I am having a small issue with the following: even when I type in the correct information, it still redirects me to the error page.
Can you see any issues?
<?php
$login = "SELECT * FROM tbl_user_account WHERE user_account_username = '".$username."' AND user_account_password = '".$password."'";
$result = mysql_query($login);
if (!$result)
{
    header('Location: login.php?error=1');
}
else
{
    $sqlupdate = "UPDATE tbl_user_account SET user_account_last_login = '".$now."', user_account_last_login_ip = '".$ip."' WHERE user_account_username ='".$username."' AND user_account_password = '".$password."'";
    setcookie("logincookie", $username, time()+3600);
    header('Location: profile.php');
}
mysql_free_result($result);
?>

Hi Russell,
If you're not previously sanitising $username and $password, you should always use mysql_escape_string() around any variables that you are using to construct an SQL statement. With these in place, I would then add some debug code to print out the SQL that is being generated as well as the MySQL error message, for example:
<?php
$login = "SELECT * FROM tbl_user_account WHERE user_account_username = '".mysql_escape_string($username)."' AND user_account_password = '".mysql_escape_string($password)."'";
// Print the generated SQL so it can be checked by hand
print $login;
$result = mysql_query($login);
// Show the MySQL error message if the query itself failed
if (!$result) print mysql_error();
?>
The error message will normally indicate the problem; or, if there is no error (indicating that no rows were found matching the WHERE clause), use the SQL that is printed out to double-check for, and create if necessary, a row in tbl_user_account containing the appropriate values...
Hope this helps!
Cheers,
David.
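
An added example, not code from this thread: the same login check written with bound parameters, returning separate results for "query failed" and "no matching row", the two cases the reply above distinguishes. It assumes PDO with the SQLite driver so it runs offline, a constructed sample row, a hypothetical check_login() helper, and a password column that stores a password_hash() value instead of the plaintext compared in the original query.

```php
<?php
// Added example, not the thread's code. Assumes PDO with the SQLite driver so it
// runs offline; table/column names follow the thread, the sample row is constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE tbl_user_account (
    user_account_username TEXT PRIMARY KEY,
    user_account_password TEXT,
    user_account_last_login TEXT,
    user_account_last_login_ip TEXT)");
// Assumption: the password column holds a password_hash() value, not plaintext.
$seed = $db->prepare("INSERT INTO tbl_user_account
    (user_account_username, user_account_password) VALUES (?, ?)");
$seed->execute(['russell', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Hypothetical helper: returns 'ok', 'no_match' or 'query_error' so the caller
// can tell a failed query apart from a query that simply matched no row.
function check_login(PDO $db, string $username, string $password, string $ip): string
{
    try {
        // Placeholders keep user input out of the SQL text entirely.
        $stmt = $db->prepare("SELECT user_account_password FROM tbl_user_account
            WHERE user_account_username = ?");
        $stmt->execute([$username]);
        $hash = $stmt->fetchColumn();   // false when no row matched

        if ($hash === false || !password_verify($password, $hash)) {
            return 'no_match';
        }
        $upd = $db->prepare("UPDATE tbl_user_account
            SET user_account_last_login = ?, user_account_last_login_ip = ?
            WHERE user_account_username = ?");
        $upd->execute([date('Y-m-d H:i:s'), $ip, $username]);
        return 'ok';
    } catch (PDOException $e) {
        error_log($e->getMessage());    // log the detail, do not show it to the user
        return 'query_error';
    }
}

// Constructed inputs: a valid login, a wrong password, and a username with a quote
// (which would break the concatenated SQL but is harmless as a bound parameter).
foreach ([['russell', 'correct horse'], ['russell', 'wrong'], ["o'brien", 'x']] as [$u, $p]) {
    printf("%-16s => %s\n", $u, check_login($db, $u, $p, '192.0.2.10'));
}
```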