Share some code so we can see what you're doing and then we can share some insights ;)

Ok, I think this is the page that is causing the problem.

<?php

if (isset($_POST['username'])&&isset($_POST['password'])) {
$username = $_POST['username'];
$password = $_POST['password'];

$password_hash = md5($password);

if (!empty($username)&&!empty($password)) {

$query = "SELECT `id` FROM `users` WHERE `username`=`$username` AND `password`=`$password_hash`";
if ($query_run = mysql_query($query)) {
$query_num_rows = mysql_num_rows($query_run);

if ($query_num_rows==0) {
echo 'Invalid username/password combination.';
} else if ($query_num_rows==1){
$user_id = mysql_result($query_run, 0, 'id');
$_SESSION['user_id']=$user_id;
header('Location: login.php');
}
}

} else {
echo 'You must supply a username and password';
}

}

?>

<form action="<?php echo $current_file; ?>" method="POST">
Username: <input type="text" name="username"> Password: <input type="password" name="password">
<input type="submit" value="log In">
</form>

I can't get it to echo 'Invalid username/password combination.'; or
log in.

Can you change the if/else for the rows check so it's like:

if (!$query_num_rows) {
echo 'Invalid username/password combination.';
} else {
$user_id = mysql_result($query_run, 0, 'id');
$_SESSION['user_id']=$user_id;
header('Location: login.php');
}

In case you have the same account multiple times. And add an exit after the redirect header.

That didn't make any difference, I also get the following error
"Notice: Undefined index: HTTP_REFERER in C:\xampp\htdocs\2\databases\login\core-inc.php on line 5"

for:

<?php
ob_start();
session_start();
$current_file = $_SERVER['SCRIPT_NAME'];
$http_referer = $_SERVER['HTTP_REFERER'];

function loggedin() {
if (isset($_SESSION['user_id'])&&!empty($_SESSION['user_id'])) {
return true;
} else {
return false;
}
}


?>

Anyone know what I am doing wrong here. Sorry, I really am quite noob.

Maybe you need to post the whole code as the problem could be elsewhere.

If some server variables aren't set you can check that before assignment.

$http_referer = isset($_SERVER['HTTP_REFERER'])?$_SERVER['HTTP_REFERER']:'';

How do I change the settings of my server variables, and how do I want them set?

And can someone possible show me somewhere I can get the code for a login page.

Hi. Looking over your code, it looks like you have a good start. I wouldn't give up on it yet. I usually echo things as I write code to make sure the variables are being passed correctly. And try using mysql_error() after you do a query so you can trouble shoot bad queries.

$query_run = mysql_query($query)or die(mysql_error());
If($query_run)
{ do something }
//echo the $user_id and the $query_num_rows to make sure they are being set.
$user_id = mysql_result($query,0);//no need to specify the 'id' as you already did that in the query.
echo $user_id;//if it's empty, something above that line is broken.
echo 'User id: '.$user_id;

Hope this helps.

Do not forget to filter what user are typing to not be hacked. For example this is a function (includes multiple PHP functions).

// my function
function MyCustomizedFunction($string){
$string = substr($string,0,40); // cut the number of characters
$string = strip_tags($string); // get rid of html,php code that may be malicious 
$string = htmlentities($string); // convert symbols that may be malicious 
$string = htmlentities($string,ENT_QUOTES);
$string = mysql_real_escape_string($string);
return $string;
}


// here i use the function that i have built
$password = MyCustomizedFunction($_POST['password']); 

Thanks a lot, for hacking I have done the following:

$query = "INSERT INTO `users` VALUES ('','".mysql_real_escape_string($username)."', '".mysql_real_escape_string($password_hash)."','".mysql_real_escape_string($firstname)."', '".mysql_real_escape_string($surname)."')";

adding the real_escape_string, will that be enough? I also limited the characters with php and the html form.

[edited by: eelixduppy at 12:50 pm (utc) on Apr 20, 2012]
[edit reason] fixed side scroll [/edit]