Hi there,
If i try to login with the script below without any username or password, it logs me in as a user that is already in the database! Cant see why it would do that though when it should just show an error... There is another page, but that is just a form with no predeffined values that will affect the form!

Fet


<? session_start();
ob_start();
$username=$_REQUEST['username'];
$password=base64_encode($_REQUEST['password']);
$sql_reg="select * from tbl_register where username='".$username."' and password='".$password."' and status='1'";
$fet=mysql_query($sql_reg) or die("The Following error occired: <br>".mysql_error());
if(mysql_num_rows($fet)>0)
{
$_SESSION['user']=$username;
ob_start();
header("location:home.php");
exit;
}
else
{
$msg=1;
}
?>

The first possibilties that come to mind:

1. You haven't logged out a previous user (expired the session cookie and destroyed the session), so it's using that existing session.

2. You have a row in your users table with empty values for user and password.

Upon further review, are you sure that code runs without error? "password" is a reserved word in MySQL (the password() function), so I would expect your mysql_query() call to throw an error since you have not back-quoted the `password` column name.