Hi
My mate has a website and she has found recently that every now and then a user complains saying they have logged into the site but it logs them into another user's account.
The script used is:
<?
require_once("conn.php");
$q1 = "SELECT * FROM members WHERE email='$email' AND password=SHA('$password') AND active =''";
$r1 = mysql_query($q1) or die(mysql_error());
if(mysql_num_rows($r1) == '1')
{
    //ok
    $a1 = mysql_fetch_array($r1);
    $_SESSION[id] = $a1[id];
    $_SESSION[email] = $a1[email];
    $_SESSION[username] = $a1[username];
    if(!empty($remember)){
        setcookie("copname", $_SESSION['username'], time()+60*60*24*300, "/");
        setcookie("coppass", $_SESSION['id'], time()+60*60*24*300, "/");
        $set='yes';
    }
    if($a1[proscore]==0){
        header("location:index.php?m=l&set=$set&ne=y");
    }else{
        header("location:$page?m=l&set=$set&ne=y");
    }
    exit();
}
else
{
    header("location:$page?m=n");
    exit();
}
Can anyone help with this issue please, I'd really appreciate it?
Cheers
PHP Session - Logging into wrong account
goldensparrow01
- Forum Newbie
- Posts: 2
- Joined: Mon Apr 18, 2011 1:39 pm
Re: PHP Session - Logging into wrong account
First of all, you are vulnerable to SQL injection.
Second, maybe the problem is not in the login script, but in the script after login (where you check who is the current user?)
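Added example (not part of the thread and not the site's own code): the login query from the first post rewritten with a PDO prepared statement, which addresses the SQL injection pointed out in the reply above. The connection details, the `find_member` helper, the use of `$_POST` and the fixed `index.php` redirect target are assumptions.

```php
<?php
// Added example: hardened form of the login check from the first post.
// Assumptions (not from the thread): the PDO connection details are
// placeholders; form fields arrive as $_POST['email'] / $_POST['password'].
session_start();

$pdo = new PDO(
    'mysql:host=localhost;dbname=EXAMPLE_DB;charset=utf8mb4', // placeholder DSN
    'EXAMPLE_USER',
    'EXAMPLE_PASS',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
     PDO::ATTR_EMULATE_PREPARES => false]
);

function find_member(PDO $pdo, string $email, string $password): ?array
{
    // Placeholders keep user input out of the SQL text, so a quote in
    // $email or $password cannot change the structure of the query.
    // SHA(?) matches the SHA() hashes the original query compares against.
    $stmt = $pdo->prepare(
        "SELECT id, email, username FROM members
          WHERE email = ? AND password = SHA(?) AND active = ''"
    );
    $stmt->execute([$email, $password]);
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);

    // Same rule as the original: exactly one matching row, otherwise fail.
    return count($rows) === 1 ? $rows[0] : null;
}

// Read the credentials explicitly from the request; reject non-string input.
$email    = is_string($_POST['email'] ?? null) ? $_POST['email'] : '';
$password = is_string($_POST['password'] ?? null) ? $_POST['password'] : '';

$member = find_member($pdo, $email, $password);
if ($member === null) {
    header('Location: index.php?m=n'); // fixed target instead of $page
    exit();
}

// Issue a fresh session id on login, then store the identity under quoted keys.
session_regenerate_id(true);
$_SESSION['id']       = (int) $member['id'];
$_SESSION['email']    = $member['email'];
$_SESSION['username'] = $member['username'];

header('Location: index.php?m=l');
exit();
```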
goldensparrow01
Re: PHP Session - Logging into wrong account
Thanks for quick reply.
I'll read up about SQL Injection.
Code for main page is:
Cheers
Code: Select all
<?
if(isset($_SESSION[id])){?>