[Syfer]

<?php
if(isset($_POST['login']))
{
$uname=$_POST['uname'];
if(empty($uname)
){
echo "<script>alert('username is empty')</script>";
}
else
{
if(empty($_POST['pwd']))
{
echo "<script>alert('password is empty')</script>";
}
else
{

$po = "SELECT * FROM accounts WHERE uname='$uname'";
$resulty = mysql_query($po) or die(mysql_error());
while($rowy = mysql_fetch_array($resulty))
{
if(empty($rowy['id_no']))
{
    echo "<script>alert('Account doesn't exist')</script>";
}
else
{
if(md5($_POST['pwd']) != $rowy['pwd'])
{
     echo "<script>alert('Your password is incorrect')</script>";
}
else
{
		     
			 $_SESSION['position']=$rowy['position'];
			 $_SESSION['id_no'] = $rowy['id_no'];
             $_SESSION['uname'] = $_POST['uname'];
		    echo '<meta http-equiv="refresh" content="0;url=index1.php">';
	         exit;
    }
	}
	}	
	}	
	}
	}
  
   if(isset($_REQUEST["action"]) && $_REQUEST["action"] == "login"){
  echo '<div class="gin">
<form method="post">
  LOGIN
  <br />
  Username:
  <input type="text" name="uname"/>
  <br />
  <br />
 Password:&nbsp
<input type="password" name="pwd"/>
<input type="submit" name="login" value="login" />
<a href="index.php"><input type="button" value="back" /></a></p>
</form>
</div>';
}
  
?>

my code
and the part of my validation which is not working

if(empty($rowy['id_no']))
{
    echo "<script>alert('Account doesn't exist')</script>";
}
else
{

any help would be appreciated.

[codeprada]

If you're only checking for the existence of an account you should use MySQL's function COUNT().

SELECT COUNT(`field`) AS `total` FROM `table` WHERE `username` = :uname

You would only need to fetch one row with this query.

$results = mysql_query($sql);
$row = mysql_fetch_assoc($results);
if((int)$row['total'] > 0)
    // ... Account exists
else
    // ... Account doesn't exist

Next time when you're posting at least use indentation so that we don't have to sift through code to really follow what's going on. Don't throw user input directly into your queries since they'll make your application vulnerable to SQL injections. I'm sure we've told you this time and time again. Finally, use MySQLi or PDO. mysql_* functions are outdated.

[Syfer]

are there any other solution aside from that?

[JackOfAllTrades]

WHY??? That's the RIGHT way to do it!

[Syfer]

<?php
if(isset($_POST['login'])){
$uname=$_POST['uname'];
if(empty($uname)){
echo "<script>alert('username is empty')</script>";
}else{
if(empty($_POST['pwd'])){
echo "<script>alert('password is empty')</script>";
}else{
$po = "SELECT COUNT(`id_no`) AS total FROM accounts WHERE uname='$uname'";
$results = mysql_query($po);
$row = mysql_fetch_assoc($results);
if((int)$row['total'] > 0)
    if(md5($_POST['pwd']) != $rowy['pwd']){
     echo "<script>alert('Your password is incorrect')</script>";
	}else{
		     
			 $_SESSION['position']=$rowy['position'];
			 $_SESSION['id_no'] = $rowy['id_no'];
             $_SESSION['uname'] = $_POST['uname'];
		    echo '<meta http-equiv="refresh" content="0;url=index1.php">';
	         exit;
    }
else
    echo "<script>alert('Account doesn't exist')</script>";

	
	}
	}	
	}	
	
?>

then i might be the one who got it wrong..
did i used it correctly or wrong?
*disregard the sql injection thing gonna fix that later after this.*

[codeprada]

It looks like you're just trying to guess a solution. Firstly, $rowy does not exist and you don't need to check if an accounts exists if you're trying to match the credentials. All you need to do is count the amount of matches you have and if it's equal to one then the user name and password are correct.

SELECT COUNT(`field`) AS `total` FROM `table` WHERE `username` = :uname AND `password` = :pass