login.php

A website for keeping track of wishes for your character in WoW Users are able to make a user accoun

<?php
session_start();
include "conn.inc.php";
include "magickey.inc.php";

if (isset($_POST['submit'])) //HAS COME FROM A LOGIN ATTEMPT
{
	//LOOKUP NAME/PASS
	$s_username = addslashes($_POST['username']);
	$s_password = addslashes($_POST['password']);
	$query = "SELECT username, password FROM users " .
			"WHERE username = '" . $s_username . "' " . 
			"AND password = (PASSWORD('" . $s_password . "'))"; //sanitise
	$result = mysql_query($query) or die(mysql_error());
	
	if (mysql_num_rows($result) == 1) 
	{ //DB HIT + UNIQUE
		$_SESSION['user_logged'] = $_POST['username']; //sanitise?
		$_SESSION['magickey'] = $magickey;
		
		if ($_POST['cookie'] == "yes")
		{
			$token = mt_rand();
			$s_session_user_logged = addslashes($_SESSION['user_logged']);
			$tokenquery = "UPDATE users SET logintoken = '".$token."' WHERE username = '". $s_session_user_logged ."' LIMIT 1;";
			$tokenresult = mysql_query($tokenquery) or die(mysql_error());
			setcookie("wishlogin", $_SESSION['user_logged']."__".$token."__".$magickey, time()+60*60*24*60 );
		}
		
		$s_redirect = htmlentities($_POST['redirect']);
		header ("Refresh: 5; URL=" . $s_redirect . "");
		echo "You are being redirected to your original page request!<br />";
		echo "(If your browser doesn't support this, <a href=\"" . $s_redirect. "\">click here</a>)";
		//SEND TO ORIGINAL REQUESTED PAGE
	} 
	else 
	{ //NO DB ENTRY FOR THAT NAME/PASS
?>
		<html>
			<head>
				<title>WoW-Wish: login</title>
				<link rel="stylesheet" href="wish.css">
			</head>
		<body>
			<?php include "header.inc.php"; ?>
			<p>
				Invalid Username and/or Password<br />
				Not registered? 
				<a href="register.php">Click here</a> to register, or <a href="index.php">go home</a>.<br />
				<?php include "login.form.inc.php"; ?>
			</p>
		</body>
		</html>
<?php
	}
} 
else //INITIAL VISIT TO PAGE, ASK TO LOGIN
{
	if (isset($_GET['redirect'])) //IS IT A REDIRECT
		{ $redirect = $_GET['redirect']; }//sanitise
	else 
		{ $redirect = "index.php"; }
?>
<html>
	<head>
		<title>WoW-Wish: login</title>
		<link rel="stylesheet" href="wish.css">
	</head>
	<body>
		<?php include "header.inc.php"; ?>
		<p>
			Login below by supplying your username/password...<br />
			Or <a href="register.php">click here</a> to register, or <a href="index.php">go home</a>.<br />
			<?php include "login.form.inc.php"; ?>
		</p>
	</body>
</html>
<?php
}
?>