Logging into website help

[sted999]

Hiya all.

 

I am very new to PHP and MySQL so apologies in advance if my code is awful. I am making a website where a user can sign into the members area. But when i run my code it is not logging me, it is just taking me to the page if a wrong user name or password has been given. All my MySQL fields have the right names, its driving me mad why it wont work!!??!

 

Any help would be really appreciated. My code is below.

Thanks,

Stephen.

 

------Login section on home page -------

<div id="login">

<h2 class="title1">User Login</h2>

<form id="form1" method="post" action="login.php?do=login">

 

<fieldset>

<label for="inputtext1">Username:</label>

<input id="inputtext1" type="text" name="fusername" value="" />

<label for="inputtext2">Password:</label>

<input id="inputtext2" type="password" name="fpassword" value="" />

<input id="inputsubmit1" type="submit" name="log" value="Sign In" />

<p><a href="#">Forgot your password?</a><br />

<a href="register.html">Register for Free!</a></p>

</fieldset>

</form>

</div>

 

----- Login php -------

<?php

/* Program: Login.php

*/

 

  session_start();                                       

  include("connect.inc");                                   

  switch (@$_GET['do'])                                 

  {

    case "login":                                       

      $connection = mysql_connect($host, $user,$password)

              or die ("Couldn't connect to server.");

      $db = mysql_select_db($database, $connection)

              or die ("Couldn't select database.");     

 

      $sql = "SELECT loginName FROM Member

              WHERE loginName='$_POST[fusername]'";     

      $result = mysql_query($sql)

                  or die("Couldn't execute query.");     

      $num = mysql_num_rows($result);                   

      if ($num == 1)  // login name was found           

      {

        $sql = "SELECT loginName FROM Member

                WHERE loginName='$_POST[fusername]'

                AND password=password('$_POST[fpassword]')";

        $result2 = mysql_query($sql)

                  or die("Couldn't execute query 2."); 

        $num2 = mysql_num_rows($result2);

        if ($num2 > 0)  // password is correct         

        {

          $_SESSION['auth']="yes";                     

          $logname=$_POST['fusername'];

          $_SESSION['logname'] = $logname;             

          $today = date("Y-m-d h:m:s");                 

          $sql = "INSERT INTO Login (loginName,loginTime)

                  VALUES ('$logname','$today')";

          mysql_query($sql) or die("Can't execute query.");

 

  $url = "http://www.students.ncl.ac.uk/stephen.davie/members.php";

 

          header("Location: $url");         

 

        }

        else    // password is not correct             

        {

          unset($_GET['do']);                           

          $message="The Login Name, '$_POST[fusername]'

                    exists, but you have not entered the

                    correct password! Please try again.<br>";

          include("contactus.php");                   

        }

      }                                                 

      elseif ($num == 0)  // login name not found       

      { 

        unset($_GET['do']);                             

        $message = "The Login Name you entered does not

                    exist! Please try again.<br>";

        include("contactus.php");

      }

    break; 

 

}

?>

 

[kickstart]

Hi

 

Only thing that jumps out at me is that you are mixing $_GET and $_POST. Easiest solution would be to add a hidden field call do with a value of login, and then take the ?do=login off the forms action.

 

Also you should clean the data before you use it in the SQL.

 

All the best

 

Keith