Simple login

PHP
1

Hey, i want a simple (but reasonable safe) login script…im not protecting the crown jewels or anything…

From the form, i have process.php using:

<?
session_start();

$server = " ";
$username = " ";
$password = " ";
$db_name = " ";
$username2 = mysql_real_escape_string($_POST['username']);
$password2 = mysql_real_escape_string($_POST['password']);
$db = mysql_connect($server,$username,$password) or DIE("Connection to database failed");
mysql_select_db($db_name) or DIE("Database not known");
$login = mysql_query("SELECT * FROM user_md5 WHERE username = '{$username2}' AND password = MD5('{$password2}')");
$rowcount = mysql_num_rows($login);
if ($rowcount == 1) {
$_SESSION['username2'] = $username2;
header("Location: ok.php");
}
else
{
header("Location: login.php");
}
?>

…however i keep getting redirected to login.php…whats the obvious blunder!?

many thanks

2

Feel free to adapt as necessary. :slight_smile:


<?php
#default location
$location = 'http://www.example.com/login.php';

if(false === empty($_POST['username']) && false === empty($_POST['password'])){
    #build sql
    $sql = sprintf(
        "SELECT id FROM user WHERE username = '&#37;s' AND password = MD5('%s') LIMIT 1",
        mysql_real_escape_string($_POST['username']),
        mysql_real_escape_string($_POST['password'])
    );
    #execute sql
    $result = mysql_query($sql);
    #if user record found
    if(1 === mysql_num_rows($result)){
        #get user info
        $user = mysql_fetch_assoc($result);
        #store user info
        session_start();
        $_SESSION['user_id'] = $user['id'];
        #set new location
        $location = 'http://www.example.com/ok.php';
    }
}
#send user to location
header(sprintf('Location: %s', $location));
exit;
?>