This changed code gets the user's details from the database.
- You forgot to connect to the database.
- When you created the encrypted password, you used an undefined constant 'SALT'.
- You did not create the table?
- Your form's action sends the data to another file, but you check the posted values in login.php.
- Have a look at how the cookies are used.
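<?php
/*
 * Login page: shows the login form, or checks the posted credentials against
 * the `users` table and sets the login cookies on success.
 *
 * SITE_PATH and $theme are not defined in this file; they are presumably
 * provided by the including page or a config file (confirm).
 */

// Start buffering before any markup is emitted, so the header() redirects
// below still work even though this page prints HTML.
ob_start();

// NOTE(review): the "uId" cookie is sent by the browser and can be set to any
// value by the client. Here it only decides whether to show the login page;
// pages that protect data must not treat its mere presence as proof of identity.
if (!empty($_COOKIE["uId"])) {
    //If they are logged in, they don't need to be here
    header("Location: " . SITE_PATH . "/index.php");
    exit; // without this the form / login logic below would still run
}
// NOTE(review): $theme is echoed into an HTML attribute unescaped; escape it
// with htmlspecialchars() if it can ever come from user input (its source is
// not visible here).
?>
<BR><STRONG><img src="theme/<?php echo $theme;?>/i/key.png"> Login</STRONG>
<?php
if (empty($_POST['login'])) {
    //If the post hasn't been submitted, then show the forms
    echo '<BR><p><form method="post" action="login.php">
<b>Username:</b><input class="field" type="text" name="username"><br />
<br />
<b>Password:</b><input class="field" type="password" name="password"><br />
<input class="submit" type="submit" name="login" value="Login"><p>
</form>
<br>
<a href="index.php?action=forgot">Forgot Password?</a> | <a href="index.php?action=register">Register</a>';
} else {
    /*
    Make sure you connect to the database.
    The values below are samples; use a dedicated database account with a
    password and only the privileges this page needs, not root.
    */
    $hostname = 'localhost'; // specify host, i.e. 'localhost'
    $user = 'root';          // specify username
    $pass = '';              // specify password
    $dbase = 'test';         // specify database name

    // The mysql_* functions were removed in PHP 7, so mysqli is used instead.
    // Reporting is switched off so that failures come back as return values
    // on every PHP version and are handled explicitly below.
    mysqli_report(MYSQLI_REPORT_OFF);
    $connection = mysqli_connect($hostname, $user, $pass)
        or die("Can't connect to MySQL");
    mysqli_select_db($connection, $dbase) or die("Can't select database.");

    // Only accept plain strings; a field posted as an array (username[]=...)
    // is treated as empty instead of reaching md5() or the query.
    $username = (isset($_POST['username']) && is_string($_POST['username'])) ? $_POST['username'] : '';
    $password = (isset($_POST['password']) && is_string($_POST['password'])) ? $_POST['password'] : '';

    //make sure the fields aren't empty
    // Compared against '' rather than empty(), which would also reject "0".
    if ($username === '' || $password === '') {
        echo 'You left a field empty';
    } else {
        /*
        make sure you created the users table!
        CREATE TABLE `users` (
        `id` int(11) NOT NULL auto_increment,
        `username` varchar(50) NOT NULL,
        `password` varchar(50) NOT NULL,
        PRIMARY KEY (`id`)
        ) ENGINE=InnoDB DEFAULT CHARSET=latin1 AUTO_INCREMENT=1 ;

        NOTE(review): this schema has no UNIQUE key on `username`; two rows
        with the same name and password make the "exactly one match" check
        below fail.
        */

        //Hash the password to compare with the one stored in the database
        // NOTE(review): unsalted MD5 is not a password hash. Moving to
        // password_hash()/password_verify() (PHP 5.5+) needs a wider `password`
        // column (bcrypt output is 60 characters, the column above holds 50)
        // and existing rows re-hashed at their next successful login.
        $encpass = md5($password);

        // One parameterized query checks name and password together. Unknown
        // user and wrong password get the same answer, so the page does not
        // reveal which usernames exist. LIMIT 2 is enough to tell "exactly
        // one row" from "more than one".
        $stmt = mysqli_prepare(
            $connection,
            'SELECT `id`, `username` FROM `users` WHERE `username` = ? AND `password` = ? LIMIT 2'
        );
        if (!$stmt
            || !mysqli_stmt_bind_param($stmt, 'ss', $username, $encpass)
            || !mysqli_stmt_execute($stmt)
            || !mysqli_stmt_bind_result($stmt, $rowId, $rowName)
        ) {
            // Database error details go to the server log, not to the browser.
            error_log('login.php: login query failed: ' . mysqli_error($connection));
            die('Login is temporarily unavailable.');
        }

        $matches = 0;
        $userId = null;
        $userName = null;
        while (mysqli_stmt_fetch($stmt)) {
            // Bound variables are overwritten by every fetch, so copy them.
            $matches++;
            $userId = $rowId;
            $userName = $rowName;
        }
        mysqli_stmt_close($stmt);

        if ($matches === 1) {
            //If the user is found, set the cookies
            $cookieTime = time() + 3600; // expire in 1 hour
            // Secure is set when the request itself arrived over HTTPS;
            // HttpOnly keeps page scripts from reading the cookies.
            $isHttps = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';

            // Empty path/domain keep setcookie()'s defaults, as before.
            setcookie("uId", (string) $userId, $cookieTime, "", "", $isHttps, true); //this value comes from the database, this is the user's id!
            // The stored name is used, not the submitted text.
            setcookie("username", $userName, $cookieTime, "", "", $isHttps, true);
            // NOTE(review): kept only because other pages may read it (not
            // visible here). Whoever obtains this cookie holds a reusable
            // credential plus an unsalted MD5 of the password. Replace the three
            // cookies with a server-side session ($_SESSION after
            // session_regenerate_id(true)) once the pages that read them are
            // updated.
            setcookie("password", $encpass, $cookieTime, "", "", $isHttps, true);

            /* Do not print to the display if you use header location method after that! */
            header("Location: index.php");
            exit;
        } else {
            echo 'Invalid username or password';
        }
    }
}
?>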