Help with Sessions and Login pages

creativkook

I have a script for a log in that works on another database and site, but doesn't seem to agree with the one I'm trying to get it set up on. Basically what it is doing is not recognizing either the username or password, thus not letting me past the login page. Can anyone tell me what can be causing this problem and what I need to do to fix it? Here's the code:

<?php

$username = $POST['username'];
$password = $POST['password'];

if(isset($_POST['login']))
{
require("dbheader.php");

$person = mysql_query("SELECT * FROM cafeusers WHERE username = $username AND password = MD5('$password')");

if(mysql_num_rows($person) > 0)
{
session_start();

$_SESSION['userid'] = $person['userid'];

header("location: home.php");
}
else
{
$error = true;
}
}

?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link href="style2.css" rel="stylesheet" type="text/css" />
<title>Login Page</title>
</head>

<body>

<?php

if($error == true)
{
echo("<p>Username or password invalid.</p>");
}

<p>Username: <input type="text" name="username" value="<?=$_POST['username'];?>" /></p>
<p>Password: <input type="password" name="password" /></p>

</form>

</div>

</body>

</html>

MrPotatoes

please use the PHP tags bro

[php]
[/php] tags 😃

m37h0d

I dont think header location works when using sessions, try using meta refresh.

creativkook

Ok, here's the error I'm getting.

Unknown column 'marisav' in 'where clause'

'marisav' being the username. I know that it's in the table because I have checked a few times. Anyway, help is appreciated.

I think you can use headers in sessions because it worked before, but I will try a meta refresh. Thanks!

makeshift

it has to be like

 $query = "SELECT * FROM users  WHERE username='" . $whatever . "'";
 // note the SINGLE QUOTES around the username. this is because your username is probably a VARCHAR() and you're trying to give it without quotes.

fasho.

bradgrafelman

Just to elaborate, when you give MySQL a string value in a comparison or insert statement, you must surround it in quotes, either double or single.

Otherwise, it thinks you're trying to give it a numeric type (assuming you uses numbers and possibly a decimal) OR a column name. Using the quotes tells MySQL it's a string.