Hi there,
If i try to login with the script below without any username or password, it logs me in as a user that is already in the database! Cant see why it would do that though when it should just show an error... There is another page, but that is just a form with no predeffined values that will affect the form!
Fet
PHP Code:
<? session_start();
ob_start();
$username=$_REQUEST['username'];
$password=base64_encode($_REQUEST['password']);
$sql_reg="select * from tbl_register where username='".$username."' and password='".$password."' and status='1'";
$fet=mysql_query($sql_reg) or die("The Following error occired: <br>".mysql_error());
if(mysql_num_rows($fet)>0)
{
$_SESSION['user']=$username;
ob_start();
header("location:home.php");
exit;
}
else
{
$msg=1;
}
?>
1. You haven't logged out a previous user (expired the session cookie and destroyed the session), so it's using that existing session.
2. You have a row in your users table with empty values for user and password.
"Please give us a simple answer, so that we don't have to think, because if we think, we might find answers that don't fit the way we want the world to be."
~ Terry Pratchett in Nation
Upon further review, are you sure that code runs without error? "password" is a reserved word in MySQL (the password() function), so I would expect your mysql_query() call to throw an error since you have not back-quoted the `password` column name.
"Please give us a simple answer, so that we don't have to think, because if we think, we might find answers that don't fit the way we want the world to be."
~ Terry Pratchett in Nation
Reply With Quote
Bookmarks