Php auth and register

Question

I have the following code for signing in and signing up:

<? 

$h='mysqlserver';
$u='user';
$G='password';
$n='batadasename';
session_start();

mysql_connect ($h, $u, $G);

mysql_select_db($n) or die('Cannot select database');

//logging in
if ($_POST['username']) {
$username=$_POST['username'];
$password=$_POST['password'];
if ($password==NULL) {
header("Location: index.php?acntion=empty");
}else{
$query = mysql_query("SELECT username,password FROM users WHERE username = '$username'") or die(mysql_error());
$data = mysql_fetch_array($query);
if($data['password'] != $password) {
header("Location: index.php?action=empty");
}else{
$query = mysql_query("SELECT username,password FROM users WHERE username = '$username'") or die(mysql_error());
$row = mysql_fetch_array($query);
$_SESSION["s_username"] = $row['username'];
header("Location: http://www.myweb.com/admin/");
}
}
}
else {
    header("Location: index.php?action=empty");
}

?>

And signing up:

<?


$h='mysqlserver';
$u='user';
$G='password';
$n='batadasename';

mysql_connect ($h, $u, $G);

mysql_select_db($n) or die('Cannot select database');

if (isset($_POST["username"])) {
$username = $_POST["username"];
$password = $_POST["password"];
$checkpassword = $_POST["cpassword"];
$email = $_POST["email"];

if($username==NULL|$password==NULL|$checkpassword==NULL|$email==NULL) {

header("Location: index.php?action=empty");
}else{

if($password!=$checkpassword) {
header("Location: index.php?action=notmatch");
}else{

$checkuser = mysql_query("SELECT username FROM users WHERE username='$username'");
$username_exist = mysql_num_rows($checkuser);
$checkemail = mysql_query("SELECT email FROM users WHERE email='$email'");
$email_exist = mysql_num_rows($checkemail);
if ($email_exist>0|$username_exist>0) {
header("Location: index.php?action=aleradyuse");
}else{

$query = "INSERT INTO users (username, password, email) VALUES(‘$username’,'$password’,'$email’)";


$query = 'CREATE TABLE users(
id INT NOT NULL AUTO_INCREMENT,
PRIMARY KEY(id),
username VARCHAR(30) NOT NULL,
password VARCHAR(20) NOT NULL,
email VARCHAR(40) NOT NULL)';
$result = mysql_query($query);
mysql_query($query) or die(mysql_error());
header("Location: success.php?action=checkmail-validation")

}
}
}
}
?>

Index are where the form is, and this code is from "login.php" and "signup.php" which are on different directories.

I just want to know what do you think and what can I improve the code in. Then, if you know how to restrict files and then also log out, I'll be glad to use your code. Thank you.

Answer 1

• The first and foremost thing is, use MySQLi or a PDO rather than just MySQL.
• Filter your queries to prevent SQL injection.