PHP Login Script Question.. Please Help.

brainbug

I'm trying to use a simple PHP Login script for my website. But I am facing a problem with login.

Okay, here are the two files I used.

------------------------------------------------------------------------------------
[loginform.php] - the form where we enter username and password
------------------------------------------------------------------------------------
Code:
<form name="login-form" id="login-form" method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
  <fieldset>
  <legend>Please login:</legend>
  <dl>
	<dt>
	  <label title="Username">Username:
	  <input tabindex="1" accesskey="u" name="username" type="text" maxlength="50" id="username" />
	  </label>
	</dt>
  </dl>
  <dl>
	<dt>
	  <label title="Password">Password:
	  <input tabindex="2" accesskey="p" name="password" type="password" maxlength="15" id="password" />
	  </label>
	</dt>
  </dl>
  <dl>
	<dt>
	  <label title="Submit">
	  <input tabindex="3" accesskey="l" type="submit" name="cmdlogin" value="Login" />
	  </label>
	</dt>
  </dl>
  </fieldset>
</form>
------------------------------------------------------------------------------------
[login.php] the file which processes the login form
------------------------------------------------------------------------------------
Code:
<?php
if (!session_is_registered('loginid') || !session_is_registered('username'))
{
	// user is not logged in.
	if (isset($_POST['cmdlogin']))
	{
		// retrieve the username and password sent from login form
		// First we remove all HTML-tags and PHP-tags, then we create a md5-hash
		// This step will make sure the script is not vulnerable to SQL injections.
		$u = strip_tags($_POST['username']);
		$p = md5(strip_tags($_POST['password']));
		//Now let us look for the user in the database.
		$query = sprintf("SELECT loginid FROM login WHERE username = '%s' AND password = '%s' LIMIT 1;",
			mysql_real_escape_string($u), mysql_real_escape_string($p));
		$result = mysql_query($query);
		// If the database returns a 0 as result we know the login information is incorrect.
		// If the database returns a 1 as result we know  the login was correct and we proceed.
		// If the database returns a result > 1 there are multiple users
		// with the same username and password, so the login will fail.
		if (mysql_num_rows($result) != 1)
		{
			// invalid login information
			echo "Wrong username or password!";
			//show the loginform again.
			include "loginform.php";
		} else {
			// Login was successful
			$row = mysql_fetch_array($result);
			// Save the user ID for use later
			$_SESSION['loginid'] = $row['loginid'];
			  // Save the username for use later
			$_SESSION['username'] = $u;
			  // Now we show the userbox
			show_userbox();
		}
	} else {
		 // User is not logged in and has not pressed the login button
		 // so we show him the loginform
		include "loginform.php";
	}
} else {
	 // The user is already logged in, so we show the userbox.
	show_userbox();
}
?>
------------------------------------------------------------------------------------
Database Info: Table contains three fields namely loginid, username and password
------------------------------------------------------------------------------------

The Problem:
The login form was supposed to check the username and password fields and log in. But I get redirected to the loginform page with the message 'Wrong Username or Password'. Any ideas, folks? Please.
 
Why so complicated? That's my question.

In answer to your question, why not just do a simple SQL statement like so,

Code:
$sql = mysql_query("SELECT * FROM tblname WHERE username='$username' AND password='$password'");
$count = mysql_num_rows($sql);

if ($count == 1) {
    session_register("username");
    session_register("password");
    header("location:index.php");
} else {
    echo "Incorrect username or password";
}

Of course you need to set $username and $password to $_POST['username'] and $_POST['password'].
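
Added example, not part of either post: the reply's query puts $username and $password straight into the SQL string, and both scripts match the password inside the WHERE clause. A version of the same check with a bound parameter and password_hash()/password_verify(), assuming PHP 7+ with the pdo_sqlite driver; the in-memory table mirrors the thread's loginid/username/password columns, and the user alice and the function names make_demo_db, check_login and login are constructed for illustration.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7+ with pdo_sqlite;
// the in-memory database and the user "alice" are constructed sample data.

function make_demo_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Same three columns the thread describes: loginid, username, password.
    $pdo->exec('CREATE TABLE login (loginid INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)');
    $stmt = $pdo->prepare('INSERT INTO login (username, password) VALUES (?, ?)');
    // Store a salted, slow hash instead of md5() or the plaintext password.
    $stmt->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $pdo;
}

// Returns the loginid on success, or null on any failure.
function check_login(PDO $pdo, string $username, string $password): ?int
{
    // Bound parameter: the username is sent as data, never spliced into the SQL.
    $stmt = $pdo->prepare('SELECT loginid, password FROM login WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // The password is compared in PHP against the stored hash, not in the WHERE clause.
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    return (int) $row['loginid'];
}

function login(PDO $pdo, string $username, string $password): bool
{
    $id = check_login($pdo, $username, $password);
    if ($id === null) {
        return false;
    }
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true);   // new session ID after login (session fixation)
    $_SESSION['loginid'] = $id;    // store the ID only, never the password
    $_SESSION['username'] = $username;
    return true;
}

$pdo = make_demo_db();
var_dump(check_login($pdo, 'alice', 'correct horse'));   // valid credentials
var_dump(check_login($pdo, 'alice', 'wrong'));           // wrong password
var_dump(check_login($pdo, "alice' OR '1'='1", 'x'));    // quote characters are treated as data
```

In a real page, login() is called with $_POST['username'] and $_POST['password'] before any output is sent, so that session_start() can set its cookie.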
 