$query = "SELECT * FROM " userinfo "WHERE " username='$username' and pword='$pword';

should be
$query = "SELECT * FROM userinfo WHERE username='$username' AND pword='$pword'";

//Ok, great...that cleared the error...now i have a new problem...
you can see that if they have a bad login, i want it to say "bad login" and prompt the login page again, but when i entered actual valid credentials, it just cleared the form fields and kept me on the same page...it did not send me to the index.html page like i want....
any ideas?

$query = "SELECT * FROM userinfo WHERE username='$username' and pword='$pword'";

$result = mysql_query($query);

if (mysql_num_rows($result)!= 1) {
$error = "Bad Login";
include 'loginpage.php';

} else {
$_SESSION['username'] = '$username';
include 'index.html';
}

Echo out your mysql_num_rows value to ensure it really is 1.

Also don't forget to mysql_real_escape_string() your username and password variables to prevent less than honest people from doing bad things :-)

JAG

sorry, im still getting the hang of PHP (coming over from years of ASP only....)

"Echo out your mysql_num_rows value to ensure it really is 1. "

do you mean:

$mysql_num_rows = 1;

is that it?

Like this:

$query = "SELECT * FROM userinfo WHERE username='$username' and pword='$pword'";

$result = mysql_query($query);

echo "How many results: ".mysql_num_rows($result);
die();

if (mysql_num_rows($result)!= 1) {
$error = "Bad Login";
include 'loginpage.php';

} else {
$_SESSION['username'] = '$username';
include 'index.html';
}

That will at least tell you if the number is what you expect. I'm guessing it will be 0.

JAG

Unfortunately that did not work....and i dont expect you to do my programming for me...
So, if you have time....check the entire page to see what i am doign wrong....your addition only brough up the echo page, and did not pass the user to the index.html page.

<?php

//Database Information

$dbhost = "localhost";
$dbname = "name";
$dbuser = "user";
$dbpass = "password";

//Connect to database

mysql_connect ( $dbhost, $dbuser, $dbpass)or die("Could not connect: ".mysql_error());
mysql_select_db($dbname) or die(mysql_error());

session_start();
$username = $_POST['username'];
$pword = md5($_POST['pword']);

$query = "SELECT * FROM userinfo WHERE username='$username' and pword='$pword'";

$result = mysql_query($query);

echo "How man results: ".mysql_num_rows($result);
die();

if (mysql_num_rows($result)!= 1) {
$error = "Bad Login";
include 'loginpage.php';

} else {
$_SESSION['username'] = '$username';
include 'index.html';
}

?>

I hope this helps you.

if (mysql_num_rows($result) > 0) {
$_SESSION['username'] = $username;
include 'index.html';
} else {
$error = "Bad Login";
include 'loginpage.php';
}

JAG's addition was a temporary diagnostic aid to help you see what was going on, and it looks like it did what it was supposed to: print the number of records and stop.
So the point is, what was the number?
If it was zero, then your name and md5'd password aren't a row in the database table.

If it was non-zero (hopefully 1) then something is likely wrong with the index.html page. You might try redirecting to it with:
header("Location: index.html\n\n");
exit();

instead of including it. Comment or remove the echo and die lines.

What JAG was saying earlier is that you should do this:
$username = mysql_real_escape_string($_POST['username']);
$pword = md5(mysql_real_escape_string($_POST['pword']));

to safeguard against sql injection.

Oops. Yes. I put a die() in there so you could see the number without anything else happening. Was the number it showed 0 or 1?

JAG