login script not working

This log in script was working fine, now it’s not.
It says “you must activate…” even for accounts that are already activated (checked database)

print_r($row) shows nothing.
Any ideas?

[php]
session_start();
require_once("db_connect.php");

<?
if (isset($_SESSION['username']) && isset($_SESSION['password'])) {
    header("Location: https://www.caregivingsocal.com/members.php");
}
if (isset($_POST['submit'])) {
    if (!$_POST['username']) die("Error: You must enter your username to log in.");
    if (!$_POST['password']) die("Error: You must enter a password to log in.");
    //set cookie if checked
    if (!empty($_POST['stay_in'])) {
        $joined = '' . $_POST['username'] . '[]' . md5($_POST['password']) . '';
        setcookie('login_cookie', $joined, 2147483647, '/', 'www.caregivingsocal.com');
    } // end if
    //verify user
    $get_user = mysql_query("SELECT * FROM mem WHERE username = '".$_POST['username']."' AND user_password = '".md5($_POST['password'])."'");
    $q = mysql_fetch_object($get_user);
    if (!$q) die("Login Failure: Please verify your username and password are correct." . mysql_error());
    $row = mysql_fetch_array($get_user);
    if ($row['activated'] == 0) {
?>

Sorry, you must activate your account first!

Didn't get your validation email? Click here to resend the validation email.

<?
die();

}
// set session variables
$_SESSION['logged_in'] = 1;
$_SESSION['username'] = $_POST['username'];
$_SESSION['password'] = $_POST['password'];
session_write_close();
Header("Location: https://www.caregivingsocal.com/signin.php");
} else {
//show login form
?>

Username:
Password:
Submit:
Remember Me
<? } // end else ?>[/php]

MOD EDIT: Changed code to php tags for readability

First of all, is the following code inside PHP tags:

[php]
session_start();
require_once("db_connect.php");
[/php]

Check to make sure they are in your code (the forum adds PHP tags by default, so please disregard those). I’m asking because I notice that you have PHP opening tags right after this piece of code.

Secondly: why use mysql_fetch_object() to see if the user exists? mysql_num_rows() will give you the exact number of rows returned and is probably the better option performance-wise :wink: It’s also better to validate using is_resource(), is_object() and/or is_array(), rather than checking the variable for a value that results to ‘false’ (as you’ll probably know, 0, '', "", null and false will all result to a negative condition).

Lastly, you’re not checking the values of the user input before using them in a SQL query. This is a possible security hole the size of which I could park a truck in :wink: Read up on SQL security on the php.net manual pages and the mysql.com pages. You’ll find some interesting information there.
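
Added example (not part of either post above, and not the poster's code): one way to do the lookup the reply is pointing at, with the username bound through a PDO prepared statement and the result row fetched once. It assumes the thread's `mem` table columns, stands the table in with a constructed in-memory SQLite database, and swaps `md5()` for PHP's `password_hash()`/`password_verify()`; `check_login()` is a hypothetical helper name.

```php
<?php
// Constructed in-memory table standing in for the thread's `mem` table (assumption).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE mem (username TEXT PRIMARY KEY, user_password TEXT, activated INTEGER)');

// Constructed sample rows: one activated account, one not yet activated.
$ins = $db->prepare('INSERT INTO mem (username, user_password, activated) VALUES (?, ?, ?)');
$ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT), 1]);
$ins->execute(['bob', password_hash('hunter2', PASSWORD_DEFAULT), 0]);

/**
 * Hypothetical helper. Returns 'ok', 'inactive' or 'failed'.
 */
function check_login(PDO $db, string $username, string $password): string
{
    // The username is bound as a parameter, never concatenated into the SQL text.
    $stmt = $db->prepare('SELECT user_password, activated FROM mem WHERE username = :u');
    $stmt->execute([':u' => $username]);

    // Fetch the row exactly once and reuse it for every later check.
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['user_password'])) {
        return 'failed';
    }
    return ((int) $row['activated'] === 1) ? 'ok' : 'inactive';
}

$cases = [
    ['alice', 'correct horse'],  // activated account, right password
    ['bob', 'hunter2'],          // right password, not activated
    ['alice', 'wrong'],          // wrong password
    ["o'brien", 'anything'],     // a quote in the input is bound as data, so the query text is unchanged
];
foreach ($cases as [$u, $p]) {
    printf("%-10s => %s\n", $u, check_login($db, $u, $p));
}
```

In the posted script the only matching row is consumed by `mysql_fetch_object()`, so the later `mysql_fetch_array()` call has nothing left to return; fetching once, as above, avoids that.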
