Dracolas Posted October 29, 2009

Ok, I'm really new to login scripts and I'm wondering if there is something wrong with this one... it's causing me 2 problems: 1st, when I go to login, it crashes my site. 2nd, the login button (when I hover on it) says index.php on it... Am I just missing something or is there something wrong with this code?

```php
<div class=log><?php
require("db.php");

//Checks if there is a login cookie
if(isset($_COOKIE['ID_my_site']))
//if there is, it logs you in and directs you to the members page
{
    $username = $_COOKIE['ID_my_site'];
    $pass = $_COOKIE['Key_my_site'];
    $check = mysql_query("SELECT * FROM users WHERE username = '$username'")or die(mysql_error());
    while($info = mysql_fetch_array( $check ))
    {
        if ($pass != $info['password'])
        {
        }
        else
        {
            header("Location: console.php");
        }
    }
}

//if the login form is submitted
if (isset($_POST['submit'])) { // if form has been submitted

    // makes sure they filled it in
    if(!$_POST['username'] | !$_POST['pass']) {
        die('You did not fill in a required field.');
    }

    // checks it against the database
    if (!get_magic_quotes_gpc()) {
        $_POST['email'] = addslashes($_POST['email']);
    }
    $check = mysql_query("SELECT * FROM users WHERE username = '".$_POST['username']."'")or die(mysql_error());

    //Gives error if user doesn't exist
    $check2 = mysql_num_rows($check);
    if ($check2 == 0) {
        die('That user does not exist in our database. <a href=index.php>Home</a>');
    }

    while($info = mysql_fetch_array( $check ))
    {
        $_POST['pass'] = stripslashes($_POST['pass']);
        $info['password'] = stripslashes($info['password']);
        $_POST['pass'] = md5($_POST['pass']);

        //gives error if the password is wrong
        if ($_POST['pass'] != $info['password']) {
            die('Incorrect password, please try again.');
        }
        else
        {
            // if login is ok then we add a cookie
            $_POST['username'] = stripslashes($_POST['username']);
            $hour = time() + 3600;
            setcookie(ID_my_site, $_POST['username'], $hour);
            setcookie(Key_my_site, $_POST['pass'], $hour);

            //then redirect them to the members area
            header("Location: console.php");
        }
    }
}
else
{
// if they are not logged in
?>
<form action="<?php echo $_SERVER['PHP_SELF']?>" method="post">
<table border="0">
<tr><td colspan=2><center><img src="pics/login.png"></td></tr>
<tr><td><img src="pics/user.png"></td><td>
<input type="text" name="username" width="10" maxlength="20">
</td></tr>
<tr><td><img src="pics/pass.png"></td><td>
<input type="password" name="pass" maxlength="20">
</td></tr>
<tr><td colspan="2" align="right">
<input type="submit" name="submit" value="Login">
</td></tr>
</table>
</form>
<?php
}
?>
</div>
```

mpharo Posted October 29, 2009

In your form action you have $_SERVER['PHP_SELF'], which will return the page that it is being called from, so if you are on index.php it will return index.php. Which, looking at your login section at the top of the page, is how you want it set up. Cookies are not a secure way to store login info, especially passwords, and from the looks of it you're not even encrypting the password in the cookie. You should look at changing this to session based and not cookie based.

Dracolas Posted October 29, 2009 (Author)

As I said, I'm very new to login scripts... how would I change that? I see how that could be a problem.

mpharo Posted October 29, 2009

You would need to store the usernames and passwords in the database, and encrypt the passwords using an MD5 hash before you insert them.

```php
<?php
session_start();

// Only attempt a login when no user is stored in the session yet
if (empty($_SESSION['username'])) {
    // Array keys are quoted strings
    $username = strip_tags(addslashes($_POST['username']));
    $password = strip_tags(addslashes($_POST['password']));
    $passwordhash = md5($password);

    // String values are quoted inside the SQL statement
    $select = mysql_query("select * from tlogin where username='$username' and password='$passwordhash'") or die(mysql_error());
    $rows = mysql_num_rows($select);

    // A matching row means the credentials are valid
    if ($rows > 0) {
        $_SESSION['username'] = $username;
    } else {
        echo "Login Failed!";
    }
}
?>
```

This is rough code, but it should get you on the right track...

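An added example, not part of the thread or any poster's code: the session-based login suggested above, written with a bound query parameter and PHP's password_hash()/password_verify() in place of string-built SQL and MD5. The in-memory SQLite table, the sample account and the function names are assumptions made so the block runs stand-alone (it needs the pdo_sqlite extension).

```php
<?php
// Added example: constructed table and account, not code from the thread.
// Assumes pdo_sqlite; swap the DSN for the real database in production.

function make_demo_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
    $ins = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    // password_hash() salts and stretches the password; a bare MD5 does neither.
    $ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $db;
}

// Returns true only when the user exists and the password matches.
function check_credentials(PDO $db, string $username, string $password): bool {
    // Bound parameter: the username never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    if ($hash === false) {
        return false; // unknown user; report it the same way as a bad password
    }
    return password_verify($password, $hash);
}

// Call before any output is sent: the session cookie is an HTTP header.
function log_in(PDO $db, string $username, string $password): bool {
    if (!check_credentials($db, $username, $password)) {
        return false;
    }
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true);       // fresh session id after login
    $_SESSION['username'] = $username; // stored server-side; no password in any cookie
    return true;
}

if (PHP_SAPI === 'cli') {
    $db = make_demo_db();
    var_dump(check_credentials($db, 'alice', 'correct horse'));   // valid login
    var_dump(check_credentials($db, 'alice', 'wrong'));           // wrong password
    var_dump(check_credentials($db, "x' OR '1'='1", 'anything')); // quote stays literal data
}
```
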
Dracolas Posted November 3, 2009 (Author)

Actually I found that if I put the login on its own page (which will work fine for my website) it works fine... thanks anyway guys.