
Login script doesn't insert row and calculate right + feedback on the scrip itse


oskare100


Hello,
I'm having two problems with my login "check" script. The first problem is that nothing is inserted in the login_logs_tbl and the ip_logs_tbl. The second problem is that the "$new_num_logins = $current_num_logins[0] + 1;" part doesn't work, it just inserts "1" all the time regardless of the $current_num_logins[0].

I would also appreciate any feedback on the login script itself. Structure and content and so on..

Here is the code;
[code=php:0]<?php
// Login check: looks the posted credentials up in $user_tbl and, on a match,
// records the login in $login_logs_tbl / $ip_logs_tbl and bumps the counters
// in $user_tbl. Connection settings and table names come from db_info.php.
include 'db_info.php';
// Connect to server and select database.
// NOTE(review): the mysql_* extension was deprecated in PHP 5.5 and removed in
// PHP 7.0; mysqli or PDO with prepared statements is the maintained replacement.
mysql_connect("$sqlhost", "$sqlusername", "$sqlpassword")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

// Username and password sent from the login form.
// NOTE(review): both values are copied from $_POST unchanged and are pasted
// into the SQL text below, so the request body controls the query (SQL
// injection). They need escaping or bound parameters before use.
$vusername=$_POST['vusername'];
$vpassword=$_POST['vpassword'];

// NOTE(review): the password column is compared with the raw posted value, so
// it presumably holds plaintext passwords -- confirm against the schema; a
// salted password hash checked in PHP is the usual design.
$sql="SELECT * FROM $user_tbl WHERE username='$vusername' and password='$vpassword'";
$result=mysql_query($sql);

// mysql_num_rows() counts the rows in the result set.
// NOTE(review): $result is not checked; mysql_query() returns false on error.
$count=mysql_num_rows($result);
// If the query matched $vusername and $vpassword, there must be exactly 1 row

if($count==1){
// Same lookup again, this time selecting only user_id; $vuserid is the fetched
// row (an array), so the id itself is $vuserid[0].
$sql3="SELECT user_id FROM $user_tbl WHERE username='$vusername' and password='$vpassword'";
$result3=mysql_query($sql3);
$vuserid = mysql_fetch_array($result3);

// Register $vusername and $vpassword in the session (no redirect happens here).
// NOTE(review): session_register() was deprecated in PHP 5.3 and removed in
// 5.4, and the second call keeps the plaintext password in session storage.
session_register("vusername");
session_register("vpassword");

// The current time (for logs)
$date = date("H:i:s M j, Y");

// The current unix timestamp (for logs)
$timestamp = time();

// Log the login in the login log table
// NOTE(review): $date is interpolated without quotes, so the statement is not
// valid SQL, and the result of mysql_query() is never checked -- the failure is
// silent. This matches the reported "nothing is inserted" symptom.
$sql5="INSERT INTO $login_logs_tbl (user_id, ip, logged_date, logged_timestamp) VALUES(".$vuserid[0].", '".$_SERVER['REMOTE_ADDR']."', $date, $timestamp)";
$result5=mysql_query($sql5);

// Set the latest login in the user table
// NOTE(review): "UPDATE ... SET (cols) VALUES (...)" is not MySQL syntax; the
// form is "SET col = value, col = value". This query also fails unnoticed.
$sql8="UPDATE $user_tbl SET (latest_login_date, latest_login_timestamp) VALUES ($date, $timestamp) where user_id = ".$vuserid[0]."";
$result8=mysql_query($sql8);

// Add 1 to the number of logins in the user table
// NOTE(review): '$vuserid' interpolates the whole array (the text "Array"),
// not $vuserid[0], so the lookup presumably matches no row and
// $current_num_logins[0] is empty -- which would explain the constant 1.
$sql2 = "select num_logins from $user_tbl where user_id = '$vuserid'";
$result2 = mysql_query($sql2) or die( mysql_error() );
$current_num_logins = mysql_fetch_array($result2);
$new_num_logins = $current_num_logins[0] + 1;
$sql9="UPDATE $user_tbl SET num_logins = '$new_num_logins' where user_id = ".$vuserid[0]."";
$result9=mysql_query($sql9);
// Debug output of the new counter.
echo "$new_num_logins";

// Check if the IP is already logged in the database
// NOTE(review): die(mysql_error()) prints database error text to the client.
$sql22 = "select user_id from $ip_logs_tbl where user_id = ".$vuserid[0]." and ip = '".$_SERVER['REMOTE_ADDR']."'";
$result22 = mysql_query($sql22) or die( mysql_error() );
$row = mysql_fetch_array($result22);
// NOTE(review): the right-hand side is a string literal made of a dot, the id
// and another dot, so this test appears never to be true and the "new IP"
// branch runs on every login.
if ($row['user_id'] == ".$vuserid[0].") {

// It's an old ip for that user - change the latest login date
// NOTE(review): same invalid SET (...) VALUES (...) form and unquoted $date as
// above; the WHERE clause also filters on ip only, not on user_id.
$sql12="update $ip_logs_tbl set (latest_date, latest_timestamp) values ($date, $timestamp) where ip = '".$_SERVER['REMOTE_ADDR']."'";
$result11=mysql_query($sql12);

}
else {
// It's a new IP for that user - log it
// NOTE(review): $date is unquoted here too, so this INSERT fails silently.
$sql10="INSERT INTO $ip_logs_tbl (ip, user_id, latest_date, latest_timestamp) VALUES('".$_SERVER['REMOTE_ADDR']."', ".$vuserid[0].", $date, $timestamp)";
$result10=mysql_query($sql10);

// And add 1 to the number of different IPs in the user table
// NOTE(review): the row is fetched from $result2 (the num_logins query) rather
// than $result4, and the UPDATE stores $new_num_logins instead of $new_num_ips.
$sql4 = "select num_ips from $user_tbl where user_id = ".$vuserid[0]."";
$result4 = mysql_query($sql4) or die( mysql_error() );
$current_num_ips = mysql_fetch_array($result2);
$new_num_ips = $current_num_ips[0] + 1;
$sql11="UPDATE $user_tbl SET num_ips = '$new_num_logins' where user_id = ".$vuserid[0]."";
$result11=mysql_query($sql11);

}
echo "logged in";
}
else {
echo "Wrong Username or Password";
}
?>
[/code]

Thanks,
/Oskar
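I'm still figuring this out but 1 point. That login will leave your database open to a hacker using SQL injection, because $vusername and $vpassword go into the query without being escaped. If he put 'OR 1='1 in there it would return as having rows. Run both values through mysql_real_escape_string() (or use prepared statements) before building the query.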

[code]<?php
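// Login check: verifies the posted credentials against $user_tbl and, on a
// match, records the login in $login_logs_tbl / $ip_logs_tbl and updates the
// per-user counters. Connection settings and table names come from
// db_info.php and are treated as trusted configuration.
//
// NOTE(review): the mysql_* extension was deprecated in PHP 5.5 and removed in
// PHP 7.0. This version keeps it so the script still matches db_info.php, but
// mysqli or PDO with prepared statements is the maintained replacement.
include 'db_info.php';

// Run one query; on failure log the database error server-side and stop with a
// generic message, so SQL error text is never shown to the client.
if (!function_exists('login_query')) {
    function login_query($sql)
    {
        $res = mysql_query($sql);
        if ($res === false) {
            error_log("login query failed: " . mysql_error());
            die("database error");
        }
        return $res;
    }
}

// Connect to server and select database.
mysql_connect($sqlhost, $sqlusername, $sqlpassword) or die("cannot connect");
mysql_select_db($db_name) or die("cannot select DB");

// Username and password sent from the login form. Anything that is missing or
// not a plain string (e.g. an array parameter) is treated as empty.
$vusername = (isset($_POST['vusername']) && is_string($_POST['vusername'])) ? $_POST['vusername'] : '';
$vpassword = (isset($_POST['vpassword']) && is_string($_POST['vpassword'])) ? $_POST['vpassword'] : '';

// Escape both values before they are placed inside the quoted SQL literals;
// without this the request body controls the query text (SQL injection).
$safe_username = mysql_real_escape_string($vusername);
$safe_password = mysql_real_escape_string($vpassword);

// NOTE(review): the password is compared with the stored column as-is, so the
// table presumably holds plaintext passwords -- confirm against the schema.
// The usual design stores a salted hash and verifies it in PHP.
$sql = "SELECT user_id FROM $user_tbl WHERE username='$safe_username' and password='$safe_password'";
$result = login_query($sql);

// A successful login matches exactly one row.
if (mysql_num_rows($result) == 1) {
    // Read the id from the row already fetched instead of querying again, and
    // force it to an integer so it is safe to place in SQL unquoted.
    $vuserid = mysql_fetch_array($result);
    $userid = (int) $vuserid['user_id'];

    // Register the credentials in the session, as the original script did.
    // NOTE(review): session_register() was deprecated in PHP 5.3 and removed
    // in 5.4, and the second call keeps the plaintext password in session
    // storage. Storing only the user id in $_SESSION after session_start() and
    // session_regenerate_id() is the safer pattern; left unchanged here because
    // pages outside this script may depend on these two session entries.
    session_register("vusername");
    session_register("vpassword");

    // The current time (for logs). It contains spaces and a comma, so it must
    // be sent as a quoted string literal.
    $date = date("H:i:s M j, Y");
    $safe_date = mysql_real_escape_string($date);

    // The current unix timestamp (for logs)
    $timestamp = time();

    // Client address as reported by the web server; escaped like any other
    // string that goes into a query.
    $insIP = mysql_real_escape_string($_SERVER['REMOTE_ADDR']);

    // Log the login in the login log table
    $sql5 = "INSERT INTO $login_logs_tbl (user_id, ip, logged_date, logged_timestamp) VALUES ($userid, '$insIP', '$safe_date', $timestamp)";
    login_query($sql5);

    // Set the latest login in the user table. UPDATE takes "SET col = value"
    // pairs; the "SET (...) VALUES (...)" form is not valid MySQL.
    $sql8 = "UPDATE $user_tbl SET latest_login_date = '$safe_date', latest_login_timestamp = $timestamp WHERE user_id = $userid";
    login_query($sql8);

    // Add 1 to the number of logins in a single statement, so two logins at
    // the same moment cannot overwrite each other's count.
    $sql9 = "UPDATE $user_tbl SET num_logins = COALESCE(num_logins, 0) + 1 WHERE user_id = $userid";
    login_query($sql9);

    // Read the new value back for the debug output the original script printed.
    $sql2 = "SELECT num_logins FROM $user_tbl WHERE user_id = $userid";
    $result2 = login_query($sql2);
    $current_num_logins = mysql_fetch_array($result2);
    $new_num_logins = $current_num_logins['num_logins'];
    echo "$new_num_logins";

    // Check if the IP is already logged in the database for this user
    $sql22 = "SELECT user_id FROM $ip_logs_tbl WHERE user_id = $userid AND ip = '$insIP'";
    $result22 = login_query($sql22);

    if (mysql_num_rows($result22) > 0) {
        // It's an old ip for that user - change the latest login date.
        // The WHERE clause includes user_id so other users who share the
        // address keep their own dates.
        $sql12 = "UPDATE $ip_logs_tbl SET latest_date = '$safe_date', latest_timestamp = $timestamp WHERE user_id = $userid AND ip = '$insIP'";
        login_query($sql12);
    }
    else {
        // It's a new IP for that user - log it
        $sql10 = "INSERT INTO $ip_logs_tbl (ip, user_id, latest_date, latest_timestamp) VALUES ('$insIP', $userid, '$safe_date', $timestamp)";
        login_query($sql10);

        // And add 1 to the number of different IPs in the user table
        $sql11 = "UPDATE $user_tbl SET num_ips = COALESCE(num_ips, 0) + 1 WHERE user_id = $userid";
        login_query($sql11);
    }
    echo "logged in";
}
else {
    // Same message for an unknown user and a wrong password, so the response
    // does not reveal which usernames exist.
    echo "Wrong Username or Password";
}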
?>[/code]

I'm still a relative newb to this so forgive me if I've done something embarrassing.
