So I am creating a website with a login facility and I want the user to be redirected to a page if the details entered match the info in the database. However, it is not working. Every time I submit the info it just redirects me to the previous page (should do if details are wrong). The password and email are correct; I have done some debugging for that. It must lie with the sessions. Here is my code.

checklogin - does the checking

```php
<?php
include("connect.php");

$email = $_POST["email"];
$password = $_POST["password"];
$password = md5($password);

$sql = "SELECT * FROM numbers";
$result = mysql_query($sql);
while ($row3 = mysql_fetch_array($result, MYSQL_ASSOC))
{
    if(($password == $row3["password"]) && ($email == $row3["email"]))
    {
        $_SESSION["userid"] = $row3["id"];
        header ('Location: control_panel.php');
        //debug
        //echo $password;
        //$useridvar = $_SESSION["userid"];
        //echo $useridvar;
    }
    if ($_SESSION["userid"]=="")
    {
        header ('Location: login.php');
        //echo "hi";
    }
}
?>
```

control_panel is the page the user should get directed to after a successful login. I don't really want to give you the whole page because it's for a project I am working on and I do not want to get in trouble for copyright. This is basically at the very top of the page.

```php
<?php
if ($_SESSION["userid"]=="")
{
    header ('Location: login.php');
}
include('connect.php');
/*
Copyright 2010-2011 All Rights Reserved.
******************************************
*/
?>
```

I think that your script is OK; you just need to add session_start(); at the top of every file in which you want to use sessions for login.

You need a WHERE clause in your MySQL query. And you also need a session_start(); on the very first line of each PHP page that uses the session. I have rewritten your code like so:

```php
<?php
session_start();
include("connect.php");

$email = $_POST["email"];
$password = md5($_POST["password"]);

$sql = "SELECT * FROM numbers WHERE password = '$password' AND email = '$email' LIMIT 1";
$result = mysql_query($sql);

// LIMIT 1 returns at most one row, so fetch once; a loop body would never run when no row matches
$row3 = mysql_fetch_array($result, MYSQL_ASSOC);
if ($row3 && ($password == $row3["password"]) && ($email == $row3["email"]))
{   // if we find a match
    $_SESSION["userid"] = $row3["id"]; // store in session
    header ('Location: control_panel.php'); // redirect to control panel
}
else
{   // if no match found
    header ('Location: login.php'); // redirect back to login page
}
?>
```

You'll need to also escape any input via your db with 'mysql_real_escape_string()':

```php
$sql = "SELECT * FROM numbers
        WHERE password = '".mysql_real_escape_string($password)."'
        AND email = '".mysql_real_escape_string($email)."'
        LIMIT 1";
```

It also looks like you're storing the password in raw text; use MD5 for better security.
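
An added example (not code from any poster in this thread) that combines the fixes discussed above: session_start() before touching $_SESSION, a parameterised query in place of string-built SQL, and password_hash()/password_verify() swapped in for MD5. It assumes PHP 7+ with PDO and pdo_sqlite; the function name check_login, the in-memory table and the user alice@example.test are constructed stand-ins for connect.php and the numbers table.

```php
<?php
// Added example, not code from the thread. All sample data is constructed.

// Returns the user's id on success, or null on any failure.
function check_login(PDO $db, string $email, string $password): ?int
{
    // Placeholders keep user input out of the SQL text entirely.
    $stmt = $db->prepare('SELECT id, password FROM numbers WHERE email = ? LIMIT 1');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() checks the input against a salted password_hash() value.
    // A missing row and a wrong password return the same result to the caller.
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    return (int) $row['id'];
}

// Stand-in for connect.php: in-memory SQLite with one constructed user.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE numbers (id INTEGER PRIMARY KEY, email TEXT UNIQUE, password TEXT)');
$db->prepare('INSERT INTO numbers (email, password) VALUES (?, ?)')
   ->execute(['alice@example.test', password_hash('correct horse', PASSWORD_DEFAULT)]);

session_start(); // must run before any output, on every page that uses $_SESSION

// Treat anything that is not a plain string (e.g. email[]=x) as empty input.
$email    = is_string($_POST['email'] ?? null) ? $_POST['email'] : '';
$password = is_string($_POST['password'] ?? null) ? $_POST['password'] : '';

$userId = check_login($db, $email, $password);

if ($userId !== null) {
    session_regenerate_id(true); // issue a fresh session id once the user is authenticated
    $_SESSION['userid'] = $userId;
    header('Location: control_panel.php');
} else {
    header('Location: login.php');
}
exit; // header() does not stop the script; exit so nothing after the redirect runs
```

The guard at the top of control_panel.php needs the same two things: session_start() before reading $_SESSION, and exit after the redirect to login.php so the rest of the page is not executed for an unauthenticated visitor.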