This question already has answers here:
How to use PHP's password_hash to hash and verify passwords
(5 answers)
Closed 1 year ago.
At first I am using md5 for hashing but then I learn that password_hash is more secured, but when I tried to use it in my website it wont work. I've tried putting the code password_verify everywhere.
When I'm trying to login it just giving me an error of password/ email combination is wrong even if it is correct. I also get the error for the password verify but when I put the correct credentials it's still giving me the error message
This is my login code
<?php
function login(){
global $db, $email, $errors;
// grab form values
$email = e($_POST['email']);
$password = e($_POST['password']);
// make sure form is filled properly
if (empty($email)) {
array_push($errors, "Email is required");
}else {
$email = hsc($_POST["email"]);
}
if (empty($password)) {
array_push($errors, "Password is required");
}else{
$password = hsc($_POST["password"]);
}
// attempt login if no errors on form
if (count($errors) == 0) {
$query = "SELECT * FROM accounts WHERE email='$email' AND password='$password' LIMIT 1";
$results = mysqli_query($db, $query);
if (password_verify($password, $_POST["password"])) {
array_push($errors, "Wrong password");
}
if (mysqli_num_rows($results) == 1) { // user found
// check if user is admin or user
$logged_in_user = mysqli_fetch_assoc($results);
if ($logged_in_user['user_type'] == 'admin') {
$_SESSION['user'] = $logged_in_user;
$_SESSION['success'] = "You are now logged in";
header('location: admin/admin.php');
exit(0);
}else{
$_SESSION['user'] = $logged_in_user;
$_SESSION['success'] = "You are now logged in";
header('location: index.php');
exit(0);
}
}else {
array_push($errors, "Wrong username/password combination");
}
}
}
This is my register code (There are all in the same file functions.inc.php)
function register(){
// call these variables with the global keyword to make them available in function
global $db, $errors, $username, $email;
// receive all input values from the form. Call the e() function
// defined below to escape form values
$username = e($_POST['username']);
$email = e($_POST['email']);
$password_1 = e($_POST['password']);
$password_2 = e($_POST['re-password']);
//check email if already exist on database
$check = "SELECT * FROM accounts WHERE email='$email'";
$res_e = mysqli_query($db, $check);
// form validation: ensure that the form is correctly filled
if (empty($username)) {
array_push($errors, "Name is required");
}elseif (!preg_match("/^[a-zA-Z]+( [a-zA-Z]+)*$/",$username)) {
array_push($errors, "Only letters and one space only");
}else{
$username = hsc($_POST["username"]);
}
if (empty($email)) {
array_push($errors, "Email is required");
}elseif (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
array_push($errors, "The email is invalid");
}elseif (mysqli_num_rows($res_e) > 0) {
array_push($errors, "The email already taken");
}else{
$email = hsc($_POST["email"]);
}
if (empty($password_1)) {
array_push($errors, "Password is required");
}elseif ($password_1 != $password_2) {
array_push($errors, "The two passwords do not match");
}else{
$password_1 = hsc($_POST["password_1"]);
}
// register user if there are no errors in the form
if (count($errors) == 0) {
$hashpassword = password_hash($password_1, PASSWORD_DEFAULT);;//encrypt the password before
saving in the database
if (isset($_POST['user_type'])) {
$user_type = e($_POST['user_type']);
$query = "INSERT INTO accounts (username, email, user_type, password)
VALUES('$username', '$email', '$user_type', '$hashpassword')";
mysqli_query($db, $query);
$_SESSION['add'] = "Added successfully";
header('location: users.php');
exit(0);
}else{
$query = "INSERT INTO accounts (username, email, user_type, password)
VALUES('$username', '$email', 'user', '$hashpassword')";
mysqli_query($db, $query);
// get id of the created user
$logged_in_user_id = mysqli_insert_id($db);
$_SESSION['user'] = getUserById($logged_in_user_id); // put logged in user in session
$_SESSION['add'] = "You are now logged in and thank you!";
header('location: index.php');
exit(0);
}
}
}
I don't know if this is also the reason that the login is not working but it is better that I put it in. This is the code for function hsc() and e()
// escape string
function e($val){
global $db;
return mysqli_real_escape_string($db, trim($val));
}
// htmlspecialchars the inputs data
function hsc($val) {
$val = htmlspecialchars($val);
return $val;
}
Here is the data base photo
(By far the simplest method...)
Try this example. It uses Argon2, which is by far the safest encryption method (AFAIK)
Note that it randomly generates a different string when run, so using password_verify is mandatory unlike using sha-256 to look up the password in the database
<?php
$pwd = password_hash("my password goes here", PASSWORD_ARGON2I);
// Use $_POST instead
echo $pwd;
?>
And to verify your password:
if(password_verify($_POST['password'], $row["password"])) {
// Your code here...
}
Also, use PDP PDO, it's much safer against SQL injection attacks
<?php
$db = new PDO('mysql:host='.$servername.';dbname='.$dbname.';charset=utf8mb4', $username, $password);
try {
$query = "SELECT * from `login` WHERE `username`=:username OR `email` =:usernamea";
$stmt = $db->prepare($query);
$stmt->bindParam('username', $username, PDO::PARAM_STR);
$stmt->bindParam('usernamea', $username, PDO::PARAM_STR);
$stmt->execute();
$count = $stmt->rowCount();
$row = $stmt->fetch(PDO::FETCH_ASSOC);
if($count == 1 && !empty($row)) {
$auth_email = $row['email'];
$auth_pwd = $row['password'];
if(password_verify($_POST['password'], $auth_pwd)) {
$validuser = $row['username'];
$_SESSION['valid'] = $validuser;
$_SESSION['name'] = htmlspecialchars($row['name']);
}
else {
echo 'Invalid';
}
}
else {
echo 'Invalid';
}
}
catch (PDOException $e) { echo "Error : ".$e->getMessage(); }
?>
Related
Hi I'm relatively new to php and I'm making a booking system database and website using php,and phpmyadmin as a server. I need help with coding of the database.
Specifically I'm trying to get the id of a logged in user.
here is my code
// connect to database
$db = mysqli_connect('localhost', '#', '#', '#'); // hidden for security
// variable declaration
$username = "";
$email = "";
$errors = array();
// call the register() function if register_btn is clicked
if (isset($_POST['register_btn'])) {
register();
}
// call the login() function if register_btn is clicked
if (isset($_POST['login_btn'])) {
login();
}
if (isset($_GET['logout'])) {
session_destroy();
unset($_SESSION['user']);
header("location: login.php");
}
if (isset($_POST['pickup_date'])) {
book();
}
// REGISTER USER
function register(){
global $db, $errors;
// receive all input values from the form
$firstname = e($_POST['firstname']);
$surname = e($_POST['surname']);
$address = e($_POST['address']);
$home_postcode = e($_POST['home_postcode']);
$age = e($_POST['age']);
$email = e($_POST['email']);
$username = e($_POST['username']);
$password_1 = e($_POST['password_1']);
$password_2 = e($_POST['password_2']);
// form validation: ensure that the form is correctly filled
if (empty($firstname)) {
array_push($errors, "first name is required");
}
if (empty($surname)) {
array_push($errors, "surname is required");
}
if (empty($address)) {
array_push($errors, "address is required");
}
if (empty($home_postcode)) {
array_push($errors, "home postcode is required");
}
if (empty($age)) {
array_push($errors, "age is required");
}
if (empty($email)) {
array_push($errors, "Email is required");
}
if (empty($username)) {
array_push($errors, "Username is required");
}
if (empty($password_1)) {
array_push($errors, "Password is required");
}
if ($password_1 != $password_2) {
array_push($errors, "The two passwords do not match");
}
$password = $password_1;
// register user if there are no errors in the form
if (count($errors) == 0) {
if (isset($_POST['user_type'])) {
$user_type = e($_POST['user_type']);
$query = "INSERT INTO users (firstname, surname, address, home_postcode, age, email, username, user_type, password)
VALUES('$firstname', '$surname', '$address', '$home_postcode','$age','$email', '$username', '$user_type', '$password')";
mysqli_query($db, $query);
$_SESSION['success'] = "New user successfully created.";
header('location: home.php');
}else{
$query = "INSERT INTO users (firstname, surname, address, home_postcode, age, email, username, user_type, password)
VALUES('$firstname', '$surname', '$address', '$home_postcode','$age','$email', '$username', 'user', '$password')";
mysqli_query($db, $query);
// get id of the created user
$logged_in_user_id = mysqli_insert_id($db);
$_SESSION['user'] = getUserById($logged_in_user_id); // put logged in user in session
$_SESSION['success'] = "You are now logged in";
header('location: index.php');
}
}
}
// BOOK A CAR
function book() {
global $db, $errors;
// receive all input values from the form
$car_chosen = e($_POST['car_chosen']);
$pickup_date = e($_POST['pickup_date']);
$pickup_time = e($_POST['pickup_time']);
$return_date = e($_POST['return_date']);
$return_time = e($_POST['return_time']);
$collection_postcode = e($_POST['collection_postcode']);
// form validation: ensure that the form is correctly filled
if (empty($pickup_date)) {
array_push($errors, "pickup date is required");
}
if (empty($pickup_time)) {
array_push($errors, "pickup time is required");
}
if (empty($return_date)) {
array_push($errors, "return date is required");
}
if (empty($return_time)) {
array_push($errors, "return time is required");
}
if (empty($collection_postcode)) {
array_push($errors, "collection postcode is required");
}
// convert car chosen to the ID of that car
$query = "SELECT * FROM cars WHERE car_ID = " . $car_chosen;
// book car if there are no errors in the form
if (count($errors) == 0) {
$query = "INSERT INTO booking_details (pickup_date, pickup_time, return_date, return_time, total_cost, collection_postcode, car_fk, user_fk)
VALUES('$pickup_date', '$pickup_time', '$return_date', '$return_time', '1000', '$collection_postcode','$car_chosen','$id')";
if(mysqli_query($db, $query)){
echo 'hello';
}else{
echo "<br>" . $query . "<br>";
echo mysqli_error($db);
}
}
}
// return user array from their id
function getUserById($id){
global $db;
$query = "SELECT * FROM users WHERE user_id=" . $id;
$result = mysqli_query($db, $query);
$user = mysqli_fetch_assoc($result);
return $user;
}
// LOGIN USER
function login(){
global $db, $username, $errors;
// grab form values
$username = e($_POST['username']);
$password = e($_POST['password']);
// make sure form is filled properly
if (empty($username)) {
array_push($errors, "Username is required");
}
if (empty($password)) {
array_push($errors, "Password is required");
}
// attempt login if no errors on form
if (count($errors) == 0) {
$query = "SELECT * FROM users WHERE username='$username' AND password='$password'";
$results = mysqli_query($db, $query);
if (mysqli_num_rows($results) == 1) { // user found
// check if user is admin or user
$logged_in_user = mysqli_fetch_assoc($results);
if ($logged_in_user['user_type'] == 'admin') {
$_SESSION['user'] = $logged_in_user;
$_SESSION['success'] = "You are now logged in";
header('location: home.php');
}else{
$_SESSION['user'] = $logged_in_user;
$_SESSION['success'] = "You are now logged in";
header('location: index.php');
}
}else {
array_push($errors, "Wrong username/password combination");
}
}
}
function isLoggedIn()
{
if (isset($_SESSION['user'])) {
return true;
}else{
return false;
}
}
function isAdmin()
{
if (isset($_SESSION['user']) && $_SESSION['user']['user_type'] == 'admin' ) {
return true;
}else{
return false;
}
}
// escape string
function e($val){
global $db;
return mysqli_real_escape_string($db, trim($val));
}
function display_error() {
global $errors;
if (count($errors) > 0){
echo '<div class="error">';
foreach ($errors as $error){
echo $error .'<br>';
}
echo '</div>';
}
}
so I need to have the id of the user collected once they log in. I also need it to work where the user is logged in after registering for the first time.
And I have no idea how to get it, I've only managed to get the ID of the car chosen. Once the user_id is collected I should be able to insert it into the booking_details table with the rest of the values.
everything else works fine.
thank you all the help is appreciated.
You should get user details from session
$user = $_SESSION['user'];
$loggeduserid = $user['id'];
Note : here id is column name of user table
You are dumping an entire row (array) of data into $session['user']
$logged_in_user = mysqli_fetch_assoc($results);
$_SESSION['user'] = $logged_in_user;
Therefore you should simply be able to get the ID of the logged-in user using the ID column name.
$loggedInUserId = $_SESSION['user']['name_of_id_column'];
Finally, I should say it plainly. You are not using SQL in a safe manner. As the commenters have suggested, look into PDO and prepared statements. It is easier than you think. https://phpdelusions.net/pdo
This question already has answers here:
How do I get PHP errors to display?
(27 answers)
What to do with mysqli problems? Errors like mysqli_fetch_array(): Argument #1 must be of type mysqli_result and such
(1 answer)
Closed 3 years ago.
Hi am trying to display the name of user that just logged in, Now when i sign up it works but when i login it does not work, please help.
This it the php code at the top of the index.php
<?php
session_start();
if (!isset($_SESSION['username'])) {
$_SESSION['msg'] = "You must log in first";
header('location: login.php');
}
if (isset($_GET['logout'])) {
session_destroy();
unset($_SESSION['username']);
header("location: login.php");
}
?>
This is the code that was meant to display the name that is in the index.php
<?php echo ucfirst($_SESSION['username']); ?>
This is my server.php
<?php
session_start();
// initializing variables
$username = "";
$email = "";
$errors = array();
// connect to the database
$db = mysqli_connect('localhost', 'root', '', 'register');
// REGISTER USER
if (isset($_POST['reg_user'])) {
// receive all input values from the form
$username = mysqli_real_escape_string($db, $_POST['username']);
$email = mysqli_real_escape_string($db, $_POST['email']);
$password_1 = mysqli_real_escape_string($db, $_POST['password_1']);
$password_2 = mysqli_real_escape_string($db, $_POST['password_2']);
// form validation: ensure that the form is correctly filled ...
// by adding (array_push()) corresponding error unto $errors array
if (empty($username)) { array_push($errors, "Username is required"); }
if (empty($email)) { array_push($errors, "Email is required"); }
if (empty($password_1)) { array_push($errors, "Password is required"); }
if ($password_1 != $password_2) {
array_push($errors, "The two passwords do not match");
}
// first check the database to make sure
// a user does not already exist with the same username and/or email
$user_check_query = "SELECT * FROM user WHERE username='$username' OR email='$email' LIMIT 1";
$result = mysqli_query($db, $user_check_query);
$user = mysqli_fetch_assoc($result);
if ($user) { // if user exists
if ($user['username'] === $username) {
array_push($errors, "Username already exists");
}
if ($user['email'] === $email) {
array_push($errors, "email already exists");
}
}
// Finally, register user if there are no errors in the form
if (count($errors) == 0) {
$password = md5($password_1);//encrypt the password before saving in the database
$query = "INSERT INTO user (username, email, password)
VALUES('$username', '$email', '$password')";
mysqli_query($db, $query);
$_SESSION['username'] = $username;
$_SESSION['success'] = "You are now logged in";
header('location: index.php');
}
}
// LOGIN USER
if (isset($_POST['login_user'])) {
$email = mysqli_real_escape_string($db, $_POST['email']);
$password = mysqli_real_escape_string($db, $_POST['password']);
if (empty($email)) {
array_push($errors, "Email is required");
}
if (empty($password)) {
array_push($errors, "Password is required");
}
if (count($errors) == 0) {
$password = md5($password);
$query = "SELECT * FROM user WHERE email='$email' AND password='$password'";
$results = mysqli_query($db, $query);
if (mysqli_num_rows($results) == 1) {
$_SESSION['username'] = $username;
$_SESSION['success'] = "You are now logged in";
header('location: index.php');
}else {
array_push($errors, "Wrong username/password combination");
}
}
}
?>
But is like i have discovered that it is because there is no input code that has name="username" in my login.php
yeah, Remember the user is logging in with email and password not username and password, thank you.
This is what your code needs. You will have to enable sessions if you have not done so.
//enable sessions if you have not done so
//session_start();
//$_SESSION['username'] = 'nancy';
$_SESSION['username'] = $results['username'];
You can then echo it as follows
<?php
//enable sessions if you have not done so
//session_start();
echo htmlentities($_SESSION['username']);
?>
hence your code will look like
// LOGIN USER
if (isset($_POST['login_user'])) {
$email = mysqli_real_escape_string($db, $_POST['email']);
$password = mysqli_real_escape_string($db, $_POST['password']);
if (empty($email)) {
array_push($errors, "Email is required");
}
if (empty($password)) {
array_push($errors, "Password is required");
}
if (count($errors) == 0) {
$password = md5($password);
$query = "SELECT * FROM user WHERE email='$email' AND password='$password'";
$results = mysqli_query($db, $query);
if (mysqli_num_rows($results) == 1) {
//session_start();
// $_SESSION['username'] = 'nancy';
$_SESSION['username'] = $results['username'];
$_SESSION['success'] = "You are now logged in";
header('location: index.php');
}else {
array_push($errors, "Wrong username/password combination");
}
}
}
Please am sure that you are not using this code in production. Php has a native way of hashing password and you are using deprecated md5.
You can refer on my previous answers on how to write login based on php way.
source As for sql injection, I will suggest that you used prepared statements as its more safer
I recently used a format for my login that stored the password in the database using $password = md5(password_1) full code below...
Then changed that to $password = (password_hash($password_1, PASSWORD_DEFAULT); full code below....
it successfully saved a hashed password in my database like:$2y$10$.FTJmF/47NbmQMU3nZGTZeKAHYZ8TBm8X2Jc.TLbAIK...
Now verifying the password is where something is going wrong,
The original code was $password = md5($password_1) which would successfully log me in with the md5 storing in the first code.
I changed that to $password = password_verify($password_1, PASSWORD_DEFUALT);
but thats giving me this error.
Ive tried $hash = password_verify($password_1, PASSWORD_DEFAULT );
but its giving me the same error,
<?php
session_start();
// initializing variables
$username = "";
$email = "";
$errors = array();
// connect to the database
$db = mysqli_connect('', '', '', '');
// REGISTER USER
if (isset($_POST['reg_user'])) {
// receive all input values from the form
$username = mysqli_real_escape_string($db, $_POST['username']);
$email = mysqli_real_escape_string($db, $_POST['email']);
$password_1 = mysqli_real_escape_string($db, $_POST['password_1']);
$password_2 = mysqli_real_escape_string($db, $_POST['password_2']);
// form validation: ensure that the form is correctly filled ...
// by adding (array_push()) corresponding error unto $errors array
if (empty($username)) { array_push($errors, "Username is required"); }
if (empty($email)) { array_push($errors, "Email is required"); }
if (empty($password_1)) { array_push($errors, "Password is required"); }
if ($password_1 != $password_2) {
array_push($errors, "The two passwords do not match");
}
// first check the database to make sure
// a user does not already exist with the same username and/or email
$user_check_query = "SELECT * FROM loginsystem WHERE username='$username' OR email='$email' LIMIT 1";
$result = mysqli_query($db, $user_check_query);
$user = mysqli_fetch_assoc($result);
if ($user) { // if user exists
if ($user['username'] === $username) {
array_push($errors, "Username already exists");
}
if ($user['email'] === $email) {
array_push($errors, "email already exists");
}
}
// Finally, register user if there are no errors in the form
if (count($errors) == 0) {
//Hashing the password
$password = password_hash($password_1, PASSWORD_DEFAULT);//encrypt the password before saving in the database
$query = "INSERT INTO loginsystem (username, email, password)
VALUES('$username', '$email', '$password')";
mysqli_query($db, $query);
$_SESSION['username'] = $username;
$_SESSION['success'] = "You are now logged in";
header('location: home.php');
}
}
// ...
// ...
// LOGIN USER
if (isset($_POST['login_user'])) {
$username = mysqli_real_escape_string($db, $_POST['username']);
$password = mysqli_real_escape_string($db, $_POST['password_1']);
if (empty($username)) {
array_push($errors, "Username is required");
}
if (empty($password)) {
array_push($errors, "Password is required");
}
if (count($errors) == 0) $password = password_verify($password, PASSWORD_DEFAULT); {
$query = "SELECT * FROM loginsystem WHERE username='$username' AND password='$password'";
$results = mysqli_query($db, $query);
if (mysqli_num_rows($results) == 1) {
$_SESSION['username'] = $username;
$_SESSION['success'] = "You are now logged in";
header('location: index.php');
}else {
array_push($errors, "Wrong username/password combination");
}
}
}
?>
apart from the typos there are two problems:
1st: password_verify() has different parameters: the typed password and the hashed password from database.
which leads us to the second problem:
You can only verify the password after you got the hash from the database.
So get that hash first (by querying for usename alone), than verify.
$query = "SELECT username, email, password FROM loginsystem WHERE username='$username'";
$results = mysqli_query($db, $query);
if (mysqli_num_rows($results) == 1) {
$row = mysqli_fetch_assoc($results);
if(password_verify($password, $row['password'])) {
// password correct!
} else {
// nope
}
} else {
// wrong credentials
}
You should also change to a prepared statements, as this now could be vulnerable to sql injection.
PASSWORD_DEFUALT is misspelled. It should be PASSWORD_DEFAULT as in the example below:
$hash = password_hash($password, PASSWORD_DEFAULT);
[...]
if (password_verify($password, $hash)) {
// Password matches
}
The first parameter of password_verify is the user-entered password. The second parameter is the stored hash generated by password_hash.
I've created a registration form which takes a user's name, username, email and password. I've also created a sql database using XAMPP control panel, named the database 'registration' and created a table called 'users' to store all the inputs.
When the user enters this data, they should be presented with the login page and in the background the data should be store int he database..but when I opened up phpmyadmin to check the table, there is no data saved.
Below is the code I used to sent the inputs from the user to the database which is my 'server.php' file:
<?php
session_start();
// initializing variables
$name = "";
$email = "";
$username = "";
$errors = array();
// connect to the database
$db = mysqli_connect('localhost', 'root', 'root', 'registration');
// REGISTER USER
if (isset($_POST['reg_user'])) {
// receive all input values from the form
$name = mysqli_real_escape_string($db, $_POST['name']);
$email = mysqli_real_escape_string($db, $_POST['email']);
$username = mysqli_real_escape_string($db, $_POST['username']);
$password_1 = mysqli_real_escape_string($db, $_POST['password_1']);
$password_2 = mysqli_real_escape_string($db, $_POST['password_2']);
// form validation: ensure that the form is correctly filled ...
// by adding (array_push()) corresponding error unto $errors array
if (empty($name)) { array_push($errors, "Name is required");
}
if (empty($email)) { array_push($errors, "Email is required");
}
if (empty($username)) { array_push($errors, "Username is required"); }
if (empty($password_1)) { array_push($errors, "Password is required"); }
if ($password_1 != $password_2) {
array_push($errors, "The two passwords do not match");
}
// first check the database to make sure
// a user does not already exist with the same username and/or email
$user_check_query = "SELECT * FROM users WHERE username='$username' OR email='$email' LIMIT 1";
$result = mysqli_query($db, $user_check_query);
$user = mysqli_fetch_assoc($result);
if ($user) { // if user exists
if ($user['username'] === $username) {
array_push($errors, "Username already exists");
}
if ($user['email'] === $email) {
array_push($errors, "email already exists");
}
}
// Finally, register user if there are no errors in the form
if (count($errors) == 0) {
$password = md5($password_1);//encrypt the password before saving in the database
$query = "INSERT INTO users (name, email, username, password)
VALUES('$name', '$email', '$username', '$password')";
mysqli_query($db, $query);
$_SESSION['username'] = $username;
$_SESSION['success'] = "You are now logged in";
header('location: login.php');
}
}
// ...
// ...
// LOGIN USER
if (isset($_POST['login_user'])) {
$username = mysqli_real_escape_string($db, $_POST['username']);
$password = mysqli_real_escape_string($db, $_POST['password']);
if (empty($username)) {
array_push($errors, "Username is required");
}
if (empty($password)) {
array_push($errors, "Password is required");
}
if (count($errors) == 0) {
$password = md5($password);
$query = "SELECT * FROM users WHERE username='$username' AND password='$password'";
$results = mysqli_query($db, $query);
if (mysqli_num_rows($results) == 1) {
$_SESSION['username'] = $username;
$_SESSION['success'] = "You are now logged in";
header('location: https://georginahughes48.wixsite.com/makeupyourmind');
}else {
array_push($errors, "Wrong username/password combination");
}
}
}
?>
Please let me know if any further code is needed to assist me with this issue..Thanks in advance!
After connection code add this line
if($db->connect_errno)
{
echo "Error: ( " .$db->errorno. " )". $db->error;
die;
}
Just replace this code
if (count($errors) == 0) {
$password = md5($password_1);//encrypt the password before saving in the database
$query = "INSERT INTO users (name, email, username, password)
VALUES('$name', '$email', '$username', '$password')";
if( mysqli_query($db, $query))
{
$_SESSION['username'] = $username;
$_SESSION['success'] = "You are now logged in";
header('location: login.php');
}
else
{
echo mysqli_error($db);
}
}
}
Check if it gives any errors.
Try your code in try catch block. Replace your register part with this:
// Finally, register user if there are no errors in the form
try {
if (count($errors) == 0) {
$password = md5($password_1);//encrypt the password before saving in the database
$query = "INSERT INTO users (name, email, username, password)
VALUES('$name', '$email', '$username', '$password')";
mysqli_query($db, $query);
$_SESSION['username'] = $username;
$_SESSION['success'] = "You are now logged in";
header('location: login.php');
}
} catch (Exception $e) {
echo 'Caught exception: ', $e->getMessage(), "\n";
}
This will give you error if anything breaks in between, else your code is seems okay.
Step 1 : change the code like following:
<?php
session_start();
// initializing variables
$name = "";
$email = "";
$username = "";
$errors = array();
// connect to the database
$db = mysqli_connect('localhost', 'root', '', 'registration');
if (!$db) {
die("Connection failed: " . mysqli_connect_error());
}
// REGISTER USER
if (isset($_POST['reg_user'])) {
// receive all input values from the form
$name = mysqli_real_escape_string($db, $_POST['name']);
$email = mysqli_real_escape_string($db, $_POST['email']);
$username = mysqli_real_escape_string($db, $_POST['username']);
$password_1 = mysqli_real_escape_string($db, $_POST['password_1']);
$password_2 = mysqli_real_escape_string($db, $_POST['password_2']);
// form validation: ensure that the form is correctly filled ...
// by adding (array_push()) corresponding error unto $errors array
if (empty($name)) { array_push($errors, "Name is required");
}
if (empty($email)) { array_push($errors, "Email is required");
}
if (empty($username)) { array_push($errors, "Username is required"); }
if (empty($password_1)) { array_push($errors, "Password is required"); }
if ($password_1 != $password_2) {
array_push($errors, "The two passwords do not match");
}
// first check the database to make sure
// a user does not already exist with the same username and/or email
$user_check_query = "SELECT * FROM users WHERE username='$username' OR email='$email' LIMIT 1";
$result = mysqli_query($db, $user_check_query);
$user = mysqli_fetch_assoc($result);
if ($user) { // if user exists
if ($user['username'] === $username) {
array_push($errors, "Username already exists");
}
if ($user['email'] === $email) {
array_push($errors, "email already exists");
}
}
// Finally, register user if there are no errors in the form
if (count($errors) == 0) {
$password = md5($password_1);//encrypt the password before saving in the database
$query = "INSERT INTO users (name, email, username, password)
VALUES('$name', '$email', '$username', '$password')";
if( mysqli_query($db, $query))
{
$_SESSION['username'] = $username;
$_SESSION['success'] = "You are now logged in";
header('location: login.php');
}
else
{
echo mysqli_error($db);
}
}
}
// ...
// ...
// LOGIN USER
if (isset($_POST['login_user'])) {
$username = mysqli_real_escape_string($db, $_POST['username']);
$password = mysqli_real_escape_string($db, $_POST['password']);
if (empty($username)) {
array_push($errors, "Username is required");
}
if (empty($password)) {
array_push($errors, "Password is required");
}
if (count($errors) == 0) {
$password = md5($password);
$query = "SELECT * FROM users WHERE username='$username' AND password='$password'";
$results = mysqli_query($db, $query);
if (mysqli_num_rows($results) == 1) {
$_SESSION['username'] = $username;
$_SESSION['success'] = "You are now logged in";
header('location: https://georginahughes48.wixsite.com/makeupyourmind');
}else {
array_push($errors, "Wrong username/password combination");
}
}
}
?>
Assuming there is no password for mysql.
Step 2:
Recheck mysql connection and table names case and spelling
Step 3:
Check the nullable fields, field types and length in table. If you have primary key check if auto increment is there or not. hope this will help.
Below is the code I'm running. I'm trying to get it so my CMS index.php will deny access if the users user_level is under 1. I'm logging in with a test account setup with the user_level at 1 but I'm not having any luck.
Code on top of my index.html:
<?php
if($_SESSION['user_level'] == "1"){
header("Location: index.php");
exit;
}else{ header("Location: login.php");
exit;
}
So if user_level is 1 or higher, proceed to index.html (which is my CPanel index, not my actual sites index.
If the user_level is below 1, redirect back to login.
Here's my server.php code where all the magic happens after you click login.
<?php
session_start();
// variable declaration
$fullname = "";
$useremail = "";
$age = "";
$igname = "";
$profileurl = "";
$errors = array();
// connect to database
$db = mysqli_connect('****', '****', '****',
'****');
// REGISTER USER
if (isset($_POST['reg_user'])) {
// receive all input values from the form
$fullname = mysqli_real_escape_string($db, $_POST['fullname']);
$useremail = mysqli_real_escape_string($db, $_POST['useremail']);
$age = mysqli_real_escape_string($db, $_POST['age']);
$igname = mysqli_real_escape_string($db, $_POST['igname']);
$profileurl = mysqli_real_escape_string($db, $_POST['profileurl']);
$password_1 = mysqli_real_escape_string($db, $_POST['password_1']);
$password_2 = mysqli_real_escape_string($db, $_POST['password_2']);
// form validation: ensure that the form is correctly filled
if (empty($fullname)) { array_push($errors, "Full name is required"); }
if (empty($useremail)) { array_push($errors, "Email is required"); }
if (empty($age)) { array_push($errors, "Age is required"); }
if (empty($igname)) { array_push($errors, "In game name is required"); }
if (empty($profileurl)) { array_push($errors, "Truckers-MP Profile URL is required"); }
if (empty($password_1)) { array_push($errors, "Password is required"); }
if ($password_1 != $password_2) {
array_push($errors, "The two passwords do not match");
}
// register user if there are no errors in the form
if (count($errors) == 0) {
$password = md5($password_1);//encrypt the password before saving in the database
$query = "INSERT INTO users (fullname, email, age, igname, profileurl, password)
VALUES('$fullname', '$useremail', '$age', '$igname', '$profileurl', '$password')";
mysqli_query($db, $query);
$_SESSION['useremail'] = $useremail;
$_SESSION['success'] = "You are now logged in";
header('location: index.php');
echo '<script language="javascript">';
echo 'alert("Once an admin reviews your account, they will send you an email alerting you that you can login. Please be patient.")';
echo '</script>';
}
}
// ...
// LOGIN USER
if (isset($_POST['login_user'])) {
$useremail = mysqli_real_escape_string($db, $_POST['useremail']);
$password = mysqli_real_escape_string($db, $_POST['password']);
if (empty($useremail)) {
array_push($errors, "Email is required");
}
if (empty($password)) {
array_push($errors, "Password is required");
}
if (count($errors) == 0) {
$password = md5($password);
$query = "SELECT * FROM users WHERE email='$useremail' AND password='$password'";
$results = mysqli_query($db, $query);
if (mysqli_num_rows($results) == 1) {
$_SESSION['user_level'] = $row['user_level'];
$_SESSION['useremail'] = $useremail;
$_SESSION['success'] = "You are now logged in";
header('location: index.php');
}else {
array_push($errors, "Wrong username/password combination");
}
}
}
?>
I'm sure I'm not doing it right but at least I can say I damn well tried. Any help would be greatly apprechiated.
There is undefined variable $row. Define it first (fetch_assoc()), then you can assign it into session.
if (mysqli_num_rows($results) == 1) {
$row = mysqli_fetch_assoc($results);
$_SESSION['user_level'] = $row['user_level'];
$_SESSION['useremail'] = $useremail;
...
}
mysqli_num_rows returns the number of rows in a result set. Not the indexes! You can keep this code and assign this way -> $_SESSION['user_level'] = $row[some index]; (if your table is like id,user,pass,mail' some index will be 1.
If you want to have a text index, just look for the mysqli_fetch_array