In the case of your currentuser variable, it only holds a placeholder for the results of your query, NOT the actual results. If you wanted the results, you need to pull them from this resource link by using something like mysql_fetch_array or the like...
There are several ways to do a secure login, but the easiest way is to simply check whether you returned a single row from your query. If it did, then you know the database was able to find a match.
On your login2.php page change it to this:
<?php include "layout.php";
include "connect.php";
$currentuser = @("
SELECT * from userlogin where username = '$HTTP_POST_VARS[username]' AND password = '$HTTP_POST_VARS[password]'");
$rows = @mysql_num_rows($currentuser);
if($rows == 1)
{
echo "You are now logged in!"; }
?>
You'll notice a few changes from the previous code:
1) I changed the variables to read from the POST variable array than from the auto populated ones PHP creates. (This avoids problems from multiple logins from the same computer - if you set a cookie with the same name as the variable in the login2 script (username or password in this case), the username will get set to the cookie value and not the login form you provided... Thus it is always good to NOT rely on PHP populating the variables for you).
2) I changed the checking mechanism to see if there were any rows returned from the query. I also checked for just 1 result since you shouldn't have multiple results returned if your database is set up correctly. (something needs to be unique)
3) I added the @ sign in front of the PHP functions to suppress any error messages. It is good for development, but you want to be sure you have them in place so that if you do any re-directs, it won't stop you when an error is generated. (for instance when you try and pull the results from an empty query)
Take Care,
John Cornett
