Aside from things already mentioned...
PHP Code:
$password = md5($_POST['password'];
should be
PHP Code:
$password = md5($_POST['password']);
However, the whole script is really sloppy...
PHP Code:
if ( $_POST['username'] != "" AND $_POST['password'] != "" )
would be better/faster as
PHP Code:
if (isset($_POST['username']) && isset($_POST['password']))
PHP Code:
$username = htmlspecialchars($username);
$username = stripslashes($username);
Is useless if you are going to dump the data into a query anyway...
PHP Code:
if ($username == htmlspecialchars($username) && $username == stripslashes($username)) {
    // go on to the query
} else {
    // exit with an error, because clearly it isn't a valid password and either a typo or an attempt at subverting the server.
    exit('Invalid input.');
}
If this is required, you have some serious problems with the database. Entries should be checked for uniqueness going into the DB, not coming out... perhaps a unique ID would be a good addition? It is also a good idea to check for duplicate entries as well, just in case. Never make assumptions... always account for the unexpected... if conditions meet a very specific requirement, approve them; otherwise, fall through to a failure.
Other points are inefficiencies and the fact that this script does not secure the page in question... but at least it should work now.
cheers,
catch
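One way to put the checks from this reply together in a login handler, as an added example that is not part of the original post. The table and column names, the PDO DSN and credentials, and the use of password_verify() in place of md5() are assumptions made here, not something the thread specifies.

```php
<?php
// Added example (not from the original post): the checks discussed above,
// followed by a parameterised query so the input never reaches SQL as text.
// Assumptions: table `users` with columns `username` and `password_hash`,
// and the DSN/credentials below.

// Reject the request outright when either field is missing or empty.
if (!isset($_POST['username'], $_POST['password'])
    || $_POST['username'] === '' || $_POST['password'] === '') {
    http_response_code(400);
    exit('Username and password are required.');
}

$username = $_POST['username'];
$password = $_POST['password'];

// The post's idea: instead of "cleaning" the value, require that cleaning
// would change nothing, and reject the request otherwise.
if ($username !== htmlspecialchars($username) || $username !== stripslashes($username)) {
    http_response_code(400);
    exit('Invalid username.');
}

// Prepared statement: the username is bound as a parameter, so the
// database driver never interprets it as part of the SQL statement.
$pdo = new PDO('mysql:host=localhost;dbname=app', 'app_user', 'app_pass', [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false,
]);
$stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = :username');
$stmt->execute([':username' => $username]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// Verify against a stored password_hash() digest (assumption) instead of
// comparing md5() strings as the original script does.
if ($row !== false && password_verify($password, $row['password_hash'])) {
    echo 'Login OK';
} else {
    // Same message for unknown user and wrong password, so the response
    // does not reveal which usernames exist.
    http_response_code(401);
    echo 'Invalid credentials.';
}
```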