-2

I'm a newcomer to PHP and am trying to do a login/session for a user. I keep getting errors. Any help would be greatly appreciated.

   <?php session_start();     
  include('./config.php');
  $email=$_POST['email'];
  $email=htmlspecialchars($email);
  $Password=$_POST['password'];
  $Password=htmlspecialchars($Password);
  $ip=$_SERVER['REMOTE_ADDR'];
  $result = mysql_query("SELECT * FROM member WHERE email='$email' AND password='$Password'") or trigger_error(mysql_error());
  $count = mysql_num_rows($result);
  while($row = mysql_fetch_array($result)){
$logfirstname=$row['firstname'];
$loglastname=$row['lastname'];
$logid=$row['id'];
$logemail=$row['email'];
$logphone=$row['phone'];
$logbiz=$row['biz_id'];
$logdate=$row['date_joined'];
$logaddress=$row['address'];
$logsponsored=$row['sponsored'];
  }
 if ($count>0){
$_SESSION['auth']=1;
$_SESSION['id']=$logid;
$_SESSION['biz']=$logbiz;
$_SESSION['name']=$logfirstname." ".$loglastname;
$sess=$logfirstname." ".$loglastname;
if ($logsponsored === "1") { $_SESSION['sponsored']=1;}
mysql_query($result);
mysql_close();
session_regenerate_id();
$sid=session_id();

 include('./config.php');   
$loginr=mysql_query("INSERT INTO login (sessionid, memberid, username, IPAddr,    LogInTime, Status, name)
VALUES ('$sid', '$logid', '$email', '$ip', NOW(), 'On', '$sess')");
mysql_query($loginr);
mysql_close();

  header("Location: controlpanel.php");
   exit();
  }else{
  header('Location: login.php?fail=1');
  exit();
  }

 ?>
the_
  • 7
    Learn the magic of indentation please. And if you need help with a problem it MIGHT help if you let us know WHAT the problem is .. – Naatan Jan 16 '11 at 04:23
  • 4
    And the error message is? Should we guess? When you go to the doctor and tell him you're not feeling well, you expect him to just pull a magical potion out of his bag that'll fix whatever's ailing you, without knowing anything about what the ailment really is? – Marc B Jan 16 '11 at 04:23
  • Would advise against writing a login system yourself because you are a newbie. See my post below. – Alfred Jan 16 '11 at 05:38

2 Answers

4

1 - $email=htmlspecialchars($email);

This is not how you sanitize text for SQL queries. This will somewhat prevent XSS attacks, but does NOTHING for SQL injection. Use mysql_real_escape_string() instead.

2 - while($row = mysql_fetch_array($result)){

Presumably only a single row would be returned, so there's no point in doing this within a loop. Just fetch a single row WITHOUT the while loop.

3 - if ($count>0){

Wouldn't it be smarter to do this BEFORE you try to retrieve a row? You can do the entirety of the fetching/session populating within this if() instead.

4 - mysql_query($result);

At the point you execute this, $result is either boolean FALSE (the original query call failed) or a MySQL query result statement handle. It is NOT a query string, so your query call will fail.

5 - mysql_query($loginr);

See #4 - $loginr is either "false", or a statement handle. Why do the query twice?

Marc B
  • Hey thanks for helping with this... I know it was a sucky question sorry about that...I should have given the errors I got...Anyways I did what you said and it worked. Thanks! – the_ Jan 16 '11 at 05:11
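
Marc B's five points applied to the question's login flow, as an added example that is not part of either post. It goes beyond the answer in two ways: PDO prepared statements replace mysql_real_escape_string() (the mysql_* functions were removed in PHP 7), and the password is checked with password_verify() against a password_hash() value instead of being compared in SQL. The in-memory SQLite database, the sample member row and the function names are assumptions.

```php
<?php
// Added example, not the asker's or answerer's code. Assumptions: PDO with an
// in-memory SQLite database standing in for MySQL, and a constructed member row
// whose password column holds a password_hash() value.

function make_demo_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE member (id INTEGER PRIMARY KEY, firstname TEXT, lastname TEXT,
               email TEXT UNIQUE, password TEXT, biz_id INTEGER, sponsored TEXT)');
    $db->exec('CREATE TABLE login (sessionid TEXT, memberid INTEGER, username TEXT,
               IPAddr TEXT, LogInTime TEXT, Status TEXT, name TEXT)');
    $ins = $db->prepare('INSERT INTO member (firstname, lastname, email, password, biz_id, sponsored)
                         VALUES (?, ?, ?, ?, ?, ?)');
    $ins->execute(['Ada', 'Example', 'ada@example.com',
                   password_hash('correct horse', PASSWORD_DEFAULT), 7, '1']);
    return $db;
}

// Returns the member row on success, or null. Input reaches SQL only as a bound parameter.
function authenticate(PDO $db, string $email, string $password): ?array {
    $stmt = $db->prepare('SELECT * FROM member WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);          // single row, no while loop
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;                                // nothing is read from a failed lookup
    }
    return $row;
}

// Records the login once; in a real page $sid is session_id() after session_regenerate_id(true).
function record_login(PDO $db, array $row, string $sid, string $ip): void {
    $name = $row['firstname'] . ' ' . $row['lastname'];
    $db->prepare('INSERT INTO login (sessionid, memberid, username, IPAddr, LogInTime, Status, name)
                  VALUES (?, ?, ?, ?, ?, ?, ?)')
       ->execute([$sid, $row['id'], $row['email'], $ip, date('Y-m-d H:i:s'), 'On', $name]);
}

$db = make_demo_db();
// Constructed inputs: a valid login, a wrong password, and quote-bearing input (point 1).
$attempts = [['ada@example.com', 'correct horse'], ['ada@example.com', 'wrong'], ["' OR '1'='1", "' OR '1'='1"]];
foreach ($attempts as [$email, $password]) {
    $row = authenticate($db, $email, $password);
    if ($row !== null) {
        record_login($db, $row, bin2hex(random_bytes(16)), '203.0.113.5');
    }
    printf("%-18s => %s\n", $email, $row !== null ? 'login ok, member id ' . $row['id'] : 'rejected');
}
printf("login rows written: %d\n", $db->query('SELECT COUNT(*) FROM login')->fetchColumn());
```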
1

As you mentioned you are a newbie and I would strongly encourage you against writing your own login/authentication system in PHP because too many things can go wrong (security breach). I would advise you to use lightopenid which is very easy to use instead.

Community
Alfred