logging into wrong account

goldensparrow

My mate has a website and she has found recently that every now and then a user complains saying they have logged into the site but it logs them into another users account.

The script used is:

<?
require_once("conn.php");

if(mysql_num_rows($r1) == '1')
	{

	//ok
	$a1 = mysql_fetch_array($r1);

	$_SESSION[id] = $a1[id];
	$_SESSION[email] = $a1[email];
	$_SESSION[username] = $a1[username];


if(!empty($remember)){
      setcookie("copname", $_SESSION['username'], time()+60*60*24*300, "/");
      setcookie("coppass", $_SESSION['id'], time()+60*60*24*300, "/");

$set='yes';
   }


if($a1[proscore]==0){
		header("location:index.php?m=l&set=$set&ne=y");
}else{

	header("location:$page?m=l&set=$set&ne=y");
}
		exit();
	}
	else
	{
	header("location:$page?m=n");
		exit();	
	}


}

Can anyone help with this issue please?

Cheers

bradgrafelman

Welcome to PHPBuilder! When posting PHP code, please use the board's [noparse]

..

[/noparse] bbcode tags as they make your code much easier to read and analyze.

As for your problem, you're missing the most important part of the code; where is the actual SQL query?

goldensparrow

Thanks for the info.....I missed out a bit of the code on the post:

<?
require_once("conn.php");

 $q1 = "SELECT * FROM members WHERE email='$email' AND password=SHA('$password') AND active =''";
 $r1 = mysql_query($q1) or die(mysql_error());

if(mysql_num_rows($r1) == '1')
 {

 //ok
 $a1 = mysql_fetch_array($r1);

 $_SESSION[id] = $a1[id];
 $_SESSION[email] = $a1[email];
 $_SESSION[username] = $a1[username];


if(!empty($remember)){
 setcookie("copname", $_SESSION['username'], time()+60*60*24*300, "/");
 setcookie("coppass", $_SESSION['id'], time()+60*60*24*300, "/");

$set='yes';
 }


if($a1[proscore]==0){
 header("location:index.php?m=l&set=$set&ne=y");
}else{

 header("location:$page?m=l&set=$set&ne=y");
}
 exit();
 }
 else
 {
 header("location:$page?m=n");
 exit(); 
}

bradgrafelman

Do you have a PRIMARY or UNIQUE index on the 'email' field?

goldensparrow

Thanks for the quick reply.....I've checked the database and the email is not set as primary nor unique.