php - login script redirects user no matter what -

i'm making login page website connects mysql database stores login details. when submit form redirects information regardless of whether or not login valid. i'm confused wrong.

my form:

<form name="login" action="edit_profile/index.php" method="post"> //redirects page regardless of has been submitted     <fieldset>         <legend>please enter login details</legend>         <label for="username">username</label>         <input id="username" name="username" type="text" value="" required/><br>          <label for="password">password</label>         <input id="password" name="password" type="password" value="" required/><br>         <input type="submit" value="submit"/>     </fieldset> 

the php script:

<?php require_once "connectdb.php";?> <?php     if(isset($_post["submit"])){         $username=$_post["username"];         $password=$_post["password"];          $query=mysql_query("select * login_details username='".$username."'and password='".$password."'");         $numrows=mysql_num_rows($query);     if($numrows!=0) {          while($$row=mysql_fetch_asoc($query)) {             $dbusername=$row["username"];             $dbpassword=$row["password"];         }          if($user == $dbusername && $pass == $dbpassword) {             session_start();             $_session["user_session"]=$user;             echo "<pre>";             print_r($_session);             echo '</pre>';             }         } else {             echo "invalid username or password!"; //does not echo         } } ?> 

there few things wrong code.

one of conditional statement

if(isset($_post["submit"])){...} 

your submit button not bear name attribute

<input type="submit" value="submit"/> 

modify read as

<input type="submit" name="submit" value="submit"/> 

then while($$row remove 1 of $

and mysql_fetch_asoc has typo, should read mysql_fetch_assoc

while($row=mysql_fetch_assoc($query))

plus, posted code seems missing closing </form> tag.

• you should check action , make sure indeed right url php.

• you should space out and in username='".$username."'and may cause issue username='".$username."' and, just in case.

then have line:

if($user == $dbusername && $pass == $dbpassword) 

$user , $pass @ point undefined, may have wanted use $username , $password respectively.

add error reporting top of file(s) find errors.

<?php  error_reporting(e_all); ini_set('display_errors', 1);  // rest of code 

sidenote: error reporting should done in staging, , never production.

• also add or die(mysql_error()) mysql_query().

---

footnotes:

i noticed may storing passwords in plain text. if case, highly discouraged.

i recommend use crypt_blowfish or php 5.5's password_hash() function. php < 5.5 use password_hash() compatibility pack.

your present code open sql injection. use mysqli prepared statements, or pdo prepared statements. password storage, use crypt_blowfish or php 5.5's password_hash() function. php < 5.5 use password_hash() compatibility pack.

• ircmaxell posted answer yesterday using password_hash() , password_verify()
• have look: https://stackoverflow.com/a/29778421/