oskare100 Posted January 3, 2007 Share Posted January 3, 2007 Hello,I'm having two problems with my login "check" script. The first problem is that nothing is inserted in the login_logs_tbl and the ip_logs_tbl. The second problem is that the "$new_num_logins = $current_num_logins[0] + 1;" part doesn't work, it just inserts "1" all the time regardless of the $current_num_logins[0]. I would also appreciate any feedback on the login script itself. Structure and content and so on.. Here is the code;[code=php:0]<?php
// Login check: looks the posted username/password up in $user_tbl, registers
// session variables on a match, then writes login and IP log rows and bumps
// the per-user counters. The table-name and connection variables are not set
// in this file; presumably db_info.php defines them.
include 'db_info.php';
// Connect to the server and select the database.
// NOTE(review): the mysql_* extension was removed in PHP 7.0; mysqli or PDO
// with prepared statements is the replacement.
mysql_connect("$sqlhost", "$sqlusername", "$sqlpassword")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");
// Username and password sent from the form.
$vusername=$_POST['vusername'];
$vpassword=$_POST['vpassword'];
// NOTE(review): both POST values go straight into the SQL string, so a quote
// character in either one changes the statement (SQL injection). Escape them
// with mysql_real_escape_string() or use prepared statements.
// NOTE(review): the password is compared exactly as submitted, which implies
// the column holds unhashed passwords - confirm; store a salted hash instead.
$sql="SELECT * FROM $user_tbl WHERE username='$vusername' and password='$vpassword'";
$result=mysql_query($sql);
// mysql_num_rows() counts the rows the lookup returned.
$count=mysql_num_rows($result);
// Exactly one matching row is treated as a successful login.
if($count==1){
    // Same lookup again, selecting only the id; same injection concern as $sql.
    $sql3="SELECT user_id FROM $user_tbl WHERE username='$vusername' and password='$vpassword'";
    $result3=mysql_query($sql3);
    // $vuserid is the fetched row (an array); the id itself is $vuserid[0].
    $vuserid = mysql_fetch_array($result3);
    // Register the globals $vusername and $vpassword as session variables.
    // No redirect happens in this script.
    // NOTE(review): this keeps the submitted password in the session data.
    // session_register() was deprecated in PHP 5.3 and removed in 5.4.
    session_register("vusername");
    session_register("vpassword");
    // The current time (for logs)
    $date = date("H:i:s M j, Y");
    // The current unix timestamp (for logs)
    $timestamp = time();
    // Log the login in the login log table.
    // NOTE(review): $date is placed in the statement without quotes, so the
    // formatted text arrives as bare words and MySQL rejects the INSERT. The
    // result is never checked, so the failure is silent - this is why nothing
    // reaches $login_logs_tbl. Quote it ('$date') and check the result,
    // logging mysql_error() rather than showing it to visitors.
    $sql5="INSERT INTO $login_logs_tbl (user_id, ip, logged_date, logged_timestamp) VALUES(".$vuserid[0].", '".$_SERVER['REMOTE_ADDR']."', $date, $timestamp)";
    $result5=mysql_query($sql5);
    // Set the latest login in the user table.
    // NOTE(review): UPDATE takes SET col = value, col = value; the
    // (cols) VALUES (...) form belongs to INSERT, so this statement fails as
    // well, and $date is unquoted here too. The result is not checked.
    $sql8="UPDATE $user_tbl SET (latest_login_date, latest_login_timestamp) VALUES ($date, $timestamp) where user_id = ".$vuserid[0]."";
    $result8=mysql_query($sql8);
    // Add 1 to the number of logins in the user table.
    // NOTE(review): '$vuserid' interpolates the whole row array, which PHP
    // renders as the text "Array", so the WHERE presumably matches no row,
    // the fetch returns false, and $current_num_logins[0] + 1 is always 1.
    // Use $vuserid[0] as the other statements do. A single
    // UPDATE ... SET num_logins = num_logins + 1 would also close the gap
    // between reading and writing the counter.
    $sql2 = "select num_logins 
from $user_tbl where user_id = '$vuserid'";
    $result2 = mysql_query($sql2) or die( mysql_error() );
    $current_num_logins = mysql_fetch_array($result2);
    $new_num_logins = $current_num_logins[0] + 1;
    $sql9="UPDATE $user_tbl SET num_logins = '$new_num_logins' where user_id = ".$vuserid[0]."";
    $result9=mysql_query($sql9);
    // Prints the new counter value into the response.
    echo "$new_num_logins";
    // Check if the IP is already logged in the database
    $sql22 = "select user_id from $ip_logs_tbl where user_id = ".$vuserid[0]." and ip = '".$_SERVER['REMOTE_ADDR']."'";
    $result22 = mysql_query($sql22) or die( mysql_error() );
    $row = mysql_fetch_array($result22);
    // NOTE(review): the right-hand side is a quoted string, so the stored id
    // is compared with the id wrapped in dots; the test is presumably never
    // true and every login takes the else branch. Compare with $vuserid[0].
    if ($row['user_id'] == ".$vuserid[0].") {
        // It's an old ip for that user - change the latest login date.
        // NOTE(review): same SET (...) VALUES (...) problem and unquoted
        // $date as $sql8; the WHERE filters on ip only, so a corrected
        // statement would touch every user's row for that address.
        $sql12="update $ip_logs_tbl set (latest_date, latest_timestamp) values ($date, $timestamp) where ip = '".$_SERVER['REMOTE_ADDR']."'";
        $result11=mysql_query($sql12);
    }else {
        // It's a new IP for that user - log it.
        // NOTE(review): unquoted $date again and an unchecked result - the
        // reason nothing reaches $ip_logs_tbl.
        $sql10="INSERT INTO $ip_logs_tbl (ip, user_id, latest_date, latest_timestamp) VALUES('".$_SERVER['REMOTE_ADDR']."', ".$vuserid[0].", $date, $timestamp)";
        $result10=mysql_query($sql10);
        // And add 1 to the number of different IPs in the user table.
        $sql4 = "select num_ips from $user_tbl where user_id = ".$vuserid[0]."";
        $result4 = mysql_query($sql4) or die( mysql_error() );
        // NOTE(review): this fetches from $result2 (the num_logins query),
        // not from $result4.
        $current_num_ips = mysql_fetch_array($result2);
        $new_num_ips = $current_num_ips[0] + 1;
        // NOTE(review): num_ips is set to $new_num_logins; $new_num_ips is
        // computed above but never used.
        $sql11="UPDATE $user_tbl SET num_ips = '$new_num_logins' where user_id = ".$vuserid[0]."";
        $result11=mysql_query($sql11);
    }
    echo "logged in";
}else {
    echo "Wrong Username or Password";
}
?>[/code]Thanks,/Oskar Quote Link to comment Share on other sites More sharing options...
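metrostars Posted January 3, 2007
I'm still figuring this out but 1 point. That login will leave your database open to a hacker using SQL injection. If he put 'OR 1='1 in there it would return as having rows.
[code]<?php
// Login check: verifies the posted credentials against $user_tbl, registers
// the session variables, records the login in $login_logs_tbl and
// $ip_logs_tbl, and increments the per-user counters. Connection settings and
// table names are expected to come from db_info.php.
include 'db_info.php';

// Runs one statement and stops the request if MySQL rejects it. The MySQL
// error text goes to the server log instead of the response, so a failure is
// never silent and visitors do not see schema details.
function login_query($sql)
{
    $result = mysql_query($sql);
    if ($result === false) {
        error_log("login check: query failed: " . mysql_error());
        die("Login is temporarily unavailable");
    }
    return $result;
}

// Connect to the server and select the database.
// NOTE(review): the mysql_* extension was removed in PHP 7.0. Prepared
// statements through mysqli or PDO are the durable fix; the escaping below is
// the equivalent protection within the API this script already uses.
mysql_connect("$sqlhost", "$sqlusername", "$sqlpassword") or die("cannot connect");
mysql_select_db("$db_name") or die("cannot select DB");

// Username and password sent from the form. Missing or non-string fields are
// treated as empty so they can never match a row.
$vusername = (isset($_POST['vusername']) && is_string($_POST['vusername'])) ? $_POST['vusername'] : '';
$vpassword = (isset($_POST['vpassword']) && is_string($_POST['vpassword'])) ? $_POST['vpassword'] : '';

// Escaped copies for use inside quoted SQL literals. The originals stay
// untouched because session_register() below stores $vusername/$vpassword.
$safe_username = mysql_real_escape_string($vusername);
$safe_password = mysql_real_escape_string($vpassword);

// One lookup both checks the credentials and returns the id.
// NOTE(review): comparing the submitted password directly implies the column
// holds unhashed passwords - confirm; store a salted hash and verify in PHP.
$sql = "SELECT user_id FROM $user_tbl WHERE username='$safe_username' and password='$safe_password'";
$result = login_query($sql);

// Exactly one matching row is treated as a successful login.
if (mysql_num_rows($result) == 1) {
    $vuserid = mysql_fetch_array($result);
    // Cast to int so the id is safe to place unquoted in the statements below.
    $userid = (int) $vuserid['user_id'];

    // Register the globals $vusername and $vpassword as session variables.
    // NOTE(review): this keeps the submitted password in the session data;
    // drop it once no other page reads it. session_register() was deprecated
    // in PHP 5.3 and removed in 5.4 ($_SESSION is the replacement).
    session_register("vusername");
    session_register("vpassword");

    // The current time (for logs).
    // NOTE(review): assumes the *_date columns are text columns - a DATETIME
    // column would need date("Y-m-d H:i:s"); confirm against the schema.
    $date = date("H:i:s M j, Y");
    // The current unix timestamp (for logs).
    $timestamp = time();
    $insIP = mysql_real_escape_string($_SERVER['REMOTE_ADDR']);

    // Log the login. $date is text, so it has to be quoted.
    login_query("INSERT INTO $login_logs_tbl (user_id, ip, logged_date, logged_timestamp) VALUES ($userid, '$insIP', '$date', $timestamp)");

    // Set the latest login in the user table. UPDATE uses SET col = value
    // pairs; the (cols) VALUES (...) form is INSERT syntax.
    login_query("UPDATE $user_tbl SET latest_login_date = '$date', latest_login_timestamp = $timestamp WHERE user_id = $userid");

    // Add 1 to the number of logins inside the database, so two logins at the
    // same moment cannot both write the same value. COALESCE covers a NULL
    // counter on a user's first login.
    login_query("UPDATE $user_tbl SET num_logins = COALESCE(num_logins, 0) + 1 WHERE user_id = $userid");
    $result2 = login_query("SELECT num_logins FROM $user_tbl WHERE user_id = $userid");
    $current_num_logins = mysql_fetch_array($result2);
    $new_num_logins = $current_num_logins['num_logins'];
    // Debug output kept from the original script.
    echo "$new_num_logins";

    // Check if this IP is already logged for this user.
    $result22 = login_query("SELECT user_id FROM $ip_logs_tbl WHERE user_id = $userid AND ip = '$insIP'");
    if (mysql_num_rows($result22) > 0) {
        // Known IP for that user - refresh its latest login date. The WHERE
        // names the user as well, so other users' rows for the same address
        // are left alone.
        login_query("UPDATE $ip_logs_tbl SET latest_date = '$date', latest_timestamp = $timestamp WHERE user_id = $userid AND ip = '$insIP'");
    } else {
        // New IP for that user - log it and count it.
        login_query("INSERT INTO $ip_logs_tbl (ip, user_id, latest_date, latest_timestamp) VALUES ('$insIP', $userid, '$date', $timestamp)");
        login_query("UPDATE $user_tbl SET num_ips = COALESCE(num_ips, 0) + 1 WHERE user_id = $userid");
    }

    echo "logged in";
} else {
    echo "Wrong Username or Password";
}
?>[/code]
I'm still a relative newb to this so forgive me if I've done something embarrassing.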