Login script validation & sessions

The below login script does work. The form does not seem to be
submitting. I keep getting the username and password fields. [...]I'd appreciate it if someone could give me some pointers.

The below login script does work. The form does not seem to be
submitting. I keep getting the username and password fields. The
only errors I get are notices that email and password and undefined
indexes.

Here's the login script:
<?php
session_start();

// includes
include_once ("includes/common.php");
include_once ("includes/db_vars.inc");
//check to see isLoggedIn is True
if (!isset($_SESSION["isLoggedIn"])) {
?>
<!-- LOGIN FORM -->
<form method=post action="<?echo $_SERVER['PHP_SELF']?>">
<table cellpadding=2 cellspacing=0 border=0>
<td>Username:</td><td><input type="text" name="email"
size=10></td><tr>
<td>Password:</td><td><input type="password" name="password"
size=10></td><tr>
<td>&nbsp;</td><td><input type="submit" name="submit" value="Log
In"></td>
</table></form>
<?php
//connect to database
dbConnect('crc1');
$email = $_POST['email'];
$password = $_POST['password'];

Unnecessary use of vars.

$sql = "SELECT * FROM crc1.tblusers WHERE emailaddress = '$email'
AND password = md5('$password')"; ^^^

Function call within a string won't help =)
$sql = "
SELECT *
FROM crc1.tblusers
WHERE emailaddress = '{$_POST['email']}'
AND password = '" . md5($_POST['password']) . "'
";

echo $sql;
$result = mysql_query($sql) or die ("Error in query: $sql. " .
mysql_error());
while ($row=mysql_fetch_array($result)) {
if (mysql_num_rows($result)!= False) { ^^^^^

This doesn't return a boolean value, rather an INT.
if (mysql_num_rows($result) > 0) {

$isLoggedIn = TRUE;
session_register($email);
session_register($password);
session_register($isLoggedIn); ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
See www.php.net for SESSION information.

header('location: http://localhost/app/mycrc/mycrc.php');
}// end if
}//end if
}else{
//debugging
echo ''.$_POST['email'].' <br/>'; ^^

???

What purpose are these serving? No need for them whatsoever.

echo ''.$_POST['password'].'<br/>';
echo 'Could not log you in.<br/>';
print_r ($_SESSION);
}//end if
?>

I'd appreciate it if someone could give me some pointers.

(Steve Fitzgerald) amazingly managed to produce the following with

$sql = "SELECT * FROM crc1.tblusers WHERE emailaddress = '$email'
AND password = md5('$password')";

^^^
Function call within a string won't help =)

"Ian.H [dS]" <ia*@WINDOZEdigiserv.net> writes:

(Steve Fitzgerald) amazingly managed to produce the following
with

$sql = "SELECT * FROM crc1.tblusers WHERE emailaddress =
'$email' AND password = md5('$password')";

^^^
Function call within a string won't help =)

md5() is a valid MySQL function, should work fine.
http://www.mysql.com/doc/en/Miscella...functions.html

"Ian.H [dS]" <ia*@WINDOZEdigiserv.net> writes:

(Steve Fitzgerald) amazingly managed to produce the following with

$sql = "SELECT * FROM crc1.tblusers WHERE emailaddress = '$email'
AND password = md5('$password')";

^^^
Function call within a string won't help =)

md5() is a valid MySQL function, should work fine.
http://www.mysql.com/doc/en/Miscella...functions.html

The below code authenticates my login, but my sessions are not
registering. In the debugging section I have print_r ($_SESSION); and
all that produces in Array (). Am I missing something?

<?php
session_start();

// includes
include_once ("includes/common.php");
include_once ("includes/db_vars.inc");
//check to see if this form has already been submitted
if (!isSet($_POST['submit'])){
?>
<!-- LOGIN FORM -->
<form method=post action="<?php echo $_SERVER['PHP_SELF']; ?>">
<table cellpadding=2 cellspacing=0 border=0>
<td>Username:</td><td><input type="text" name="email"
size=10></td><tr>
<td>Password:</td><td><input type="password" name="password"
size=10></td><tr>
<td>&nbsp;</td><td><input type="submit" name="submit" value="Log
In"></td>
</table></form>
<?php
}else{
//connect to database
dbConnect('crc1');
$email = $_POST['email'];
$password = $_POST['password'];
$sql = "SELECT * FROM crc1.tblusers WHERE emailaddress = '$email' AND
password = md5('$password')";
echo $sql;
$result = mysql_query($sql) or die ("Error in query: $sql. " .
mysql_error());
while ($row=mysql_fetch_array($result)) {
if (mysql_num_rows($result)!= False) {
$isLoggedIn = TRUE;
session_register("email");
session_register("password");
session_register("isLoggedIn");
//header('location: http://localhost/app/mycrc/mycrc.php');
}// end while
}//end if
echo '<br/>'.$_POST['email'].' <br/>';
echo ''.$_POST['password'].'<br/>';
print_r ($_SESSION);
}//end if
?>

Chris Morris <c.********@durham.ac.uk> wrote in message news:<87************@dinopsis.dur.ac.uk>...

"Ian.H [dS]" <ia*@WINDOZEdigiserv.net> writes:

(Steve Fitzgerald) amazingly managed to produce the following with
> $sql = "SELECT * FROM crc1.tblusers WHERE emailaddress = '$email'
> AND password = md5('$password')";
^^^
Function call within a string won't help =)

md5() is a valid MySQL function, should work fine.
http://www.mysql.com/doc/en/Miscella...functions.html

I corrected part of the problem by using $_SESSION instead of
session_register(). Now, the problem is that my code to validate if
$_SESSION["isLoggedIn"] has been set on the top of each of the pages
I'm trying to protect does not seem to work.

Here's the code:
<?php
session_start();
if (isSet($_SESSION['isLoggedIn']) != '1'){
header('location: http://localhost/login.php');
exit();
}else{
..rest of code
}
?>
I always get sent back to the login page.

Any suggestions?

if (isSet($_SESSION['isLoggedIn']) != '1'){
header('location: http://localhost/login.php');
exit();
}else{
..rest of code
}