View Full Version : PHP help, please.


Just...Will
June 16th, 2006, 11:55 PM
<?php
$name = $_POST['name'];
$pass = $_POST['password'];
$connid = mysql_connect ('localhost' , 'DBUSER' , 'DBPASS');
mysql_select_db ("laughsap_jokes");
$dbuser = mysql_query ("SELECT username FROM users WHERE username LIKE $name WHERE password LIKE $pass") or die("Login failed.");
$dbpass = mysql_query ("SELECT password FROM users WHERE username LIKE $name WHERE password LIKE $pass");
if ($name == $dbname && $pass == $dbpass)
{
    print "Login Successful";
    setcookie ("laplogin", "Logged in", time( ) + 500000);
}
else
{
    print "Login failed.";
}
?>


It's a login script, but I fear I've done my SQL Queries incorrectly. Some help would be appreciated.

Kiros
June 17th, 2006, 05:35 AM
At first glance, it looks Ok...

However, you might want to consider testing it on a secret page so that no one can try anything malicious.

But, if that does actually query the database correctly, and it gets you to login, I can still assure you that it's not a very secure method at all. If you do set it up and give me the link, I could easily use an SQL injection - wouldn't even have to be a blind injection.

I recommend setting up an object-oriented login. Found this link that shows what to do and everything's implemented very well for a public script.

http://www.devshed.com/c/a/PHP/Creating-a-Secure-PHP-Login-Script/

But if you only need a login to identify people, then that might not be worth the effort. However, if you use it for any kind of administrative purposes, you should use the one I linked.

Just...Will
June 17th, 2006, 01:51 PM
My administrative "panel" will be much more secure; this is just so people can login to submit content. I have been running it on a test page, and it always takes the "Die" road or, if it's not there, shows an error.

Edit: I posted it on PHP Freaks, and this is what they gave me and which works beautifully.
<?php
$connid = mysql_connect ('localhost' , 'DBUSER' , 'DBPASS');
mysql_select_db ("DB");
// make sure you escape any user input
$name = mysql_real_escape_string($_POST['name']);
$pass = mysql_real_escape_string($_POST['password']);
// select the username and password that match $name and $pass limit the query by 1
$sql = "SELECT `username`, `password` FROM users WHERE `username`='$name' AND `password`='$pass' LIMIT 1";
$result = mysql_query ($sql, $connid) or die("Unable to find username/password in database.");
// check that the query returned 1 result, if it did its a successful login!
if(mysql_num_rows($result) == 1)
{
    setcookie ("lap", "$name", time() + 3600);
    echo "Login Successful! Your username is $name. You will remain logged in for one hour. You may click the logout button to end your session early.";
}
else // not successful!
{
    echo "Login failed.";
}
echo $name;
?>
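
The same login check written with a prepared statement and hashed passwords, as an added example that is not part of the thread or the PHP Freaks code. It assumes PHP 7.1+ with the pdo_sqlite extension; the in-memory table, the `password_hash` column, the sample account and the function names `make_demo_db` and `check_login` are constructed for illustration.

```php
<?php
// Added example, not from the thread. Assumes PHP 7.1+ with pdo_sqlite.
// Table layout, sample account and function names are constructed.

function make_demo_db(): PDO {
    $db = new PDO('sqlite::memory:');            // in-memory DB, runs offline
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
    // Store a salted hash, never the password itself.
    $ins = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $ins->execute(['will', password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $db;
}

function check_login(PDO $db, string $name, string $pass): bool {
    // The placeholder sends $name as data, so quotes in it cannot change the query.
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$name]);
    $hash = $stmt->fetchColumn();                // false when no such user
    return $hash !== false && password_verify($pass, $hash);
}

$db = make_demo_db();
$attempts = [                                    // constructed inputs
    ['will', 'correct horse'],                   // valid credentials
    ['will', 'wrong'],                           // wrong password
    ["will' OR '1'='1", "x' OR '1'='1"],         // quotes and SQL keywords as input
];
foreach ($attempts as [$name, $pass]) {
    $ok = check_login($db, $name, $pass);
    // Escape the name for output instead of echoing request data as-is.
    $shown = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
    echo $shown, ' => ', $ok ? 'Login successful' : 'Login failed.', "\n";
    // In a web request, on success call session_regenerate_id(true) and set
    // $_SESSION['user'] = $name rather than putting the username in a cookie,
    // since a cookie value is chosen by the client.
}
```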

TheMatrix
August 6th, 2010, 01:06 AM
Instead of all this mysql hoo-ha, why don't you use XML? I can't give a script right now, but when I do, I'll give it to you.

nick
August 6th, 2010, 02:03 AM
You need single quotes round the username and password in your select statement.

Patchy
August 6th, 2010, 04:41 PM
Major bump!

Please don't post in threads which haven't been posted in for more than a month.

:locked: