Thread: help completing this code

this is my checkuser.php page! I have a login.php page which has a textbox with username and password fields on it. Is this correct?

PHP Code:

<?PHP 
mysql_connect (localhost, username,  password); 
mysql_select_db (Table); 

$result = mysql_query ("select username, password, access_level from Members where username = $username");

if(($username==$mysql_username) && $password ==$mysql_password) {  
setcookie("access_level",$mysql_access_level,time() + 3600);  
header("Location: page.php"); }  
else { header("Location: login.php"); }

let me know if it has any problems

Originally posted by kiwis
this is my checkuser.php page! I have a login.php page which has a textbox with username and password fields on it. Is this correct?

PHP Code:

<?PHP 
mysql_connect (localhost, username,  password); 
mysql_select_db (Table); 

$result = mysql_query ("select username, password, access_level from Members where username = $username");

if(($username==$mysql_username) && $password ==$mysql_password) {  
setcookie("access_level",$mysql_access_level,time() + 3600);  
header("Location: page.php"); }  
else { header("Location: login.php"); }

let me know if it has any problems

Quite a few.

1) You're not using superglobals.
2) You're not surrounding text with quotes in the query.
3) Where does $_mysql_username come from?
4) You need to do a mysql_fetch_array() to get the record.

PHP Code:

mysql_connect (localhost, username,  password); 
mysql_select_db (Table); 

$users = mysql_query ("select username, password, access_level from Members where username = '" . $_POST['username'] ."' AND password = '" . $_POST['password'] . "'");

if ($user = mysql_fetch_array($users)) { 
    setcookie("access_level",$mysql_access_level,time() + 3600);  
    header("Location: page.php"); 
}  else { 
    header("Location: login.php"); 
} 


Also note that I put password checking in the query as well. This will remove the need for an extra if-statement later.