[SOLVED] login script allows access with no passwords

wmguk · March 31, 2009

My script allows users to access the website just using a registered email address, and you dont need the passwords...

any ideas?

<?php
//Engage sesions.
session_start();
// Here we include the mysql connection script.
include("connection.php");

$email=strtolower($_POST['email']); 
$password=$_POST['password']; 

/* Select data from database. */
$sql="SELECT * FROM users WHERE email='$email' AND password='$password'"; 
$result=mysql_query($sql); 
$count=mysql_num_rows($result);

while($row = mysql_fetch_array($result)) 
{ 
$id = $row['id'];
$admin = $row['admin'];
$monthspend = $row['monthspend'];
}

$today = date('j');

if($today == '1'){

//INSERT MONTH SPEND TO DB
	$ins = 	"INSERT INTO months (uid, amount) VALUES ('$id', '$monthspend')";
	mysql_query($ins) or die (mysql_error());

//RESET THE MONTH SPEND		
	$editsql = "UPDATE users SET monthspend = '0' WHERE email='$email';";
	mysql_query($editsql) or die (mysql_error());
} else { }

// If only one occurrence is there.
if($count=1){
		// Set the myusername sesion to 1 
		$_SESSION['email'] = $email;
		$_SESSION['password'] = $password; 
		$_SESSION['admin'] = $admin;

		// Make an sesion called authenticated to tell main.php that the user is logged in. 
		$_SESSION['authenticated'] == 'true';
		header("location:../account.php");
		exit;
} else { 
		header("location:../failed.php?err=The Account Details You Entered Have Failed. Please Try Again.");
		exit;
} 
?>

MasterACE14 · March 31, 2009

change...

if($count=1){

to

if($count == 1){

Regards, ACE

wmguk · March 31, 2009

ugh, Something so simple lol, just like all of php really!

Thank you

Sign In

[SOLVED] login script allows access with no passwords

Recommended Posts

wmguk

Link to comment

Share on other sites

MasterACE14

Link to comment

Share on other sites

wmguk

Link to comment

Share on other sites

Archived

Browse

Activity

Important Information