Sciptnoob, welcome to WebmasterWorld!
I like putting the header in double quotes instead of single.
But not sure of what you actually get, are you sent anywhere?
Are you sure that the success.html file is located at the same level as your posted script?
Further you should not use <?
But use <?php
the short tag is pretty much deprecated and with php6 will be a "no no"
The scary thing is that you accept POST values in your DB query without checking that the posted values are the expected one,
You are calling for trouble!
For example if your ID is only numerical make sure that $_POST only contains numbers.
Same with password, if passwd is only lower, upper case and numerical than you should check if the POST value is what you expect.
To keep your DB safe you should use before $query: mysql_real_escape_string() function [us3.php.net]
example: $passwd=mysql_real_escape_string($passwd);
Keep in mind that a DB conn has to be established prior using using that function,
so use it after your connection two lines.
come back with more info, we will be happy to help you.

Thanks for the reply, henry0.

To answer your first question, no, I'm not getting sent anywhere when either of the conditions are true, just getting the error message "Parse error: parse error, unexpected T_STRING". That's what I was hoping to fix :) Was I anywhere close to having the right command when I put in "header('location..."?

Regarding your other suggestions/fixes, both ID and password are varchar, but how would I go about checking to see if the "posted values are the expected ones"?

I have also inserted the 'mysql_real_escape_string' per your suggestion; thanks for that.

Again, sorry to be asking such rudimentary questions, but I'm basically relying on online tutorials and forums such as this for support, as I was thrown into this project head-first without any knowledge of php whatsoever.

I look forward to your response!

I have only one min
for the header try removing the space after ":"
for the rest I will later post a couple of filters
unless anyone jump in before I'll be back

File session handler allows only for alpha numerical characters
So you need to check for a-z A-Z and 0-9 range.
Everything else is considered to be an intrusion tentative
Using a SESSION called $id
if(!preg_match('/^[a-z0-9]*$/i', $id))
{
echo”<h3>Intrusion tentative</h3>”;
exit();
}
else
{
// rest of script
}
Note: The exclamation mark "!" negates preg_match
So we check for anything not allowed, remove the question mark and check for the reverse.
The “I” makes it case insensible.
and the function exit() stop anything to be executed and going further.

Since password must be in most cases alpha numerical you may use the same regular expression.
Checking for alpha only then remove 0-9
Allowing for more like punctuation and spaces and dash
if(!preg_match('/^[a-z0-9\-\,\.\ ]*$/i', $id))
etc … got the idea...

One two cent throw. :-)

if(!preg_match('/^[a-z0-9]*$/i', $id))

* means "zero or more of the preceding pattern." So a password could be blank and would still match. What you want is one or more.

if(!preg_match('/^[a-z0-9]+$/i', $id))

Rocknbil,
you are definitively the regex resident.
I guess I'll retire
long live to WebmasterWorld!

Oh, no I'm not. I may know a thing or two but struggled with regexps for years. And still do. :-)

Thank you both for your help. I've definitely learned a lot just from this thread, not to mention the rest of the forum.

Turns out that my issue was a blank line, as PHP apparently interprets those as echo statements? Anyway, I learned that I couldn't have any blank spaces before my header statement, so I took those out and everything worked!

Thanks again for your help, and I'm sure that you'll be hearing from me again in the near future.

I know this is from a week ago, but you said you were just thrown into this and trying to learm, so I figured while I was reading through the forum a bit I'd go ahead and make some comments.

<?
include("dbinfo.inc.php");
mysql_connect(localhost,$username,$password);
@mysql_select_db($database) or die( "Unable to select database");
$id=$_POST['id'];
$passwd=$_POST['passwd'];
$query="SELECT * FROM useraccounts WHERE id='$id' and passwd='$passwd'";
$result=mysql_query($query);
$numrows=mysql_numrows($result);
mysql_close();

IF ($numrows==0){
//echo "Invalid Username or Password";
header('location: failedlogin.html');
}else{
//echo "Thank you, " . $id . "!";
header('location: success.html');
}

?>

1.) Variables within single quotes should NOT be expanded by PHP.

"Unlike the two other syntaxes, variables and escape sequences for special characters will not be expanded when they occur in single quoted strings."

[us.php.net...]
(Yes, they were not technically variables within '', because the '' were within a "" string, but it's good practice... I thought it should break with the localhost not being a string...)

2.) localhost SHOULD be a string. IOW 'localhost'
[us.php.net...]

Along with what the other posters have said, to me it looks like your quoting patterns are missing or backward...

<?php

include('dbinfo.inc.php');
mysql_connect('localhost',$username,$password);
@mysql_select_db($database) or die( 'Unable to select database');
$id=$_POST['id'];
$passwd=$_POST['passwd'];
$query="SELECT * FROM useraccounts WHERE id='".$id."' and passwd='".$passwd."'";
$result=mysql_query($query);
$numrows=mysql_numrows($result);
mysql_close();

if ($numrows==0){
//echo "Invalid Username or Password";
header('location: failedlogin.html');
}else{
//echo "Thank you, " . $id . "!";
header('location: success.html');
}

?>

The problem you were having with the header was NOT a blank line... (I use them often before setting headers.) It was most likely because you had an error and output was sent to the browser before you tried to set the header. A blank line is NOT equal to echo, so there was another issue... My guess from the error you quoted, is it was not having the localhost quoted.