I have had this problem for a long time now; it doesn't seem to work. I don't know where I went wrong with the login system, it just shows 'Password incorrect'.
Can someone help, please?
Thanks in advance :)
<?php
require('mysql.php');
if (isset($_POST['submit'])) {
    // empty($a || $b) tests the boolean result of the OR, not the two fields;
    // each field has to be checked on its own
    if (empty($_POST['username']) || empty($_POST['pw'])) {
        echo '<p class="warning">Error: Fülle bitte alle Felder aus</p>';
    } else {
        $Email    = $_POST['username'];
        $password = $_POST['pw'];
        $userData  = array($Email, $password);   // was array($user, ...): $user was never assigned
        $adminData = array("Markus", 12345);
        // bind the e-mail address instead of interpolating it into the SQL string
        $sql  = "SELECT * FROM Kunde WHERE Email = :email";
        $stmt = $conn->prepare($sql);
        $stmt->execute(array(':email' => $Email));
        $row = $stmt->fetch(PDO::FETCH_ASSOC);   // false when no such customer exists
        if ($row !== false) {
            if (password_verify($password, $row['Passwort'])) {
                // the row already contains the ID; the second query (which stored
                // a whole result array in the session) is not needed
                $kundenID = $row['Kunden_ID'];
                session_start();
                if ($userData == $adminData) {
                    $_SESSION['adminloggedin'] = true;   // was read from the session instead of set
                    header('Location: admin.php');
                    exit;
                } else {
                    $_SESSION['userloggedin'] = $kundenID;   // was the undefined $kunden_id
                    echo 'Erfolgreich eingelogged';
                }
            } else {
                echo '<p class="warning">Passwort nicht korrekt</p>';
            }
        } else {
            echo 'this username doesnt exist';
        }
    }
}
?>
We were instructed to use two tables for different types of user (Super Admin and Admin), which made our code more complex than it should be.
I have a login query where I validate whether the user has been disabled by a super admin account.
However, my code only logs in Admin accounts, and every time I try to log in to a super admin account, it only shows the last else, where it says I used an invalid password/user.
<?php
include "config.php";
if (isset($_POST['username']) && isset($_POST['password'])) {
    $username = $_POST['username'];
    $password = md5($_POST['password']);
    $stmt = $db->prepare("SELECT * FROM users WHERE username=? AND password=?");
    $stmt->bindParam(1, $username);
    $stmt->bindParam(2, $password);
    $stmt->execute();
    $stmt2 = $db->prepare("SELECT * FROM sa_users WHERE username=? AND password=?");
    $stmt2->bindParam(1, $username);
    $stmt2->bindParam(2, $password);
    $stmt2->execute();
    $row = $stmt->fetch();
    $row2 = $stmt2->fetch();
    $user = $row['username'];
    $pass = $row['password'];
    $id = $row['user_id'];
    $id2 = $row2['sa_id'];
    $type = $row['type'];
    $type2 = $row2['type'];
    $user_status = $row['user_status'];
    if ($user_status == 'Disable') {
?>
<div class="alert">
    <span class="closebtn" onclick="this.parentElement.style.display='none';">×</span>
    <strong>Error!</strong> Your account has been disabled!
</div>
<?php
    } else {
        if ($username == $user && $pass == $password && $type2 == 'Super_Admin') {
            session_start();
            $_SESSION['username'] = $user;
            $_SESSION['password'] = $pass;
            $_SESSION['sa_id'] = $id2;
            $_SESSION['type'] = $type2;
?>
<script>window.location.href='index.php'</script>
<?php
        } else {
            if ($username == $user && $pass == $password && $type == 'Admin') {
                session_start();
                $_SESSION['username'] = $user;
                $_SESSION['password'] = $pass;
                $_SESSION['user_id'] = $id;
                $_SESSION['type'] = $type;
?>
<script>window.location.href='index.php'</script>
<?php
            } else {
                if ($username != $user && $pass != $password) {
?>
<div class="alert">
    <span class="closebtn" onclick="this.parentElement.style.display='none';">×</span>
    <strong>Error!</strong> Wrong Password/Username.
</div>
<?php
                }
            }
        }
    }
}
?>
Your if statement only checks for the Admin user and password.
It misses these variable initializations:
$user2 = $row2['username'];
$pass2 = $row2['password'];
When you check for Super Admin login credentials, you check using the username and password from the Admin table and not from the Super Admin table.
Hence:
if($username==$user && $pass==$password
Rather than:
if($username==$user2 && $pass2==$password
There are also lines using Admin values when they should be from the Super Admin's.
Here's the code I updated below. I haven't tested it yet, though. Hopefully it runs fine.
<?php
include "config.php";
if (isset($_POST['username']) && isset($_POST['password'])) {
    $username = $_POST['username'];
    $password = md5($_POST['password']);
    $stmt = $db->prepare("SELECT * FROM users WHERE username=? AND password=?");
    $stmt->bindParam(1, $username);
    $stmt->bindParam(2, $password);
    $stmt->execute();
    $stmt2 = $db->prepare("SELECT * FROM sa_users WHERE username=? AND password=?");
    $stmt2->bindParam(1, $username);
    $stmt2->bindParam(2, $password);
    $stmt2->execute();
    // fetch() returns false when there is no match, so read the fields with ?? null
    // instead of indexing into a boolean
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    $row2 = $stmt2->fetch(PDO::FETCH_ASSOC);
    $user = $row['username'] ?? null;
    $pass = $row['password'] ?? null;
    $user2 = $row2['username'] ?? null;
    $pass2 = $row2['password'] ?? null;
    $id = $row['user_id'] ?? null;
    $id2 = $row2['sa_id'] ?? null;
    $type = $row['type'] ?? null;
    $type2 = $row2['type'] ?? null;
    $user_status = $row['user_status'] ?? null;
    if ($user_status == 'Disable') {
?>
<div class="alert">
    <span class="closebtn" onclick="this.parentElement.style.display='none';">×</span>
    <strong>Error!</strong> Your account has been disabled!
</div>
<?php
    } else {
        // Super Admin check uses the sa_users row ($user2/$pass2), not the users row
        if ($username == $user2 && $pass2 == $password && $type2 == 'Super_Admin') {
            session_start();
            $_SESSION['username'] = $user2;
            $_SESSION['password'] = $pass2;
            $_SESSION['sa_id'] = $id2;
            $_SESSION['type'] = $type2;
?>
<script>window.location.href='index.php'</script>
<?php
        } else {
            if ($username == $user && $pass == $password && $type == 'Admin') {
                session_start();
                $_SESSION['username'] = $user;
                $_SESSION['password'] = $pass;
                $_SESSION['user_id'] = $id;
                $_SESSION['type'] = $type;
?>
<script>window.location.href='index.php'</script>
<?php
            } else {
                if ($username != $user && $pass != $password) {
?>
<div class="alert">
    <span class="closebtn" onclick="this.parentElement.style.display='none';">×</span>
    <strong>Error!</strong> Wrong Password/Username.
</div>
<?php
                }
            }
        }
    }
}
?>
<!-- end of php -->
I would like to read $_SESSION[] variables on my profile page, but I'm having issues while trying it.
This is the PHP script in my login file:
<?php
if (isset($_POST['LoginBtn'])) {
    $username = $_POST['username'];
    $password = $_POST['password'];
    if (empty($username) || empty($password)) {
        $show->showError("please fill out all the fields");
    } else {
        $SQLCheckUser = $odb->prepare("SELECT COUNT(*) FROM `Account` WHERE `username` = :user AND `password` = :password LIMIT 1");
        $SQLCheckUser->execute(array(':user' => $username, ':password' => hash('SHA512', $password)));
        $loginCheck = $SQLCheckUser->fetchColumn(0);
        if ($loginCheck) {
            // no comma after `ID`: the stray comma made this query a syntax error
            $SQLGetID = $odb->prepare("SELECT `ID` FROM `Account` WHERE `username` = :username LIMIT 1");
            $SQLGetID->execute(array(':username' => $username));
            $_SESSION['username'] = $username;
            $_SESSION['ID'] = $SQLGetID->fetchColumn(0);
            $show->showSuccess('Willkommen... <meta http-equiv="refresh" content="2;url=index.php">');
        } else {
            $show->showError('user was not found!');
        }
    }
}
?>
In the database, the Account table has columns like username, password, firstname, lastname and adress, and I would like to display them on the profile.php page, for example like this:
<h4 class="profile-user"><?php echo $_SESSION['firstname']; ?></h4>
<p class="profile-job"><?php echo $_SESSION['lastname']; ?></p>
<p class="profile-job"><?php echo $_SESSION['adress'];?></p>
How could I solve this issue?
The page contains a PHP file starting a session with
<?php session_start(); ?>
and a DB connection:
<?php
$show = new show();
$user = new user($odb);
$status = new status($odb);   // class status is defined elsewhere (not shown here)
class show
{
    function showError($error)
    {
        // attribute is data-dismiss (no space)
        echo '<div class="alert alert-danger"><a class="close" data-dismiss="alert" href="#">×</a><h4 class="alert-heading">error!</h4>' . $error . '</div>';
    }
    function showSuccess($success)
    {
        echo '<div class="alert alert-success"><a class="close" data-dismiss="alert" href="#">×</a><h4 class="alert-heading">Login success!</h4>' . $success . '</div>';
    }
}
class user
{
    public $odb;
    function __construct($odb)
    {
        $this->odb = $odb;
    }
    function loggedIn()
    {
        // true only when the login script set both session keys
        return isset($_SESSION['username'], $_SESSION['ID']);
    }
    function isAdmin()
    {
        $SQL = $this->odb->prepare("SELECT `admin` FROM `Account` WHERE `ID` = :id");
        $SQL->execute(array(':id' => $_SESSION['ID']));
        $rank = $SQL->fetchColumn(0);
        return $rank == 1;
    }
}
?>
My goal is to display all the database variables of the logged-in user on the profile page (full name, address, phone number). If someone could help me fix my code, that would be really appreciated :)
This page is profile.php:
<?php
session_start();
$dbh = new PDO(" --- connection string --- ");
$user = new user($dbh);   // the user class from the connection file must be loaded first
$row = false;
if ($user->loggedIn()) {
    // use the connection created above ($dbh, not $odb), bind the ID instead of
    // interpolating it, and drop the comma before FROM
    $stmt = $dbh->prepare("SELECT `firstname`, `lastname`, `adress` FROM `Account` WHERE `ID` = :id LIMIT 1");
    $stmt->execute(array(':id' => $_SESSION['ID']));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);   // one associative row, so no foreach is needed
}
if ($row) {
?>
<h4 class="profile-user"><?php echo htmlspecialchars($row['firstname']); ?></h4>
<p class="profile-job"><?php echo htmlspecialchars($row['lastname']); ?></p>
<p class="profile-job"><?php echo htmlspecialchars($row['adress']); ?></p>
<?php
}
?>
I received an error with this solution; I fixed it by changing the code in profile.php to this:
<div class="col-lg-3">
<!-- Page Widget -->
<?php
// column and table names take backticks, not single quotes (quoted names select
// string literals), there is no comma before FROM, and the ID is bound
$stmt = $odb->prepare("SELECT `vorname`, `nachname`, `email` FROM `Account` WHERE `ID` = :id LIMIT 1");
$stmt->execute(array(':id' => $_SESSION['ID']));
$row = $stmt->fetch(PDO::FETCH_ASSOC);   // a single row, so no foreach over it
$vorname  = $row['vorname'] ?? '';   // German word for firstname
$nachname = $row['nachname'] ?? '';  // German word for lastname
$email    = $row['email'] ?? '';
?>
<h4 class="profile-user"><?php echo htmlspecialchars($vorname); ?></h4>
But it doesn't seem to appear if I reload the screen.
Looks really weird to me.
I'm creating a back end to my website and running into issues with the login user part.
The user registration into the database is made with the password_hash function using the code below:
UserReg.php :
<?php
require_once 'db.php';
$mysqli = new mysqli($host, $user, $password, $dbname);
if ($mysqli->connect_error) {
    die($mysqli->connect_error);   // was connect_erro (typo)
}
$username = "userF";
$password = "somePass";
$token = password_hash($password, PASSWORD_DEFAULT);
add_user($mysqli, $username, $token);

function add_user($mysqli, $username, $token) {
    $query = $mysqli->prepare("INSERT INTO users(username, password) VALUES (?, ?)");
    $query->bind_param('ss', $username, $token);
    // get_result() always returns false for an INSERT, so testing it would always
    // die(); the return value of execute() is what signals failure
    if (!$query->execute()) {
        die($query->error);
    }
    $query->close();
}
My login form skips to a blank page even when I insert my username and password. It doesn't even get to the login error message.
Login.php:
<?php
include 'db.php';
$username = $_POST['user'];
$pwd = $_POST['password'];
$sql = "SELECT password FROM users WHERE username = ?";
$stmt = $mysqli->prepare($sql);
$stmt->execute();
$stmt->bind_result($pass);
while ($result = $stmt->num_rows()) {
    if ($stmt->password_verify($pwd, $result)) {
        echo "Your username or password is incorrect";
    } else {
        header("Location: Menu.php");
    }
}
What am I missing?
Appreciate your help.
I think you need to take a look at how password_verify works.
session_start();   // needed before $_SESSION is written
$username = $_POST['user'];
$pwd = $_POST['password'];
$sql = "SELECT username, password FROM users WHERE username = ?";
$stmt = $mysqli->prepare($sql);
$stmt->bind_param('s', $username);   // the ? placeholder was never bound
$stmt->execute();
$stmt->bind_result($username, $password);
$stmt->store_result();
if ($stmt->num_rows == 1) { // check that the row exists
    if ($stmt->fetch()) { // fetch the contents of the row into the bound variables
        // password_verify() is a plain function taking the submitted password
        // and the stored password_hash() value
        if (password_verify($pwd, $password)) {
            $_SESSION['username'] = $username;
            echo 'Success!';
            exit();
        } else {
            echo "INVALID PASSWORD!";
        }
    }
} else {
    echo "INVALID USERNAME";
}
$stmt->close();
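As an added example (not code from any post on this page), here is one PDO-based handler that ties together the points raised in this answer and in the profile-page question earlier: verifying a password_hash() value with password_verify(), keeping only the user's ID in the session, and loading the profile columns back out by that ID. The table Account(ID, username, password, firstname, lastname, adress), the DSN and the credentials are assumptions.

```php
<?php
// Added example; assumed schema Account(ID, username, password, firstname, lastname, adress)
// where password holds a password_hash() value.
declare(strict_types=1);

function connect(): PDO {
    // assumed DSN and credentials; replace with your own config
    return new PDO('mysql:host=localhost;dbname=shop;charset=utf8mb4', 'app', 'secret', [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

// Returns the user's ID, or null for both "unknown user" and "wrong password",
// so the response does not reveal which usernames exist.
function authenticate(PDO $pdo, string $username, string $password): ?int {
    $stmt = $pdo->prepare('SELECT ID, password FROM Account WHERE username = :u LIMIT 1');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // verify against a throwaway hash when the user is missing, so both paths do the same work
    $hash = $row['password'] ?? password_hash('no-such-user', PASSWORD_DEFAULT);
    $ok = password_verify($password, $hash);
    return ($row !== false && $ok) ? (int) $row['ID'] : null;
}

function profile(PDO $pdo, int $id): ?array {
    $stmt = $pdo->prepare('SELECT firstname, lastname, adress FROM Account WHERE ID = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

session_start();
$pdo = connect();
if (isset($_POST['username'], $_POST['password'])) {
    $id = authenticate($pdo, (string) $_POST['username'], (string) $_POST['password']);
    if ($id === null) {
        echo '<p class="warning">Wrong username or password</p>';   // one message for both cases
    } else {
        session_regenerate_id(true);   // fresh session ID once the user is authenticated
        $_SESSION['ID'] = $id;         // the ID only; never the password or its hash
        header('Location: profile.php');
        exit;
    }
}
// what profile.php does with the session: look the user up by ID and escape on output
if (isset($_SESSION['ID']) && ($p = profile($pdo, (int) $_SESSION['ID'])) !== null) {
    echo '<h4 class="profile-user">' . htmlspecialchars($p['firstname']) . '</h4>';
    echo '<p class="profile-job">' . htmlspecialchars($p['adress']) . '</p>';
}
```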
I've been trying to get the logged-in person's user_id, which is in the user_login table in my database, and insert it into another table.
What I know is: get the user_id from user_login using a query, assign that query to the SESSION variable, and put that variable in another query where I want to insert it into the table, but I'm unable to write correct code for it. The only thing I'm achieving is it taking the user_id as 1 in the new table. It would be a great help if you could review my code and correct it.
<?php
ob_start();
include('header.php');
require('includes/connect.php');
require('includes/product.php');
$product = new Product;
if (isset($_GET['id'])) {
    $id = $_GET['id'];
    $data = $product->fetch_data($id);
    if (isset($_POST['add'])) {
        if (isset($_SESSION['logged_in'])) {
            $query = $pdo->prepare("SELECT user_id FROM user_login ");
            $user_id = $query->execute();
            $_SESSION['user_id']['id'] = $user_id;
            $query = $pdo->prepare("INSERT INTO cart_items(product_id , user_id, Price) VALUES (?,?,?)");
            $query->bindValue(1, $id);
            $query->bindValue(2, $_SESSION['user_id']['id']);
            $query->bindValue(3, $data['new_price']);
            $query->execute();
            header('location:cart.php');
        } else {
            header('location:Login Page.php');
        }
    }
}   // closes if (isset($_GET['id']))
?>
This is where I do the user validation when logging in (connect.php):
<?php
$servername = "localhost";
$username = "username";
$password = "password";
$dbname = "ecom";
try {
    $pdo = new PDO('mysql:host=localhost;dbname=ecom', 'root', '');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
} catch (PDOException $e) {
    exit('Database error.');
}
function login() {
    global $pdo;
    $username = $_POST['email'];
    $password = md5($_POST['password']);
    if (empty($username) or empty($password)) {
        $error = "Please fill all the fields";
    } else {
        $query = $pdo->prepare("SELECT * FROM user_login WHERE name = ? AND password = ? ");
        $query->bindValue(1, $username);
        $query->bindValue(2, $password);
        $query->execute();
        $num = $query->rowCount();
        if ($num == 1) {
            $_SESSION['logged_in'] = true;
            //header('location :' .$_SESSION['redirectURL']);
            header('location: index.php');
            exit();
        } else {
            $error = "Please enter correct Username and Password";
        }
    }
}
?>
Thank you in advance.
Replace your else part with this code:
$query = $pdo->prepare("SELECT * FROM user_login WHERE name = ? AND password = ? ");
$query->bindValue(1, $username);
$query->bindValue(2, $password);
$query->execute();
$data = $query->fetchAll(PDO::FETCH_ASSOC);
$num = count($data);   // count the fetched rows rather than relying on rowCount() for a SELECT
if ($num == 1) {
    $_SESSION['logged_in'] = true;
    $_SESSION['user_id'] = $data[0]["user_id"];   // the ID from the matched row, not execute()'s return value
    //header('location :' .$_SESSION['redirectURL']);
    header('location: index.php');
    exit();
} else {
    $error = "Please enter correct Username and Password";
}
Then you can get the user ID from the session.
I am trying to log in as a user, but I don't know why I get this error; when I try a second time, I get access. But after logging in it's the same thing, and after I'm logged in on the second try I can't fetch the email from the DB. It seems it is not creating a session; it's just passing the code, not creating sessions.
if (!isset($_SESSION['email']) && isset($_POST['email'])) {
    if (!empty($_POST['email']) && !empty($_POST['password'])) {
        $email = filter_var($_POST['email'], FILTER_SANITIZE_STRING);
        $password = filter_var($_POST['password'], FILTER_SANITIZE_STRING);
        $password = sha1($password);
        try {
            $dbh = new PDO("mysql:host=$hostname; dbname=$database", $username, $pass);
            $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
            $email = $_POST['email'];
            $password = $_POST['password'];
            $stmt = $dbh->prepare("SELECT email, password FROM tbl_user WHERE email = '".$email."' and password = '".$password."'");
            $stmt->bindParam('".$email."', $email, PDO::PARAM_STR);
            $stmt->bindParam('".$password."', $password, PDO::PARAM_STR);
            $stmt->EXECUTE();
            $em = $stmt->fetchColumn();
            if ($em == true) {
                // session_register("email");
                // session_register("password");
                $_SESSION['email'] = $_POST['email'];
                $_SESSION['START'] = time();
                setcookie("username", $_POST['email'], mktime()+(60*3), "/");
                setcookie("LUS", time(), mktime()+(60*3), "/");
                $stmt -> $dbh -> prepare("SELECT Name FROM tbl_user WHERE email = '".$email."'");
                $stmt->EXECUTE();
                $em2 = $stmt->fetchColumn();
                echo "Logged in.";
            } else {
                echo "email or password is incorrect.";
            }
        } catch (Exception $e) {
            echo "".$e->getMessage();
        }
    } elseif (empty($_POST['email']) && !empty($_POST['password'])) {
        # code...
        echo "Error : Enter your E-mail.";
    } elseif (!empty($_POST['email']) && empty($_POST['password'])) {
        # code...
        echo "Error: Enter your Password";
    } else {
        echo "Error: Enter your E-mail & Password";
    }
} elseif (isset($_SESSION['email'])) {
    # code...
    echo "Welcome again you still logged in <strong>" .round((time() . $_SESSION['START'])/60) ."</strong> minutes(s) ago <a href='logout.php'>LogOut</a>";
} elseif (!isset($_SESSION['email'])) {
    # code...
    echo "You must loggin first.";
    //header('location:../index.php');
}
Change the second prepare statement usage from
$stmt -> $dbh -> prepare("SELECT Name FROM tbl_user WHERE email = '".$email."'");
to
$stmt = $dbh -> prepare("SELECT Name FROM tbl_user WHERE email = '".$email."'");