Logging In TroubleSo I

[dturnbull]

So I have this Login Script, but the problem is I can only log into one of the test accounts. When i try the others the content after echo [b]'<b>Logged in Successfully</b>';[/b] doesn't appear.

Please Help.

[!--quoteo--][div class=\'quotetop\']QUOTE[/div][div class=\'quotemain\'][!--quotec--]<?php

session_start(); // start session.

# Login Script
# WiiBuddies.com
include("header.html");
require_once("mysql.php");

$username = $_GET['username'];
$password = $_GET['password'];

$rs = mysql_query("select count(*) as count from user where username='$username' and password='$password'");

if (mysql_num_rows($rs) == 1)
{
echo '<b>Logged in Successfully</b>';

$logged = "SELECT id, username, password, friend_code, location, email, about FROM user";
$result = mysql_query($logged);

$query = "SELECT id, friend_code, username, email, location, about FROM user WHERE username='$username' AND password='$password'";
$result = mysql_query($query);

while($row = mysql_fetch_array($result, MYSQL_ASSOC))
{
echo "<p><b>Change Username</b> <br />
<form action='change_username.php'><input name='hiddenField' type='hidden' name='id' value='{$row['id']}' />
New Username: <input type='text' name='changeusername'>
<input type='submit' value='Change Username'>
</form>
<p><u>Current Username</u><br /> {$row['username']}<p>" .


"<b>Change Friend Code</b> <br />
<form action='change_fc.php'>
<input type='text' name='changefc'>
<input type='submit' value='Change Friend Code'>
</form>
<p><u>Current Friend Code</u><br /> {$row['friend_code']}<p>" .


"<b>Change Email</b> <br />
<form action='change_email.php'>
<input type='text' name='changeemail'>
<input type='submit' value='Change E-Mail'>
</form>
<p><u>Current E-Mail</u><br /> {$row['email']}<p>" .


"<b>Change Location:</b><br />
<form action='change_location.php'>
<input type='text' name='changelocation'>
<input type='submit' value='Change Location'>
</form>
<p><u>Current Location</u><br />{$row['location']}<p>" .


"<b>Change About:</b><br />
<form action='change_username.php'>
<textarea name='changeabout' cols='60' rows='4'></textarea><br />
<input type='submit' value='Change About'>
</form>
<p><u>Current About Message</u><br /> {$row['about']}<p>";
}

}
else
{
echo 'password username did not match';
}
?>[/quote]

[.josh]

okay first off, never ever ever EVER input a $_GET variable directly into your sql query. that's just BEGGING someone to completely and utterly destroy your database. use method='post' in your form and do lots of things like stripslashes and stuff to the variables.

2nd: this:
[code]
$rs = mysql_query("select count(*) as count from user where username='$username' and password='$password'");
[/code]
and this:
[code]
$query = "SELECT id, friend_code, username, email, location, about FROM user WHERE username='$username' AND password='$password'";
$result = mysql_query($query);
[/code]

should be condensed into this (at the same place as the first one):
[code]
$rs = mysql_query("select * from user where username='$username' and password='$password'");
[/code]

3rd: this:
[code]
$logged = "SELECT id, username, password, friend_code, location, email, about FROM user";
$result = mysql_query($logged);
[/code]
needs to be removed altogether, as it serves no purpose whatsoever.

4th: .... you know what, you need to go look at the tutorials man. no offense, but there are just too many mistakes in your script. go find a login/user validation script tutorial. there are some in the tutorial sections.

[448191]

This is not wrong:
[code]
$query = "SELECT id, friend_code, username, email, location, about FROM user WHERE username='$username' AND password='$password'";
[/code]
True that if your not doing anything else with your query except sending to mysql there's no use spending a variable on it, but specifying all columns is not wrong...
The general consensus is that using * is slower.

I also have to recommend a tutorial, the script is clumbsy and you've missed some of the basics, like proper use of mysql_query(). Always halt your script if a query fails, it fails for a reason. Use "or die()" and "mysql_error()".

Secondly, [u][b]this script will fall victim to database injection if published.[/b][/u]
How?
Just open open an url like this:
[u]scriptfilename.php?username=someuser&password=whatever' OR 1=1 AND username ='someuser[/u]

This will create a pretty query like this:
[!--sql--][div class=\'sqltop\']SQL[/div][div class=\'sqlmain\'][!--sql1--][span style=\'color:blue;font-weight:bold\']SELECT[/span] id, friend_code, username, email, location, about [color=green]FROM[/color] [color=orange]user[/color] [color=green]WHERE[/color] username[color=orange]=[/color][color=red]'someuser'[/color] [color=blue]AND[/color] password[color=orange]=[/color][color=red]'whatever'[/color] [color=blue]OR[/color] 1[color=orange]=[/color]1 [color=blue]AND[/color] username [color=orange]=[/color][color=red]'someuser'[/color] [!--sql2--][/div][!--sql3--]

Since 'OR' has a higher precedence than 'AND', this query would get me logged in without knowing someusers' password!

Also, if I'd like, I could drop a table or two:
[u]scriptfilename.php?username=someuser&password=whatever'; DROP TABLE user[/u]

[!--sql--][div class=\'sqltop\']SQL[/div][div class=\'sqlmain\'][!--sql1--][span style=\'color:blue;font-weight:bold\']SELECT[/span] id, friend_code, username, email, location, about [color=green]FROM[/color] [color=orange]user[/color] [color=green]WHERE[/color] username[color=orange]=[/color][color=red]'someuser'[/color] [color=blue]AND[/color] password[color=orange]=[/color][color=red]'whatever'[/color]; [span style=\'color:blue;font-weight:bold\']DROP[/span] TABLE user [!--sql2--][/div][!--sql3--]

So it's a good idea to read up.