1st. Replace your $sql query with this

$sql = sprintf("SELECT * FROM admin WHERE UserName = '%s' AND Password = '%s'",
    mysql_real_escape_string($UserName),
    mysql_real_escape_string($Password));
$result = mysql_query($sql) or die(mysql_error());

Ólafur Waage
olafurw@xxxxxxxxx

On Thu, Dec 18, 2008 at 3:56 PM, Terion Miller <webdev.terion@xxxxxxxxx> wrote:
> Still this won't pass the session to the next page.... is there a way to
> pass parameters in the url but mask them? maybe that would be easier, since
> I do have code that works passing the adminID on the url ...
> can a parameter be hashed after the fact? I tried echo-ing the fields on
> the next page and they are not passing...
> my code that still doesn't work:
>
> <?php
> // start session
> session_start();
> include("inc/dbconn_open.php") ;
> $errs = error_reporting ('E_ALL');
>
> if (isset($_POST['UserName'])) {$UserName = $_POST['UserName'];} else
> {$UserName = '';}
> if (isset($_POST['Password'])) {$Password = $_POST['Password'];} else
> {$Password = '';}
>
> $msg = '';
>
> if (!empty($UserName)) {
>
> $sql = "SELECT * FROM admin WHERE UserName ='$UserName' and Password
> ='$Password' "
> or die(mysql_error());
> $result = mysql_query ($sql);
> $row = mysql_fetch_object ($result);
> If (mysql_num_rows($result) > 0) {
> $_SESSION['AdminLogin'] = $row['AdminID'];
> header ("Location: Main.php");
> } else {
> $msg = "Invalid Login";
> }
> }
>
> ?>
>

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
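An added example, not part of the original thread: the same login check written with PDO bound parameters instead of string escaping (the mysql_* functions used above were removed in PHP 7), with the password stored as a hash and the row fetched as an array so that `$row['AdminID']` is valid. It goes beyond the reply above, which keeps the plain-text password comparison. The in-memory SQLite table, its sample row, and the function names `check_admin_login` and `start_admin_session` are assumptions constructed for illustration; it needs PHP 7.1+ with the pdo_sqlite extension.

```php
<?php
// Added example (not from the thread). The table mirrors the thread's `admin`
// table; the in-memory SQLite database and its one row are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE admin (AdminID INTEGER PRIMARY KEY, UserName TEXT UNIQUE, Password TEXT)');
$ins = $pdo->prepare('INSERT INTO admin (UserName, Password) VALUES (?, ?)');
$ins->execute(["O'Brien", password_hash('constructed-sample-pw', PASSWORD_DEFAULT)]);

// Hypothetical helper: returns the AdminID on success, null on any failure.
function check_admin_login(PDO $pdo, string $userName, string $password): ?int
{
    // Bound parameter: the submitted value is sent as data and never
    // becomes part of the SQL text, whatever characters it contains.
    $stmt = $pdo->prepare('SELECT AdminID, Password FROM admin WHERE UserName = :u');
    $stmt->execute([':u' => $userName]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);      // associative array, not an object

    // Compare against the stored hash; same result for unknown user and bad password.
    if ($row === false || !password_verify($password, $row['Password'])) {
        return null;
    }
    return (int) $row['AdminID'];
}

// Hypothetical helper for the web request path (not called in the CLI demo below).
function start_admin_session(int $adminId): void
{
    session_start();
    session_regenerate_id(true);                // fresh session id after login
    $_SESSION['AdminLogin'] = $adminId;
    header('Location: Main.php');
    exit;                                       // nothing may run after the redirect
}

// Constructed inputs: valid login, wrong password, unknown name containing a quote.
$samples = [
    ["O'Brien", 'constructed-sample-pw'],
    ["O'Brien", 'wrong-password'],
    ["x'y", 'anything'],
];
foreach ($samples as [$userName, $password]) {
    $adminId = check_admin_login($pdo, $userName, $password);
    echo $userName, ' => ', $adminId === null ? 'Invalid Login' : "AdminID $adminId", "\n";
}
```

In a real request handler, `start_admin_session($adminId)` would be called in place of the `echo` when the login succeeds.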