Are you sure you don't store passwords hashed?
Also, don't use this ugly function, use bound parameters. It's cleaner and better.
Update:
no is returned whenever the following condition fails:
if (isset($_POST['username']) && isset($_POST['password']))
, no matter what's going on in MySQL.
Check that you set both variables.
This bit:
$result = mysql_fetch_array(mysql_query($query));
return 'yes';
just returns yes no matter what the $result variable holds, try doing
if(empty($result)){
return 'no'
}else{
return 'yes'
}
if (isset($_POST['username']) && isset($_POST['password']))
This is the line which determines if you get yes or no. So that means that your not using post to get the variables from the form.
It has nothing to do with the query.
If your getting "no" that is because this code fails to return true:
if (isset($_POST['username']) && isset($_POST['password']))
So...Did you give the input fields those exact names? Is the form really being posted?
Your function doLogin() returns 'yes' if you have provided a username and a password, no matter what the database says...
This would appear to be a HTML problem more than a query problem as the only thing that would make this class return 'no' are your $_POST variables.
Hopefully the basics of your form needs to look something like this in HTML:
<form method='post' action='filename.php'>
<input type='text' name='username' /><br />
<input type='password' name='password' />
</form>
You should write the line
$result = mysql_fetch_array(mysql_query($query));
as
$res = mysql_query($query);
if (!$res) {
die "doLogin: " . mysql_error();
}
$user = mysql_fetch_array($res);
at least while testing this code. This way you can see if you have errors in your database calls.