0
I have a script that checks usernames and passwords and it works fine when i put in a username and password ,but  when the form is empty and i submit it ,it still login the person.

I made some changes to the script,its still not working.Any help.
<?
session_start();
//session_destroy();


ob_start();
$host="localhost"; // Host name
$username="root"; // Mysql username
$password=""; // Mysql password
$db_name="msl"; // Database name
$tbl_name="signedup"; // Table name

// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("You are not authorized to use this system.");
mysql_select_db("$db_name")or die("You are not authorized to use this system. Contact the administrator");

// Define $myusername and $mypassword
$username=$_POST['username'];
//$username=trim(username)
$password=$_POST['password'];
//$password=trim(password)
$password = sha1(password);

// To protect MySQL injection (more detail about MySQL injection)
$username = stripslashes($username);
$password = stripslashes($password);
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);

$sql="SELECT * FROM $tbl_name WHERE username='$username' and password='$password'";
				
				$result=mysql_query($sql);
$qry_num = 0;
$qry_result = mysql_QUERY($sql);  //select query\
$qry_num = mysql_numrows($qry_result);
$i = 0;

while($i < $qry_num) 
							 
					{
	$_SESSION['myid'] = mysql_result($qry_result,$i,"id");
	$_SESSION['permission'] = mysql_result($qry_result,$i,"permission");
	$_SESSION['block'] = mysql_result($qry_result,$i,"block");
					$i++;
					}


		
// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $username and $password, table row must be 1 row

if($count==1 && $_SESSION['block']== YES)

{header("location: indexwarn.php");}

//if 1 is not == '' go to indexwarn.php
if('' != 1)

{header("location: indexwarn.php");}

else {
// Register $username, $password and redirect to file "login_success.php"
session_register("username");
session_register("password");
header("location: admin/mxz/index.php");
	}

ob_end_flush();
?>

Edited by accra: n/a

2
Contributors
1
Reply
2
Views
5 Years
Discussion Span
Last Post by diafol
0

session_register is deprecated
you strip $_POST before checking if magic quotes are active.
mysql_QUERY($sql) should be mysql_query($sql)
mysql_numrows(...) should be mysql_num_rows(...)
mysql_result() should be avoided if possible [http://php.net/manual/en/function.mysql-result.php]

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.