difficulty in login in one attempt

Hello Everyone, i created a login page, but i am facing some difficulties into that.
my login page is working but in two attempts. i mean when i m trying to login using, it's not logged in and giving me again the login page, but when i am trying to login second time with the same username an password, it's logged in/working.
can anyone tell me the problem, here is my code:

index.php

<?php include("connect.inc.php"); if(isset($_POST['username'])&& isset($_POST['password'])) { $username = $_POST['username']; $password = $_POST['password']; if(!empty($username)&& !empty($password)) { $query = "SELECT `id` FROM `users` WHERE `username`= '$username' AND `password`= '$password'"; if($query_run = mysql_query($query)) { $num_row = mysql_num_rows($query_run); if($num_row == 0) { echo 'Invalid username and password.'; } else { $user_id = mysql_result($query_run, 0, 'id'); $_SESSION['user_id']=$user_id; $_SESSION['username']=$username; header("Location: loggedin.php"); } } else { } } else { echo 'fill username and password.'; } } ?>


Page which appear after login:


<?php require 'core.inc.php'; require 'connect.inc.php'; if(isset($_SESSION['user_id'])&&!empty($_SESSION['user_id'])){ $username = $_SESSION['username']; echo $username; ?>


core.inc.php

<?php ob_start(); session_start(); $current_file = $_SERVER['SCRIPT_NAME']; function getfield($field){ $query = "SELECT `$field` FROM `users` WHERE `id`='".$_SESSION['user_id']."'"; if($query_run = mysql_query($query)) { return mysql_result($query_run, 0, $field); } } ?>

connect.inc.php

<?php $connect_error = 'could not connect'; $database_error = 'database not found'; $host_name = 'localhost'; $user_name = 'root'; $password = ''; $database = 'test'; if(!@mysql_connect($host_name, $user_name, $password) || !@mysql_select_db($database)) { die($connect_error); } ?>

Where is your login form located? Is it in index.php or in some other file?

Side note: Your code looks vulnerable for SQL Injection.

yes it's index.php. and why it is vulnerable for sql injections can you explain please...

If I post username ' OR '1'='1, your query becomes SELECT `id` FROM `users` WHERE `username`= '' OR '1' = '1' AND `password`= 'whatever here'. As a result (the OR taking precedence if I recall correctly), all records will be returned and I will definitely be able to login. That's just a "harmless" use. With the right input you can delete records, or even drop entire tables. Use mysql_real_escape_string or casting to numbers on every single value you use in any query.

thank you for this explanation, as you said i replace code like this:


<?php
include("connect.inc.php");
if(isset($_POST['username'])&& isset($_POST['password']))
{

$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);

if(!empty($username)&& !empty($password))
{

$query = "SELECT `id` FROM `users` WHERE `username`= '$username' AND `password`= '$password'";
if($query_run = mysql_query($query))
{
$num_row = mysql_num_rows($query_run);
if($num_row == 0)
{
echo 'Invalid username and password.';
}
else
{
$user_id = mysql_result($query_run, 0, 'id');
$_SESSION['user_id']=$user_id;
$_SESSION['username']=$username;
header("Location: loggedin.php");
}
}
else
{

}
}
else
{
echo 'fill username and password.';
}
}
?>



is it ok..?
and please let me know if i should do any other updation to make my login page more secure...
Thank you...