OK, I have the following code to check an email and password entered in a previous form. As the code stands, I get the "Invalid user name or password" message, because the check for whether $email and $passwd are "" evaluates to true, which it should not.
So, to check the variables, I added an echo to display them. With the echo in place I no longer get the invalid login or password message, because the values are correct, but of course I then get the invalid header message, because the echo sends output before header() is called.
<?php
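// Start (or resume) the session before any output is sent.
session_start();

// Logout: taken only when the whole query string is exactly "logout".
if ($QUERY_STRING == 'logout') {
    // NOTE(review): $title, $self_url and $fontface are not assigned anywhere above this
    // point in this file, and the script reads request data through register_globals-style
    // variables ($QUERY_STRING, $email, $passwd). Treat them as untrusted here and
    // HTML-escape them before they are written into the page - confirm where they are set.
    $safe_title = htmlspecialchars($title, ENT_QUOTES);
    $safe_url = htmlspecialchars($self_url, ENT_QUOTES);
    $safe_font = htmlspecialchars($fontface, ENT_QUOTES);

    // Short "logging out" page that refreshes to $self_url after one second.
    echo("<head><title>$safe_title</title><meta http-equiv=\"Refresh\" content=\"1;URL=$safe_url\"></head><body><font
face=\"$safe_font\" color=\"red\"><span style=\"font-size:250%\">$safe_title</span><br><span style=\"font-size:150%\">Logging
out...</span></font></body></html>");

    // Drop the in-memory session array, then destroy the stored session data.
    unset($HTTP_SESSION_VARS);
    session_destroy();
    exit;
}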
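// Register the three session variables used by the login flow.
// NOTE(review): sess_passwd keeps the submitted password in session storage as entered.
// Keeping only the verified user's identity in the session would avoid that, but it needs
// a change to the two-phase flow further down, not just to this block.
global $sess_name, $sess_passwd, $sess_data;
session_register("sess_name");
session_register("sess_passwd");
session_register("sess_data");

// Database settings ($db_host, $db_user, $db_pwd, $db_name) are read below, so the script
// must not carry on without this file: require stops on a missing file where include
// would only warn and continue with unset connection variables.
require('dbvars.php');

// Stop with a generic message if the database is unreachable. Details from the driver are
// deliberately not shown to the visitor.
if (!mysql_connect($db_host, $db_user, $db_pwd) || !mysql_select_db($db_name)) {
    exit("Login is temporarily unavailable. Please try again later.");
}

// The commented-out debug echo of $email and $passwd was removed: it printed the submitted
// password into the page, and any output sent before header() prevents the redirect below.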
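// Two-phase login.
//   Phase 1 (no sess_name in the session yet, or the Referer check fails): take the
//   submitted $email/$passwd, store them in the session and redirect back to this script.
//   Phase 2 (sess_name present and Referer matches $self_name): verify against the database.
// NOTE(review): HTTP_REFERER is sent by the client and can be missing or altered, so it is
// not a dependable gate. If the request that follows the redirect below arrives with a
// Referer that does not match $self_name, phase 1 runs again with empty $email/$passwd and
// shows the "Invalid user name or password" page - check this against the reported symptom.
if (!isset($HTTP_SESSION_VARS["sess_name"]) || !ereg($self_name, $HTTP_REFERER)) {
    if ($email == "" || $passwd == "") {
        // Escape everything written into the page; the origin of these values is not
        // visible in this file (presumably dbvars.php - confirm).
        $safe_title = htmlspecialchars($title, ENT_QUOTES);
        $safe_url = htmlspecialchars($self_url, ENT_QUOTES);
        $safe_font = htmlspecialchars($fontface, ENT_QUOTES);
        echo("<head><title>$safe_title</title><meta http-equiv=\"Refresh\" content=\"1;URL=$safe_url\"></head><body><font
face=\"$safe_font\" color=\"red\"><span style=\"font-size:250%\">$safe_title</span><br><span style=\"font-size:150%\">Invalid user
name or password.</span></font></body></html>");
        unset($HTTP_SESSION_VARS);
        session_destroy();
        exit;
    }
    global $email, $passwd;

    // Store the values exactly as typed. If magic quotes added backslashes, remove them
    // here; the query in phase 2 does its own escaping, and the password comparison must
    // see the real characters.
    if (get_magic_quotes_gpc()) {
        $email = stripslashes($email);
        $passwd = stripslashes($passwd);
    }
    $sess_name = $email;
    $sess_passwd = $passwd;

    // NOTE(review): appending SID puts the session id in the URL, where it can end up in
    // logs, browser history and Referer headers; cookie-only sessions avoid that.
    header("Location: $PHP_SELF?".SID);
    exit;
}
else {
    // $sess_name originates from user input, so it is escaped before being placed inside
    // the SQL string literal. mysql_real_escape_string() uses the connection opened earlier.
    $safe_name = mysql_real_escape_string($sess_name);
    $res = mysql_query("select * from user where email='$safe_name'");

    // A failed query returns false; report a generic failure instead of passing false on
    // to mysql_num_rows().
    if (!$res) {
        echo("Login is temporarily unavailable. Please try again later.");
        unset($HTTP_SESSION_VARS);
        session_destroy();
        exit;
    }

    // NOTE(review): the two messages below tell a visitor whether an email address is
    // registered. A single "invalid email or password" message would not.
    if (mysql_num_rows($res) == 0) {
        echo("The email address entered does not exist!");
        unset($HTTP_SESSION_VARS);
        session_destroy();
        exit;
    }
    else {
        $saved_pass = mysql_result($res, 0, "passwd");

        // Compare as strings with a strict operator. A loose != treats two numeric-looking
        // strings as numbers, so different passwords could compare as equal.
        // NOTE(review): the passwd column is compared directly with the submitted value,
        // which suggests passwords are stored unhashed - confirm, and move to salted
        // password hashing when the schema can change.
        if ((string) $saved_pass !== (string) $sess_passwd) {
            echo("The password you have entered is not correct.");
            unset($HTTP_SESSION_VARS);
            session_destroy();
            exit;
        }

        // A non-zero "ac" value means the account has not been activated yet.
        $saved_ac = mysql_result($res, 0, "ac");
        if ($saved_ac != 0) {
            echo("Your account has not yet been activated. Please click the activation link found in the registration email.");
            unset($HTTP_SESSION_VARS);
            session_destroy();
            exit;
        }

        echo("Login successful. <a href=test.php>Click me for session test</a>");

        // $PHP_SELF reflects the requested path, so it is escaped and the attribute is
        // quoted before it is written into the logout link.
        $safe_self = htmlspecialchars($PHP_SELF, ENT_QUOTES);
        echo("<br><a href=\"$safe_self?logout\">Logout</a>");
    }
}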
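// Close the database connection. Without the parentheses the original line was a bare
// constant expression and never called the function. Only the successful-login path
// reaches this line; every other path exits earlier.
mysql_close();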
?>