Reply to Re: password() and select statement

Posted by Alvaro G. Vicario on 07/24/06 19:32

*** chsadaki@hotmail.com wrote (24 Jul 2006 06:45:12 -0700):
> $user = $_POST[username];
> $pass = $_POST[password];

Unquoted strings are constants that you must define this way:

define('foo', 'bar');
echo foo; // prints bar

You probably mean:

$user = $_POST['username'];
$pass = $_POST['password'];

> $q = mysql_query("SELECT * FROM admin WHERE username = '$user' and
> password =PASSWORD('$pass')");

I suggest you read this article about SQL Injection:

http://en.wikipedia.org/wiki/SQL_Injection


> if(mysql_num_rows($q)==0){
> echo "Acces denied. User not allowed to connect.";
> mysql_close();
> }

You're retrieving all the row data when all you need is knowing whether the
record exists. It's not good programming practice and, believe me, it's far
easier to learn the right way from the beginning than changing your habits
afterwards. I suggest you either get the primary key.

> else
> {
> echo
> "<script>window.location.replace('administrator2.php')</script>";
> }

I presume you're aware of the fact that you must also protect
"administrator2.php" or anyone will be able to bypass the login screen.

> so if any body has an idea about this problem please tell me about it.

The first test you must do is printing all strings on screen:

echo '<pre>';
var_dump($_POST);
var_dump($q);
echo '</pre>';

If the SQL query looks OK, paste it into your favourite MySQL front end and
check whether it returns the expected result.

Also, check whether mysql_query() returned a result resource or FALSE; don't
use the value blindly.


--
-+ http://alvaro.es - Álvaro G. Vicario - Burgos, Spain
++ My site about web programming: http://bits.demogracia.com
+- My humour site, with UV rays: http://www.demogracia.com
--
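The login check from the quoted post, rewritten the way the reply recommends (quoted array keys, no SELECT *, a checked query result, and the admin page protected by a session), as an added example that is not part of the thread. It uses PDO prepared statements and password_hash()/password_verify() in place of mysql_query() and MySQL's PASSWORD(); the DSN, credentials, and the "admin" table's "id", "username" and "password_hash" columns are assumptions.

```php
<?php
// Added example (not from the thread): hardened version of the quoted login check.
// DSN, credentials, and the admin(id, username, password_hash) columns are assumed.
session_start();

// Quoted keys: $_POST[username] would be a bare constant, not the string 'username'.
$user = isset($_POST['username']) ? (string) $_POST['username'] : '';
$pass = isset($_POST['password']) ? (string) $_POST['password'] : '';

$pdo = new PDO('mysql:host=localhost;dbname=example;charset=utf8mb4', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // failures throw instead of returning FALSE
    PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepared statements
]);

// Fetch only the primary key and the stored hash, not every column.
// The username is a bound parameter, so quotes inside it cannot change the SQL.
$stmt = $pdo->prepare('SELECT id, password_hash FROM admin WHERE username = ? LIMIT 1');
$stmt->execute([$user]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// The password is verified in PHP against a password_hash() value
// (this replaces the MySQL PASSWORD() call from the original query).
if ($row === false || !password_verify($pass, $row['password_hash'])) {
    echo 'Access denied. User not allowed to connect.';
    exit;
}

// Mark the session as authenticated and redirect with a real HTTP header,
// not a <script> that the client is free to ignore.
session_regenerate_id(true);
$_SESSION['admin_id'] = (int) $row['id'];
header('Location: administrator2.php');
exit;

// administrator2.php itself must start with the same check, e.g.:
//   session_start();
//   if (empty($_SESSION['admin_id'])) { header('Location: login.php'); exit; }
// otherwise the login page protects nothing.
```

The stored hash is produced once with `password_hash($plaintext, PASSWORD_DEFAULT)` when the admin account is created.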
