I'm trying to build a registration and login system, so that I can password protect certain pages.
There will be different levels of users. If you are not registered, you can only access generic pages, if you are registered and logged in, you can see some pages, and if you have a subscription, you can access all pages. At least that is the intention.
I'm currently at step one and trying to follow the tutorial at http://www.easykiss123.com/easy-setup-of-login-registration-and-password-protected-areas-on-your-web...
While the tutorial is quite nice, it contains a number of errors, things that just do not work as described. One is the use of 'mysqli_...' commands, which need to be replaced by 'mysql_...' commands (notice: without the letter i).
Another problem in the tutorial is that one of the files contains a PHP function call, date_default_timezone_set('Europe/London'), that can only be commented out.
Now with these adjustments things are getting underway, but using this code:
<?php # Script 16.8 - login.php
// This is the login page for the site.
require_once ('includes/config.inc.php');
$page_title = 'Login';
include ('includes/header.php');

if (isset($_POST['submitted'])) {
    require_once (MYSQL);

    // Validate the email address:
    if (!empty($_POST['email'])) {
        $e = mysql_real_escape_string ($dbc, $_POST['email']); // bold in the original post
    } else {
        $e = FALSE;
        echo '<p class="error">You forgot to enter your email address!</p>';
    }

    // Validate the password:
    if (!empty($_POST['pass'])) {
        $p = mysql_real_escape_string ($dbc, $_POST['pass']); // bold in the original post
    } else {
        $p = FALSE;
        echo '<p class="error">You forgot to enter your password!</p>';
    }

    if ($e && $p) { // If everything's OK.
        // Query the database:
        $q = "SELECT user_id, first_name, user_level FROM users WHERE (email='$e' AND pass=SHA1('$p')) AND active IS NULL";
        $r = mysql_query ($dbc, $q) or trigger_error("Query: $q\n<br />MySQL Error: " . mysql_error($dbc));

        if (@mysql_num_rows($r) == 1) { // A match was made.
            // Register the values & redirect:
            $_SESSION = mysql_fetch_array ($r, MYSQL_ASSOC);
            mysql_free_result($r);
            mysql_close($dbc);
            $url = BASE_URL . 'index.php'; // Define the URL:
            ob_end_clean(); // Delete the buffer.
            header("Location: $url");
            exit(); // Quit the script.
        } else { // No match was made.
            echo '<p class="error">Either the email address and password entered do not match those on file or you have not yet activated your account.</p>';
        }
    } else { // If everything wasn't OK.
        echo '<p class="error">Please try again.</p>';
    }

    mysql_close($dbc);
} // End of SUBMIT conditional.
?>
the two bold lines give the following error messages:
<p>An error occurred in script '/homepages/3/d173460647/htdocs/ppbm6/Login/login.php' on line 13: mysql_real_escape_string() expects parameter 1 to be string, resource given
<br />Date/Time: 11-19-2011 05:40:32
<p>An error occurred in script '/homepages/3/d173460647/htdocs/ppbm6/Login/login.php' on line 21: mysql_real_escape_string() expects parameter 1 to be string, resource given
<br />Date/Time: 11-19-2011 05:40:34
What did I do wrong here and how can I correct it?
Harm, from what I can see the two mysql_real_escape_string() calls and the mysql_query() call ($r=) are both backwards. The $dbc is your link identifier and that should be the second part of the statement, not the first. So just reverse the order of $dbc and the other variables and it should correct the issue.
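The same login check as the script in the question, rewritten against mysqli prepared statements and password_verify(). This is an added example, not code from the post, the tutorial or the answer: it assumes the users columns named in the post (user_id, first_name, user_level, email, pass, active), that pass holds a password_hash() value rather than a SHA1 digest, and placeholder database credentials.

```php
<?php
// Added example, not code from the thread or from the easykiss123 tutorial.
// Assumes a `users` table with the columns named in the post (user_id,
// first_name, user_level, email, pass, active), `pass` holding a
// password_hash() value, and NULL in `active` meaning "activated".
session_start();

function login_user(mysqli $dbc, string $email, string $password): ?array
{
    // The statement is prepared with a placeholder and the value is bound
    // separately, so no escaping call (and no argument order) is involved.
    $stmt = $dbc->prepare(
        'SELECT user_id, first_name, user_level, pass, active FROM users WHERE email = ?'
    );
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // get_result() needs mysqlnd
    $stmt->close();

    // Fail closed: unknown email, wrong password and unactivated account all
    // return null so the caller shows one generic message for every case.
    if ($row === null || !password_verify($password, $row['pass'])) {
        return null;
    }
    if ($row['active'] !== null) {
        return null;
    }
    unset($row['pass'], $row['active']); // never keep the hash in the session
    return $row;
}

if (isset($_POST['submitted'])) {
    $dbc   = new mysqli('localhost', 'DB_USER', 'DB_PASS', 'DB_NAME'); // placeholders
    $email = trim($_POST['email'] ?? '');
    $pass  = $_POST['pass'] ?? '';

    $user = ($email !== '' && $pass !== '') ? login_user($dbc, $email, $pass) : null;
    $dbc->close();

    if ($user !== null) {
        session_regenerate_id(true); // fresh session id once authenticated
        $_SESSION['user'] = $user;   // add to the session, do not replace the array
        header('Location: http://ppbm6.com/PPBM6.php');
        exit; // stop here so nothing after the redirect header is rendered
    }
    echo '<p class="error">Either the email address and password entered do not match those on file or you have not yet activated your account.</p>';
}
```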
That helped me on the way, but I have a distinct feeling I still have some noob mistake in my code.
I have this code at the top of a protected page:
<?php
if (!isset($_SESSION)) {
    session_start();
}
$MM_authorizedUsers = "";
$MM_donotCheckaccess = "true";

// *** Restrict Access To Page: Grant or deny access to this page
function isAuthorized($strUsers, $strGroups, $UserName, $UserGroup) {
    // For security, start by assuming the visitor is NOT authorized.
    $isValid = False;

    // When a visitor has logged into this site, the Session variable MM_Username set equal to their username.
    // Therefore, we know that a user is NOT logged in if that Session variable is blank.
    if (!empty($UserName)) {
        // Besides being logged in, you may restrict access to only certain users based on an ID established when they login.
        // Parse the strings into arrays.
        $arrUsers = Explode(",", $strUsers);
        $arrGroups = Explode(",", $strGroups);
        if (in_array($UserName, $arrUsers)) {
            $isValid = true;
        }
        // Or, you may restrict access to only certain users based on their username.
        if (in_array($UserGroup, $arrGroups)) {
            $isValid = true;
        }
        if (($strUsers == "") && true) {
            $isValid = true;
        }
    }
    return $isValid;
}

$MM_restrictGoTo = "Login/login.php";
if (!((isset($_SESSION['MM_Username'])) && (isAuthorized("",$MM_authorizedUsers, $_SESSION['MM_Username'], $_SESSION['MM_UserGroup'])))) {
    $MM_qsChar = "?";
    $MM_referrer = $_SERVER['PHP_SELF'];
    if (strpos($MM_restrictGoTo, "?")) $MM_qsChar = "&";
    if (isset($_SERVER['QUERY_STRING']) && strlen($_SERVER['QUERY_STRING']) > 0)
        $MM_referrer .= "?" . $_SERVER['QUERY_STRING'];
    $MM_restrictGoTo = $MM_restrictGoTo. $MM_qsChar . "accesscheck=" . urlencode($MM_referrer);
    header("Location: ". $MM_restrictGoTo);
    exit;
}
?>
OK, when I go to the originating page, http://ppbm6.com/index.html, and click on the menu "Benchmark Results", I get to the login page as designed. So far, so good: I can fill in the email address and password, log in, and then it should open the protected page. However, all it accomplishes is to empty the fields again, so there is no redirection at all. If I fill in a non-registered email address it correctly directs me to the registration page, but it does nothing with registered users.
The server behavior includes Restrict Access To Page ().
The code in the login script is:
<?php
if (!function_exists("GetSQLValueString")) {
    function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")
    {
        if (PHP_VERSION < 6) {
            $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;
        }
        $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);
        switch ($theType) {
            case "text":
                $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
                break;
            case "long":
            case "int":
                $theValue = ($theValue != "") ? intval($theValue) : "NULL";
                break;
            case "double":
                $theValue = ($theValue != "") ? doubleval($theValue) : "NULL";
                break;
            case "date":
                $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
                break;
            case "defined":
                $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
                break;
        }
        return $theValue;
    }
}

// Second copy of GetSQLValueString with the escaping line commented out. The
// function_exists() guard above has already defined the function, so this block is skipped.
if (!function_exists("GetSQLValueString")) {
    function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")
    {
        if (PHP_VERSION < 6) {
            $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;
        }
        // $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);
        switch ($theType) {
            case "text":
                $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
                break;
            case "long":
            case "int":
                $theValue = ($theValue != "") ? intval($theValue) : "NULL";
                break;
            case "double":
                $theValue = ($theValue != "") ? doubleval($theValue) : "NULL";
                break;
            case "date":
                $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
                break;
            case "defined":
                $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
                break;
        }
        return $theValue;
    }
}

// $database_MYSQL and $MYSQL are not defined anywhere in the code shown here.
mysql_select_db($database_MYSQL, $MYSQL);
$query_Recordset1 = "SELECT * FROM users";
$Recordset1 = mysql_query($query_Recordset1, $MYSQL) or die(mysql_error());
$row_Recordset1 = mysql_fetch_assoc($Recordset1);
$totalRows_Recordset1 = mysql_num_rows($Recordset1);

# Script 16.8 - login.php
// This is the login page for the site.
require_once ('includes/config.inc.php');
$page_title = 'Login';
//include ('includes/header.php');
// Start output buffering:
ob_start();
// Initialize a session:
session_start();
// Check for a $page_title value:
if (!isset($page_title)) {
    $page_title = 'User Registration';
}

if (isset($_POST['submitted'])) {
    require_once (MYSQL);

    // Validate the email address:
    if (!empty($_POST['email'])) {
        $e = mysql_real_escape_string ($_POST['email'], $dbc);
    } else {
        $e = FALSE;
        echo '<p class="error">You forgot to enter your email address!</p>';
    }

    // Validate the password:
    if (!empty($_POST['pass'])) {
        $p = mysql_real_escape_string ($_POST['pass'], $dbc);
    } else {
        $p = FALSE;
        echo '<p class="error">You forgot to enter your password!</p>';
    }

    if ($e && $p) { // If everything's OK.
        // Query the database. Note that pass is compared as plain text here,
        // whereas the earlier script compared it against SHA1('$p').
        $q = "SELECT user_id, first_name, last_name, email, user_level, pass FROM users WHERE (email='$e' AND pass='$p')";
        $r = mysql_query ($q, $dbc) or trigger_error("Query: $q\n<br />MySQL Error: " . mysql_error($dbc));

        if (@mysql_num_rows($r) == 1) { // A match was made.
            // Register the values & redirect (this replaces the whole $_SESSION array):
            $_SESSION = mysql_fetch_array ($r);
            mysql_free_result($r);
            mysql_close($dbc);
            $url = 'http://ppbm6.com/PPBM6.php'; // Define the URL:
            ob_end_clean(); // Delete the buffer.
            header("Location: $url");
            // The script stops here, so the Dreamweaver block below, which is the
            // only place that sets $_SESSION['MM_Username'], is never reached on a match.
            exit(); // Quit the script.
        } else { // No match was made.
            echo '<p class="error">Either the email address and password entered do not match those on file or you have not yet activated your account.</p>';
        }
    } else { // If everything wasn't OK.
        echo '<p class="error">Please try again.</p>';
    }

    mysql_close($dbc);
} // End of SUBMIT conditional.
?>
<?php
// *** Validate request to login to this site.
if (!isset($_SESSION)) {
    session_start();
}
$loginFormAction = $_SERVER['PHP_SELF'];
if (isset($_GET['accesscheck'])) {
    $_SESSION['PrevUrl'] = $_GET['accesscheck'];
}

if (isset($_POST['email'])) {
    $loginUsername=$_POST['email'];
    $password=$_POST['pass'];
    $MM_fldUserAuthorization = "";
    $MM_redirectLoginSuccess = "http://ppbm6.com/PPBM6.php";
    $MM_redirectLoginFailed = "http://ppbm6.com/Login/Registration.php";
    $MM_redirecttoReferrer = false;
    mysql_select_db($database_MYSQL, $MYSQL);

    $LoginRS__query=sprintf("SELECT email, pass FROM users WHERE email=%s AND pass=%s",
        GetSQLValueString($loginUsername, "text"), GetSQLValueString($password, "text"));

    $LoginRS = mysql_query($LoginRS__query, $MYSQL) or die(mysql_error());
    $loginFoundUser = mysql_num_rows($LoginRS);
    if ($loginFoundUser) {
        $loginStrGroup = "";

        if (PHP_VERSION >= 5.1) {session_regenerate_id(true);} else {session_regenerate_id();}
        //declare two session variables and assign them
        $_SESSION['MM_Username'] = $loginUsername;
        $_SESSION['MM_UserGroup'] = $loginStrGroup;

        // The "&& false" makes this branch unreachable, so PrevUrl is never used.
        if (isset($_SESSION['PrevUrl']) && false) {
            $MM_redirectLoginSuccess = $_SESSION['PrevUrl'];
        }
        header("Location: " . $MM_redirectLoginSuccess );
    }
    else {
        header("Location: ". $MM_redirectLoginFailed );
    }
}
?>
and the form code is:
<form action="<?php echo $loginFormAction; ?>" method="POST" name="login_form">
<h3>Please login first. If you haven't registered and activated your account, click on the Register button above.</h3><fieldset>
<blockquote>
Your browser must allow cookies in order to login.
<p><b>Email Address : </b> <input type="text" name="email" value="<?php if (isset($_POST['email'])) echo $_POST['email']; ?>" size="35" maxlength="40" /></p>
<p><b>Password : </b>
<input type="password" name="pass" value="<?php if (isset($_POST['pass'])) echo $_POST['pass']; ?>" size="20" maxlength="20" /></p>
<input type="hidden" name="submitted" />
<input name="user_level" type="hidden" value="0" />
<input name="active" type="hidden" />
<input type="submit" name="Submit" value="Login" />
</blockquote></fieldset>
</form></div>
The login script includes the Server Behavior Log In User and shows like this:

I would expect it to revert to http://ppbm6.com/PPBM6.php after successful login but that does not happen.
I am pretty sure I have overlooked something very simple here, but if you have any suggestions, I would appreciate it.
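An access gate for a protected page, written as an added example (not the Dreamweaver-generated code above) around the three tiers described in the first post: anonymous, registered and subscriber. It assumes the login script stored the user's row in $_SESSION['user'], that user_level 0 means registered and 1 means subscriber (both assumed values), and the Login/login.php path from the post.

```php
<?php
// Added example, not the Dreamweaver-generated code from the post. Assumes the
// login script stored the user's row in $_SESSION['user'] and that user_level
// 0 means a registered user and 1 a subscriber (both values are assumptions).
session_start();

const LEVEL_REGISTERED = 0;
const LEVEL_SUBSCRIBER = 1;

// True when the session holds a logged-in user of at least the given level.
function is_authorized(array $session, int $required_level): bool
{
    // Deny by default: no user record in the session means not logged in.
    if (!isset($session['user']['user_level'])) {
        return false;
    }
    return (int) $session['user']['user_level'] >= $required_level;
}

// Accept only a same-site path as the post-login destination, so the
// accesscheck parameter cannot send a user to another host after login.
function safe_return_url(?string $url, string $fallback): string
{
    if ($url !== null && preg_match('#^/(?![/\\\\])#', $url)) {
        return $url;
    }
    return $fallback;
}

// Redirects to the login page, carrying the requested URL in accesscheck,
// and stops the script so the protected content below is never rendered.
function require_level(int $required_level, string $login_page = 'Login/login.php'): void
{
    if (is_authorized($_SESSION, $required_level)) {
        return;
    }
    $referrer = $_SERVER['REQUEST_URI'] ?? '/';
    $sep = strpos($login_page, '?') === false ? '?' : '&';
    header('Location: ' . $login_page . $sep . 'accesscheck=' . urlencode($referrer));
    exit;
}

// Benchmark results page: subscribers only. Registered-only pages would call
// require_level(LEVEL_REGISTERED); generic pages call nothing.
require_level(LEVEL_SUBSCRIBER);
```

safe_return_url() is the check the login page would apply to $_GET['accesscheck'] before using it as the redirect target after a successful login.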