New Login Script

[dean7]

Hi all, i attempted to create a whole new login script witch isnt working for some reason i dont know why. When i put the users details and then press submit, it just refreshes the page, even when i put the wrong details in it still does the same..

 

<?php
session_start();
include_once"config.php";
if (strip_tags($_GET['logout']) == "yes"){
session_destroy();
}elseif (isset($_SESSION['username'])){
header("Location: index2.php");
exit();
}

if ($_POST['Submit'] && strip_tags($_POST['username']) && strip_tags($_POST['password'])){
$username = addslashes(strip_tags($_POST['username']));
$password = addslashes(strip_tags($_POST['password']));

$ip = $REMOTE_ADDR;




///check INFO

$sql = mysql_query("SELECT * FROM allmembers WHERE username='$username' AND password='$password' LIMIT 1");


$login_check = mysql_num_rows($sql);
$inf = mysql_fetch_object($sql);
if ($login_check == "0"){
$message="You could not be logged in";
}elseif ($login_check != "0"){


if ($login_check > "0"){
if ($inf->status == "Dead"){
include_once"dead.php";
exit();

}
if ($inf->status == "Banned"){
$encoded=md5(strtolower($username));
header("Location: banned.php?banned=$username&encoded=$encoded");
exit();

}

        session_register('username');
        $_SESSION['username'] = $inf->username;




         $timestamp = time()+60;
mysql_query("UPDATE allmembers SET online='$timestamp' WHERE username='$username'");

mysql_query("UPDATE allmembers SET l_ip='$ip' WHERE username='$username'");



        header("Location: members.php");

} else {
    $message= "You could not be logged in.<br />";

}}}

$total_regged=mysql_num_rows(mysql_query("SELECT * FROM allmembers"));
$admins=mysql_num_rows(mysql_query("SELECT * FROM allmembers WHERE userlevel='2'"));
$mods=mysql_num_rows(mysql_query("SELECT * FROM allmembers WHERE userlevel='1'"));
$iti=mysql_fetch_object(mysql_query("SELECT * FROM site_stats WHERE id='1'"));
$most=$iti->online;
?>

 

Thats all the php code for my login system.

Thanks for your help.

[PFMaBiSmAd]

Writing, testing, and debugging code does not consist of you writing it, trying it, then posting only one relevant part of it on a help forum with the expectation that it is enough information for someone else to be able to find what is wrong with it.

 

You must investigate what your code is doing when it executes on your server and with the data values you are putting into it and with the data that is in your database. No one but you can do that because it requires access to your server and your code and your data.

 

Based on the symptom, your form either does not submit to the code you posted, it does not submit the data you think it does, or it does submit something but the code you did post is causing a redirect back to the from page.

 

There are literally a dozen different things that could cause the symptom you described. Pin down at what step your code is doing what you expect and at what step it is not. Have you even echoed any of the $_POST variables to see if they have the expected values in them?

[dean7]

Ill try that now.. I did think that was the relevant bit of code that the error would be in.. I havent been using php that long thats why i don't think about echoing the $_POST variables or anything.

[mrMarcus]

if ($_POST['Submit'] && strip_tags($_POST['username']) && strip_tags($_POST['password']))

 

don't do that .. do this:

 

if (isset ($_POST['Submit']))

 

and do other testing with this condition.

 

and from a simple glance, you're writing your code to the tune of having register_globals() on ($ip = $REMOTE_ADDR;), as well as magic_quotes() (addslashes()).

 

if you have access to your php.ini file, set 'magic_quotes_gpc' to off, and do the same for register_globals, within your php.ini file.

 

then change:

 

$ip = $_SERVER['REMOTE_ADDR'];

 

and...

 

$username = mysql_real_escape_string (strip_tags ($_POST['username'])); //you're better off creating a function that would scrub your incoming variables before they go to query;

 

doing the same for each $_POST variable (and $_GET/$_REQUEST if it ever arises).

 

pay attention to the deprecation of session_register() as issued by php.net .. you should take it out.

 

WARNING: This function has been DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 6.0.0. Relying on this feature is highly discouraged.