Login Script Problems

[munkynpunky]

hey guys,

I have a script which is :

PHP Code:

<?php
include "connection.php";

// Connect to server and select databse.
if (!$con)
  {
  die('Could not connect: ' . mysql_error() );
  }
  mysql_select_db($db, $con);

// username and password sent from signup form 
$user=$_POST['myusername']; 
$pass=$_POST['password']; 

$sql="SELECT * FROM our_info WHERE username='$user' and password='$pass'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row

if($count==1){
// Register $user, $pass and redirect to file "failed.html"
session_register("$user");
session_register("$pass"); 
header("location:../main.php");
}
else {
header("location:../failed.html");
}
?>

and then on the next page i have this:

PHP Code:

<?  
session_start(); 
$t = date("h:i:s", time()); 
$_SESSION['admin_login_time'] = $t; 
$_SESSION['myusername'] = $user; 
if(!session_is_registered(myusername)){ 
header("location:index.php"); 
} 
?>

Why doesnt it display the $user and how do i get it to show the login time rather than the current time?

[munkynpunky]

can anyone help?

[Twey]

session_register() is pretty much deprecated now. Just call session_start() and write to the $_SESSION array.

Code:

$user=$_POST['myusername'];  
$pass=$_POST['password'];  
 
$sql="SELECT * FROM our_info WHERE username='$user' and password='$pass'";

SQL injection vulnerability. You forgot to validate your input.

Code:

header("location:../main.php");

The value of the Location header must be an absolute URL.