This question already has answers here:
PHP Form not directing to correct pages
(4 answers)
Closed 9 years ago.
<?php
if ($_POST['submit'] == "submit")
{
$userName = $_POST['username'];
$passWord = $_POST['password'];
$db= mysql_connect("localhost", "root", "root");
if(!$db) die("Error connecting to MySQL database.");
mysql_select_db("onlineform", $db);
$checkUserNameQuery = "SELECT username FROM onlineformdata ORDER BY id DESC LIMIT 1";
$checkUserName = mysql_query($checkUserNameQuery);
$checkPassWordQuery = "SELECT password FROM onlineformdata ORDER BY id DESC LIMIT 1";
$checkPassWord = mysql_query($checkPassWordQuery);
$AdminChanges = "";
if (($userName == $checkUserName) && ($passWord == $checkPassWord))
{
$AdminChanges = "AdminChanges.php";
}
else
{
$AdminChanges = "InvalidLogin.html";
}
}
function PrepSQL($value)
{
// Stripslashes
if(get_magic_quotes_gpc())
{
$value = stripslashes($value);
}
// Quote
$value = "'" . mysql_real_escape_string($value) . "'";
return($value);
}
?>
<html>
<head>
<title>Admin Login</title>
</head>
<body>
<form action = <?php echo PrepSQL($AdminChanges); ?> method="post">
username: <input type="text" name="username" />
password: <input type="text" name="password" /> <br/>
<input type="submit" name="submit" value="submit" />
</form>
</body>
</html>
I'm having a problem where the form, when submitted, is being directed to the wrong places. It's a user verification page. If the username and password don't match the ones stored in the database, it should go to the Invalid Login page. If they do, they should go to the next part of the user verification website.
The form tag, before entering values, looks like this in the page source:
However, when the username & password are correct, it goes to the InvalidLogin.html page. When it's incorrect, the form reloads again and when I check the page source, it's the exact same code except now the form tag shows:
Any suggestions?
I think u got it wrong, the action tag is where the form sends the request, not where to go after it sends it.
Try using header('location: '.$AdminChanges); right after the user verification in order to redirect the page.
EDIT: Also remove the action tag of the form. By removing it the request will be sent to the same file you are working on.
<?php
if($_POST['username'] && $_POST['password']){
$username = $_POST['username']; // Escape this
$password = $_POST['password']; // Escape this
$searchQuery = mysql_query("SELECT id FROM onlineformdata WHERE username = '$userName' AND password = '$password' ORDER BY id DESC LIMIT 1");
if(mysql_num_rows($searchQuery)){
header('location:/adminPage.php'); // Go to this page if row exists in DB
}
else{
header('location:/invalidLoginPage.html'); //Go to this page if row doesn't exist in DB
}
exit; // So that it quite this page and goes to the desired one set in the "headers"
}
else{
//Not strictly needed... But you could be useful in some circumstances
}
?>
<html>
<head>
<title>Admin Login</title>
</head>
<body>
<form action='' method="post">
username: <input type="text" name="username" />
password: <input type="text" name="password" /> <br/>
<input type="submit" value="submit" />
</form>
</body>
</html>
This should get you started in the right direction. Don't forget to escape the username/password fields as you see fit.
The action part of the form is where the form is submitted to and so - in your case - that should be the same page. As Hristo said, you can leave it out/blank and it will default to submitting itself.
As for Marc B (he did ask a question after all); if you read the code you would see that the PrepSQL function actually adds single quotes around the string... As there are no quotes in the html this isn't wrong in anyway... So I don't see what the problem is there (aside from it not doing what he wanted it to).
With regards to multiple user accounts, so long as you don't allow the same username to be used by multiple users then there is only one record returned by the database... So again, there's no problem there.
Related
I had been researching a while and even got a hold of my hosting company for help but I have run into a problem with my PHP code and my database through my website. While the code that I have does hash the password that I enter, when I attempt to use the regular word password it comes up as incorrect. But if I copy and paste the hashed password, it works.
<?php
/* NEW.PHP
Allows user to create a new entry in the database
*/
// creates the new record form
// since this form is used multiple times in this file, I have made it a function that is easily reusable
function renderForm($email, $pass, $error)
{
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title>New User</title>
<link href="style.css" rel="stylesheet" type="text/css">
</head>
<body>
<?php
// if there are any errors, display them
if ($error != '') {
echo '<div style="padding:4px; border:1px soluser_id red; color:red;">'.$error.'</div>';
}
?>
<form action="" method="post">
<div>
<strong>Update User Info <br><br><br><br><br>Email: *</strong>
<input type="text" name="email" value="<?php echo $email; ?>" /><br/>
<strong>Password: *</strong> <input type="password" name="pass" value="<?php echo $pass; ?>" /><br/>
<p>* required</p>
<input type="submit" name="submit" value="Submit"> <br><br>Back to home?</div>
</form>
</body>
</html>
<?php
}
// connect to the database
include('connect-db.php');
// check if the form has been submitted. If it has, start to process the form and save it to the database
if (isset($_POST['submit'])) {
// get form data, making sure it is valuser_id
$email = mysql_real_escape_string(htmlspecialchars($_POST['email']));
$pass = mysql_real_escape_string(htmlspecialchars($_POST['pass']));
// check to make sure both fields are entered
if ($email == '' || $pass == '') {
// generate error message
$error = 'ERROR: Please fill in all required fields!';
// if either field is blank, display the form again
renderForm($email, $pass, $error);
} else {
// save the data to the database
mysql_query("INSERT users SET email='$email', pass=MD5('$pass')")
or die(mysql_error());
// once saved, redirect back to the view page
header("Location: view.php");
}
} else {
// if the form hasn't been submitted, display the form
renderForm('','','');
}
?>
As you can see it does hash it when I enter it into the database, but when I try to use the password the way it was originally spelled, it tells me it's the wrong one.
I would do the MD5 hashing on the PHP side. Print it before it goes into the database and try to compare it with the input given on the login form.
Also the htmlspecialchars is not needed in this case. Since your escaping is fine. If it would contain weird chars, it would match them against the database.
Also make sure your encoding type is set on both pages and make sure they're the same.
Without seeing your SELECT query in the login form I'd ask if you're MD5 hashing it when you select it as well?
mysql_query("SELECT * FROM users WHERE email='$email' AND pass=MD5('$pass')")
or die(mysql_error());
However, I agree that you shouldn't be using MD5 for password hashing. Check out http://php.net/manual/en/function.password-hash.php
I am building website with a login page. The login page has a html form as shown, the html file is below:
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html" charset="UTF-8" />
<title>Login Page</title>
<link rel="stylesheet" type="text/css" href="/my-site/LoginPage/loginPageGraphics.css"/>
</head>
<body>
<form name="frmLogin" method="post" action="/my-site/LoginPage/login.php" accept-charset="UTF-8"/>
<div id="loginField">
<div>
<script type="text/javascript" src="/my-site/LoginPage/loginPageAction.js"></script>
<script type="text/javascript" src="/my-site/database/databaseActions.js"></script>
<p>
<input id="txtUsername" name="username" type="text" placeholder="username"/> <br/>
<input id="txtPassword" name="password" type="password" placeholder="password"/> <br/>
<input id="btnLogin" type="submit" value="Login"/>
<input type="hidden" name="query" value="SELECT ID, Fname, Lname, Username, Password, Type FROM user_accounts WHERE Username='$Username'"/>
</p>
</div>
<div> <!--This div block has no code behind it yet. It is just there for now.-->
<p>
<input id="btnCreateAccount" type="submit" value="Create Account" onclick="createAccount(txtUsername.value, txtPassword.value)"/> <br/>
Create admin account? <input id="chbCreateAdmin" type="checkbox"/>
</p>
</div>
</div>
</form>
</body>
</html>
When the submit button btnLogin is clicked, the form runs a php script, login.php
<?php //this is login.php
$Query = $_POST["query"]; //Query line from html form
$Username = $_POST["username"];
//This 'hard-coded' query is the exact same as the query line from html form
$Query1 = "SELECT ID, Fname, Lname, Username, Password, Type FROM user_accounts WHERE Username='$Username'"; //hard-coded query line
echo $Query;//There is only 1 difference between these two echos. This echo displays "... Username='$Username'"; //$Username is the variable that holds the entered user name
echo $Query1;// While this echo displays "... Username='TylerB'"; //TylerB is the entered username
if($Query === $Query1){
echo "true";
}elseif($Query == $Query1){
echo"true2";
}else{
echo"false"; //this one gets echoed
}
require "../database/dbConnection.php"; //the contents of this file is below. I am using require, as I want this php file to be re-usable.
/* |___> require "DB.php"; //The DB.php file holds the database login info
$conn = new mysqli($host, $user, $pass, $dbName); //Variables specified in DB.php
if($conn->connect_error){
die("Connection failed: " . $conn->connect_error);
}
$result = $conn->query($Query);
*/
/*$Query: $result has 0 num_rows
$Query1: $result has 1 num_rows (this is expected)
This information was found via var_dump($results); The lines of codes was removed a little while ago*/
if($result->num_rows > 0){ //If num_rows is equal to 1, no account with the entered username was found
while($row = $result->fetch_assoc()){
if($_POST["password"] === $row["Password"]){//If entered password matchs the selected account's password, login to home page
if($row["Type"] === "Admin"){//Purpose of this if statement is not relevant to the question. Just know, if login info is correct, user logins to a home page.
echo "go to admin home page";
}else{
echo "go to student home page";
}
}else{//if password is incorrect
echo "ERROR: Username or password was incorrect. Please enter the correct account information.";
}
}
}else{//if username is incorrect
echo "ERROR: Username or password was incorrect. Please enter the correct account information.";
}
?>
When I use the variable $Query1, the website runs correctly. However, when I use $Query, $result 's num_rows is 0. In otherwords, it didn't find an account with the username TylerB (despite that $Query1 does find an account with the username TylerB).
The only difference that echos between $Query1 and $Query at the end of the query line: (See top of login.php file for more info about these two variables)
echo $Query;//There is only 1 difference between these two echos. This echo displays "... Username='$Username'"; //$Username is the variable that holds the entered user name
echo $Query1;// While this echo displays "... Username='TylerB'"; //TylerB is the entered username
My questions...
Why are the two query variables giving two different query results? How do I fix this?
I suspect this is mainly revolving around the two slightly different echos for $Query and $Query1. Is the $Username in "... WHERE Username='$Username'" being queried instead of $Username's value? (I doubt this myself...)
If it is, how should I approach this? The query line that dbConnection.php requires needs to come from another source, otherwise it will be specific to the login page. Which is the exact opposite of my intentions - having dbConnection.php re-usable any wheres when a query is needed.
Versions/programs etc:
Sublime 3
Apache web server (all in one package from http://www.wampserver.com/en/ Used WAMPSERVER (64 BITS & PHP 5.6.15 $ PHP 7)
PHP 7
Google Chrome
MySQL
JS
CSS
Windows 10
---------------------------------------------EDIT-------------------------------
While there isn't as much re-usable code as I was going for. I can still work with what I have. However, regarding all the comments around safety and hacking... How safe is this code?
<form name="frmLogin" method="post" action="/my-site/LoginPage/login.php" accept-charset="UTF-8"/>
<div id="loginField">
<div>
<script type="text/javascript" src="/my-site/LoginPage/loginPageAction.js"></script>
<script type="text/javascript" src="/my-site/database/databaseActions.js"></script>
<p>
<input id="txtUsername" name="username" type="text" placeholder="username"/> <br/>
<input id="txtPassword" name="password" type="password" placeholder="password"/> <br/>
<input id="btnLogin" type="submit" value="Login"/>
</p>
</div>
<div>
<p>
<input id="btnCreateAccount" type="submit" value="Create Account" onclick="createAccount(txtUsername.value, txtPassword.value)"/> <br/>
Create admin account? <input id="chbCreateAdmin" type="checkbox"/>
</p>
</div>
</div>
</form>
Submit runs the following...
<?php
$User = $_POST["username"];
require "../database/dbConnection.php";
/* |
<?php
require "DB.php";
$conn = new mysqli($host, $user, $pass, $dbName);
if($conn->connect_error){
die("Connection failed: " . $conn->connect_error);
}
?>*/
$stmt = $conn->prepare("SELECT ID, Fname, Lname, Username, Password, Type FROM user_accounts WHERE Username=?");
$stmt->bind_param("s", $User);
$stmt->execute();
$stmt->bind_result($ID, $Fname, $Lname, $Username, $Password, $Type);
$stmt->fetch();
if($User === $Username){
if($_POST["password"] === $Password){
if($Type === "Admin"){
echo "go to admin home page";
}else{
echo "go to student home page";
}
}else{
echo "ERROR: Username or password was incorrect. Please enter the correct account information.";
}
}else{
echo "ERROR: Username or password was incorrect. Please enter the correct account information.";
}
?>
My questions was answered in the OP comments, the overall answer is at this link:
MySQLi query - php - html form: query line obtained from html form is different from hard-coded query line?
This question already has answers here:
How do I make a redirect in PHP?
(34 answers)
Closed 7 years ago.
I am learning pHp. I have made a login page.
The problem i am facing here is that, when user clicks on signin button & if record is found then he is taken to other page which displays redirect link, the user has to click on that to go to the next page.
Now what i want that when a user click on signin button, then the details should be cross checked in the database, if the record is found then user should be directly redirected to next page else error should be displayed.
This is my html page:
<!DOCTYPE html>
<html>
<head>
<title>OpenMoz</title>
<meta charset="utf-8"/>
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" type="text/css" href="index.css"/>
</head>
<body style="height:650px;">
<h1 align="center" ><b><i>City Login</i></b></h1>
<div class="login">
<form action="login.php" method="post">
<input type="text" placeholder="Username" name="username" autocorrect=off autocapitalize=words required> <br>
<input type="password" placeholder="password" name="password" autocorrect=off autocapitalize=words required> <br>
<input type="submit" name="submit" value="Sign In">
</form>
<input type="submit" name="submit" value="Sign Up">
<div>
</body>
</html>
This is the login.php script to verify details :
<?php
$username = $_POST["username"];
$password = $_POST["password"];
if($username && $password)
{
$connect = mysql_connect("localhost","root","password") or die("Couldn't connect");
mysql_select_db("phplogin")or die("Couldn't connect");
$query = mysql_query("SELECT * FROM users WHERE username='$username'");
$numrows = mysql_num_rows($query);
if($numrows!=0)
{
while($row = mysql_fetch_assoc($query))
{
$dbusername = $row['username'];
$dbpassword = $row['password'];
}
if($username==$dbusername && $password==$dbpassword)
{
echo ("<center><a href='home.php'>Redirect</a></center>");
$_SESSION['username'] = $username;
}
else
{
echo ("Incorrect Password !");
}
}
else
die("The user doesn't exist");
}
else
echo ("Please enter username & password");
?>
I would be really thankful if my problem gets solved.
As long as you have not outputted anything to the browser, you can do a header redirect. This will achieve your aim.
Change this:
echo ("<center><a href='home.php'>Redirect</a></center>");
$_SESSION['username'] = $username;
To this:
$_SESSION['username'] = $username;
header("Location: /some-new-page.php");
exit;
Always exit; after a location redirect.
Oh yeah, and CLEAN your inputs.. ..you are wide open to SQL Injection.
$username = mysql_real_escape_string($_POST["username"]);
$password = mysql_real_escape_string($_POST["password"]);
Oh yeah .. and mysql_* is deprecated. Use mysqli_*
use header("Location:home.php"); its best way to redirect page in php
header("Location:whaeverpage.php");
exit();
Do it before sending any data to the browser or you will get a header allready sen error
or by javascript :
If($connected ==='yes'){//your connection statement
?>
<script>window.location.replace("whatever_page");</script>
<?
}
WOWOW NONONO HALT! DO NOT LEARN mysql_ API FOR NEW DEVELOPMENT. It's deprecated/unsupported, ancient, error-prone. learn to use mysqli_ or better yet, PDO , and here is a great tutorial http://wiki.hashphp.org/PDO_Tutorial_for_MySQL_Developers
also here: $query = mysql_query("SELECT * FROM users WHERE username='$username'");
code is vulnerable to SQL injection attack by hackers. must use mysql_real_escape_string.
also, you should not use * , for most cases, be specific. Also, you should not store passwords in plaintext (as your login system is doing), you should hash it..
other than that, check Chris Magg's already said what i would'ev https://stackoverflow.com/a/31355969/1067003
i have a form file with name form1.php
<?PHP
//form.php
session_start();
?>
<!DOCTYPE HTML>
<html>
<head>
<title>form</title>
</head>
<body>
<?PHP if (isset ($_SESSION["notfound"])) { ?>
<h2 style="text-align:center">Wrong user name or password</h2>
<?PHP unset($_SESSION["notfound"]);}
if (isset ($_SESSION["empty"])) {?>
<h2 style="text-align:center">Empty</h2>
<?PHP unset($_SESSION["empty"]); }?>
<form name="signin" action="http://localhost/M1.php" method="post">
<table>
<tr>
<td>
<label>
Username<input type="text" name="name" size="32"/>
</label>
</td>
<td>
<label>
Password <input type="password" name="pass" size="32"/>
</label>
</td>
<td>
<input type="submit" value="Login" />
</td>
</tr>
</table>
</form>
and controll file M1.php
<?php
$name=$_POST["name"];
$pass=$_POST["pass"];
if((!empty($name)) && (!empty($pass)))
{
session_start();
if($conection=mysql_connect("localhost","","")===false)
die("not connect to data base");
if(mysql_select_db('login',$conection) ===false)
die("data base not found");
$sql =sprintf("SELECT `password` FROM `signin` WHERE `username`= '%s' ",mysql_real_escape_string($name));
$dbpass=mysql_query($sql);
if ($dbpass==$pass)
{
$_SESSION["authenticated"]=true;
header("Location: http://localhost/home.php");
exit;
}
else //if ($dbpass===false)
{
$_SESSION["notfound"]=true;
header("Location: http://localhost/form1.php");
exit;
}
}
else
{
$_SESSION["empty"]=true;
header("Location: http://localhost/form1.php");
exit;
}
?>
*i am useing xampp for runing them
i have data base loging which contain a table signin
when i fill the form with same user name and password which i save in signin table and click submit it return me on form1.php with session 'notfoun'
and when i submit empty form it return me without seting empty session *
You are not fetching data from database and you make a condition based on execute query = $pass which will be always false, so change to
$dbpass=mysql_query($sql);
$result = mysql_fetch_array($dbpass);
$passw = $result['password'];
if ($passw==$pass)
{
//logged
As side note i would say a couple of thing. First I notice you sanitized your input which is a good pratice, but you really should switch to prepared statments with either PDO or mysqli so you will avoid any risk of mysql injection, also because mysql_* functions are deprecated. Second saving a password in plain text in database is a very bad pratice, you should really encrypt it and save an hash of the password in database, there is anice post about that here. Further more I think that session_start(); should be placed at the top of your file to work correctly.
It's firstly good time to make use of PDO or mysqli rather then using mysql which is deprecated in latest PHP version.
While passing db connection values, I feel you missed out the username & password, which should help you connect the database.
Later, mysql_query("SELECT_QUERY"); returns result object, whose values should be read by mysql_fetch_assoc() which returns the db row into associative array form.
Finally your code should look like,
$sql =sprintf("SELECT `password` FROM `signin` WHERE `username`= '%s' ",mysql_real_escape_string($name));
$result = mysql_query($sql);
$dbpass = mysql_fetch_assoc($result);
$dbpass = $dbpass['password'];
if ($dbpass==$pass)
{
$_SESSION["authenticated"]=true;
header("Location: http://localhost/home.php");
exit;
}
else //if ($dbpass===false)
{
$_SESSION["notfound"]=true;
header("Location: http://localhost/form1.php");
exit;
}
What's the error you're getting?
Anyway, how do you connect through your database? I see you have put the username and password as an empty string. You should try to put in a user/pass of an existing user:
mysql_connect syntax:
mysql_connect(host,username,password,newlink,clientflag)
example:
mysql_connect("localhost","root","")
or
mysql_connect("localhost","root","password")
EDIT: ASSIGNMENT WORK. Please don't mention External Libraries or complicated procedures that deal with security issues.
I want to implement a very basic login page that compares the users username and password with ones stored in a database (using MySql) and then redirect to another webpage that is only available to logged in users. I have looked at these two tutorials:
http://frozenade.wordpress.com/2007/11/24/how-to-create-login-page-in-php-and-mysql-with-session/
http://www.phpro.org/tutorials/Basic-Login-Authentication-with-PHP-and-MySQL.html
and I've attempted to use both techniques. The second one kept giving me server errors, and the first one gives me the login page, and doesn't return any errors, but then when pressing the submit button, it just doesn't do anything. I've followed it practically word for word, only changing the file names and some database column names to fit with my pre-existing stuff, but to no avail. This login page has given me an almighty headache and I would really like to get this out of the way and done with now.
LOGIN PAGE
<?php
// Inialize session
session_start();
// Check, if user is already login, then jump to secured page
if (isset($_SESSION['username'])) {
header('Location: RecordEvents.php');
}
?>
... skip all the unnecessary parts
<h1>Login</h1>
<?php
if(!empty($errorMessage))
{
echo("<p>There was a problem with your login:</p>\n");
echo("<ul>" . $errorMessage . "</ul>\n");
}
?>
<form action="loginscript.php" method="post">
Username:
<input type="text" name="username" /> </br>
Password:
<input type="password" name="password" /> </br>
<p>
<!--the submit button with an altered value. once selected the validation script will run-->
<input type="submit" name="login" value="Allons-y!" />
</p>
</form>
CONFIG.INC (I tried at first naming the file .php but that made no difference.)
<?php
$hostname = 'localhost';
$dbname = 'clubresults';
$username = 'newuser';
$password = 'password';
// Let's connect to host
mysql_connect($hostname, $username, $password) or DIE('Connection to host is failed, perhaps the service is down!');
// Select the database
mysql_select_db($dbname) or DIE('Database name is not available!');
?>
LOGINSCRIPT.PHP
<?php
// Inialize session
session_start();
// Include database connection settings
include('Inlcude\config.inc');
// Retrieve username and password from database according to user's input
$login = mysql_query("SELECT * FROM admin_passwords WHERE (Username = '" . mysql_real_escape_string($_POST['username']) . "') and (Password = '" . mysql_real_escape_string(md5($_POST['password'])) . "')");
// Check username and password match
if (mysql_num_rows($login) == 1) {
// Set username session variable
$_SESSION['username'] = $_POST['username'];
// Jump to secured page
header('Location: RecordEvents.php');
}
else {
// Jump to login page
header('Location: Login.php');
}
?>
RECORDEVENTS.PHP
<?php
// Inialize session
session_start();
// Check, if username session is NOT set then this page will jump to login page
if (!isset($_SESSION['username'])) {
header('Location: Login.php');
}
Include ('Include\eventscript.php');
?>
... blah blah
<?php
if(!empty($errorMessage))
{
echo("<p>There was an error with your form:</p>\n");
echo("<ul>" . $errorMessage . "</ul>\n");
}
?>
<form action="RecordEvents.php" method="post">
Name: <input type="text" name="EventName" value="<?php print $varEventname;?>" /> </br>
Date: <input type="text" name="EventDate" placeholder="yyyy-mm-dd hh:mm:ss" value="<?php print $varEventdate;?>" /> </br>
Location: <input type="text" name="Location" value="<?php print $varLocation;?>" /> </br>
<p>
<!--the submit button with an altered value. once selected the validation script will run-->
<input type="submit" name="formSubmit" value="Allons-y!" />
<!--the reset button to empty the form and start again-->
<input type="reset" name="formReset" value="Try Again" />
</p>
</form>
the db is called clubresults, the table i'm using is admin_passwords and the column names are: Username, Password.
Can anyone spot the error I am obviously making?
Check your spelling.
include('Inlcude\config.inc');
Please see this.
$login = mysql_query("SELECT * FROM admin_passwords WHERE username = '" .mysql_real_escape_string($_POST['username']) . "' and password = '" .mysql_real_escape_string($_POST['password']) . "'");
I removed the md5() function.
http://php.net/manual/en/function.md5.php
This is what really happens when there is an md5 in your query.
Lets say that you input the ff.
username = username
password = password
Your query will be like this, with md5() in your $_POST['password'].
SELECT * FROM admin_passwords WHERE username = 'username' and password = '5f4dcc3b5aa765d61d8327deb882cf99'
Please see the link above for more info!
First thing I see is
include('Inlcude\config.inc');
Obviously, the path is wrong. Further, sanitize your code. E.g. include doesn't require parentheses and should be written in lower case always, like
include 'Include\config.inc';
Next, are you sure, there is only one entry in your database? As it is defined to only load the recordevents script on
mysql_num_rows($login) == 1
Sometimes while developing, you may have two equal rows.