
The config.php doesn't seem to work

In the home.html file, I have a div that, when clicked, shows the login form to be filled in by the user who wants to log in. After the form is filled in, the config of the form should direct it back to the home.html file.

The problem I encountered is that when I tried to fill in the username and password fields of the form and submit it, the browser just stops on a blank page at config-haslogin.php and does not direct it back to the home.html file.

The result is just the same when I tried to fill it in with the wrong username and password.

config-haslogin.php

<?php @session_start();
$_SESSION['id']= 0;
?>


<?php
error_reporting(E_ALL ^ E_NOTICE);      
mysql_connect("mysql.com","usename","password") or die("cannot connect");
mysql_select_db("mytable")  or die("Fail");

$myemail= $_POST['email'];
$mypassword= $_POST['password'];

$sql= "SELECT * FROM user WHERE email='".$myemail."' and password='".$mypassword."'";
$result=mysql_query($sql);
$count=mysql_num_rows($result);
if($count==1 ) 
{
echo "Login successful";
echo '<script>window.location="index.html";</script>';
}
 ?>

This is wrong:

echo "Login successful";
'<script>window.location="index.html";</script>';

You are missing the echo statement there:

echo "Login successful";
echo '<script>window.location="index.html";</script>';

More, but not as grave, problematic parts of your code:

@session_start();

Suppressing error messages doesn't solve problems, it just creates new ones. You will not notice when an error occurs and will spend hours finding a solution for it when it would take you only minutes if you had a proper error message.

error_reporting(E_ALL ^ E_NOTICE);  

This is only half the rent. It only defines which error levels to show, not if they are shown at all. If error messages are disabled by your hoster you have to do ini_set("display_errors", true); as well, otherwise you'll see nothing.

Your SQL code is vulnerable to SQL injections. I could just enter "mail@host.com' --" in your email field and be logged in without knowing the password. You should switch to mysqli_* or PDO and use prepared statements for your queries.

Use proper error reporting. Don't just use this:

or die("cannot connect");

Instead relay the actual error message so you know WHY it didn't work:

or die("Connection error: " . mysql_error());

Use this after queries as well so you know why a query fails:

if ($result == false) echo "Query failed: " . mysql_error();

PDO and MySQLi have similar error reporting functions. Use them.

echo '<script>window.location="index.html";</script>';

You should not use JavaScript for redirections. You never know if the client has JavaScript enabled or is even capable of it. The proper way to do redirects is the header() function:

header("Location: index.html");
exit();

Note that header() will only work if there is absolutely NO output before it. Not even blanks, newlines or other whitespace.
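
The prepared-statement fix recommended above, shown next to the question's concatenated query, as an added example that is not part of the original answer. It assumes the pdo_sqlite extension (an in-memory SQLite database stands in for MySQL so the script runs offline), a password column that stores hashes, and the hypothetical function names countMatchesConcatenated and login.

```php
<?php
// Added example, not the answerer's code. SQLite in memory stands in for MySQL;
// the PDO calls are the same with a mysql: DSN.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
// Throw exceptions on failure instead of hiding errors with @ or a bare die().
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data: one user whose password is stored as a hash (assumption).
$pdo->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, email TEXT UNIQUE, password TEXT)');
$insert = $pdo->prepare('INSERT INTO user (email, password) VALUES (?, ?)');
$insert->execute(['mail@host.com', password_hash('correct horse', PASSWORD_DEFAULT)]);

// The question's approach: user input is concatenated into the SQL text,
// so a quote in the input changes the structure of the query.
function countMatchesConcatenated(PDO $pdo, string $email, string $password): int
{
    $sql = "SELECT COUNT(*) FROM user WHERE email='" . $email . "' and password='" . $password . "'";
    return (int) $pdo->query($sql)->fetchColumn();
}

// Prepared statement: the email is sent as a bound value and is never parsed as SQL.
// Returns the user id on success, null on any failure.
function login(PDO $pdo, string $email, string $password): ?int
{
    $stmt = $pdo->prepare('SELECT id, password FROM user WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    return (int) $row['id'];
}

$crafted = "mail@host.com' --"; // the input quoted in the answer

// Same crafted input through both code paths, then a wrong and a correct password.
var_dump(countMatchesConcatenated($pdo, $crafted, 'anything'));
var_dump(login($pdo, $crafted, 'anything'));
var_dump(login($pdo, 'mail@host.com', 'wrong'));
var_dump(login($pdo, 'mail@host.com', 'correct horse'));

// In the web handler, redirect with header() before any output:
// if (login($pdo, $email, $password) !== null) { header('Location: index.html'); exit(); }
```

Run it with the PHP CLI to compare how the concatenated query and the bound parameter treat the same input.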
