
View Full Version : Need help, login just redirects to host homepage



SKY-ProToSs
05-27-2011, 10:37 PM
I am unsure what happens in the code. Maybe one of you can see what's wrong with it?




<?php

if (isset($_POST['submitted'])) {

$user = $_POST['userlog'];
$pass = $_POST['passlog'];

$abc = mysqli_connect('mysql16.***************','a2527189_main2','fusiongtxo0');

mysqli_select_db($abc, 'a2527189_main2');

$query = mysqli_query($abc, "SELECT * FROM MEMBERS WHERE USERNAME ='" . $user . "'") or die ("User does not exist!");

$query2 = mysqli_num_rows($query);

if ($query2 == 0) {

echo "Username does not exist";

echo "<form action=\"{$_SERVER['PHP_SELF']}\" method=\"POST\">

<input type=\"username\" size=\"18\" value=\"username\" id=\"userlog\" name=\"userlog\" />
<input type=\"password\" size=\"18\" value=\"password\" id=\"passlog\" name=\"passlog\" />
<input type=\"submit\" value=\"Submit\" id=\"submitted\" />

</form>";

}

else {

while($row = mysqli_fetch_array($query, MYSQLI_ASSOC)) {

if ($user == $row['USERNAME'] && $pass == $row['PASSWORD']) {

echo "Welcome: " . $user . "";
setcookie('user',$user,time()+3600);
setcookie('pass',$pass,time()+3600);



}

else {

echo "Username or Password does not exist";

echo "<form action=\"{$_SERVER['PHP_SELF']}\" method=\"POST\">

<input type=\"username\" size=\"18\" value=\"username\" id=\"userlog\" name=\"userlog\" />
<input type=\"password\" size=\"18\" value=\"password\" id=\"passlog\" name=\"passlog\" />
<input type=\"submit\" value=\"Submit\" id=\"submitted\" />

</form>";
}
}
}
}

else {

?>

<form action="{$_SERVER['PHP_SELF']}" method="POST">

<input type="username" size="18" value="username" id="userlog" name="userlog" />
<input type="password" size="18" value="password" id="passlog" name="passlog" />
<input type="submit" value="Submit" id="submitted" />

</form>

<?php

}

?>

tangoforce
05-27-2011, 11:05 PM
<form action="{$_SERVER['PHP_SELF']}" method="POST">



Try printing / echo'ing that in php for a start..



<form action="<?php print $_SERVER['PHP_SELF']; ?>" method="POST">

shadowmaniac
05-27-2011, 11:10 PM
Quoted from http://php.net/manual/en/reserved.variables.php by "Typer85 at gmail dot com"


Note the manual entry for PHP_SELF states the following:

"The filename of the currently executing script, relative to the document root. For instance, $_SERVER['PHP_SELF'] in a script at the address http://example.com/test.php/foo.bar would be /test.php/foo.bar."

However I did some vigorous testing on three different machines and this note is not always true. The results are given below:

Given a URL of http://www.example.com/Info.php/Page/Home

Apache 2.2.4/Win32/PHP 5.2.2/Apache 2.0 Handler
----> PHP_SELF = Info.php/Page/Home

Apache 1.3.37/Unix/PHP 5.2.2/CGI
----> PHP_SELF = Info.php

Apache 1.3.33/Unix/5.1.4/FastCGI
----> PHP_SELF = Info.php

To be completely honest, I am not sure why this is the case; perhaps there is a setting in Apache to modify this option, but in either case take careful consideration of this note.


Seems like you fall in the last 2 categories. If that's the case, replace $_SERVER['PHP_SELF'] in your code with an absolute path.

Also, please look into securing your code.

tangoforce
05-27-2011, 11:22 PM
Also please don't show us your mysql connection user and password as you have above - just leave those blank or put something like <username> <password> in their place.

Next:


//PHP.net manual doesn't appear to have this function - use mysql_select_db() instead or see:
//http://uk.php.net/manual/en/mysqli.select-db.php
mysqli_select_db($abc, 'a2527189_main2');

//Secondly, $abc is passed as an optional 2nd parameter:
mysql_select_db('a2527189_main2', $abc);


Even more:


//Again, unable to find mysqli_query on php.net - use mysql_query() instead or see:
//http://uk.php.net/manual/en/mysqli.query.php
$query = mysqli_query($abc, "SELECT * FROM MEMBERS WHERE USERNAME ='" . $user . "'") or die ("User does not exist!");

//Note we don't need the mysql resource parameter - You can use it but not needed
$query = mysql_query("SELECT * FROM MEMBERS WHERE USERNAME ='" . $user . "'") or die ("User does not exist!");


Next up: Queries

A Query is the actual SQL string: select from <table> where ..


//This is a result so call it a $Result not a $query - otherwise you'll get confused
$query = mysqli_query($abc, "SEL");

//Same again - this isn't a query it's a returned result
$query2 = mysqli_num_rows($query);


The reason I say this about the names of queries is that it is quite easy to use another variable inside a loop called $query and then overwrite the $query variable that the loop was working from - EG:



while ($row = mysql_fetch_array($query))
{
//Do lots of stuff here and then..
$query = "select * from somewhere_else";
$query = mysql_query($query); //Hang, we've just broken our loop
}


Finally, mysqli is in the format of an object, so you need to create and use it like this:


$mysqli = new mysqli("localhost", "my_user", "my_password", "test");

/* check connection */
if (mysqli_connect_errno()) {
printf("Connect failed: %s\n", mysqli_connect_error());
exit();
}

/* return name of current default database */
if ($result = $mysqli->query("SELECT DATABASE()")) {
$row = $result->fetch_row();
printf("Default database is %s.\n", $row[0]);
$result->close();
}
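
Added example (not code from any poster in this thread): the login page from the first post rewritten with the object-style mysqli shown above and the "securing your code" advice applied, using a prepared statement, password_verify(), a session instead of user/pass cookies, and an escaped PHP_SELF. The environment variable names and the assumption that MEMBERS.PASSWORD stores password_hash() output are hypothetical.

```php
<?php
// Added example, not the poster's code. Assumptions: DB_HOST, DB_USER, DB_PASS and
// DB_NAME environment variables (hypothetical names), and a MEMBERS.PASSWORD column
// holding password_hash() output rather than the plaintext the original compares.

function find_password_hash(mysqli $db, string $user): ?string
{
    // The ? placeholder keeps $user out of the SQL text, so quotes in it cannot alter the query.
    $stmt = $db->prepare('SELECT PASSWORD FROM MEMBERS WHERE USERNAME = ?');
    $stmt->bind_param('s', $user);
    $stmt->execute();
    $stmt->bind_result($hash);
    $found = $stmt->fetch();            // true when a row was fetched, null when none
    $stmt->close();
    return $found ? $hash : null;
}

function login(mysqli $db, string $user, string $pass): bool
{
    $hash = find_password_hash($db, $user);
    return $hash !== null && password_verify($pass, $hash);
}

session_start();
$message = '';
// Checking the request method does not depend on the submit button having a name attribute.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);   // throw on DB errors
    $db = new mysqli(getenv('DB_HOST'), getenv('DB_USER'), getenv('DB_PASS'), getenv('DB_NAME'));
    $user = (string)($_POST['userlog'] ?? '');
    $pass = (string)($_POST['passlog'] ?? '');
    if (login($db, $user, $pass)) {
        session_regenerate_id(true);    // fresh session id after authentication
        $_SESSION['user'] = $user;      // server-side state; nothing secret goes into a cookie
        $message = 'Welcome: ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
    } else {
        $message = 'Username or password is incorrect';   // same reply for both failures
    }
}
// PHP_SELF can include request path info (see the quoted manual note), so escape it.
$action = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8');
?>
<p><?php echo $message; ?></p>
<form action="<?php echo $action; ?>" method="POST">
<input type="text" size="18" id="userlog" name="userlog" />
<input type="password" size="18" id="passlog" name="passlog" />
<input type="submit" value="Submit" />
</form>
```

Existing rows with plaintext passwords would need to be re-stored through password_hash() before this check accepts them.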

tangoforce
05-27-2011, 11:23 PM
Seems like you fall in the last 2 categories. If that's the case, replace $_SERVER['PHP_SELF'] in your code with an absolute path.

No it just wasn't in <? ?> tags and had no print / echo statement.


