[Resolved] faulty if statement??

helz

right, ive got a login page that throws the username into a session variable, i have another script called ismember.php that other scripts include into them to double check the a certified user is logged on, this script looks sound.
i added an extra if statement to check whether the username is something or nothing (using the !== thing) even when the username is nothing it still puts the flag to 1 to say this user is logged in, when they dont even have a username and password in the session variable... wierd no? heres the code:

require ("".$DOCUMENT_ROOT."/cgi-bin/connect.php");
$username = $_SESSION['user_name'];
$password = $_SESSION['pass_word'];
if (($username!=="") && ($password!=="")) {
	$result = mysql_query("SELECT username, password FROM ".$membertable." WHERE username = '".$username."' AND password = '".$password."' ");
		if (!$result) {$flag=0;} // if flag = 0 user not logged on
		else {$flag=1;} // if flag = 1 user is logged on...
} elseif (($username=="") && ($password=="")) {$flag=0;}
else {$flag=0;}

sarahk

if (($username!=="") && ($password!==""))

should be

if (($username!="") && ($password!=""))

if (!empty($username) && !empty($password))

however I'd make some other changes too

//$flag is set to 0 by default, only changes if validated.
$flag = 0;
// if your passwords aren't encrypted using md5() 
//then you should use urlencode to prevent hacking.
$password = urlencode($password);
if (!empty($username) && !empty($password)) 
{ 
  $sql = "SELECT `username`, `password` FROM `{$membertable}` WHERE `username` = '{$username}' AND password = '{$password}' ";
    $result = mysql_query( $sql); 
    if ($result) $flag=1; // if flag = 1 user is logged on... 
}

refs:
http://nz2.php.net/urlencode
http://www.php.net/md5

helz

well that works fine diddly dandy

thanks alot!!

ive always been looking for a better way to check if a variable is empty or not, and you just helped me with that!!

thanks again 😃