Web Hosting Talk

Help PHP Issue

Faith-Hosting
06-19-2005, 09:49 PM
include_once("includes/session.include.php");
include_once("includes/mysql.include.php");
include_once("includes/functions.include.php");
switch($action){
    case "login":
        if(!isset($_SESSION['un']) && !isset($_SESSION['pw'])) {
            $MEMBER = mysql_query("SELECT * FROM users WHERE un='$un'");
            if(@mysql_num_rows($MEMBER)>0){
                $MEMBER = mysql_fetch_array($MEMBER);
                if($MEMBER[pw] == "$pw"){
                    session_register('un');
                    session_register('pw');
                } else {
                    $ERROR = "<font size=\"1\" face=\"Verdana\"><b>Error</b>: The password you entered is incorrect. <a href=\"?\">Retry?</a></font>";
                }
            } else {
                $ERROR = "<font size=\"1\" face=\"Verdana\"><b>Error</b>: Incorrect user. <a href=\"join.php\">Signup?</a> - <a href=\"?\">Retry?</a></font>";
            }
        }
        break;
    case "logout":
        session_unset();
        session_destroy();
        break;
}
if(isset($_SESSION['un']) && isset($_SESSION['pw'])) {
    $MEMBER2 = mysql_query("SELECT * FROM users WHERE un='$un'");
    $MEMBER = mysql_fetch_array($MEMBER2);
    if($MEMBER[pw] != $pw){
        session_unset();
        session_destroy();
    }
}


Every time I run this code at www.rankmygame.com or any other server, it lag loads then crashes to a 404.

If I remove this it works, but when it crashes it never shows me why. It's like it loops then thinks the page isn't responding so it goes to a page could not be displayed...

Please please help...

Some BG Info

There is a session start file and a mysql db connect file... both of these also work fine. I have other sites on my server which work fine but don't use this type of code to auth and start session...
Thank you...

Burhan
06-20-2005, 03:31 AM
I can see a few problems with the above code.

1. You do not have a default: case for your switch.
2. What is $action?
3. Why do you have the same code outside the switch and inside the switch?
4. No error checking

Faith-Hosting
06-20-2005, 06:58 AM
1) A default case isn't required when you want only a set amount of options.
2) $action is called when a user enters a username and password in any site page and hits login. It refreshes the page w/ $action containing the var.
3) That's for all those script kiddies who like to use mysql injection - I've tried taking that out, it doesn't seem to affect it.
4) Give an example of how to error check that section of code. The only places I see a point of error handling is after the mysql queries but they work. It's something else throwing it off...

and
5) I'd appreciate it if ya could help me, not critique me... I didn't write the code myself, otherwise I'd know where the error was. I'm just fixing it for a friend. If you want to see the whole header code please pm or email or AIM/YIM/MSN me and I'll set it up for ya.

Burhan
06-20-2005, 07:32 AM
I don't see how that prevents SQL injection, but anyway, I will stop critiquing.

First thing, turn up your error reporting (use error_reporting(E_ALL)). This will point out things such as:

$MEMBER = mysql_query("SELECT * FROM users WHERE un='$un'");

What is $un? Shouldn't that be $_SESSION['un']?

Similarly

if($MEMBER[pw] == "$pw"){

1. Change $MEMBER[pw] to $MEMBER['pw']
2. What is $pw? Shouldn't that be $_SESSION['pw']?
3. Is the password stored as a hash in the database? If so, make sure you are comparing the right bits. Comparing the plain-text with the hash will always return false.

Second thing I would do is to make sure that $_SESSION is populated: print_r($_SESSION). I assume you have session_start() in session.include.php.

I also would not use session_register but simply set $_SESSION['foo'] = "bar";

I would also print out $action or otherwise verify that it contains what I expect.

I don't see how you can verify that the mysql bits work, as you seem to be suppressing any error messages with @. Just for my sake, add mysql_error() checks. You would not know if $MEMBER was a valid result resource because mysql_num_rows() is suppressing errors.

By critiquing you, I'm trying to help you by pointing out areas where you can use some help.
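
The points raised in the post above, put together as an added example that is not code from the thread: the username is bound as a query parameter, the password is checked against a stored hash, database errors raise exceptions instead of being hidden with @, and only the username goes into the session. Assumptions: PHP 7.1 or later with PDO and pdo_sqlite, an in-memory table standing in for the real users table (same un / pw column names), and a plain array standing in for $_SESSION; the login() helper and the sample accounts are constructed for illustration.

```php
<?php
// Added example, not from the thread. Constructed data: an in-memory SQLite
// table "users" with the thread's column names, where pw holds a password hash.
$db = new PDO('sqlite::memory:');
// Surface database errors as exceptions instead of silencing them with @.
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (un TEXT PRIMARY KEY, pw TEXT NOT NULL)');
$db->prepare('INSERT INTO users (un, pw) VALUES (?, ?)')
   ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

/** Hypothetical helper: returns true and fills $session only on a match. */
function login(PDO $db, array &$session, string $un, string $pw): bool
{
    // Placeholder binding: $un travels as data and is never spliced into the SQL text.
    $stmt = $db->prepare('SELECT un, pw FROM users WHERE un = ?');
    $stmt->execute([$un]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify the submitted password against the stored hash. Unknown user and
    // wrong password take the same path, so the response does not reveal which.
    if ($row === false || !password_verify($pw, $row['pw'])) {
        return false;
    }

    // Keep only the identity in the session, never the password.
    // In a real page: session_start() first, then session_regenerate_id(true) here.
    $session['un'] = $row['un'];
    return true;
}

// Constructed requests: wrong password, SQL metacharacters in the username, valid login.
// In a real page these values come from $_POST, not from bare $un / $pw variables.
$attempts = [
    ['alice', 'wrong'],
    ["alice' OR '1'='1", 'anything'],
    ['alice', 'correct horse'],
];
foreach ($attempts as [$un, $pw]) {
    $session = [];   // stands in for $_SESSION
    $ok = login($db, $session, $un, $pw);
    printf("%-20s => %s\n", $un, $ok ? 'logged in as ' . $session['un'] : 'rejected');
}
```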

Faith-Hosting
06-21-2005, 07:17 AM
I got it fixed... The switch codes were removed and replaced with good old if statements as he should have done in the first place... Also a quick note: any time I try calling anything resembling

if(!isset($_SESSION['un']) && !isset($_SESSION['pw']))

is when it messes up the script.
My PHP version is 4.3 so be careful, maybe it is a bug in the PHP, I'm not sure... I will post here if I get any more info on it. Thx

Burhan
06-21-2005, 07:50 AM
There is no bug that I am aware of that affects that statement. Make sure you have a session_start() in that page somewhere.