Jake, given that I can't see what is in config.php or time.php, I'll focus on your index.php. I assume that the issues I point out will be applicable to config and time also.

This:

<?

should be:

<?php
include("config.php");
include("time.php");

Assuming that $SuBmIt and inout and username and password all come from your log in form, it should read something like:

<START>
$error = array(); // initialise so count($error) below is always valid
if ($_POST["SuBmIt"]) {
    // make sure posted variables are clean and are the kind you expect
    if ($_POST["inout"] != "") {
        // add other validation here
    } else {
        $error[] = "inout not set";
    }
    if ($_POST["username"] != "") {
        // add other validation here
    } else {
        $error[] = "username not entered";
    }
    if ($_POST["password"] != "") {
        // add other validation here
    } else {
        $error[] = "password not entered";
    }
    if (count($error) == 0) {
        $sql = "SELECT * FROM `users` WHERE `uname` LIKE '%". $_POST["username"] ."%'";
        // insert code to strip out < and > signs and ;
        // like this:
        $sql = str_replace("<","",$sql);
        $sql = str_replace(">","",$sql);
        $sql = str_replace(";","",$sql);
        // when we know that $sql is clean do the query
        $result = mysql_query($sql);
        $row = mysql_fetch_array($result);
</END>

The preceding should do roughly the same as your following code. Note the sql query should not use LIKE (which you're using) and you should use both the username and the password, so something like this would be better:

$sql = "SELECT * FROM `users` WHERE (`uname` = '". $_POST["username"] ."') AND (`password` = '". md5($_POST["password"]) ."')";

You are encrypting your password, correct?

<START>
if (($SuBmIt) && ($inout) && ($username) && ($password)) {
    $result = mysql_query("SELECT * FROM `users` WHERE `uname` LIKE '$username'");
    $row = mysql_fetch_array($result);
</END>

This should get you firmly on the road.

NOTE: I have not run the above code, so it might work, and it might not. Either way it's on you to sort out.

Hope this is helpful,
chris

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
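
Added example, not part of the original message: the queries above place $_POST values directly inside the SQL string, and removing <, > and ; leaves single quotes in place, so the sketch below shows the same login check with the username passed as a bound parameter and the password compared against a salted hash. It swaps in PDO prepared statements and password_hash()/password_verify() for the mysql_query() and md5() calls in the message. The `users` table with `uname` and `password` columns comes from the message; the in-memory SQLite database, the sample account, the sample submissions and the check_login() helper are assumptions constructed for illustration.

```php
<?php
// Added example: parameterized login lookup. The `users` table and its
// `uname`/`password` columns follow the message above; the in-memory SQLite
// database, the sample account and check_login() are constructed here.

function check_login(PDO $db, array $post): array
{
    $errors = [];
    foreach (['inout', 'username', 'password'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field]) || $post[$field] === '') {
            $errors[] = "$field not entered";
        }
    }
    if ($errors) {
        return [false, $errors];
    }

    // Exact match on uname; the value is bound, never concatenated into SQL.
    $stmt = $db->prepare('SELECT uname, password FROM users WHERE uname = ?');
    $stmt->execute([$post['username']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() checks the stored salted hash in a timing-safe way.
    if ($row === false || !password_verify($post['password'], $row['password'])) {
        return [false, ['bad username or password']];
    }
    return [true, []];
}

// Constructed stand-in for the real database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (uname TEXT PRIMARY KEY, password TEXT NOT NULL)');
$db->prepare('INSERT INTO users VALUES (?, ?)')
   ->execute(['jake', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Constructed sample submissions: a valid login, a wrong password, a username
// containing quote characters (treated purely as data), and empty fields.
$samples = [
    ['inout' => 'in', 'username' => 'jake', 'password' => 'correct horse'],
    ['inout' => 'in', 'username' => 'jake', 'password' => 'wrong'],
    ['inout' => 'in', 'username' => "jake' OR '1'='1", 'password' => 'x'],
    ['inout' => 'in', 'username' => '', 'password' => ''],
];
foreach ($samples as $post) {
    [$ok, $errors] = check_login($db, $post);
    echo json_encode($post['username']), ' => ', $ok ? 'accepted' : 'rejected: ' . implode(', ', $errors), "\n";
}
```

Only the first submission is accepted; the quoted username is looked up literally, matches no row, and is rejected with the same message as a wrong password.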