MakeWebGames

Need help!!


TheMafia!


OK, I have a validation script but I need help.

Everything works on the script, but when I register an account and go to my Hotmail to confirm it, it says you have activated your account, but when I log in with the password that I used it doesn't let me log in.

Here is the validate script:

<?php
session_start();
require "mysql.php";
global $c;
if ( $_GET['act'] == 'val')
{
    $q=mysql_query("SELECT * FROM validating WHERE vdID='{$_GET['token']}'", $c);
    if (!mysql_num_rows($q))
    {
        die("Invalid account");
    }
    $r=mysql_fetch_array($q);
    $password = strip_tags($_POST['vdPASSW']);
    $password=md5($password);
    $username=($r['vdUSERN']);
    $email=($r['vdEMAIL']);
    $money=($r['vdMONEY']);
    mysql_query("INSERT INTO users (userid, username, login_name, userpass, level, money, 
   goldbars, donatordays, user_level, energy, maxenergy, will, maxwill, brave, 
   maxbrave, hp, maxhp, location, gender, signedup, email, bankmoney, 
   Steps) VALUES('', '{$username}', '{$username}', md5('{$_POST['password']}'), 1, 
   100, 0, 0, 1, 12, 12, 100, 100, 5, 5, 100, 100, 1, 'Male', unix_timestamp(), 
   '{$email}', -1, 10)", $c);
    $i=mysql_insert_id($c);

    mysql_query("INSERT INTO userstats VALUES($i,10,10,10,10,10,10)",$c);
    mysql_query("DELETE FROM validating WHERE vdID='{$_GET['token']}'", $c);
    print "Account validated!

[url='login.php']> Login[/url]";
}
else
{
    mysql_query("DELETE FROM validating WHERE vdID='{$_GET['token']}'", $c);
    print "Registration Cancelled.";
}
?>

 

Does anyone know how to fix this so I can log in with the password that I used?

Re: Need help!!

You have far bigger problems than that. You have completely opened the door to SQL injection there, TheMafia...

There are tons of posts about securing that sort of thing, so I'll leave it to you to search for mysql_real_escape_string in the forum and the PHP site.

$q=mysql_query("SELECT * FROM validating WHERE vdID='{$_GET['token']}'", $c);

is one of the lines susceptible to the injection. Wide open....
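
The token lookup and delete flagged above, as an added example that is not code from the thread: the `mysql_*` extension was removed in PHP 7, so this uses PDO prepared statements instead of escaping. The in-memory SQLite database, the sample row, the function names and the 32-character hex token format are assumptions made for the demo; only the table and column names come from the posted script.

```php
<?php
// Added example: parameterised lookup/delete against the validating table.
// Table and column names (validating, vdID, vdUSERN, vdEMAIL) are from the post;
// everything else here is constructed for illustration.

function findPendingAccount(PDO $db, $token): ?array
{
    // Assumption: tokens are 32 lowercase hex characters. Reject anything else
    // (including arrays sent as ?token[]=...) before touching the database.
    if (!is_string($token) || !preg_match('/\A[0-9a-f]{32}\z/', $token)) {
        return null;
    }
    // The token is bound as a parameter, never interpolated into the SQL text.
    $stmt = $db->prepare('SELECT vdUSERN, vdEMAIL FROM validating WHERE vdID = :token');
    $stmt->execute([':token' => $token]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function removePendingAccount(PDO $db, string $token): int
{
    $stmt = $db->prepare('DELETE FROM validating WHERE vdID = :token');
    $stmt->execute([':token' => $token]);
    return $stmt->rowCount(); // number of rows actually deleted
}

// Constructed demo database so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE validating (vdID TEXT PRIMARY KEY, vdUSERN TEXT, vdEMAIL TEXT)');
$good = str_repeat('ab', 16); // constructed 32-character token
$ins = $db->prepare('INSERT INTO validating (vdID, vdUSERN, vdEMAIL) VALUES (?, ?, ?)');
$ins->execute([$good, 'demo_user', 'demo@example.test']);

// Constructed inputs: a valid token, one containing a quote, and an array.
foreach ([$good, "abab'abab", ['x']] as $input) {
    $row = findPendingAccount($db, $input);
    echo json_encode($input), ' => ', $row ? $row['vdUSERN'] : 'Invalid account', "\n";
}
echo 'rows deleted: ', removePendingAccount($db, $good), "\n";
```

The same binding applies to the `INSERT INTO users` statement in the posted script, which also interpolates request data directly into the query.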

