HELP user login always returns with success?? won't check db

I have an index.php page that contains a form and I want it to display the proper error based on the info it gets from my login.php file. As soon as it loads though, it always displays "successful login" even when no information is entered. I have attached the files. PLEASE HELP

index.php -------

<?php
error_reporting(E_ALL | E_STRICT);
ini_set('display_errors', True);

session_start();
?>

<html>
<head>
	<title>My login</title>
</head>
<body>
	<div></div>
	<?php if (isset($_SESSION['username'])) { ?>
	You are now logged in
	<a href="logout.php">Logout</a>
	<?php } ?> 
	<form action="login.php" method="post">
		username: <input name="username" type="text" />
		password: <input name="password" type="password" />
		<input type="submit" />
	</form>
	
	<!-- Output Error -->
	<?php /* isset() checks the key; in_array() would search the session values */ ?>
	<?php if (isset($_SESSION['error'])) echo $_SESSION['error']; unset($_SESSION['error']); ?>
</body>
</html>

login.php ----

<?php
session_start();

$db_host = 'localhost';
$db_user = 'root';
$db_pass = '';
$db_db = 'users';



if (isset($_POST['username']))
{
	// Mysql Connection
	$db_link = mysql_connect($db_host, $db_user, $db_pass)
		or die('MySQl Connection Error:'.mysql_error());
	mysql_select_db($db_db)
		or die('MySQL Error: Cannot select table');
	
	$username = mysql_real_escape_string($_POST['username']);
	$password = mysql_real_escape_string($_POST['password']);
	
	// MySQL Query
	$result = mysql_query("SELECT * FROM users 
		WHERE username = '$username' AND password = '$password' ");
		
	// NOTE: mysql_query() returns a result resource even when no row matches;
	// it returns false only when the query itself fails, so this is not a login check
	if(!$result) {
		$_SESSION['error'] = '<span style="color: red">Login Failed</span>';
	} else {
		// Mysql fetch row results
		$row = mysql_fetch_assoc($result);
		
		$_SESSION['userid'] = $row['id'];
		$_SESSION['username'] = $username;
		$_SESSION['error'] = 'Login successful<br> Welcome, '.$username;
	}
	mysql_close($db_link);

}

header('Location: ./');
?>

ADMIN EDIT: Added the php CODE tags for readability

Hello infinity1111,

looking through your code, you always initialise the session variable providing a user has posted that field. You may want to pick up a specific variable, maybe "loggedin" or some such.

Also, on a security note: I wouldn't set the password in a session string. Sessions can be cloned and that information may become available.

-Miles
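For reference, here is an added login.php that fixes the root cause of the question (the original only tests whether the query ran, not whether a row came back) and picks up Miles' suggestion of a dedicated "loggedin" flag. This is example code written for this thread, not the poster's files or Miles' code. It goes a bit beyond the original by using PDO prepared statements, password_hash()/password_verify() instead of plaintext passwords, and session_regenerate_id() on login. It assumes a `users` table with columns `id`, `username` and `password_hash` (a string produced by password_hash()), reachable through the DSN and credentials at the top; those values, the dummy hash, and the `loggedin` key are all assumptions.

```php
<?php
// Added example for this thread, not the original poster's code.
// Assumed schema: users(id, username, password_hash) where password_hash
// was created with password_hash($plain, PASSWORD_DEFAULT).
session_start();

$dsn     = 'mysql:host=localhost;dbname=users;charset=utf8mb4'; // assumed DSN
$db_user = 'root';                                               // assumed
$db_pass = '';                                                   // assumed

function redirect_home(): void
{
    header('Location: ./');
    exit; // nothing below a redirect should keep running
}

// No form submission at all: just go back to the form.
if (!isset($_POST['username'], $_POST['password'])) {
    redirect_home();
}

try {
    $pdo = new PDO($dsn, $db_user, $db_pass, [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
} catch (PDOException $e) {
    // A connection failure is a server problem, not a failed login;
    // log the detail server-side and show the user a generic message.
    error_log('DB connection failed: ' . $e->getMessage());
    $_SESSION['error'] = 'Login temporarily unavailable';
    redirect_home();
}

// Prepared statement: the submitted username never becomes part of the SQL text,
// so no escaping is needed and injection is not possible here.
$stmt = $pdo->prepare('SELECT id, username, password_hash FROM users WHERE username = ?');
$stmt->execute([$_POST['username']]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// This is the check the original login.php lacked: a successful execute() only
// means the query ran; fetch() returns false when no row matched.
// password_verify() is still called (against an assumed placeholder hash) when
// there is no row, so the response time does not reveal whether the username exists.
$dummy_hash = '$2y$10$' . str_repeat('a', 53); // constructed placeholder, never a real hash
$hash = $row !== false ? $row['password_hash'] : $dummy_hash;
$ok   = password_verify($_POST['password'], $hash) && $row !== false;

if (!$ok) {
    $_SESSION['error'] = 'Login failed';
    redirect_home();
}

// Successful login: issue a fresh session id so a session id obtained before
// login (fixation / cloning) is worthless, then set a dedicated flag rather than
// inferring "logged in" from the mere presence of a username in the session.
session_regenerate_id(true);
$_SESSION['loggedin'] = true;                // assumed flag name, per Miles' suggestion
$_SESSION['userid']   = (int) $row['id'];
$_SESSION['username'] = $row['username'];
// Escape before storing, because index.php echoes this string into the HTML as-is.
$_SESSION['error'] = 'Login successful, welcome '
    . htmlspecialchars($row['username'], ENT_QUOTES, 'UTF-8');
redirect_home();
```

On index.php, the matching change is to test `isset($_SESSION['loggedin'])` rather than `isset($_SESSION['username'])`, and logout.php should clear the flag and call session_destroy(). Existing plaintext passwords in the table would need to be re-hashed with password_hash() once for this to work.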
