Having a problem with my login script. Earlier it was working fine, but now it's just letting anybody log in, even if the records aren't in the database :s I can't seem to think where it is going wrong

session_start();
mysql_connect("localhost","razorsh1","********"); 
mysql_select_db("razorsh1_page"); 
if(isset($_SESSION['loggedin']))
{
    echo("<center>Dude, youve already logged in,  <a href='acp.php'>Proceed to heaven</a></center>");
} 
if(isset($_POST['submit']))
{
   $name = mysql_real_escape_string($_POST['username']);
   $pass = mysql_real_escape_string($_POST['password']); 
   $mysql = mysql_query("SELECT * FROM users WHERE name = '{$name}' AND password = '{$pass}'"); 
   if(mysql_num_rows($mysql) < 1)
   {
     echo("<center>Password was an epic fail!</center>");
   } 
   $_SESSION['loggedin'] = "YES"; 
   $_SESSION['name'] = $name; 
   echo("<center>W00p we have success!   <a href='acp.php'>Proceed to heaven</a></center>"); 
}
echo "  <center><form action='adminlogin.php' method='post'>
&nbsp;
&nbsp;
&nbsp;
&nbsp;
  <table width='381' height='90' border='1' cellpadding='0' cellspacing='0'>
    <tr>
      <td height='22' colspan='2' align='center' bgcolor='#990033'>Admin Login</td>
    </tr>
    <tr>
      <td width='192' height='22'>Username</td>
      <td width='183'><input type='text' name='username' id='username' /></td>
    </tr>
    <tr>
      <td height='22'>Password</td>
      <td><input type='password' name='password' id='password' /></td>
    </tr>
    <tr>
      <td height='22' colspan='2' align='center'><input type='submit' name='submit' id='submit' value='Submit' /></td>
    </tr>
  </table>
</form></center>";

Anyone see what's wrong with it? It's logging out fine, just letting anyone in

All 2 Replies

I think you need an else on line 17 before you show him as logged in.

Yes, there is no condition for setting the session in your code.
So use else for setting the session values.

if(isset($_POST['submit']))
{
   $name = mysql_real_escape_string($_POST['username']);
   $pass = mysql_real_escape_string($_POST['password']); 
   $mysql = mysql_query("SELECT * FROM users WHERE name = '{$name}' AND password = '{$pass}'"); 
   if(mysql_num_rows($mysql) < 1)
   {
     echo("<center>Password was an epic fail!</center>");
   } 
   else
   {
     $_SESSION['loggedin'] = "YES";
     $_SESSION['name'] = $name;
     echo("<center>W00p we have success!   <a href='acp.php'>Proceed to heaven</a></center>");
   }
}
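
An added example, not part of the original thread or either reply: the same check written to fail closed, so every failure returns before any session value is set, using PDO prepared statements and password_verify() in place of the mysql_* functions (removed in PHP 7) and the plaintext password comparison in the WHERE clause. The attempt_login function, the password_hash column, the in-memory SQLite database and the sample account are assumptions constructed for illustration.

```php
<?php
// Added example: names, schema and the sample account are constructed.
// Dummy hash so an unknown username still costs one password_verify() call.
define('DUMMY_HASH', password_hash('not-a-real-password', PASSWORD_DEFAULT));

// Returns true and fills $session only when the credentials match.
// In a web request, pass $_SESSION after session_start().
function attempt_login(PDO $db, string $name, string $pass, array &$session): bool
{
    // Prepared statement: the username is bound, never spliced into the SQL.
    $stmt = $db->prepare('SELECT name, password_hash FROM users WHERE name = ?');
    $stmt->execute([$name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    $hash = $row ? $row['password_hash'] : DUMMY_HASH;
    if (!password_verify($pass, $hash) || !$row) {
        return false; // fail closed: every failure leaves here
    }

    // Success path only. A new session ID prevents reuse of a pre-login ID.
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
    }
    $session['loggedin'] = 'YES';
    $session['name'] = $row['name'];
    return true;
}

// Constructed in-memory database standing in for the users table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
$db->prepare('INSERT INTO users VALUES (?, ?)')
   ->execute(['admin', password_hash('correct horse', PASSWORD_DEFAULT)]);

$cases = [
    ['admin', 'correct horse'],  // valid credentials
    ['admin', 'wrong'],          // wrong password
    ['nobody', 'anything'],      // no such record: the case from the question
];
foreach ($cases as [$user, $pass]) {
    $session = [];
    $ok = attempt_login($db, $user, $pass, $session);
    printf("%-7s => %-7s session=%s\n", $user, $ok ? 'granted' : 'denied', json_encode($session));
}
```

Run it from the command line with the pdo_sqlite extension enabled; only the first case should leave anything in the session array.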