php problem on member.php page session output "the implied username " worked in login.php but is not displaying in member.php

<html>

<form action="login.php" method="POST">
    Username: <input type="text" name="username"><p>
    Password: <input type="password" name="password">
              <input type="submit" name="submit" value="Login">
</form>

<a href='register.php'>Register Now</a>

</html>

code above was index.html file

<?php

session_start();

$username = $_POST['username'];
$password = $_POST['password'];

if ($username&&$password)
    {

        $connect = mysql_connect("127.0.0.1","root","") or die ("Could not connect to database");
        mysql_selectdb("login") or die ("could not find database");
        $query = mysql_query("select * FROM users WHERE username='$username'");
        $numrows = mysql_num_rows($query);
        if($numrows !=0)
    {
    while ($row = mysql_fetch_assoc($query))
    {
        $dbusername = $row['username'];
        $dbpassword = $row['password'];

    }
    if ($username==$dbusername&&$password==$dbpassword)
    {
    echo $_Session['username']="$dbusername  ";
    echo ",  Login successful. <a href='member.php'>Click here to enter the Members area  

</a>";




    }
    else
        echo "Incorrect password";
    }
    else
        die ("That username does not exists");
    }
    else
        die ("Please enter a username and password");

?>  

code above is login.php where on the login page it displays "username" login successful and a link for click here go to the member area.

<?php

session_start();

if ($_SESSION['username'] = '$dbusername')
    {
  echo "Welcome, ".$_SESSION['username']."<br><<a href='logout.php'>Click here</a> to logout!<br>Click<a href='changepassword.php'> here</a> to change your password!";
    }
else
     die("You must be logged in to see this page");

above is code from member.php page

Here is the display output:

Welcome, $dbusername

Click here to logout! Click here to change your password!

My problem is it should read as follows:

Welcome, Johnny Click here to logout! Click here to change your password!

A solution would be great!

  • You have easy SQL injection in your query, and in member.php you're wrongly checking in your if statement. – Lawrence Cherone Jan 14 '13 at 21:55
  • I agree that seems like the most likely solution, but my problem is when I try the suggestions they're not working. One person suggests "==", the other suggests taking out "". I got the code off YouTube phplogin, went through it 100 times and it worked for him, but something is missing in it for me. Is there a possible version conflict of PHP that might cause this problem? if ($_SESSION['username'] = "$dbusername"){ { echo "Welcome, ".$_SESSION['username']."
    <Click here to logout!
    Click here to change your password!"; }
    – php beginner Jan 14 '13 at 22:39

1 Answer

Where to start? Okay, this will not work as a secure login script. First off, you are storing the password in raw form in the database, with no encryption. Next, checking if a session variable exists is not the correct way to see if the user is logged in. You must check user credentials each time they change page, and preferably regenerate the session ID.

$dbusername has no value on the second page. You are resetting the $_SESSION['username'] to $dbusername when you use the = sign.

Should be:

if ($_SESSION['username']) 

or

if (isset($_SESSION['username']))

Here is a good place to start for hashing the password

Please, don't use mysql_* functions in new code. They are no longer maintained and are officially deprecated. See the red box? Learn about prepared statements instead, and use PDO, or MySQLi - this article will help you decide which. If you choose PDO, here is a good tutorial.

Zoe
ROY Finley
  • Roy, I can't give you all the credit because Sean came back strong and answered my issues on login.php, but he did not get the member page correctly. It works. Thank both of you guys, and Roy, I will take your advice and focus on making the site secure. I'll save this in a folder and have some working idea of what I want the design to be like. But yes, Roy, I will hash password moving forward. I'll make sure I give you guys the recognition you deserve! – php beginner Jan 14 '13 at 22:54
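
The points raised in the answer and the first comment (prepared statements, hashed passwords, regenerating the session ID, and testing the session key with isset() instead of assigning to it), put together as an added example that is not code from the question or the answer. It assumes PHP 5.5+ with the PDO SQLite driver; the in-memory table stands in for the MySQL `users` table, the helper names `attempt_login()` and `member_greeting()` are hypothetical, and the user "Johnny" with its password is constructed sample data.

```php
<?php
// Added example, not the original poster's code. Assumptions: PHP 5.5+ with
// pdo_sqlite; an in-memory table replaces the MySQL `users` table, and the
// account "Johnny" / "s3cret-example" is constructed sample data.
session_start();  // must run before any output on every page using $_SESSION

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)');
$seed = $pdo->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
// Store only a salted hash, never the raw password.
$seed->execute(['Johnny', password_hash('s3cret-example', PASSWORD_DEFAULT)]);

// login.php logic (hypothetical helper): fills the session only on success.
function attempt_login(PDO $pdo, $username, $password)
{
    // The placeholder keeps user input out of the SQL text entirely.
    $stmt = $pdo->prepare('SELECT username, password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Unknown user and wrong password take the same failure path.
    if ($row === false || !password_verify($password, $row['password'])) {
        return false;
    }
    session_regenerate_id(true);               // fresh session ID after login
    $_SESSION['username'] = $row['username'];  // $_SESSION is case-sensitive
    return true;
}

// member.php logic (hypothetical helper): test the key, never assign in the if.
function member_greeting()
{
    if (!isset($_SESSION['username'])) {
        return 'You must be logged in to see this page';
    }
    // Escape on output in case a stored username contains HTML.
    return 'Welcome, ' . htmlspecialchars($_SESSION['username'], ENT_QUOTES, 'UTF-8');
}

$report = [];
$report[] = member_greeting();                                           // before login
$report[] = var_export(attempt_login($pdo, "Johnny' -- ", 'x'), true);   // quote in input
$report[] = var_export(attempt_login($pdo, 'Johnny', 'wrong'), true);    // bad password
$report[] = var_export(attempt_login($pdo, 'Johnny', 's3cret-example'), true);
$report[] = member_greeting();                                           // after login
echo implode(PHP_EOL, $report), PHP_EOL;
```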