[RESOLVED] Whats wrong with this?

Sayian

Feedback on why this wont work please..

if(isset($_POST['login'])) {

$username = $_POST['username'];
$password = $_POST['password'];

$sql = "SELECT `user_id`,`username`,`password` FROM `shocc_users` WHERE `username` = '$username'";
$query = mysql_query($sql) or die(' Selection of user login info failed because ' . mysql_error());
$array = mysql_fetch_array($query);

	if($array['password'] = $password) {
		session_regenerate_id();
		$logged_user = $array['username'];
		$_SESSION['username'] = $logged_user;
		$_SESSION['userid'] = $array['user_id'];
		header("Location: /index.php");
	} else {
		header("Location: /login.php?login=invalid");
		exit();
	}

}

leatherback

'why this wont work'?

What do you mean? Do you get errors? Which ones?
Do you get output? What is it
Do you get other output then expected?

What do you expect to get?

thorpe

what does not work meen? are you getting errors... what?

Sayian

Sorry , allow me to clear up what i meant by wont work ...

i Should of stated that , but failed to , kinda busy right now.

When im submitting the form , it's fowarding me to the /login.php?login=invalid , location. which tells me validation of the information from the database has failed.

Ive checked the code i wrote , and i dont see any problems with the syntax

all information in mysql is correct , and verified.

Im just stuck on possible reasons why this wont work....... and i dont wanna do somthing like

" Select * from shocc_users where username = and pass = "
if(mysql_num_rows) ... blah blah .. you get the point

I want to validate that the password submitted is truley the password in the DB , not just if it returns rows ..

leatherback

Sayian wrote:
Sorry , allow me to clear up what i meant by wont work ...

i Should of stated that , but failed to , kinda busy right now.

Hm.. Yeah. Kinda busy here myself, maybe I should post half of the answer, so you can wonder what I mean to say?

Anyway.

You rquery:

$sql = "SELECT user_id,username,password FROM shocc_users WHERE username = '$username'";

add: AND 'password' = '$password'

If that returns rows, it is an exact match. You do not need to do a double check.

Otherwise:

this:
if($array['password'] = $password) {
should be
if($array['password'] == $password) {

you can also place echo "passed 1"; statements in your code,m adn check where the error occurs, and echo out the qwuery, so you know what is asked from the database.

Sayian

Thats true , i just always thought it was more secure to verify that the password submitted is truley the password returned from the array , but i guess that way is the same ... still trying to learn different techniques for validating information..

as for my lack of stating the error .... well , everyone makes mistakes ... next time ill be sure to include that info

thanks for your help man