0

Having a problem with my login script, earlier, it was working fine, but now its just letting anybody log in, even if the records arent in the database :s i cant seem to think where it is going wrong

session_start();
mysql_connect("localhost","razorsh1","********"); 
mysql_select_db("razorsh1_page"); 
if(isset($_SESSION['loggedin']))
{
    echo("<center>Dude, youve already logged in,  <a href='acp.php'>Proceed to heaven</a></center>");
} 
if(isset($_POST['submit']))
{
   $name = mysql_real_escape_string($_POST['username']);
   $pass = mysql_real_escape_string($_POST['password']); 
   $mysql = mysql_query("SELECT * FROM users WHERE name = '{$name}' AND password = '{$pass}'"); 
   if(mysql_num_rows($mysql) < 1)
   {
     echo("<center>Password was an epic fail!</center>");
   } 
   $_SESSION['loggedin'] = "YES"; 
   $_SESSION['name'] = $name; 
   echo("<center>W00p we have success!   <a href='acp.php'>Proceed to heaven</a></center>"); 
}
echo "  <center><form type='adminlogin.php' method='post'>
&nbsp;
&nbsp;
&nbsp;
&nbsp;
  <table width='381' height='90' border='1' cellpadding='0' cellspacing='0'>
    <tr>
      <td height='22' colspan='2' align='center' bgcolor='#990033'>Admin Login</td>
    </tr>
    <tr>
      <td width='192' height='22'>Username</td>
      <td width='183'><input type='text' name='username' id='username' /></td>
    </tr>
    <tr>
      <td height='22'>Password</td>
      <td><input type='password' name='password' id='password' /></td>
    </tr>
    <tr>
      <td height='22' colspan='2' align='center'><input type='submit' name='submit' id='submit' value='Submit' /></td>
    </tr>
  </table>
</form></center>";

Anyone see whats wrong with it? Its logging out fine, just letting anyone in

3
Contributors
2
Replies
3
Views
6 Years
Discussion Span
Last Post by vibhaJ
0

Yes. there is no condition for setting session in your code.
So use else for setting session values.

if(isset($_POST['submit']))
{
   $name = mysql_real_escape_string($_POST['username']);
   $pass = mysql_real_escape_string($_POST['password']); 
   $mysql = mysql_query("SELECT * FROM users WHERE name = '{$name}' AND password = '{$pass}'"); 
   if(mysql_num_rows($mysql) < 1)
   {
     echo("<center>Password was an epic fail!</center>");
   } 
   else
   {
	   $_SESSION['loggedin'] = "YES"; 
	   $_SESSION['name'] = $name; 
	   echo("<center>W00p we have success!   <a href='acp.php'>Proceed to heaven</a></center>"); 
   }
}
This question has already been answered. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.