Chris Bennett

Reputation: 181

can't perform SELECT query

My script is supposed to log the user into my database.

It does this by checking whether or not the username and password match a row on the staff table.

If it is discovered that the username and password do exist, it stores the username and password on the cookie.

The problem that I'm getting is that users are not being logged in.

It has been identified via the echo method that the following variables have the following values upon clicking the button:

$row = 0
$username = whatever is in the username field on the form

This seems to indicate that there is something wrong with the query.

<?php

$dbhost = 'localhost';
$dbuser = 'root';
$dbpass = '';

$conn = mysql_connect($dbhost, $dbuser, $dbpass) or die('Error connecting to mysql');

$dbname = 'the_shop';
mysql_select_db($dbname);

if(isset($_GET['submit']))
{
    $username = $_GET['username'];
    $password = md5($_GET['password']);
    echo "$username + $password <br />";

    // insert user into db
//  $sql = "INSERT INTO `logindb`.`users` (`id`, `username`, `password`) VALUES (NULL, '".$username."', '".$password."');";
//  echo $sql;
//  $result = mysql_query($sql);

    // getting user from db
    $query  = "SELECT Username, Password FROM staff WHERE `Username`='.$username.'";
    $result = mysql_query($query)
    or die(mysql_error());
    $num=mysql_numrows($result);
    echo $num;
    if($num <= 0) {
        echo "login not successful";
        echo "$username";
    }
    else
    {
        // no quotes here: single-quoted '$username' would store the literal text
        $_SESSION['username'] = $username;
        $_SESSION['password'] = $password;
        //header("Location:Admin_Control_panel.php");
    }
}
?>

Upvotes: 1

Views: 138

Answers (4)

user1247034

Your query should be:

$query = "SELECT Username, Password FROM staff WHERE Username = '" . $username . "'";

I suggest looking into PDO (PHP Data Objects) as an alternative to the method you are using and parameterising your variables.

http://php.net/manual/en/book.pdo.php

Upvotes: 2
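
The parameterised PDO lookup suggested in the answer above, as an added example that is not part of the original post. It assumes an in-memory SQLite database (through the pdo_sqlite driver) standing in for the question's MySQL `staff` table; the sample rows are constructed and `staffLogin()` is a hypothetical helper name.

```php
<?php
// Constructed in-memory SQLite table standing in for the question's MySQL
// `staff` table (an assumption, so the script runs without a server).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE staff (Username TEXT PRIMARY KEY, Password TEXT)');

// Constructed sample rows; md5() is kept only because the question stores it.
$seed = $pdo->prepare('INSERT INTO staff (Username, Password) VALUES (?, ?)');
$seed->execute(['alice', md5('correct horse')]);
$seed->execute(["o'brien", md5('battery staple')]);

/** Hypothetical helper: true when a staff row matches both values. */
function staffLogin(PDO $pdo, string $username, string $password): bool
{
    // The value is bound to :username and never becomes part of the SQL text.
    $stmt = $pdo->prepare('SELECT Password FROM staff WHERE Username = :username');
    $stmt->execute([':username' => $username]);
    $stored = $stmt->fetchColumn();   // false when no row matched

    // hash_equals() compares the two digests in constant time.
    return $stored !== false && hash_equals($stored, md5($password));
}

// The question's query text: the dots sit inside the string literal, so the
// database is asked for a user literally named ".alice." and finds no row.
$username = 'alice';
$broken = "SELECT Username, Password FROM staff WHERE Username='.$username.'";
var_dump(count($pdo->query($broken)->fetchAll()));

// Interpolating without the dots works for 'alice', but a value containing a
// quote ends the SQL string early and the statement no longer parses.
$username = "o'brien";
try {
    $pdo->query("SELECT Username FROM staff WHERE Username='$username'");
} catch (PDOException $e) {
    echo "interpolated query rejected by the database\n";
}

// The bound parameter handles both names; a wrong password is refused.
var_dump(staffLogin($pdo, 'alice', 'correct horse'));
var_dump(staffLogin($pdo, "o'brien", 'battery staple'));
var_dump(staffLogin($pdo, 'alice', 'wrong password'));
```

For stored passwords, PHP provides `password_hash()` and `password_verify()`, which are designed for that purpose where `md5()` is not.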

Bart

Reputation: 17361

For starters your $query has unwanted characters (.) in there.

"SELECT Username, Password FROM staff WHERE `Username`='.$username.'"
                                                        ^         ^

Should be.

"SELECT Username, Password FROM staff WHERE `Username`= '$username'"

Without the dots.

Upvotes: 3

Amir

Reputation: 4111

$query  = "SELECT Username, Password FROM staff WHERE `Username`='$username'";

Upvotes: 1

haim770

Reputation: 49095

This line:

$query  = "SELECT Username, Password FROM staff WHERE `Username`='.$username.'";

Needs to be:

$query  = "SELECT Username, Password FROM staff WHERE `Username`='$username'";

There is no need to concatenate the string since you're using double-quotes and PHP is parsing the $ values inside a double quoted string.

Upvotes: 3
