login script doesn't work

I've created a login script, but it's not working. I enter in my correct username and password, but it gives me my error message. I'm not sure why, but I think it's because my password isn't being converted to sha1 properly, therefore the database can't read it.


session_start();
require("../connect.php");

if (isset($_POST['submit']))
{
if ($_POST['username'] != '' && $_POST['password'] != '')
{
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string(sha1($_POST['password']));

$sql = mysql_query("SELECT * FROM users WHERE username='$username' AND password='$password'");
$rs = mysql_fetch_assoc($sql);
$ip = $_SERVER['REMOTE_ADDR'];
$browser = $_SERVER['HTTP_USER_AGENT'];

if (isset($_POST['remember']))
{
setcookie("cookiename", $username, time()+60*60*24*100, "/");
setcookie("cookiepass", $password, time()+60*60*24*100, "/");
}

if (!$sql)
{
echo "<p class=\"hack\">Username and password could not be found.<br /><img src=\"../images/queryerror.jpg\" alt=\"\" /></p>";
exit;
}

$count = mysql_num_rows($sql);

if ($count == 1)
{
$_SESSION['username_session'] = $username;
$_SESSION['status_session'] = $rs['status'];
$_SESSION['ip_session'] = $ip;
$_SESSION['browser_session'] = $browser;
$_SESSION['db_logged_in'] = true;
header("Location: ../panel.php");
}
else
{
echo "<p class=\"hack\">Stop hacking!<br /><img src=\"../images/hackerror.jpg\" alt=\"\" /></p>";
exit;
}
}
}
else
{
echo "<p class=\"hack\">You are not suppose to be in here.<br /><img src=\"../images/hackerror.jpg\" alt=\"\" /></p>";
exit;
}


I'm receiving the "Stop hacking!" message.

Your query could be failing but you aren't doing any error checking. Change this
$sql = mysql_query("SELECT * FROM users WHERE username='$username' AND password='$password'");
to this
$sql = mysql_query("SELECT * FROM users WHERE username='$username' AND password='$password'") or die(mysql_error());
Also make sure the password field in your database allows enough characters to fit your whole password. Another thing, posting the actual form might help as well.

you could change the following:


if (!$sql)
{
echo "<p class=\"hack\">Username and password could not be found.<br /><img src=\"../images/queryerror.jpg\" alt=\"\" /></p>";
exit;
}

$count = mysql_num_rows($sql);

if ($count == 1)
{
$_SESSION['username_session'] = $username;
$_SESSION['status_session'] = $rs['status'];
$_SESSION['ip_session'] = $ip;
$_SESSION['browser_session'] = $browser;
$_SESSION['db_logged_in'] = true;
header("Location: ../panel.php");
}


to:


if (!$sql)
{
echo "<p class=\"hack\">Username and password could not be found.<br /><img src=\"../images/queryerror.jpg\" alt=\"\" /></p>";
exit;
} else {
$_SESSION['username_session'] = $username;
$_SESSION['status_session'] = $rs['status'];
$_SESSION['ip_session'] = $ip;
$_SESSION['browser_session'] = $browser;
$_SESSION['db_logged_in'] = true;
header("Location: ../panel.php");
exit;
}


IMO the rest seems un-needed. Just my 2 cents.

If you want to keep your code the same without change, you forgot exit; after header("Location: ../panel.php");