Reputation: 73
I am mostly sure that my error is with the variable not being retrieved from the table. However, I cannot see the error; I am asking for that data at the same time I am asking for the username and password. The table consists of [username], [password], [company]. The goal is to have the user directed based on the name in company after the username and password have been verified. I keep getting the echo at the end.
Here is the code:
function RegisterUser($usename, $password, $company)
{
// hash the pwd
$hpwd = hash('sha256',$password);
$q ='insert into users values(username, password, company) values(?,?,?)';
$stmt = PDO::prepare($q);
$stmt->exectue(array( $username, $hpwd, $company));
}
// validate user and return the company if successful
function ValidateUser($username, $password, &$company)
{
$hpwd = hash('sha256',$password);
$q ='select company from users where username=? AND password=?';
$stmt = PDO::prepare($q);
$stmt->exectue(array( $username, $hpwd));
if( ($company = $stmt->fetch(PDO::FETCH_COLUMN)) === false )
{
$company = header( 'Location: login.php' );
}
elseif($company == "monkeynones")
{
header( 'Location: admin1.php' );
}
}
Upvotes: 0
Views: 67
Reputation: 560
It is so important that new programmers learn to do username/password authentication properly that I felt it necessary to write this longer post.
Firstly, as eicto pointed out, the mysql extension is deprecated and really should not be used at all.
So to the metal.
Visit php.net and learn about PDO.
Never store unencoded passwords.
Here is what you should do:
Set up PDO:
// you need to store $link somewhere, in a class preferably
// $config holds the connection settings; it is passed in because a function cannot see a $config variable from the outer scope
function InitPDO(&$link, array $config)
{
// have the database handle all strings as UTF-8.
// the option key is the PDO constant itself, not the string 'PDO::MYSQL_ATTR_INIT_COMMAND'
$options = array(PDO::MYSQL_ATTR_INIT_COMMAND => 'set names utf8');
$link = new PDO('mysql:host='.$config['dsn_host'].';dbname='.$config['dsn_db'], $config['username'], $config['password'], $options);
// If there is an error executing database queries, have PDO throw an exception.
$link->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// use real server-side prepared statements instead of client-side emulation
$link->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
}
Upon registration of a user:
// $link is passed in: a function cannot see the caller's $link variable
function RegisterUser(PDO $link, $username, $password, $company)
{
// hash the pwd
$hpwd = hash('sha256', $password);
// column list first, then VALUES (?,?,?); the original had a stray "values" before the column list
$q = 'insert into users (username, password, company) values (?,?,?)';
$stmt = $link->prepare($q);
$stmt->execute(array($username, $hpwd, $company));
}
// validate user and return the company if successful
function ValidateUser(PDO $link, $username, $password, &$company)
{
$hpwd = hash('sha256', $password);
$q = 'select company from users where username=? AND password=?';
$stmt = $link->prepare($q);
$stmt->execute(array($username, $hpwd));
// fetch(PDO::FETCH_COLUMN) returns false when no row matched
if (($company = $stmt->fetch(PDO::FETCH_COLUMN)) === false)
{
$company = 'invalid'; // because user auth failed
}
// else all is good
}
Example test usage:
// assumes there is a 'login.php' and an 'invalid.php' file
// placeholder connection settings; replace with your own
$config = array('dsn_host' => 'localhost', 'dsn_db' => 'mydb', 'username' => 'dbuser', 'password' => 'dbpass');
$link = null;
InitPDO($link, $config);
RegisterUser($link, 'tester', 'password', 'login');
ValidateUser($link, 'tester', 'password', $redir);
if (file_exists($redir . '.php'))
{
header('Location: ' . $redir . '.php');
exit;
}
echo 'error. no valid page found to fulfil query';
Upvotes: 0
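The answer above stores a bare sha256 digest of the password, which is unsalted and fast to brute-force offline, and looks the hash up in SQL. The following is an added example, not the answerer's code, that keeps the same PDO structure but uses PHP's password_hash()/password_verify() (salted, slow, and upgradeable) and replaces the file_exists() redirect with an allow-list of pages. The function names, the in-memory SQLite database and the sample users are assumptions made for this example so that it runs offline; a MySQL DSN works the same way.

```php
<?php
declare(strict_types=1);
// Added example: registration and login with password_hash()/password_verify()
// instead of a bare sha256 digest. SQLite in memory so it runs without a server.

function initDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL, company TEXT NOT NULL)');
    return $db;
}

function registerUser(PDO $db, string $username, string $password, string $company): void
{
    // password_hash() picks a random salt and a slow algorithm (bcrypt by default),
    // so identical passwords produce different stored values and offline cracking is slow.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, password, company) VALUES (?, ?, ?)');
    $stmt->execute([$username, $hash, $company]);
}

// Returns the company on success, null on failure. The user is looked up by name only;
// the hash cannot be compared in SQL because every stored hash carries its own salt.
function validateUser(PDO $db, string $username, string $password): ?string
{
    $stmt = $db->prepare('SELECT password, company FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Verify against a throwaway hash when the user does not exist, so an unknown
    // user and a wrong password take about the same time (no enumeration by timing).
    $hash = $row ? $row['password'] : password_hash('dummy', PASSWORD_DEFAULT);
    if (!password_verify($password, $hash) || !$row) {
        return null;
    }
    // Transparently upgrade stored hashes if the default algorithm or cost changes later.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE users SET password = ? WHERE username = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $username]);
    }
    return $row['company'];
}

// Map the stored company to a page through an allow-list rather than building a
// filename from a database value and testing file_exists() on it.
function redirectTarget(?string $company): string
{
    $pages = ['login' => 'login.php', 'monkeynones' => 'admin1.php'];
    return $pages[$company ?? ''] ?? 'invalid.php';
}

// Constructed sample users for the demonstration.
$db = initDb();
registerUser($db, 'tester', 'password', 'login');
registerUser($db, 'admin', 'correct horse battery staple', 'monkeynones');

$attempts = [
    ['tester', 'password'],
    ['tester', 'wrong'],
    ['nobody', 'password'],
    ['admin', 'correct horse battery staple'],
];
foreach ($attempts as [$u, $p]) {
    $company = validateUser($db, $u, $p);
    printf("%-8s %-30s -> %s\n", $u, $p, $company === null ? 'login failed' : redirectTarget($company));
}
```

Run it with `php` on the command line: the two correct attempts resolve to login.php and admin1.php, the wrong password and the unknown user both fail without revealing which of the two it was. After a successful check the caller should still call session_regenerate_id(true) before sending the Location header, and the plain sha256 column in the original schema needs to be wide enough for the longer password_hash() output.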
Reputation:
Your query is wrong:
$sql = "SELECT 'password' and 'company' from users where 'username' = '$username';";
should be
$sql = "SELECT `password`, `company` from `users` where `username` = '$username'";
Use backticks, not quotes, around identifiers. `and` is replaced by a comma, and the trailing semicolon in the query isn't required.
Upvotes: 2
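The corrected query above still interpolates `$username` into the SQL text, so the identifier fix alone does not make it safe. The following is an added example, not part of the answer, that runs the original query, the corrected-but-interpolated query and a parameterised version against a small in-memory SQLite table (a constructed sample; SQLite accepts backtick-quoted identifiers like MySQL does). The function names and sample rows are assumptions made for this example.

```php
<?php
declare(strict_types=1);
// Added example: effect of the quoting mistake, and why interpolating the
// username into the corrected query is still injectable.

function sampleDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE `users` (`username` TEXT, `password` TEXT, `company` TEXT)');
    // constructed sample rows
    $db->exec("INSERT INTO `users` VALUES ('alice', 'hash-a', 'login'), ('bob', 'hash-b', 'monkeynones')");
    return $db;
}

// 1. The query from the question: single quotes turn 'password', 'company' and
// 'username' into string literals, so the WHERE clause compares the text
// 'username' with the supplied name and never matches a row.
function originalQuery(PDO $db, string $username): array
{
    $sql = "SELECT 'password' and 'company' from users where 'username' = '$username';";
    return $db->query($sql)->fetchAll(PDO::FETCH_NUM);
}

// 2. The corrected identifiers, with the value still spliced into the SQL text.
function interpolatedQuery(PDO $db, string $username): array
{
    $sql = "SELECT `password`, `company` from `users` where `username` = '$username'";
    return $db->query($sql)->fetchAll(PDO::FETCH_NUM);
}

// 3. The same query with a bound parameter: the input is sent as data and is
// never parsed as part of the statement.
function preparedQuery(PDO $db, string $username): array
{
    $stmt = $db->prepare('SELECT `password`, `company` from `users` where `username` = ?');
    $stmt->execute([$username]);
    return $stmt->fetchAll(PDO::FETCH_NUM);
}

$db = sampleDb();
$hostile = "' OR '1'='1";   // closes the quoted literal and appends an always-true condition

printf("original query, 'alice':       %d row(s)\n", count(originalQuery($db, 'alice')));
printf("interpolated query, 'alice':   %d row(s)\n", count(interpolatedQuery($db, 'alice')));
printf("interpolated query, hostile:   %d row(s)\n", count(interpolatedQuery($db, $hostile)));
printf("prepared query, hostile:       %d row(s)\n", count(preparedQuery($db, $hostile)));
```

The first line shows the symptom from the question (a well-formed query that returns nothing), the second shows the fix working for a normal name, the third shows that the same fixed query returns every user's password hash and company when the name contains a quote, and the fourth shows the bound parameter returning no rows for the same input. Identifier quoting fixes the syntax; only the prepared statement fixes the injection.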