Serious programming problem

Why does my code not work when the username does not exist? When the username doesn't exist it just gives me a blank screen. No error messages, no form, no nothing. It works as intended when the username is found but the password is incorrect and when the username/password are both correct.

Also, please don't make fun of my code. I'm sensitive and I'd like to stay that way.


<?php
$num_rows = 0;
if($_SERVER['REQUEST_METHOD'] == 'POST') {
  $uname = $_POST['username'];
  $pword = $_POST['password'];


$db_handle = mysql_connect(localhost, "admin", "1admin");
$db_found = mysql_select_db("users", $db_handle);

$result = mysql_query("SELECT * FROM logininfo WHERE username = '$uname'") or die(mysql_error());
$num_rows = mysql_num_rows($result) or die(mysql_error());;
if($num_rows > 0)
  $row = mysql_fetch_array($result) or die(mysql_error());

if($num_rows == 0) {
  echo "Username not found.";
}
else if(md5($pword) != $row['password']) {
  echo "Incorrect Password.";
}
else {
  session_start();
  echo "Success.";
  $_SESSION['login'] = "1";
  $_SESSION['username'] = $uname;
  echo '<META HTTP-EQUIV="Refresh" Content="3; URL=index.php">';   
  exit; 
}
}
?>


<FORM NAME ="form1" METHOD ="POST" ACTION ="login.php">

Username: <INPUT TYPE = 'TEXT' Name ='username'  value="<?PHP print $uname;?>" maxlength="20">
Password: <INPUT TYPE = 'TEXT' Name ='password'  value="<?PHP print $pword;?>" maxlength="16">

<P>
<INPUT TYPE = "Submit" Name = "Submit1"  VALUE = "Login">


</FORM>

>>37
Was planning on fixing that after the site was functional.

Serious question though. I'm not completely new to programming, I've programmed in C mostly, but some other stuff as well. How come even scripting languages like python or perl don't have these injection problems like PHP?

$num_rows = mysql_num_rows($result) or die(mysql_error());;
;;

And look up mysql_real_escape_string(), use it on everything you concatenate to a query and you won't have problems with quotes and such.

>>41
They do, it's just not as pronounced.

>>41
Perl doesn't because Perl designs things right the first time, e.g. placeholders.

Ok, any language lets you shoot yourself in the foot.  It's just that PHP is constantly shooting at your feet and yelling "Dance!".

>>42
Don't manually concatenate SQL parameters, ever, and you will never have a problem. Prepared statements exist for a reason. So does mysqli, as >>40 pointed out.

except you'll have to concatenate SQL parameters when you need to specify a dynamic ORDER BY (or LIMIT) clause.

PDO still sucks, better than mysql_* but still sucky