anthonydamasco Posted August 10, 2006

The problem I am having is a little complex, well to me at least. I developed a very simple - register - login script using what little PHP knowledge I have, and the more I test it, the more holes I find. My session variables don't work, and it lets in anyone who accesses Login_success.php without checking for a login name and a valid password. What do I have to change to fix this?

This is my login script:

[code=php:0]
<?php
/* Check User Script */
session_start(); // Start Session

$conn = mysql_connect("localhost","www2","****");
$db = mysql_select_db("accu") or die( "Unable to select database");

$username="";
$password="";

// Convert to simple variables
$username = $_POST['username'];
$password = $_POST['password'];

// Convert password to md5 hash
$password = md5($password);

$sql = "SELECT * FROM staff WHERE username='$username' AND password='$password' AND activated='1')";
mysql_query($sql);
$login_check = mysql_num_rows($sql);
mysql_close();

if($login_check = 0){
    while($row = mysql_fetch_array($sql)){
        foreach( $row AS $$key => $val ){
            $$key = stripslashes( $val );
        }
        session_register('firstname');
        $_SESSION['firstname'] = $firstname;
        session_register('lastname');
        $_SESSION['lastname'] = $lastname;
        session_register('email');
        $_SESSION['email'] = $email;
        session_register('user_level');
        $_SESSION['user_level'] = $user_level;

        mysql_query("UPDATE staff SET last_login=now() WHERE userid='$userid'");

        header("Location: login_success.php");
    }
} else {
    echo "You could not be logged in! Either the username and password do not match or you have not validated your membership!<br /> Please try again!<br />";
}
?>
[/code]

[hr]

and here is my login success script:

[code=php:0]
<?php
session_start();

echo "Welcome ". $_SESSION['firstname'] ." ". $_SESSION['lastname'] ."! You have made it to the members area!<br /><br />";
echo "Your user level is ". $_SESSION['user_level']." which enables you access to the following areas: <br />";

if($_SESSION['user_level'] == 0){
    echo "- Forums<br />- Chat Room<br />";
}
if($_SESSION['user_level'] == 1){
    echo "- Forums<br />- Chat Room<br />- Moderator Area<br />";
}
if($_SESSION['user_level'] == 2){
    echo "- Forums<br />- Chat Room<br />- Moderator Area - Rapid response form search<br />";
}
if($_SESSION['user_level'] == 3){
    echo "- Forums<br />- Chat Room<br />- Moderator Area staff management<br />";
}
if($_SESSION['user_level'] == 4){
    echo "- Forums<br />- Chat Room<br />- Moderator Area admin tools!<br />";
}
echo "<br /><a href=logout.php>Logout</a>";
?>
[/code]

mewhocorrupts Posted August 10, 2006

Are you testing this from the same computer that you're logging in with? If you are, the session might be saved, and when you access the login page, it's pulling from an old session that's stored on your computer.

Also, as a side note, session_register() is deprecated. You don't have to include that any longer to create session variables.

anthonydamasco Posted August 10, 2006

I just tried to go to "login_success.php" from another PC and it goes right through.

SharkBait Posted August 10, 2006

This part might be your issue.

[code]
<?php
$sql = "SELECT * FROM staff WHERE username='$username' AND password='$password' AND activated='1')";
mysql_query($sql);
$login_check = mysql_num_rows($sql);
mysql_close();

if($login_check = 0){
?>
[/code]

If I am reading it right, you continue if $login_check equals 0. Well, if it finds the login name, it will return at least 1, won't it??

Try changing it to

[code]
<?php if($login_check > 0) {?>
[/code]

yyboo Posted August 24, 2006

Wouldn't it be if ($login_check==0){} anyway? (two equals signs) if you wanted the zero..
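
Added example, not code from any poster in this thread: one way to make login_success.php turn away visitors who never logged in, together with a login check that compares instead of assigning. It assumes PDO prepared statements in place of the thread's mysql_* calls, password_hash()/password_verify() in place of md5, and a hypothetical login.php form page; the function names are illustrative.

```php
<?php
// Added example, not the thread's code. Assumes PDO and that staff.password
// holds password_hash() output (the thread's script stores md5 instead).

// Returns the staff row for valid credentials, or null when login is rejected.
function attempt_login(PDO $db, string $username, string $password): ?array
{
    $stmt = $db->prepare('SELECT userid, firstname, lastname, user_level, password
                            FROM staff WHERE username = ? AND activated = 1');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // A comparison decides the outcome; "if ($x = 0)" would assign instead.
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    unset($row['password']);              // keep the hash out of the session
    return $row;
}

// login.php: call after session_start(), only when attempt_login() returned a row.
function start_user_session(array $user): void
{
    session_regenerate_id(true);          // new session id once authenticated
    foreach (['userid', 'firstname', 'lastname', 'user_level'] as $key) {
        $_SESSION[$key] = $user[$key];
    }
}

// True only when the login script populated this session.
function is_logged_in(array $session): bool
{
    return isset($session['userid'], $session['user_level']);
}

// First call in login_success.php and in every other members-only page.
function require_login(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!is_logged_in($_SESSION)) {
        header('Location: login.php');    // hypothetical name for the login page
        exit;                             // stop before member content is sent
    }
}
```

Calling require_login() before any output on login_success.php is what closes the direct-access hole described in the first post; the exit after header() matters because a redirect alone does not stop the rest of the page from running.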