oops guess it wont let you view the code, well here is the raw code

<?php

include 'functions.php';

if (loggedin())
{
   header("Location: profile.php");
   exit();
}

if ($_POST['login'])
{
 //get data
 $username = $_POST['username'];
 $password = $_POST['password'];
 $rememberme = $_POST ['rememberme'];

 if ($username&&$password)
 {

 $login = mysql_query("SELECT * FROM users WHERE username='$username'");
 while ($row = mysql_fetch_assoc($login))
 {

       $db_password = $row['password'];
       if (md5($password)==$db_password)
          $loginok = TRUE;
       else
          $loginok = FALSE;

       if ($loginok==TRUE)
       {

          if (rememberme=="on")
             setcookie("username", $username, time()+7200);
          else if (rememberme=="")
               $_SESSION['username']=$username;

          header("Location: profile.php);
          exit();

       }
       else
           die("Incorrect username/password combination.");

 }
 }
 else
     die("Please enter a username and password.");

}

?>



<form action="login.php" method="POST">
Username:<br />
<input type="text" name="username"><p />
Password:<br />
<input type="password" name="password"><p />

<input type="checkbox" name="rememberme"> Remember me<br />
<input type="submit" name="login" value="Log in"
</form>

When posting PHP code, please use the board's [noparse]

..

[/noparse] bbcode tags as they make your code much easier to read and analyze.

As for your issue, now that I've added those bbcode tags note that the color coding (something you should also be seeing in your code editor of choice!) is incorrect after the header() statement a few lines up. Looking at that line:

header("Location: profile.php); 

you'll note that there is a missing ending quote to close the string.

The problem lies on this line:

header("Location: profile.php);

You never close the string, also see header():

HTTP/1.1 requires an absolute URI as argument to » Location: including the scheme, hostname and absolute path...

Edit: Damn you BG!

Derokorian;10997258 wrote:

Edit: Damn you BG!

takes a bow I even glanced down at the "Currently Active Users Viewing This Thread:" section, noticed someone other than the OP was viewing the thread, and quickly finished/posted my reply. :p

However, if we're also going to talk about non-parse errors, we might as well address a much bigger one...

@: Note that user-supplied data should never be placed directly into a SQL query string, else your code will be vulnerable to SQL injection attacks and/or just plain SQL errors. Instead, you must first sanitize it such as with a function like [man]mysql_real_escape_string/man (for string data) or by using prepared statements.

Also note that the entire [man]mysql[/man] extension (e.g. any functions that begin with 'mysql_') has been deprecated in favor of the newer, 'improved' extension called [man]MySQLi[/man].

EDIT: Also also... Welcome to PHPBuilder!

Good gravy boats, Thank you! I can't wait till I am more proficient so I can help people like me, lol, and not have to ask ?'s about stupid mistakes I am making. I cannot tell you how much I appreciate your help guys! I am so stoked to start learning this stuff. Programming is really fascinating to me and I am now getting much more work doing website's that require this stuff. You may very well be asked for a snail mail addy so I can send you some delicious home made organic thank yous.

I will re-read the notations you made and start researching those corrections you suggested. Luckily I am not concerned about safety just yet, as much as making this work, but as soon as it works, that will be directly my next mission is securing everything tight. One recommendation I was given was not to use sessions, only cookies for safety. If you guys have a thought on that I would love to hear it. I am a little at the mercy of the tutorial I build from, which again makes me excited to understand the code better so I can program to my own taste... anyways, going to read and stare at code and call my server to get mysql right and all that goodness. AGAIN THANK YOU GUYS!

Aright, so I fixed the " error, and then came up with an error in my functions, which was due to the mysql_connect being set to localhost, as the guy in the tutorials... so I changed it to the mysql addy on my server and now the page won't display at all. I get the problem loading page screen.

darn, now it's doing something else, hold response

I get the problem loading page screen.

What page? There is no equivalent message / redirect in the code you provided. Btw this code has at least 2 more parse errors, which are here:

              if (rememberme=="on") 
                 setcookie("username", $username, time()+7200); 
              else if (rememberme=="") 

should have a $ in front of rememberme.

K, fixed those $'s.

I believe my error now has to do with my mysql_connect... I am seeing that this is where you were saying you should not put user data.

I am going to make sure I can get this to work, then I will follow that link and re-arrange the code to make it more secure!

Where do you connect to mysql? There is no call to mysql_connect in that script. If its in functions.php consider putting it in its own file called mysql_conn.php (or something similar) so its more obvious what the file contains later when you have to change something in the future.

You should check that connect completed successfully and if not find out why not. Have a look at the manual for mysql_connect and there are some examples of how to do this.

Again, you should really use mysqli especially if you are just learning. Its better to learn it the right way than have to re-learn later. If you are reading a tutorial based on the old extension, I suggest you use the PHP manual (at php.net) instead, its very well documented and has proven the best learning tool I've found for PHP.

Also, you shouldn't post you log-in credentials on a public forum.
Mod Note: Please obfuscate his log in credentials O_o

Word, yah, luckily this pword and all else is pretty temporary so I don't mind people seeing it too much. As soon as it works, I'll probably change everything and put in that safety feature through functions and all that good stuff.

Yah, as soon as you guys said that I was thinking I better get hip to the new connect, so I'll go change that now.

so can I just replace mysql with mysqli ?

Well here's a simple mysqli_ example:
mysqli_connect()
mysqli_query()

// MySQL Server settings
$server = 'localhost';
$user = 'user';
$pass = 'pass';
$dbname = 'mydatabase';

/**
 * Procedural MySQLi
 */
// First we connect
$conn = mysqli_connect($server,$user,$pass,$dbname);

// Check connect failed
if( !$conn ) 
{
   // if it did stop here and tell us why
   die('There was a problem connecting to MySQL:<br>('.mysqli_errno($conn).') '.mysqli_error($conn));
}

// Define a query to run
$query = "SELECT * FROM `table` WHERE `col` = 'value'";

// Query the database
$result = mysqli_query($conn,$query);

// Check if the query failed
if( !$result ) 
{
   die('There was a problem executing the query ('.$query.'):<br>('.mysqli_errno($conn).') '.mysqli_error($conn));
}

// Check if there are results
if( mysqli_num_rows($result) > 0 ) 
{

   // Loop through the resulting rows
   while( $row = mysqli_fetch_assoc($result) ) 
   {
      // output a column
      echo $row['col'];
   }
}
else
{
   // No results
   echo 'No results found';
}

// Close the connection
mysqli_close($conn);


/**
 * Object-Oriented MySQLi
 */
// First we connect
$conn = new mysqli($server,$user,$pass,$dbname);

// Check if the connection failed
if( $conn->connect_error ) 
{
   die('There was a problem connecting to MySQL:<br>('.$conn->errno.') '.$conn->error);
}

// Define a query to run
$query = "SELECT * FROM `table` WHERE `col` = 'value'";

// Query the database
$result = $conn->query($query);

// Check if the query failed
if( !$result ) 
{
   die('There was a problem executing the query ('.$query.'):<br>('.$conn->errno.') '.$conn->error);
}

// Check if there are results
if($result->num_rows > 0 ) 
{

   // Loop through the resulting rows
   while( $row = $result->fetch_assoc() ) 
   {
      // output a column
      echo $row['col'];
   }
}
else
{
   // No results
   echo 'No results found';
}

// Close the connection
$conn->close();

Okay, I've only been out of the conversation for a little over an hour and already have a lot of catching up to do. Apologies in advance for the length of this post...

code-a;10997260 wrote:

You may very well be asked for a snail mail addy so I can send you some delicious home made organic thank yous.

A verbal (well, I guess 'written' since I probably won't hear you from where I live) 'thank-you' is quite enough, especially considering that posting personal details isn't allowed on the forums (for better or worse, unfortunately).

code-a;10997260 wrote:

Luckily I am not concerned about safety just yet, as much as making this work, but as soon as it works, that will be directly my next mission is securing everything tight.

Be careful with that mindset; I can't count the number of times I've heard promises of "Oh we'll work that in at the end before this release..." that are either a) completely forgotten, or b) intentionally overlooked ("Ah, well, we really need to get this out the door... can't we just worry about that in the next revision?" - insert endless loop here).

code-a;10997260 wrote:

One recommendation I was given was not to use sessions, only cookies for safety.

That's about the exact opposite of the truth.

Session data is (only) stored on the server. The only piece of information stored on the client-side of things is the session ID (which gets propagated most often through a cookie, optionally through the query string in the URL). As such, users can't modify session data; the only risk, then, is "session hijacking" where they somehow are able to determine someone else's session ID value and "hijack" their session by duplicate that ID value in their requests. More info on that can be found by Google'ing "PHP session hijacking" I'm sure.

code-a;10997260 wrote:

I am a little at the mercy of the tutorial I build from

Change "a little" to "fully" and I think you've nailed a common problem. Just remember, it doesn't take any intelligence or experience whatsoever to write up your own tutorial and post it on the Internet, so YMMV (greatly).

code-a;10997260 wrote:

I believe my error now has to do with my mysql_connect... I am seeing that this is where you were saying you should not put user data.

Not at all.. at least, that isn't what I was referring to in my reply above. And besides, you won't likely ever need user-supplied data just to connect to your MySQL server anyway.

What I was referring to was using user-supplied data in the actual SQL queries you send to the server.

code-a;10997260 wrote:

<?php

//session
session_start();

Is there really whitespace before the opening '<?php' tag? If so, you should remove it, as that should cause errors when you try to call [man]session_start/man since that whitespace is considered as output.

code-a;10997260 wrote:

//login check function
function loggedin()
{
 if (isset($_SESSION['username'])||isset($_COOKIE['username']))
 {
    $loggedin = TRUE;
    return $loggedin;
  }
}

Er... that seems quite misleading. All I have to do to be considered "logged in" is manufacture a cookie named 'username' and give it any value I want?

code-a;10997260 wrote:

It is not letting me log in, and I have been having trouble with my server logging into phpmyadmin too.

Well that's understandable, since you can't "log in" to phpMyAdmin anyway; phpMyAdmin is just a PHP application that provides a GUI to access a MySQL server. The only credentials you would give phpMyAdmin are the ones it needs to make a connection to the MySQL server.

code-a;10997260 wrote:

It's saying there is an error in the user/pword, and I have tried the phpmyadmin login info. Did not work.

If you are able to access your MySQL server via phpMyAdmin using a set of credentials, then those same credentials will work in your own PHP application (which is no different than phpMyAdmin at a higher level - both are simply PHP applications making a connection to a MySQL server).

code-a;10997272 wrote:

Yah, as soon as you guys said that I was thinking I better get hip to the new connect, so I'll go change that now.

Just to clarify, note that the [man]MySQLi[/man] extension is an entire new library of functions - not just a difference in connecting to a MySQL DB.

And to pick up a question posted while I was replying...

code-a;10997274 wrote:

so can I just replace mysql with mysqli ?

Not really, no; there are additional differences between the two extensions, such as the number and order of required parameters for various functions (especially the corresponding _query() functions).

Check! You guys are so awesome, I am going to try to spend some hours reading for the rest of the afternoon and catching up with this info before I ask you guys any more ?'s!

Again, thank you so much!

So for right now my code is;

<?php

include 'functions.php';

if (loggedin())
{
   header("Location: profile.php");
   exit();
}

if ($_POST['login'])
{
 //get data
 $username = $_POST['username'];
 $password = $_POST['password'];
 $rememberme = $_POST ['rememberme'];

 if ($username&&$password)
 {

 $login = mysql_query("SELECT * FROM users WHERE username='$username'");
 while ($row = mysql_fetch_assoc($login))
 {

       $db_password = $row['password'];
       if (md5($password)==$db_password)
          $loginok = TRUE;
       else
          $loginok = FALSE;

       if ($loginok==TRUE)
       {

          if ($rememberme=="on")
             setcookie("username", $username, time()+7200);
          else if ($rememberme=="")
               $_SESSION['username']=$username;

          header("Location: profile.php");
          exit();

       }
       else
           die("Incorrect username/password combination.");

 }
 }
 else
     die("Please enter a username and password.");

}

?>



<form action="login.php" method="POST">
Username:<br />
<input type="text" name="username"><p />
Password:<br />
<input type="password" name="password"><p />

<input type="checkbox" name="rememberme"> Remember me<br />
<input type="submit" name="login" value="Log in"
</form>

but rather than showing the form (login.php), it directly goes to "you must supply username and password"

Well for one, none of your die() statements begins with the text "you must supply," so I'm guessing you meant that you're seeing the "Please enter a username and password." message?

Also, how were you trying to access the page? Did you type in the URL for it directly, or were you simply refreshing a window/tab you already had open? If the latter, are you sure you weren't re-sending some POST data with each refresh?