PHP Session - Logging into wrong account

goldensparrow01
Forum Newbie
Posts: 2
Joined: Mon Apr 18, 2011 1:39 pm

PHP Session - Logging into wrong account

Post by goldensparrow01 »

Hi

My mate has a website and she has found recently that every now and then a user complains saying they have logged into the site but it logs them into another user's account.

The script used is:

<?php
require_once("conn.php");

// NB: $email, $password, $remember and $page are not defined anywhere in this snippet.
$q1 = "SELECT * FROM members WHERE email='$email' AND password=SHA('$password') AND active =''";
$r1 = mysql_query($q1) or die(mysql_error());

$set = '';

if (mysql_num_rows($r1) == 1) {
    // ok: exactly one matching member
    $a1 = mysql_fetch_array($r1);

    $_SESSION['id']       = $a1['id'];
    $_SESSION['email']    = $a1['email'];
    $_SESSION['username'] = $a1['username'];

    if (!empty($remember)) {
        // "remember me" cookies, valid for 300 days
        setcookie("copname", $_SESSION['username'], time()+60*60*24*300, "/");
        setcookie("coppass", $_SESSION['id'], time()+60*60*24*300, "/");

        $set = 'yes';
    }

    if ($a1['proscore'] == 0) {
        header("location:index.php?m=l&set=$set&ne=y");
    } else {
        header("location:$page?m=l&set=$set&ne=y");
    }
    exit();
} else {
    header("location:$page?m=n");
    exit();
}

Can anyone help with this issue please? I'd really appreciate it.

Cheers
Darhazer
DevNet Resident
Posts: 1011
Joined: Thu May 14, 2009 3:00 pm
Location: HellCity, Bulgaria

Re: PHP Session - Logging into wrong account

Post by Darhazer »

First of all, you are vulnerable to SQL injection.
Second, maybe the problem is not in the login script, but in the script after login (where you check who the current user is)?
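Added example (not code from either poster): a rewrite of the login script above using mysqli prepared statements, the usual fix for the SQL injection Darhazer mentions. It keeps the thread's table and column names (members, id, email, password, username, active, proscore) but assumes conn.php provides a mysqli connection in $conn, that a remember_token column exists, and a members.php landing page; all three are assumptions, not something the thread states.

```php
<?php
// Added example: hardened version of the thread's login script (not the poster's code).
// Assumes conn.php creates a mysqli connection in $conn and that members has a
// remember_token column; both are assumptions, not something the thread states.
session_start();
require_once "conn.php";
// Read the form fields explicitly instead of relying on register_globals.
$email    = $_POST['email'] ?? '';
$password = $_POST['password'] ?? '';
$remember = !empty($_POST['remember']);
$page     = 'members.php'; // assumed landing page; never take a redirect target unvalidated from the request

// Bound parameters keep the input out of the SQL text, so quotes in $email or
// $password cannot change the query. SHA1() matches the thread's SHA() hashes.
$stmt = $conn->prepare(
    "SELECT id, email, username, proscore FROM members
     WHERE email = ? AND password = SHA1(?) AND active = ''"
);
$stmt->bind_param('ss', $email, $password);
$stmt->execute();
$user = $stmt->get_result()->fetch_assoc(); // get_result() needs the mysqlnd driver
$stmt->close();

if ($user === null) {
    header("Location: $page?m=n");
    exit();
}

// New session id on every successful login: the id the browser carried before
// authenticating is discarded rather than promoted to a logged-in session.
session_regenerate_id(true);
$_SESSION['id']       = (int) $user['id'];
$_SESSION['email']    = $user['email'];
$_SESSION['username'] = $user['username'];

$set = '';
if ($remember) {
    // Store a random token, not the user id: a cookie holding a plain id is easily
    // forged. The server looks the token up to find the member on the next visit.
    $token = bin2hex(random_bytes(32));
    $upd = $conn->prepare("UPDATE members SET remember_token = ? WHERE id = ?");
    $upd->bind_param('si', $token, $user['id']);
    $upd->execute();
    $upd->close();
    setcookie('remember', $token, time() + 60*60*24*300, '/', '', true, true); // Secure + HttpOnly
    $set = 'yes';
}

$target = ((int) $user['proscore'] === 0) ? 'index.php' : $page;
header("Location: $target?m=l&set=$set&ne=y");
exit();
```

SHA1(?) is kept only to match the existing hashes; once the stored hashes can be migrated, password_hash() and password_verify() are the stronger choice.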
goldensparrow01
Forum Newbie
Posts: 2
Joined: Mon Apr 18, 2011 1:39 pm

Re: PHP Session - Logging into wrong account

Post by goldensparrow01 »

Thanks for the quick reply.

I'll read up about SQL Injection.

Code for main page is:

<?php
if (isset($_SESSION['id'])) { ?>
Cheers