I have a login page that works fine on my local site, where you supply a username and password and it logs you in. If you don't, it bounces you back to the login page with a "Login Failed" message. However, my live site lets you login with correct credentails AND with bogus ones. Like "Apple" for username and "moocows" for password will work even though they are NOT in the database. They cannot create characters either since they aren't really logged in, it just sets the cookie to their username and the queries trying to get the username come back with nothing or an error.
Everything works fine if you login with proper credentials but how do I stop erroneous logins that do nothing? Here is the code:
$query = "SELECT user, password FROM usersv2 WHERE user = '$login_name'";
$result = mysql_query($query) or die("Failure to get everything");
// $name = mysql_result($result,0,"user");
while ($row = mysql_fetch_array($result)) {
$name = $row['user'];
$password = $row['password'];
}
if(isset($password)) {
if ($password != "") {
if ($password == $login_password) {
$_SESSION['member'] = $name;
$cookie_life = time() + 31536000;
setcookie('username', $login_name, $cookie_life);
$cookie_life = time() - 31536000;
setcookie('character_name', 'blah', $cookie_life);
header ("Location: main.php");
}
else {
$_SESSION['login_failed'] = "true";
header ("Location: login.php");
}
}
}
else {
$_SESSION['login_failed'] = "true";
header ("Location: login.php");
}
P.S. Btw, another related problem I have is when people login with the wrong capitalization on my site, it does the same thing as if they had logged in with erroneous credentials, which is wrong, it should have the "login failed" message just like my local server does correctly.
