i'm making a login system linked with a database, i want to show an html file after the data get checked from the database.so, i used (the include method) an it shows me the html file in the console not on web page.
i've tried to use (require method) and tried to change it to php file and still doing the same.
<?php
$dbsevername = "127.0.0.1";
$dbusername = "root";
$dbpassword = "**************";
$dbname = "loginsystem";
$dbport = '3306';
$username = $_POST['username'];
$password = $_POST['password'];
$_SESSION["favcolor"] = "green";
$conn = mysqli_connect($dbsevername, $dbusername, $dbpassword,$dbname);
$sql = "SELECT * FROM passwords where username='$username' and password='$password';";
$result = mysqli_query($conn, $sql);
$resultCheck = mysqli_num_rows($result); // = 2
if ($resultCheck > 0) {
while($row = mysqli_fetch_assoc($result)){
if ($row['username'] == $username && $row['password'] == $password) {
include("true.html");
}
}
}else {
include("false.html");
}
mysqli_close($conn);
?>
i want to open the (true.php) or (false.php) when the data get checked.
I would rename to HTML files to PHP.
Is this actually your code? Just checking because if the files are a remote URL this makes a difference.
You are using a while loop to include a HTML file that will only ever have 1 result. There are better methods of doing this but regardless this should work and isn't the issue here. Any errors?
Try
include './true.php';
instead of
include ("true.html");
i want to open the (true.php) or (false.php) when the data get checked.
I think you are making a common rookie oversight here, because at the moment you only check if the data is correct and don't handle anything else:
I've commented through your code below to demonstrate what I mean
//if there is at least 1 result then check the data otherwise include false
if ($resultCheck > 0) {
//while we go through the results check each one
while($row = mysqli_fetch_assoc($result)){
//if the username and password match include true.html
//however you don't break out of the loop, you keep checking
//if you have decided to include true you should use break;
if ($row['username'] == $username && $row['password'] == $password) {
include("true.html");
}
//otherwise do what? this should say else include false and then should probably break out the loop here as the
//this will not fall through into the else block below as that is based on the parent condition
//so you will never include a false in this loop - only if there were 0 rows to begin with
//this means that eventually, whenever our loop finishes we will skip
//down to the next executionable line which is marked with !!!
}
}else {
include("false.html");
}
//!!!
there are some other glaring problems with your code, such as you seem to be storing passwords in pain text in your database, these should be hashed and verified, so you should never be able to just see if a password row == an input, i suggest googling php functions password_hash and password_verify
You also shouldn't be using a while loop, within your login system you must have a unique username and password combination so you should only ever return 1 row - if you have more than 1 row how can you confirm who they are? So you should be using whatever the mysqli equivalent of pdo->fetch() is (i don't know offhand because i only use pdo)
which brings me on to the fact that you should be using prepared statements to combat sql injection, at the moment this login system could be easily used to give someone full access to all your usernames and passwords, which are all stored in plain text.
$uid = $_POST['uid'];
$pwd = $_POST['pwd'];
if ($uid == null){
header("Location: ../index.php?message=ERROR 001 - Username or Password can not be
blank!");
exit();
}
if ($pwd == null){
header("Location: ../index.php?message=ERROR 001 - Username or Password can not
be blank!");
exit();
}
if ($stmt = $link->prepare("SELECT password FROM users WHERE username=?")) {
$stmt->bind_param("s", $uid);
$stmt->execute();
$stmt->bind_result($pass);
$stmt->fetch();
$stmt->close();
}
if (!$stmt) {
header("Location: ../index.php?message=ERROR 003 - Connection to the database could
not be established!");
exit();
}
$hash_pwd = $pass;
if ($hash_pwd == crypt($pwd, $hash_pwd)){
$decrypt = 1;
}else{
$decrypt = 0;
}
if ($decrypt == 0){
include ("false.html");
exit();
} else {
$stmt = $link->prepare("SELECT id FROM users WHERE username='$uid' AND password=?");
$stmt->bind_param("s", $hash_pwd);
$stmt->execute();
$stmt->bind_result($id);
$stmt->fetch();
$stmt->close();
$_SESSION['id'] = $id;
include ("true.html");
}
This should work better. You'll have to change your database relevant details. I've given you a start with storing a session variable of ID.
Related
Closed. This question needs debugging details. It is not currently accepting answers.
Edit the question to include desired behavior, a specific problem or error, and the shortest code necessary to reproduce the problem. This will help others answer the question.
Closed 2 years ago.
Improve this question
I dont really know whats really happening but I cant login even I enter the right UserID and Password it still doesnt make me go to my home page. I dont really know what are the error becasue it doesnt show up it just say "incorrect Credentials". am I missing something?
here is my code:
<?php
include "includes/config.php";
session_start();
if (isset($_POST['loginbutton'])) {
$username = mysqli_real_escape_string($con, $_POST['user']);
$password = mysqli_real_escape_string($con, $_POST['password']);
$sql_query = "SELECT * FROM tbl_useraccounts WHERE employee_id = '$username' AND password ='$password' LIMIT 1";
$result = mysqli_query($con, $sql_query);
$row = mysqli_fetch_array($result);
$passwordhashed = password_verify($password, $row['password']);
if ($passwordhashed) {
if ($_SESSION['usertype'] == 'Admin') {
$_SESSION['username'] = $username;
echo "<script>alert('Successfully logged in!');</script>";
header('location: HomeForAdmin.php');
die();
} elseif ($_SESSION['usertype'] == 'SuperAdmin') {
$_SESSION['username'] = $username;
echo "<script>alert('Successfully logged in!');</script>";
header('location: HomeForSuperAdmin.php');
die();
} else {
echo "<script>alert('Incorrect username and password!');document.location='login2.php'</script>";
}
} else {
echo "<script>alert('Incorrect credentials!');document.location='login2.php'</script>";
}
$_SESSION['username'] = $row['employee_id'];
$_SESSION['password'] = $row['password'];
$_SESSION['usertype'] = $row['usertype'];
$_SESSION['first_name'] = $row['FirstName'];
$_SESSION['last_name'] = $row['LastName'];
}
Prepared statements
Prepared statements are used to protect SQL queries against malicious/malformed user input.
The general layout of a prepared statement is as follows:
PDO
// Define database connection parameters
$db_host = "127.0.0.1";
$db_name = "name_of_database";
$db_user = "user_name";
$db_pass = "user_password";
// Create a connection to the MySQL database using PDO
$pdo = new pdo(
"mysql:host={$db_host};dbname={$db_name}",
$db_user,
$db_pass,
[
PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
PDO::ATTR_EMULATE_PREPARES => FALSE
]
);
// The SQL query using ? as a place holder for the variable we want to insert
$sql = "SELECT column_1, column_2, column_3 FROM table WHERE column_x = ?";
// Prepare the query structure
$query = $pdo->prepare($sql);
// Run the query binding $variable to the ?
// i.e. the query becomes:
// SELECT * FROM table WHERE column = "$variable"
$query->execute([$variable]);
// Fetch the first/next row into the $result variable
$result = $query->fetch(PDO::FETCH_ASSOC); // Access like: $result["column_1"];
// Other way to fetch data...
# $result = $query->fetch(PDO::FETCH_NUM); // Access like: $result[0];
# $result = $query->fetchAll(); // Access likeL $result[0]["column_1"];
# $result = $query->fetchObject(); // Access like: $result->column_1;
mysqli
// Define database connection parameters
$db_host = "127.0.0.1";
$db_name = "name_of_database";
$db_user = "user_name";
$db_pass = "user_password";
// Make connection to the database
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$mysqli = new mysqli($db_host, $db_user, $db_pass, $db_name);
// The SQL query using ? as a place holder for the variable we want to insert
$sql = "SELECT column_1, column_2, column_3 FROM table WHERE column_x = ?";
// Prepare the query structure
$query = $mysqli->prepare($sql);
// Bind the STRING $variable to the ? placeholder in the SQL
$query->bind_param("s", $variable);
// Run the query
$query->execute();
// Store the result
$query->store_result();
// Bind the returned values
$query->bind_result($column_1, $column_2, $column_3);
// Fetch the first/next row
$query->fetch();
//Access as a standard PHP variable...
echo $column_1;
PHP redirects
Using redirects like the following won't work because you can't output data to the page (echo) and then cause a redirect.
echo "<script>alert('Successfully logged in!');</script>";
header('location: HomeForSuperAdmin.php');
Session ifs
The following checks to see if the value in $_SESSION["usertype"] is set to Admin or SuperAdmin.
if ($_SESSION['usertype'] == 'Admin'){
// Additional code...
}
elseif ($_SESSION['usertype'] == 'SuperAdmin'){
// Additional code...
}
The issue here is that as we are only now logging in there shouldn't be a value in that variable!
There would only be a value there if the user was already logged on. In your code it should actually be written as:
if ($row['usertype'] == 'Admin'){
// Additional code...
}
elseif ($row['usertype'] == 'SuperAdmin'){
// Additional code...
}
LIMIT in your SQL
You don't need to use limit in your SQL query for two reasons:
The username field should be unique (i.e. there is only one corresponding row)
You're not accessing the row in a loop you are only taking the first row. So even if there was multiple rows returned you'd only see one.
Flow
Bear in mind that, for the most part, we don't want to have a dozen nested if statements in our programs it makes it complicated to follow and is harder to debug, maintain, etc.
if(expression a){
if(expression b){
if(expression c){
// Some extra random code...
if(expression d){
// Some code to work with...
}
else{
// Some code...
}
}
else{
// Some code...
}
}
else{
// Some code...
}
}
else{
// Some code...
}
Instead, if we streamline the code so that it runs from top to bottom then it tends to be easier to follow:
if(expression a){
// Do something...
}
if(expression b){
// Do something else...
}
Obviously this isn't always possible - sometimes it makes more sense to nest(!) - but going too many levels with if statements can be very tricky to work with.
In your case though you're using if statements to check specific conditions have been met and if they haven't then the code should stop executing and display an error or redirect...
if(username and password have not been entered){
echo "ERROR: Username and Password are empty";
exit;
}
// If the user didn't input values then we would never get this far...
if(user doesn't exist in database){
echo "ERROR: Username doesn't exist!";
exit;
}
// If the user doesn't exist in the database then we never get this far...
if(password matches){
echo "Success! The user is logged on.";
}
Adjusted code
include "includes/config.php";
session_start();
// Check to see if the user is already logged on. If they are then
// we want to redirect them to an error page.
if(isset($_SESSION["username"])){
header("location:errorpage.php?error_code=1");
exit;
}
// Assign POST variables to PHP variables. If the POST variables
// don't exist (haven't been submitted) then set the value to NULL
// so that we can use it in the IF statement easily.
$username = $_POST['user'] ?? NULL;
$password = $_POST['password'] ?? NULL;
// Check to make sure that the user has entered something into the
// username and password fields. If they haven't then we're going
// to handle them with a redirect.
if(!$username || !$password){
header("location:errorpage.php?error_code=2");
exit;
}
$user_sql = "
SELECT password, usertype, FirstName, LastName
FROM tbl_useraccounts
WHERE employee_id = ?
";
$user_query = $pdo->prepare($user_sql);
$user_query->execute([$username]);
// Get the user from the database. If the username doesn't exist then
// redirect the user to approriate error page.
if( !($user = $user_query->fetchObject() ){
header("location:errorpage.php?error_code=3");
exit;
}
// If the user does exist then we verify the password supplied by the user
// against the one stored in the database. If it doesn't match then we'll
// redirect them to an approriate error page.
if(!password_verify($password, $user->password)){
header("location:errorpage.php?error_code=4");
exit;
}
// Set the usertype and username to the sesson SUPER GLOBAL.
// You don't need to set all of the variables (name etc.)
// if you need them get them from the database at the time!
$_SESSION["usertype"] = $user->usertype;
$_SESSION["username"] = $username;
//Redirect the user to the appropriate admin page
$usertype_redirect_locations = [
"Admin" => "adminpage.php",
"SuperAdmin" => "superadminpage.php"
];
header("location:{$usertype_redirect_locations[$user->usertype]}");
I want to redirect users to different page based on their role using PHP. But, the problem is, whoever the user, they'll always redirected to the same page (page where the first if-statement referred).
here's the code
<?php
include("config.php");
session_start();
if($_SERVER["REQUEST_METHOD"] == "POST") {
$myusername = mysqli_real_escape_string($db,$_POST['username']);
$mypassword = mysqli_real_escape_string($db,$_POST['password']);
$sql = "SELECT * FROM user WHERE username = '$myusername' and password = '$mypassword'";
$result = mysqli_query($db,$sql);
$row = mysqli_fetch_array($result,MYSQLI_ASSOC);
$active = isset($row['active']);
$count = mysqli_num_rows($result);
$role = isset($row['role']);
if($role == 'admin'){
$link = 'admin.php';
}
elseif($role == 'user'){
$link = 'user.php';
}
elseif($role == 'expert'){
$link = 'expert.php';
}
else{
$link = '404.php';
}
if($count == 1) {
$_SESSION['username'] = $myusername;
header("Location: ".$link."");
exit();
}else {
$error = "Your Login Name or Password is invalid";
}
}
?>
So, if i replace admin.php on the first if statement with another page, the users will be redirected there. I've followed solutions from different case, but it didnt work.
This line
$role = isset($row['role']);
Sets $role to true or possibly false but it definitely does not set it to the contents of $row['role']
I would suggest removing that line completely it is not necessary as your if/elseif/else covers all the possible options quite nicely.
It is also totally unnecesary to move a value from the $row array into a scalar variable so this would be simpler
//$role = isset($row['role']);
if($row['role'] == 'admin'){
$link = 'admin.php';
} elseif($row['role'] == 'user'){
$link = 'user.php';
} elseif($row['role'] == 'expert'){
$link = 'expert.php';
} else{
$link = '404.php';
}
Unfortunately I have to mention that: Your script is at risk of SQL Injection Attack
Have a look at what happened to Little Bobby Tables Even
if you are escaping inputs, its not safe!
Use prepared parameterized statements
It is also very dangerous storing plain text password on your database. The most likely attack vector on your database is internal staff. Therefore all passwords shoudl be HASHED. PHP provides password_hash()
and password_verify() please use them.
I'm performing a query to check if a user exists before adding it to the database. If that result comes back then die and echo 'username already exists' but if it comes back empty then add the new user to the database.
For some reason it just adds a new user to the database anyway.
//If post was
if (isset($_POST['submit'])) {
// Check if username is blank
if (!isset($_POST['username']) || empty($_POST['username'])) {
echo "Username was blank<br />";
die();
} else {
$username = mysqli_real_escape_string($connection, $_POST['username']);
}
// Check if password is blank
if (!isset($_POST['password']) || empty($_POST['password'])) {
echo "Password was blank<br />";
die();
} else {
$password = mysqli_real_escape_string($connection, $_POST['password']);
$password2 = md5($password);
//echo $password;
}
// Check if email is blank
if (!isset($_POST['email']) || empty($_POST['email'])) {
echo "Email was blank<br />";
die();
} else {
$email = mysqli_real_escape_string($connection, $_POST['email']);
//$password = md5($password);
//echo $password;
}
//Check to see if username alread exsists
$query_check = "SELECT * FROM users WHERE user = '$username' LIMIT 1";
$result_check = mysqli_query($connection, $query_check);
if(count(mysqli_fetch_array($result_check)) === 1) {
echo "Username exists.";
die();
} else {
$query = "INSERT INTO users (user, pass, email) VALUES ('$username','$password2','$email');";
$result = mysqli_query($connection, $query);
if($result){ // returned TRUE, e.g. in case of a DELETE sql
$_SESSION["username"] = $username;
header("Location: ../profile.php");
} else { // returned FALSE
//echo "Error: " . mysqli_error($connection);
echo "Error during register <a href='../register.php'>Back To Register</a>";
die();
}
}
} else {
header("Location: ../index.php");
}
After taking a few minutes testing your code, found that you're using the wrong function.
mysqli_fetch_array():
Fetch a result row as an associative, a numeric array, or both
You're trying to fetch an associative array.
As opposed to mysqli_num_rows():
Gets the number of rows in a result
Replace (and which seems to have been taken from FĂ©lix's answer)
if(count(mysqli_fetch_array($result_check)) === 1)
with
if(mysqli_num_rows($result_check) == 1)
or
if(mysqli_num_rows($result_check) > 0)
Your original post contained:
if(mysqli_fetch_array($result_check) === 1)
which still stands to be the wrong method.
I even said to use mysqli_num_rows() in a comment, but nothing was said about it:
if(mysqli_num_rows($result_check) >0) and make sure $username is defined. We don't know how/where if it is even defined.
Now, if THAT fails, then your form element isn't named, and/or something else in your form is failing you.
I.e.: <input type="text" name="username">
Add error reporting to the top of your file(s) which will help find errors.
<?php
error_reporting(E_ALL);
ini_set('display_errors', 1);
// rest of your code
Sidenote: Error reporting should only be done in staging, and never production.
Regarding using MD5.
That isn't considered safe to use anymore, as far as password hashing goes.
That technology is old and is considered broken.
For password storage, use CRYPT_BLOWFISH or PHP 5.5's password_hash() function.
For PHP < 5.5 use the password_hash() compatibility pack.
Pulled from ircmaxell's answer which uses PDO with prepared statements and password_hash():
Just use a library. Seriously. They exist for a reason.
PHP 5.5+: use password_hash()
PHP 5.3.7+: use password-compat (a compatibility pack for above
All others: use phpass
Don't do it yourself. If you're creating your own salt, YOU'RE DOING IT WRONG. You should be using a library that handles that for you.
$dbh = new PDO(...);
$username = $_POST["username"];
$email = $_POST["email"];
$password = $_POST["password"];
$hash = password_hash($password, PASSWORD_DEFAULT);
$stmt = $dbh->prepare("insert into users set username=?, email=?, password=?");
$stmt->execute([$username, $email, $hash]);
And on login:
$sql = "SELECT * FROM users WHERE username = ?";
$stmt = $dbh->prepare($sql);
$result = $stmt->execute([$_POST['username']]);
$users = $result->fetchAll();
if (isset($users[0]) {
if (password_verify($_POST['password'], $users[0]->password) {
// valid login
} else {
// invalid password
}
} else {
// invalid username
}
Footnotes:
I noticed you are using headers.
You should add exit; after each header. Otherwise, your code may want to continue executing.
header("Location: ../profile.php");
exit;
and do the same for the other one also.
You're also using sessions. session_start(); isn't present in your posted and will fail if it isn't included; an insight.
here
if(mysqli_fetch_array($result_check) === 1) {
the value returned by mysqli_fetch_array won't be an integer but an array. You seem to want to count it:
if(count(mysqli_fetch_array($result_check)) === 1) {
In the case somehow two users would have been inserted for whatever reason, checking if count is greater than 0 may prevent a third one being inserted:
if(count(mysqli_fetch_array($result_check)) > 0) {
Closed. This question needs debugging details. It is not currently accepting answers.
Edit the question to include desired behavior, a specific problem or error, and the shortest code necessary to reproduce the problem. This will help others answer the question.
Closed 8 years ago.
Improve this question
This is my attempt at a basic mysqli php login script (im only learning, so please dont be too harsh).
Can anyone see why it would be bringing up 0 rows every time and failing to login?
<?php
$con = mysqli_connect("localhost","user","pass","database");
if (mysqli_connect_errno())
{
echo "Failed to connect to MySQL, Please contact an Administrator";
}
$username = mysqli_real_escape_string($_POST['username']);
$password = mysqli_real_escape_string($_POST['password']);
$query = "SELECT * FROM users WHERE user_name='$username' AND pass_phrase='$password'";
$result = mysqli_query($con, $query);
$row_cnt = mysqli_num_rows($result);
if (!$row_cnt == 0) {
echo "Usename/Password Combination Failed";
} else {
echo "Welcome " . $_POST['username'];
}
mysqli_close($con);
?>
You need to pass DB connection to mysqli_real_escape_string() as an added parameter.
What you're presently using:
$username = mysqli_real_escape_string($_POST['username']);
$password = mysqli_real_escape_string($_POST['password']);
What you should be using:
$username = mysqli_real_escape_string($con, $_POST['username']);
$password = mysqli_real_escape_string($con, $_POST['password']);
Plus, if if (!$row_cnt == 0) doesn't work after making those changes, try a reverse approach:
I.e.:
$row_cnt = mysqli_num_rows($result);
if ($row_cnt > 0) {
echo "Welcome " . $_POST['username'];
} else {
echo "Usename/Password Combination Failed";
}
Consider adding or die(mysqli_error($con)) to mysqli_query() to signal errors in code.
Sidenote:
I noticed you may be storing passwords in plain text. If this is the case, it is highly discouraged.
I recommed you use CRYPT_BLOWFISH or PHP 5.5's password_hash() function.
For PHP < 5.5 use the password_hash() compatibility pack.
Footnotes:
Consider looking into using:
Prepared statements, or PDO with prepared statements, they're much safer.
Try removing ! or == 0 from your if condition at the bottom. Or even better:
if ($row_cnt) {
// Welcome
} else {
// Notify about authentication failure
}
Also, it's a good practice to hash your password/pass phrase.
This is very basic approach for login, assuming you have user table with id, username, and password :
<?php
if($_SERVER['REQUEST_METHOD'] == 'POST')
{
$errors = array();
if(!$_POST['username']) //check if username has been filled
{
$errors[] = 'bla bla text for empty username notice';
}
else
{
$username = mysqli_real_escape_string($conn, trim($_POST['username']));
}
if(!$_POST['password'])//check if password has been filled
{
$errors[] = 'bla bla text for empty password notice';
}
else
{
$password = mysqli_real_escape_string($conn, trim($_POST['username']));
}
if(empty($errors)) //no errors appears
{
$query = "SELECT * FROM tablename WHERE user_name = '$username' AND password = SHA1('$password')";
$result = #mysqli_query($conn, $query);
if(mysqli_num_rows($result) == 1)
{
//if one database row (record) matches the input:
// Start the session, fetch the record and insert the three values in an array
session_start();
$_SESSION = mysqli_fetch_array($result, MYSQLI_ASSOC);
header("direct to after login page");
}
else
{
// No match was made
$errors[] = 'Sorry no record match with the data you have submitted';
}
}
else
{
// If there was a problem.
echo mysqli_connect_error($conn);
}
}
You need to fix the quoting in your query. Right now you are trying to login as a user with user name $username and password $password and most likely no such combination exists. Also unless you are allowing two users to have the same username you should just query based on the username and then compare the hashed password provided with the stored hashed password.
I'm new to PHP and programming in general, but am working on doing a login. I've got the signup page completed, and my database populates the records fine. However, when this code gets output it says I have 0 rows from the mysql_num_rows($result);... when, it should be coming back successfully showing 1 row when I input the correct username/password. Whether I put in a successful user/pass combo or not, it outputs the same.
I appreciate any help you can provide, code is listed below:
$SQL = "SELECT * FROM account WHERE username = $username AND password = md5($password)";
$result = mysql_query($SQL);
$num_rows = mysql_num_rows($result);
echo $result;
echo $num_rows;
// CLOSE CONNECTION
mysql_close($db_handle);
// COMPARE $num_rows TO SEE IF A SUCCESSFUL LOGIN, THEN DIRECT TO MEMBERS PAGE
if ($result) {
if ($num_rows > 0) {
session_start();
$_SESSION['login'] = "1";
header ("Location: page1.php");
}
else {
$error_message = "Login failed. Please try again.";
echo $num_rows;
EDIT: Complete rewrite
Try this:
<?php
$host = "host";
$user = "user";
$password = "password";
$database = "database";
$username = 'jack'; /* Insert $_Post [''] here with username variable you pass. You could sanitize and validate with for example filter_var (), clean (), etc */
$password_user = 'password from jack'; // same here.
$link = mysqli_connect($host, $user, $password, $database);
IF (!$link){
echo ("Unable to connect to database!");
}
ELSE{
$query = "SELECT * FROM account WHERE username ='$username' AND password = md5('$password_user')";
$result = mysqli_query($link, $query);
$num_rows = mysqli_num_rows($result);
$row = mysqli_fetch_array($result, MYSQLI_BOTH);
// COMPARE $num_rows TO SEE IF A SUCCESSFUL LOGIN, THEN DIRECT TO MEMBERS PAGE
if ($row) {
session_start();
$_SESSION['login'] = "1"; // pleae not that 1 is converted into a string value
$_SESSION['username'] = $username; // added username, just to test.
header ("Location: page1.php");
}
else {
$error_message = "Login failed. Please try again.";
echo $error_message;
}
// CLOSE CONNECTION
mysqli_close($link);
}
?>
Sample data:
CREATE TABLE account (
id INT auto_increment primary key,
username VARCHAR(30),
password VARCHAR(50)
);
INSERT INTO account(username, password)
VALUES
("bob", md5('password from bob')),
("jack", md5('password from jack')),
('joe', md5('password from joe'));
SQL FIDDLE DEMO
Sample page1
<?php
session_start();
$login = $_SESSION['login'];
$username = $_SESSION['username'];
echo '<h1>It WORKS, <i>'.$username.'</i>!!!</h1>';
?>
Important to note is that I have used the MYSQLI library instead of the MYSQL library. If you have more than one column in you table you should select your output per column. For example, $result['id'].
I found that you didn't escape variable in and out in you SQL statement. I have to note that I didn't debug the part below COMPARE $num_rows TO SEE IF A SUCCESSFUL LOGIN, THEN DIRECT TO MEMBERS. I think you can manage that on your own.
W.R.T. the santization and validation you have to do some more work. I don't know how you data is past via the user login in form. Let say you will use POST. In that case you can start at the top of you page with first retrieving all the posted variable using $_POST. Then filter them to make sure you code in is not open for SQL injection. E.g. $username = filter_var($_POST['username'], FILTER_SANITIZE_STRING);