NEED HELP - User Login - PHPBuilder Forums

NEED HELP - User Login

C__Casey

I'm willing to pay someone to make this code work...$25 via PayPal for the first programmer who can make this work...I think this shouldn't take an experienced programmer more than 5 minutes to figure out...I'm frustrated...Also please leave your email address so I can pay you...

I have a database with users I have username, password and Credits fields...I need to limit the number of times a user can login to the member area to 5. I have most the code here I'm frustrated because I don't know why its working. Here is my code:

<?php require_once('Connections/xxx.php'); ?>
<?php
// *** Validate request to login to this site.
session_start();

$loginFormAction = $_SERVER['PHP_SELF'];
if (isset($accesscheck)) {
  $GLOBALS['PrevUrl'] = $accesscheck;
  session_register('PrevUrl');
}

if (isset($_POST['username'])) {
  $loginUsername=$_POST['username'];
  $password=$_POST['password'];
  $MM_fldUserAuthorization = "";
  $MM_redirectLoginSuccess = "http://www.yahoo.com";
  $MM_redirectLoginFailed = "http://xxx.com/login.php";
  $MM_redirecttoReferrer = false;
  mysql_select_db($database_Users, $Users);

  $LoginRS__query=sprintf("SELECT username, password FROM users WHERE username='%s' AND password='%s'",
    get_magic_quotes_gpc() ? $loginUsername : addslashes($loginUsername), get_magic_quotes_gpc() ? $password : addslashes($password)); 

  $LoginRS = mysql_query($LoginRS__query, $Users) or die(mysql_error());
  $loginFoundUser = mysql_num_rows($LoginRS);
  if ($loginFoundUser) {
     $loginStrGroup = "";

$query = "SELECT Credits FROM users WHERE username= $loginUsername";
	$resultsc = mysql_query($query,$Users) or die(mysql_error()); 

if (!$resultc) { 
  echo '(No Credits found.)'; 
} 
else { 
  $row = mysql_fetch_row($resultc);
  $credits = $row[0];
  //if $credits is already over 5, just give output
  if ($credits > 5) { 
    echo "Your number of credits have exceeded the amount allowed"; 
    } 
    // if $credits is < 5, add 1 to $credits and update the db
    else {
      $credits++; 
      $sql = "Update users set Credits= " . $credits . " where username=" .$loginUsername;
      mysql_query($query);
    }
}

//declare two session variables and assign them
$GLOBALS['MM_Username'] = $loginUsername;
$GLOBALS['MM_UserGroup'] = $loginStrGroup;	      

//register the session variables
session_register("MM_Username");
session_register("MM_UserGroup");

if (isset($_SESSION['PrevUrl']) && false) {
  $MM_redirectLoginSuccess = $_SESSION['PrevUrl'];	
}
  header("Location: " . $MM_redirectLoginSuccess );
  }
  else {
  header("Location: ". $MM_redirectLoginFailed );
  }
}
?>

The error message I keep getting after I try to login is

"Unknown column 'test2' in 'where clause'

***It should be noted 'test2' is a username in the database...i used this username to login on the login form

Bloodwine

not sure if it fixes your problem, but I would change:

$query = "SELECT Credits FROM users WHERE username= $loginUsername";

$query = "SELECT Credits FROM users WHERE username='$loginUsername'";

to avoid SQL injection attacks

I would say this might be your problem, but "test2" doesn't have any characters in them that needed to be escaped

EDIT: wait a tick, that might be the problem ... the whitespace between your equals and $loginUsername

The SQL query was resolving to "username= test2" ... probably thought test2 was a field rather than the value for username