7;
}
else {
	#Expire in an day
	$expiration = 1;
}

#Set Cookies
?>
<script type="javascript">
function setCookie(c_name,value,expiredays) {
	var exdate=new Date();
	exdate.setDate(exdate.getDate()+expiredays);
	document.cookie=c_name+ "=" +escape(value)+
	((expiredays==null) ? "" : ";expires="+exdate.toGMTString());
}
setCookie('UserName','<?="$Member[userName]"; ?>',<?="$expiration"; ?>);
setCookie('PassWord','<?="$Pass"; ?>',<?="$expiration"; ?>);
setCookie('UserID','<?="$User_ID"; ?>',<?="$expiration"; ?>);
</script>
<?
/*
setcookie("UserName", $Member["UserName"], time+$expiration);
setcookie("PassWord", $Pass, time+$expiration);
setcookie("UserID", $User_ID, time+$expiration);	
*/
$User_IP = $_SERVER['REMOTE_ADDR'];
$Users_Online2 = mysql_query("SELECT * FROM `Users_Online` WHERE `UserID` = '$Member[user_ID]'");
    $Users_Online = mysql_num_rows($Users_Online2);
mysql_query("UPDATE `Users` SET `Current_IP` = '$User_IP' WHERE `UserName` = '$User'");

if(empty($Redirect))
{
echo "You have successfully logged in!<br />Welcome $User, ID: $User_ID to The Pokémon Flamez RPG!<br /><a href='index.php'>Continue?</a><br />";
 #Require Footer File
require_once 'include/footer.php';
exit();
}
else
{
	echo "<center><meta http-equiv='Refresh' content='0; url=$Redirect' />Redirecting...";
	#Require Footer File
	require_once 'include/footer.php';
	exit();
}
}
}
?>

<form method='POST'>
<center>
If you haven't registered an account, you can do so by clicking <a href='register.php'>here</a>.
<br /><br />
If you have a registered TPF account and you would like to log in, you may do so by entering your username and password below.
<br /><br />
<b>Username:</b>
<br />
<input type='text' name='UserName' />
<br />
<B>Password:</b>
<br />
<input type='password' name='PassWord' />
<br />
<input type='checkbox' name='check' value='1' /> Keep me signed in for a week
<br />
<br />
<input type='submit' name='Submit' onclick='Loading();' value='Login' />
</form>
<br />
<br />
<small><b>Note:</b> You must have cookies and javascript enabled in your browser to login.</small>
</center>
<?php

#Require Footer File
require_once 'include/footer.php';
?>

[waynew]

$User = $Member["UserName"];

 

Where is the array $Member coming from?

Also, you're not cleaning variables as they come in, which means that you are open to SQL injection.

The fix for this is to do something like:

 

#Fetch Member Details
$username = mysql_real_escape_string($_POST['UserName']);
$MQuery = mysql_query("SELECT * FROM `Users` WHERE `UserName` = '$username'");
$Member = mysql_fetch_array($MQuery)or die(mysql_error());

 

Whoa, wait? Why is $Member being overwritten here? You have the first piece of code above the code above this text?

 

[Shiny_Charizard]

How is it being overwritten?

[waynew]

$User = $Member["UserName"];

#Unencrypted Password
$Unencrypted_Pass = $_POST["PassWord"];

#Password Variable
$Pass = $_POST["PassWord"];

#Fetch Member Details
$MQuery = mysql_query("SELECT * FROM `Users` WHERE `UserName` = '$_POST[userName]'");
$Member = mysql_fetch_array($MQuery)or die(mysql_error());

 

Look at the first line and the last line.

 

Is this your code? Or somebody elses?

[Shiny_Charizard]

Thanks it works now.

Yeah, the code is mine I made a few months ago but it used to log the user in with sessions and yesterday I decided to make the user log in with cookies and I was moving things around I started having some problems. Thanks for the help.