You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''test'' at line 1
When test is a user.
Login.php >
<?php
session_start();
include "./global.php";
?>
<html>
<head>
<title>Login - Fantasy Core Forums</title>
</head>
<style type="text/css">
body{
background-color:#373737;
color:#FAFAFA;
font-family:Tahoma, Geneva, sans-serif;
font-size:10pt;
margin-top:0px;
}
#holder{
background-color:#000;
width:71%;
color:#A5A5A5;
font-family:"Trebuchet MS", Arial, Helvetica, sans-serif;
border:solid 1px #000;
padding-bottom: 10px;
padding-left: 10px;
padding-right: 10px;
padding-top: 10px;
text-align:left;
}
#userinfo{
width:99%;
font-family:"Trebuchet MS", Arial, Helvetica, sans-serif;
font-size:10px;
color:#333;
background-color:#F6F6F6;
border: 1px solid #333;
text-align:left;
padding: 3px;
padding-right: 3px;
}
a {
font-size: 10px;
text-decoration: none;
}
a:link {
text-decoration: none;
}
a:visited {
text-decoration: none;
}
a:hover {
text-decoration: none;
}
a:active {
text-decoration: none;
}
</style>
<body>
<center>
<?php include "./header.php" ?>
<div id="holder">
<div id="userinfo">
<?
if($_SESSION['uid']){
echo "Sorry, You are already logged in. Please <a href=\"logout.php\">Logout<\a> or go to the <a href=\"index.php\">Index</a>.\a";
}else {
if(!$_POST['submit']){
echo "<table border=\"0\" cellspacing=\"3\" cellpadding=\"0\">\n";
echo "<form method=\"post\" action=\"./login.php\">\n";
echo "<tr><td><font color=\"#4A4A4A\"><b>Username:</b></font></tr></td><tr><td><input type=\"text\" name=\"username\"></td></tr>\n";
echo "<tr><td><font color=\"#4A4A4A\"><b>Password:</b></font></tr></td><tr><td><input type=\"password\" name=\"password\"></tr></td>\n";
echo "<tr><td colspan=\"2\" align=\"right\"><input type=\"submit\" name=\"submit\" value=\"Login\"></td><tr></form>\n";
}else {
$user = mss($_POST['username']);
$pass = $_POST['password'];
if($user && $pass){
$query = "SELECT id FROM `users` WHERE `username`'".$user."'";
$res = mysql_query($query) or die(mysql_error());
if(mysql_num_rows($res) > 0){
$query2 = "SELECT id FROM `users` WHERE `username`='".$user."' AND `password`='".md5($pass)."'";
$res2 = mysql_query($query2) or die(mysql_error());
if(mysql_num_rows($res2) > 0){
$row = mysql_fetch_assoc($res2);
$_SESSION['uid'] = $row['id'];
echo "You have successfully Logged in as ".$user;
}else {
echo "The Username or Password You have Entered is Incorrect.\n";
}
}else {
echo "The Username that You have entered does not exist.\n";
}
}else {
echo "Please Fill in all fields correctly.\n";
}
}
}
?>
</div>
</div>
</center>
</body>
</html>
and
global.php >
<?php
$con = mysql_connect("localhost","username","password") or die(mysql_error());
$db = mysql_select_db("database",$con);
function mss($value){
return mysql_real_escape_string(trim(strip_tags($value)));
}
?>
Please inspect this code, and tell me about any errors.
P.S If There is anything more you'd like to know about, please tell me.