They could be guessing people's passwords, although that seems a bit unlikely. =/
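// User is logging in from index.php or login.php
//
// NOTE(review): two security problems are left in place because fixing them
// needs changes outside this snippet (registration page, stored hashes, and
// whatever reads the cookies on later requests):
//  - passwords are stored and compared as unsalted md5(); password_hash() /
//    password_verify() should replace it once the stored hashes are migrated.
//  - the "userpass" cookie is md5(username . id), which anyone who knows a
//    username and its numeric id can reproduce, so code that trusts it is not
//    really authenticating. A random per-login token (random_bytes) kept
//    server-side is the usual replacement.
// What IS changed here: undefined-index reads on $_POST, the "userid" typo,
// the setcookie() expiry bug, the plaintext password cookie, and the missing
// exit after the redirects.
if (isset($_POST['action']) && $_POST['action'] === "loggingin") {
    $rawUsername = isset($_POST['username']) ? $_POST['username'] : '';
    $rawPassword = isset($_POST['password']) ? $_POST['password'] : '';

    // strip_tags() also runs on the password, so a password containing '<' is
    // silently altered before hashing; kept because the registration page
    // presumably hashed it the same way (verify before changing).
    $uname = strtolower(mysql_real_escape_string(strip_tags($rawUsername)));
    $password = md5(mysql_real_escape_string(strip_tags($rawPassword)));

    $result = mysql_query("SELECT id FROM users WHERE username = '$uname' AND password = '$password'");
    // mysql_query() returns false on a failed query; mysql_num_rows(false)
    // only emits a warning and returns false, so guard it explicitly.
    $affected_rows = ($result !== false) ? mysql_num_rows($result) : 0;
    if ($affected_rows == 1) {
        $result = mysql_query("SELECT id, activated, username AS uuname FROM users where username = '$uname'", $sqlconnect);
        if ($result !== false && ($myrow = mysql_fetch_assoc($result))) {
            if ($myrow['activated'] !== "y") {
                die("You have not yet activated your account. Please click on the activation link that was sent to your email when you signed up");
            }

            // Session cookies, identical for both branches below. The query
            // above selects "id", not "userid": the original read
            // $myrow['userid'] and therefore always set an empty "id" cookie.
            $userpass = md5($myrow['uuname'] . $myrow['id']);
            setcookie("id", $myrow['id']);
            setcookie("username", $myrow['uuname']);
            setcookie("userpass", $userpass);

            $oneYear = 31536000;
            if (isset($_POST['rememberme']) && $_POST['rememberme'] === "true") {
                // setcookie()'s third argument is an absolute Unix timestamp.
                // Passing 31536000 on its own dated the cookie to early 1971,
                // so the browser discarded it immediately; it must be relative
                // to time().
                setcookie("username2", $myrow['uuname'], time() + $oneYear);
            } else {
                setcookie("username2", "", time() - 1);
            }
            // The plaintext password used to be written to a "userpass2"
            // cookie here (and, because of the expiry bug above, never actually
            // persisted). It is no longer set: a remember-me feature has to use
            // a random server-side token, never the password itself. The
            // cookie is cleared in both branches so stale copies go away.
            setcookie("userpass2", "", time() - 1);

            // Conditionally declared, as in the original, so that including
            // this file twice does not raise a redeclaration error elsewhere.
            // Equivalent to microtime(true) on PHP >= 5.0.
            function microtime_float()
            {
                list($usec, $sec) = explode(" ", microtime());
                return ((float)$usec + (float)$sec);
            }

            $time_start = microtime_float();
            mysql_query("UPDATE users SET lastactive = '$time_start' WHERE username = '$uname'");

            $date = date("F jS");
            $date2 = date("g:i A");
            $date3 = "$date at $date2";
            mysql_query("UPDATE users SET lastlogin = '$date3' WHERE username = '$uname'");

            // urlencode() keeps plain names unchanged and stops names with
            // spaces or reserved characters from producing a malformed URL.
            // exit so the rest of the page is not rendered after the redirect.
            header("Location: showme.php?u=" . urlencode($uname));
            exit;
        } else {
            echo "Sorry, no records were found! perhaps you have not yet <a href=\"index.php\">registered</a>.";
        }
    } else {
        // Failed login: forget any remembered values. The original passed
        // 31536000 here, which (being a 1971 timestamp) happened to delete the
        // cookies; time() - 1 states that intent explicitly and matches the
        // clearing branch above.
        setcookie("username2", "", time() - 1);
        setcookie("userpass2", "", time() - 1);
        header("Location: login.php?login=error");
        exit;
    }
}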