getting Invalid Email or Password in my localhost website - php

I'm using PHP 7.2.31. I've already imported my DB file in phpMyAdmin.
When I try to log in on the admin website page (or as the other 2 users) I get this message:
(Invalid Email or Password)
The email address and password are already in the database and they are correct!
Here's my login code:
<?php session_start();?>
<link rel="stylesheet" href="popup_style.css">
<!DOCTYPE html>
<html lang="en">
<meta http-equiv="content-type" content="text/html;charset=UTF-8" />
<head>
<title>Admin Panel</title>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0, user-scalable=0, minimal-ui">
<meta http-equiv="X-UA-Compatible" content="IE=edge" />
<meta name="description" content="#">
<meta name="keywords" content="Admin , Responsive">
<meta name="author" content="Nikhil Bhalerao +919423979339.">
<link href="https://fonts.googleapis.com/css?family=Open+Sans:400,600,800" rel="stylesheet">
<link rel="stylesheet" type="text/css" href="files/bower_components/bootstrap/css/bootstrap.min.css">
<link rel="stylesheet" type="text/css" href="files/assets/icon/themify-icons/themify-icons.css">
<link rel="stylesheet" type="text/css" href="files/assets/icon/icofont/css/icofont.css">
<link rel="stylesheet" type="text/css" href="files/assets/css/style.css">
</head>
<body class="fix-menu">
<?php
include('connect.php');
extract($_POST);
if(isset($_POST['btn_login']))
{
$passw = hash('sha256', $_POST['password']);
function createSalt()
{
return '2123293dsj2hu2nikhiljdsd';
}
$salt = createSalt();
$pass = hash('sha256', $salt . $passw);
//echo $pass;
if($_POST['user'] == 'admin'){
$sql = "SELECT * FROM admin WHERE loginid='" .$email . "' and password = '". $pass."'";
$result = mysqli_query($conn,$sql);
$row = mysqli_fetch_array($result);
//print_r($row);
$_SESSION["adminid"] = $row['id'];
$_SESSION["id"] = $row['id'];
$_SESSION["username"] = $row['username'];
$_SESSION["password"] = $row['password'];
$_SESSION["email"] = $row['loginid'];
$_SESSION["fname"] = $row['fname'];
$_SESSION["lname"] = $row['lname'];
$_SESSION['image'] = $row['image'];
$_SESSION['user'] = $_POST['user'];
}else if($_POST['user'] == 'doctor'){
$sql = "SELECT * FROM doctor WHERE loginid='" .$email . "' and password = '". $pass."'";
$result = mysqli_query($conn,$sql);
$row = mysqli_fetch_array($result);
//print_r($row);
$_SESSION["doctorid"] = $row['doctorid'];
$_SESSION["id"] = $row['doctorid'];
$_SESSION["password"] = $row['password'];
$_SESSION["email"] = $row['loginid'];
$_SESSION["fname"] = $row['doctorname'];
$_SESSION['user'] = $_POST['user'];
}else if($_POST['user'] == 'patient'){
$sql = "SELECT * FROM patient WHERE loginid='" .$email . "' and password = '". $pass."'";
$result = mysqli_query($conn,$sql);
$row = mysqli_fetch_array($result);
//print_r($row);
$_SESSION["patientid"] = $row['patientid'];
$_SESSION["id"] = $row['patientid'];
$_SESSION["password"] = $row['password'];
$_SESSION["email"] = $row['loginid'];
$_SESSION["fname"] = $row['patientname'];
$_SESSION['user'] = $_POST['user'];
}
//print_r($row);
$count=mysqli_num_rows($result);
if($count==1 && isset($_SESSION["email"]) && isset($_SESSION["password"])) {
{
?>
<div class="popup popup--icon -success js_success-popup popup--visible">
<div class="popup__background"></div>
<div class="popup__content">
<h3 class="popup__content__title">
Success
</h3>
<p>Login Successfully</p>
<p>
<!-- <button class="button button--success" data-for="js_success-popup"></button> -->
<?php echo "<script>setTimeout(\"location.href = 'index.php';\",1500);</script>"; ?>
</p>
</div>
</div>
<!-- <script>
window.location="index.php";
</script> -->
<?php
}
}
else {?>
<div class="popup popup--icon -error js_error-popup popup--visible">
<div class="popup__background"></div>
<div class="popup__content">
<h3 class="popup__content__title">
Error
</h3>
<p>Invalid Email or Password</p>
<p>
<button class="button button--error" data-for="js_error-popup">Close</button>
</p>
</div>
</div>
<?php
}
}
?>
<?php
$que="select * from manage_website";
$query=$conn->query($que);
while($row=mysqli_fetch_array($query))
{
//print_r($row);
extract($row);
$business_name = $row['business_name'];
$business_email = $row['business_email'];
$business_web = $row['business_web'];
$portal_addr = $row['portal_addr'];
$addr = $row['addr'];
$curr_sym = $row['curr_sym'];
$curr_position = $row['curr_position'];
$front_end_en = $row['front_end_en'];
$date_format = $row['date_format'];
$def_tax = $row['def_tax'];
$logo = $row['logo'];
}
?>
<section class="login-block">
<div class="container-fluid">
<div class="row">
<div class="col-sm-12">
<div class="auth-box card" >
<div class="text-center">
<image class="profile-img" src="uploadImage/Logo/<?php echo $logo; ?>" style="width: 60%"></image>
</div>
<div class="card-block" >
<div class="row m-b-20">
<div class="col-md-12">
<h5 class="text-center txt-primary">Sign In</h5>
</div>
</div>
<form method="POST" >
<div class="form-group form-primary">
<select name="user" class="form-control" required="">
<option value="">-- Select One --</option>
<option value="admin">Admin</option>
<option value="doctor">Doctor</option>
<option value="patient">Patient</option>
</select>
<span class="form-bar"></span>
</div>
<div class="form-group form-primary">
<input type="email" name="email" class="form-control" required="" placeholder="Email">
<span class="form-bar"></span>
</div>
<div class="form-group form-primary">
<input type="password" name="password" class="form-control" required="" placeholder="Password">
<span class="form-bar"></span>
</div>
<div class="row m-t-25 text-left">
<div class="col-12">
<div class="forgot-phone text-right f-right">
Forgot Password?
</div>
</div>
</div>
<div class="row m-t-30">
<div class="col-md-12">
<button type="submit" name="btn_login" class="btn btn-primary btn-md btn-block waves-effect text-center m-b-20">LOGIN</button>
</div>
</div>
</form>
</div>
</div>
</div>
</div>
</div>
</div>
</section>
<script type="text/javascript" src="files/bower_components/jquery/js/jquery.min.js"></script>
<script type="text/javascript" src="files/bower_components/jquery-ui/js/jquery-ui.min.js"></script>
<script type="text/javascript" src="files/bower_components/popper.js/js/popper.min.js"></script>
<script type="text/javascript" src="files/bower_components/bootstrap/js/bootstrap.min.js"></script>
<script type="text/javascript" src="files/bower_components/jquery-slimscroll/js/jquery.slimscroll.js"></script>
<script type="text/javascript" src="files/bower_components/modernizr/js/modernizr.js"></script>
<script type="text/javascript" src="files/bower_components/modernizr/js/css-scrollbars.js"></script>
<script type="text/javascript" src="files/bower_components/i18next/js/i18next.min.js"></script>
<script type="text/javascript" src="files/bower_components/i18next-xhr-backend/js/i18nextXHRBackend.min.js"></script>
<script type="text/javascript" src="files/bower_components/i18next-browser-languagedetector/js/i18nextBrowserLanguageDetector.min.js"></script>
<script type="text/javascript" src="files/bower_components/jquery-i18next/js/jquery-i18next.min.js"></script>
<script type="text/javascript" src="files/assets/js/common-pages.js"></script>
</body>
<!-- for any PHP, Codeignitor or Laravel work contact me at mayuri.infospace#gmail.com -->
</html>
And the check-login file:
<?php
session_start();
if((isset($_SESSION["email"]) && isset($_SESSION["password"]))){
$myemail = $_SESSION['email'];
}else {
header("location:login.php");
}
?>
Thanks!

You are getting "Invalid Email or Password" because the variable $email which you are using in your query has no email from the form. After this line:
$pass = hash('sha256', $salt . $passw);
Add this line:
$email = $_POST['email'];
This will solve your problem. But there are many other problems in your code, for example it is open to SQL injection. You can use prepared statements:
PHP Prepared Statements. Always validate the data coming from users.
Do not store passwords as plain text. See here: password-encryption-storing-password-in-session
If you want to get only one record from a database, always use LIMIT 1 in your code.
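The following is an added example, not the questioner's or the answerer's code, of a login handler that applies the advice in this answer: it reads the e-mail from the form, runs a prepared statement with LIMIT 1, keeps the role-to-table mapping out of user input, and verifies a password_hash() value instead of comparing a home-made SHA-256. It assumes connect.php provides a mysqli handle named $conn with mysqlnd available (for get_result()), that the tables and columns are the ones named in the question (admin/doctor/patient, loginid, password, id/doctorid/patientid), and that the password column holds password_hash() output.

```php
<?php
// Added example (not the question's or answer's code). Assumes $conn (mysqli)
// from connect.php and the table/column names used in the question.
declare(strict_types=1);
session_start();
require 'connect.php';

// Whitelist of role -> table/id column, so user input never becomes SQL text.
const ROLE_TABLES = [
    'admin'   => ['table' => 'admin',   'id' => 'id'],
    'doctor'  => ['table' => 'doctor',  'id' => 'doctorid'],
    'patient' => ['table' => 'patient', 'id' => 'patientid'],
];

/**
 * Returns the matching row (id, loginid, password hash) or null.
 * Unknown e-mail and wrong password both yield null, so the caller shows one
 * generic message and the response does not reveal which part was wrong.
 */
function authenticate(mysqli $conn, string $role, string $email, string $password): ?array
{
    if (!array_key_exists($role, ROLE_TABLES)) {
        return null;
    }
    $table = ROLE_TABLES[$role]['table'];
    $idCol = ROLE_TABLES[$role]['id'];

    // Identifiers come from the constant above; the e-mail is a bound parameter.
    $sql  = "SELECT `$idCol` AS id, loginid, password FROM `$table` WHERE loginid = ? LIMIT 1";
    $stmt = $conn->prepare($sql);
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // array, or null when no row matched
    $stmt->close();

    // The password column is assumed to hold a password_hash() value.
    if (!is_array($row) || !password_verify($password, $row['password'])) {
        return null;
    }

    // Transparently upgrade the stored hash if PHP's default algorithm changed.
    if (password_needs_rehash($row['password'], PASSWORD_DEFAULT)) {
        $newHash = password_hash($password, PASSWORD_DEFAULT);
        $upd = $conn->prepare("UPDATE `$table` SET password = ? WHERE `$idCol` = ?");
        $upd->bind_param('si', $newHash, $row['id']);
        $upd->execute();
        $upd->close();
    }
    return $row;
}

if (isset($_POST['btn_login'])) {
    $role     = (string)($_POST['user'] ?? '');
    $email    = (string)($_POST['email'] ?? '');
    $password = (string)($_POST['password'] ?? '');

    $user = authenticate($conn, $role, $email, $password);
    if ($user !== null) {
        session_regenerate_id(true);       // fresh session id after login
        $_SESSION['id']    = $user['id'];
        $_SESSION['email'] = $user['loginid'];
        $_SESSION['user']  = $role;        // the hash is deliberately not copied into the session
        header('Location: index.php');
        exit;
    }
    $error = 'Invalid Email or Password';  // rendered by the page's error popup
}
```

Two design points: the session stores only the id, e-mail and role (the question's code copies the password hash into $_SESSION, which is never needed for an authenticated session), and the generic error text is kept for both failure cases so that the login page cannot be used to enumerate which e-mails exist.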

Related

An invalid parameter was passed to sqlsrv_fetch_array

I'm using a PHP web service as the back end for my Android development. The connection between PHP and MSSQL Server is successful, but unfortunately I am stuck at this part:
<?php
session_start();
include "connect.php";
$user_name = $_POST["username"];
$user_pass = strval($_POST["password"]);
//echo $user_name;
//echo $user_pass;
//$user_name = "admin";
//$user_pass = "admin";
$mysql_qry="SELECT ID, Password FROM user WHERE (ID = '" . $_POST["username"] . "' AND Password = '" . $_POST["password"] . "')";
$result= sqlsrv_query($conn ,$mysql_qry);
$row = sqlsrv_fetch_array($result);
if($row) {
$_SESSION["ID"] = $row['ID'];
header ('location:../createUser.php');
}else{
die( print_r( sqlsrv_errors(), true));
}
?>
It shows the error: An invalid parameter was passed to sqlsrv_fetch_array.
This is my login form:
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8" />
<meta http-equiv="X-UA-Compatible" content="IE=edge" />
<meta
name="viewport"
content="width=device-width, initial-scale=1, shrink-to-fit=no"
/>
<meta name="description" content="" />
<meta name="author" content="" />
<title>Login</title>
<!-- Custom fonts for this template-->
<link
href="vendor/fontawesome-free/css/all.min.css"
rel="stylesheet"
type="text/css"
/>
<link
href="https://fonts.googleapis.com/css?family=Nunito:200,200i,300,300i,400,400i,600,600i,700,700i,800,800i,900,900i"
rel="stylesheet"
/>
<!-- Custom styles for this template-->
<link href="css/sb-admin-2.min.css" rel="stylesheet" />
</head>
<body class="bg-gradient-primary">
<div class="container">
<!-- Outer Row -->
<div class="row justify-content-center">
<div class="col-xl-10 col-lg-12 col-md-9">
<div class="card o-hidden border-0 shadow-lg my-5">
<div class="card-body p-0">
<!-- Nested Row within Card Body -->
<div class="row">
<img class="col-lg-6 d-none d-lg-block " src="img/Login.png">
<div class="col-lg-6">
<div class="p-5">
<div class="text-center">
<h1 class="h4 text-gray-900 mb-4">
Welcome To DEMO 1
</h1>
</div>
<form class="user" method="POST" action="php/login.php">
<div class="form-group">
<input
type="text"
name="username"
class="form-control form-control-user"
id="exampleInputEmail"
aria-describedby="emailHelp"
placeholder="Enter Username..."
/>
</div>
<div class="form-group">
<input
type="password"
name="password"
class="form-control form-control-user"
id="exampleInputPassword"
placeholder="Password"
/>
</div>
<button
class="btn btn-primary btn-user btn-block"
type="submit"
>
Login
</button>
</form>
<hr />
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<!-- Bootstrap core JavaScript-->
<script src="vendor/jquery/jquery.min.js"></script>
<script src="vendor/bootstrap/js/bootstrap.bundle.min.js"></script>
<!-- Core plugin JavaScript-->
<script src="vendor/jquery-easing/jquery.easing.min.js"></script>
<!-- Custom scripts for all pages-->
<script src="js/sb-admin-2.min.js"></script>
</body>
</html>
I already checked the parameters and everything looks just fine. Why does the error keep occurring?
I think you need one more parameter in
$row = sqlsrv_fetch_array($result);
So, change it to
$row = sqlsrv_fetch_array( $result, SQLSRV_FETCH_ASSOC)
Or, edit your query
$mysql_qry="SELECT ID, Password FROM user WHERE ID = '$user_name' AND Password = '$user_pass' ";
Consider the following:
One possible explanation for your error is that you are concatenating user input to build the SQL statement. In fact, you are injecting your code. Never do this; always use prepared statements and parameterized queries to prevent SQL injection. With the PHP Driver for SQL Server, the function sqlsrv_query() does both statement preparation and statement execution and can be used to execute parameterized queries.
You need to hash the password, because at the moment you are passing the password as plain text. When the password is hashed, you may safely pass it to the database.
Check the result of the sqlsrv_query() execution.
As a note, you may use the sqlsrv_has_rows() function to check if the result set has one or more rows.
The next example, based on your code, may help you get your expected results:
<?php
session_start();
include "connect.php";
$user_name = $_POST["username"];
$user_pass = strval($_POST["password"]);
$mysql_qry = "
SELECT ID, Password
FROM user
WHERE ID = ? AND Password = ?
";
$params = array($user_name, $user_pass);
$result = sqlsrv_query($conn, $mysql_qry, $params);
if ($result === false) {
echo "Error (sqlsrv_query): ".print_r(sqlsrv_errors(), true);
exit;
}
if (sqlsrv_has_rows($result)) {
// You don't even need to fetch the record, just use:
// $_SESSION["ID"] = $user_name;
// header ('location:../createUser.php');
$row = sqlsrv_fetch_array($result);
if ($row === false) {
echo "Error (sqlsrv_fetch_array): ".print_r(sqlsrv_errors(), true);
exit;
}
$_SESSION["ID"] = $row['ID'];
header ('location:../createUser.php');
} else {
echo "User not found";
exit;
}
?>

Login function doesn't validate

I have a login form that successfully logs the user in on the site if both the username and password are correct. But if either of those credentials is wrong or empty, it redirects me to a blank page, custom_functions.php. It does not validate my username and password, and it is supposed to. Any help is appreciated. Here is my code.
login.php
<!DOCTYPE HTML>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Welcome to Love Her Feet</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<link rel="stylesheet" href="/login_assets/css/style.css">
<link href="https://fonts.googleapis.com/css?family=Raleway:300,400,500&display=swap" rel="stylesheet">
<link href="https://fonts.googleapis.com/css?family=Open+Sans:400,600&display=swap" rel="stylesheet">
<link rel="stylesheet" href="/login_assets/css/media.css">
<script src="/login_assets/js/jquery.min.js"></script>
<script src="/login_assets/js/modernizr.custom.js"></script>
</head>
<body>
<header class="clear hBlack">
<div class="jLogo"><img src="/login_assets/images/logo.png" alt=""></div>
</header>
<div class="logArea clear">
<form action="custom_functions.php" method="post" enctype="application/x-www-form-urlencoded">
<div class="logbox">
<div class="box clear">
<h2>Members Area</h2>
<div class="logTypes">
<input type="text" name="username" class="logtextbox" placeholder="Username or email">
<span class="text-danger"><?php echo $username_error; ?></span>
<input type="password" name="password" class="logtextbox" placeholder="Password"><br>
<span class="text-danger"><?php echo $password_error; ?></span>
<!-- <input type="text" name="captcha" class="logtextbox" placeholder="Enter the code shown below"><br>
<img style="margin: 0 auto;" src="captcha.php">
<span class="text-danger"><?php echo $captcha_error; ?></span> -->
<div style="text-align: center">Remember my login: <input name="remember" type="checkbox"></div>
</div>
</div>
<input type="submit" value="submit" class="logBtn" name="submit">
</div>
</form>
<div class="logtext1">
</div>
<div class="logtext2">
</div>
</div>
</div>
<footer class="clear">
<p class="fNav">Home<span>|</span>
Log Out
</p>
</footer>
</body>
</html>
custom_functions.php
<?php
function validation($form_data)
{
$form_data = trim(stripcslashes(htmlspecialchars($form_data)) );
return $form_data;
}
if ($_SERVER['REQUEST_METHOD'] == "POST"){
if(isset($_POST["submit"])) {
login_function();
}
}
function login_function() {
session_start();
require 'connection.php';
$username_error = "";
$password_error = "";
$v_username = $_POST['username'];
$v_password = $_POST['password'];
$username = validation($v_username);
$password = validation($v_password);
$remember = isset($_POST['remember']);
if(empty($username))
{
$username_error = "<p>Please enter your username!</p>";
}
if(empty($password))
{
$password_error = "<p>Please enter your password!</p>";
}
if(!empty($username) && !empty($password)) {
$sql = "SELECT * FROM member_auth WHERE username = :username";
$stmt = $pdo->prepare($sql);
$stmt->bindValue(':username', $username);
$stmt->execute();
$user = $stmt->fetch(PDO::FETCH_ASSOC);
$cryptpass = $user['cryptpass'];
if($user === false){
$username_error = "<p>User doesn't exist</p>";
} elseif($user) {
$newPass = crypt($password, $cryptpass);
if($cryptpass == $newPass) {
$_SESSION['loggedin'] = TRUE;
$_SESSION['username'] = $username;
if($remember == "on") {
setcookie("remember", $username, time()+3600);
}
header('Location: login_success.php');
} else {
$password_error = "<p>Password is not correct!</p>";
}
}
}
}
?>
login_success.php
<?php
session_start();
if(isset($_SESSION["loggedin"]) || $_COOKIE["remember"]) {
echo "Welcome, {$_SESSION["username"]} <br>";
echo "<a href='logout.php'>Logout</a>";
} else {
header("Location: login.php");
}

Form action won't call login function

I have an HTML login form whose action sends to another PHP file where there is a function that is supposed to log the user in to the site. When submitted, the form leads to that PHP file, but it shows an empty page, as if it doesn't trigger that function. I put echo and die at the top of the function but still nothing happens.
Also, when I echo something outside of the function it displays what I entered in the echo, so it calls the right file; it just won't run the function. Any help is appreciated. Here is my code.
login.php
<?php
if ($_SERVER['REQUEST_METHOD'] == "POST") {
if (isset($_POST["submit"])) {
login_function();
}
}
?>
<!DOCTYPE HTML>
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<link rel="stylesheet" href="/login_assets/css/style.css">
<link href="https://fonts.googleapis.com/css?family=Raleway:300,400,500&display=swap" rel="stylesheet">
<link href="https://fonts.googleapis.com/css?family=Open+Sans:400,600&display=swap" rel="stylesheet">
<link rel="stylesheet" href="/login_assets/css/media.css">
<script src="/login_assets/js/jquery.min.js"></script>
<script src="/login_assets/js/modernizr.custom.js"></script>
</head>
<body>
<header class="clear hBlack">
<div class="jLogo"><img src="/login_assets/images/logo.png" alt=""></div>
</header>
<div class="logArea clear">
<form action="custom_functions.php" method="post" enctype="application/x-www-form-urlencoded">
<div class="logbox">
<div class="box clear">
<h2>Members Area</h2>
<div class="logTypes">
<input type="text" name="username" class="logtextbox" placeholder="Username or email">
<span class="text-danger"><?php echo $username_error; ?></span>
<input type="password" name="password" class="logtextbox" placeholder="Password"><br>
<span class="text-danger"><?php echo $password_error; ?></span>
<!-- <input type="text" name="captcha" class="logtextbox" placeholder="Enter the code shown below"><br>
<img style="margin: 0 auto;" src="captcha.php">
<span class="text-danger"><?php echo $captcha_error; ?></span> -->
<div style="text-align: center">Remember my login: <input name="remember" type="checkbox"></div>
</div>
</div>
<input type="submit" value="submit" class="logBtn" name="submit"/>
</div>
</form>
</div>
<footer class="clear">
<p class="fNav">Home<span>|</span>
Log Out
</p>
</footer>
</body>
</html>
custom_functions.php
<?php
//echo "AAAAAAAAA";
function validation($form_data)
{
$form_data = trim(stripcslashes(htmlspecialchars($form_data)) );
return $form_data;
}
function login_function() {
//echo "AAAAAAAAAA";
//die('!');
session_start();
require 'connection.php';
$username_error = "";
$password_error = "";
//$captcha_error = "";
$v_username = $_POST['username'];
$v_password = $_POST['password'];
//$v_captcha = $_POST['captcha'];
$username = validation($v_username);
$password = validation($v_password);
//$captcha = validation($v_captcha);
$remember = isset($_POST['remember']);
if (empty($username)) {
$username_error = "<p>Please enter your username!</p>";
}
if (empty($password)) {
$password_error = "<p>Please enter your password!</p>";
}
if (!empty($username) && !empty($password)) {
$sql = "SELECT * FROM member_auth WHERE username = :username";
//$sql = "SELECT * FROM member_auth LIMIT 1";
$stmt = $pdo->prepare($sql);
$stmt->bindValue(':username', $username);
$stmt->execute();
$user = $stmt->fetch(PDO::FETCH_ASSOC);
$cryptpass = $user['cryptpass'];
if($user === false){
$username_error = "<p>User doesn't exist</p>";
} elseif ($user) {
$newPass = crypt($password, $cryptpass);
if ($cryptpass == $newPass) {
$_SESSION['loggedin'] = TRUE;
$_SESSION['username'] = $username;
if ($remember == "on") {
setcookie("remember", $username, time()+3600);
}
header('Location: login_success.php');
} else {
$password_error = "<p>Password is not correct!</p>";
}
}
}
}
?>
Move your condition from the same page to custom_functions.php
if ($_SERVER['REQUEST_METHOD'] == "POST"){
if(isset($_POST["submit"])) {
login_function();
}
}
or
<form action="" method="post" enctype="application/x-www-form-urlencoded">
You call the login function in the login page and define the function in the custom.php page, so it does not find any function in this file. Put your code in the same function and it will work.
if ($_SERVER['REQUEST_METHOD'] == "POST"){
if(isset($_POST["submit"])) {
login_function();
}
}

How to stay logged in after form login submission? [duplicate]

This question already has answers here:
Accessing $_COOKIE immediately after setcookie()
(9 answers)
How to validate captcha properly?
Closed 3 years ago.
I have a login form in PHP and a remember-me checkbox. I want, when the user enters a username and password and checks that remember-me checkbox, for them to be logged in automatically for as long as they don't click the logout button. I am trying to achieve that using cookies and sessions; although some say that it is not safe, I don't have other options like tokens and such, because I don't have access to the tables to change them. Any help is appreciated. Here is my code.
login.php
<?php
session_start();
require 'connection.php';
$username_error = "";
$password_error = "";
$captcha_error = "";
if($_SERVER['REQUEST_METHOD'] == 'POST')
{
if(isset($_POST['submit']))
{
$v_username = $_POST['username'];
$v_password = $_POST['password'];
$v_captcha = $_POST['captcha'];
$remember = $_POST['remember'];
function validation($form_data)
{
$form_data = trim(stripcslashes(htmlspecialchars($form_data)) );
return $form_data;
}
$username = validation($v_username);
$password = validation($v_password);
$captcha = validation($v_captcha);
if(empty($username))
{
$username_error = "<p>Please enter your username!</p>";
}
if(empty($password))
{
$password_error = "<p>Please enter your password!</p>";
}
if(isset($_POST['remember'])) {
setcookie('username', $username, time()+60*60*7);
setcookie('password', $password, time()+60*60*7);
}
if ($captcha == $_SESSION['cap_code'] && !empty($captcha)) {
if(!empty($username) && !empty($password)) {
$sql = "SELECT * FROM member_auth WHERE username = :username";
$stmt = $pdo->prepare($sql);
$stmt->bindValue(':username', $username);
$stmt->execute();
$user = $stmt->fetch(PDO::FETCH_ASSOC);
$cryptpass = $user['cryptpass'];
if($user === false){
$username_error = "<p>User doesn't exist</p>";
} elseif($user) {
$newPass = crypt($password, $cryptpass);
if($cryptpass == $newPass) {
$_SESSION['loggedin'] = TRUE;
$_SESSION['username'] = $user['username'];
header('Location: login_success.php');
}else {
$password_error = "<p>Password is not correct!</p>";
}
}
}
} else {
$captcha_error = "<p>Please enter correct captcha!</p>";
}
}
}
?>
<!DOCTYPE HTML>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Welcome to Love Her Feet</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.3.1/css/bootstrap.min.css" integrity="sha384-ggOyR0iXCbMQv3Xipma34MD+dH/1fQ784/j6cY/iJTQUOhcWr7x9JvoRxT2MZw1T" crossorigin="anonymous">
<link rel="stylesheet" href="/login_assets/css/style.css">
<link href="https://fonts.googleapis.com/css?family=Raleway:300,400,500&display=swap" rel="stylesheet">
<link href="https://fonts.googleapis.com/css?family=Open+Sans:400,600&display=swap" rel="stylesheet">
<link rel="stylesheet" href="/login_assets/css/media.css">
<script src="/login_assets/js/jquery.min.js"></script>
<script src="/login_assets/js/modernizr.custom.js"></script>
</head>
<body>
<header class="clear hBlack">
<div class="jLogo"><img src="/login_assets/images/logo.png" alt=""></div>
</header>
<div class="logArea clear">
<form action="login.php" method="post">
<div class="logbox">
<div class="box clear">
<h2>Members Area</h2>
<div class="logTypes">
<input type=text name="username" class="logtextbox" placeholder="Username">
<span class="text-danger"><?php echo $username_error; ?></span>
<input type=password name="password" class="logtextbox" placeholder="Password"><br>
<span class="text-danger"><?php echo $password_error; ?></span>
<div style="width:100%; text-align:center">
<img src="captcha.php" style="width:150px; height:30px"/><p style="margin:4px 0px 0px 0px">Reload Image</p>
</div>
<div style="width:100%">
<label>Enter Captcha:</label>
<input type="text" name="captcha" id="captcha" maxlength="6" size="6"/>
</div>
<span class="text-danger"><?php echo $captcha_error; ?></span>
<div style="text-align: center">Remember my login: <input name="remember" type=checkbox value="y"></div>
</div>
</div>
<input type="submit" name="submit" value="submit" class="logBtn">
</div>
</form>
</div>
</div>
</body>
</html>
login_success.php
<?php
session_start();
if(isset($_SESSION["loggedin"])) {
echo "Welcome, {$_SESSION["username"]} <br>";
echo "<a href='logout.php'>Logout</a>";
} else {
header("Location: login.php");
}
logout.php
<?php
session_start();
session_destroy();
header("Location: login.php");
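The code above stores the username and the password themselves in cookies and later treats the presence of a cookie as proof of login. The following added example, which is not the questioner's code and which fits the stated constraint of not being able to change any table, shows a remember-me cookie that carries only a username, an expiry and an HMAC over both, so that only the server holding the secret key can mint a valid cookie and the password never leaves the server. REMEMBER_SECRET is a placeholder that must come from server-side configuration; the function names and the call sites (login.php, login_success.php, logout.php) are assumptions, and the array form of setcookie() needs PHP 7.3 or newer.

```php
<?php
// Added example (not the question's code): stateless, HMAC-signed remember-me
// cookie. REMEMBER_SECRET is a placeholder for a long random value loaded from
// server-side config; it must not live in the repository.
declare(strict_types=1);

const REMEMBER_SECRET = 'REPLACE-WITH-LONG-RANDOM-SECRET-FROM-CONFIG'; // placeholder
const REMEMBER_COOKIE = 'remember';
const REMEMBER_TTL    = 7 * 24 * 60 * 60; // one week, in seconds

/** Build the cookie value: hex(username)|expiry|hmac, base64-wrapped. */
function makeRememberToken(string $username, int $now): string
{
    $payload = bin2hex($username) . '|' . ($now + REMEMBER_TTL);
    $mac     = hash_hmac('sha256', $payload, REMEMBER_SECRET);
    return base64_encode($payload . '|' . $mac);
}

/** Return the username if the token is genuine and unexpired, otherwise null. */
function verifyRememberToken(string $token, int $now): ?string
{
    $decoded = base64_decode($token, true);
    if ($decoded === false) {
        return null;
    }
    $parts = explode('|', $decoded);
    if (count($parts) !== 3) {
        return null;
    }
    [$hexName, $expires, $mac] = $parts;
    if (!ctype_xdigit($hexName) || strlen($hexName) % 2 !== 0 || !ctype_digit($expires)) {
        return null;                         // malformed token
    }
    if ((int)$expires < $now) {
        return null;                         // expired
    }
    $expected = hash_hmac('sha256', $hexName . '|' . $expires, REMEMBER_SECRET);
    if (!hash_equals($expected, $mac)) {     // constant-time comparison
        return null;
    }
    return hex2bin($hexName);
}

// Called in login.php only after the password check succeeded and the box was ticked.
function issueRememberCookie(string $username): void
{
    setcookie(REMEMBER_COOKIE, makeRememberToken($username, time()), [
        'expires'  => time() + REMEMBER_TTL,
        'path'     => '/',
        'secure'   => true,   // only sent over HTTPS
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
}

// Called at the top of a protected page such as login_success.php, after session_start().
function resumeSessionFromCookie(): void
{
    if (isset($_SESSION['loggedin'])) {
        return;                              // normal session, nothing to do
    }
    $username = isset($_COOKIE[REMEMBER_COOKIE])
        ? verifyRememberToken((string)$_COOKIE[REMEMBER_COOKIE], time())
        : null;
    if ($username === null) {
        header('Location: login.php');
        exit;
    }
    session_regenerate_id(true);
    $_SESSION['loggedin'] = true;
    $_SESSION['username'] = $username;
}

// logout.php must also clear the cookie, otherwise the next visit logs in again.
function clearRememberCookie(): void
{
    setcookie(REMEMBER_COOKIE, '', ['expires' => time() - 3600, 'path' => '/']);
}
```

The limitation of a stateless token is revocation: a stolen cookie stays valid until its expiry or until REMEMBER_SECRET is rotated (which logs everyone out), which is why a per-user random token stored in a table is preferable when the schema can be changed. Compared with the question's approach, it still removes the two worst properties: the password is never written to the client, and a client cannot forge a login just by setting a cookie with a known username.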

redirect loop error in login page

I am moving from vulnerable SQL code to secure code, and I am trying to update my login to this:
if(isset($_POST['login'])){
$username = $_POST['username'];
$password = $_POST['password'];
if($username != '' && $password!=''){
session_start();
$sql = "SELECT * FROM login WHERE username=? and password =?";
$stmt = $con->prepare($sql);
$stmt=bind_param("ss", $username, $password);
$stmt->execute();
$stmt->store_result();
$num->$stmt->num_rows;
$stmt->close();
if($num>0){
$_SESSION["username"] = $username;
header("Location:homepage.php");
die();
} else {
$message = "Invalid Username or Password!";
}
}
}
When I launch my login page I get this message:
This webpage has a redirect loop
Any help is appreciated.
EDIT
homepage code:
<?php
require_once ('/include/global.php');
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Clinic Form</title>
<link href="css/1140.css" rel="stylesheet" type="text/css" />
<link href="css/style.css" rel="stylesheet" type="text/css" />
<link href="http://fonts.googleapis.com/css?family=Source+Sans+Pro:300" rel="stylesheet" type="text/css" />
</head>
<body>
<div class="container12">
<header>
<div class="row" align="center">
<div class="column12"> <img src="images/logo.png"/> </div>
</div>
<div class="row" align="center">
<div class="row" align="center">Logout</div>
</div>
</header>
<h1 id="home" align="center"> </h1>
<div class="alert"></div>
<div class="column12" align="center">
<div class="row"><a href="patients.php">
<input type="image" value="Patient" src="images/patient.png" width="widthInPixels" height="heightInPixels" onmouseover="this.src='images/patient_roll.png';" onmouseout="this.src='images/patient.png';">
</a> </div>
<div class="row"><a href="/clinic form/appoint/appoint.php">
<input type="image" value="Appointments" src="images/appointments.png" width="widthInPixels" height="heightInPixels" onmouseover="this.src='images/appointments_roll.png';" onmouseout="this.src='images/appointments.png';">
</a> </div>
<div class="row"><a href="/clinic form/med/med.php">
<input type="image" value="Medicaments" src="images/med.png" width="widthInPixels" height="heightInPixels" onmouseover="this.src='images/med_roll.png';" onmouseout="this.src='images/med.png';">
</a> </div>
<div class="row"><a href="">
<input type="image" value="Statistics" src="images/stat.png" width="widthInPixels" height="heightInPixels" onmouseover="this.src='images/stat_roll.png';" onmouseout="this.src='images/stat.png';">
</a> </div>
</div>
</div>
</body>
</html>
EDIT 2
global.php file:
<?php
session_start();
$host="localhost"; // Host name
$username=""; // Mysql username
$password=""; // Mysql password
$db_name=""; // Database name
$tbl_name=""; // Table name
//if(!session_is_registered(myusername)){
//header("location:index.html");
if(isset($_SESSION['username'])) {
echo "Page seen only by " . $_SESSION['username']."<br>";
$con=mysqli_connect($host,$username,$password,$db_name);
}
else{
session_destroy();
header("location:index.php");
}
?>
EDIT 3
The entire index.php code:
<?php
require_once('/include/global.php');
/*if(isset($_POST['login'])){
if($_POST['username'] != '' && $_POST['password']!=''){
if(!isset($_SESSION))
{
session_start();
session_register('username');
}
$result = mysql_query("SELECT * FROM login WHERE username='" . $_POST["username"] . "' and password = '". $_POST["password"]."'");
$row = mysql_fetch_array($result);
if(is_array($row)) {
$_SESSION["username"] = $row[$_POST["username"]];
$_SESSION['username'] = $_POST["username"];
header("Location:homepage.php");
} else {
$message = "Invalid Username or Password!";
}
}else{
$error_msg="Please fill all the fields";
}
}*/
if(isset($_POST['login'])){
$username = $_POST['username'];
$password = $_POST['password'];
if($username != '' && $password!=''){
session_start();
$sql = "SELECT * FROM login WHERE username=? and password =?";
$stmt = $con->prepare($sql);
$stmt=bind_param("ss", $username, $password);
$stmt->execute();
$stmt->store_result();
$num->$stmt->num_rows;
$stmt->close();
if($num>0){
$_SESSION['username'] = $username;
header("Location: homepage.php") ; die();
} else {
$message = "Invalid Username or Password!";
}
}
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Clinic Form</title>
<link href="css/1140.css" rel="stylesheet" type="text/css" />
<link href="css/style.css" rel="stylesheet" type="text/css" />
<link href="http://fonts.googleapis.com/css?family=Source+Sans+Pro:300" rel="stylesheet" type="text/css" />
</head>
<body>
<div class="container12">
<header>
<div class="row" align="center">
<div class="column12"> <img src="images/logo.png"/> </div>
</div>
</header>
<h1 id="home" align="center">Login</h1>
<form action="" method="POST">
<?php if(isset($message)) echo "<script type='text/javascript'>alert('$message');</script>" ?>
<div class="alert">
<?php if(isset($error_msg)) echo "<script type='text/javascript'>alert('$error_msg');</script>" ?>
</div>
<div class="column12" align="center">
<div class="row">
<input type="text" class="large-fld" name="username" value="" placeholder="Username" />
</div>
<div class="row">
<input type="password" class="large-fld" name="password" value="" placeholder="*****" />
</div>
<div class="row">
<input type="image" name="login" value="Login" src="images/btn.png" width="widthInPixels" height="heightInPixels" onMouseOver="this.src='images/rollOverBtn.png';" onMouseOut="this.src='images/btn.png';">
</div>
</div>
</form>
</div>
</body>
</html>
Maybe it will help you if you are more specific about your header. When I started I found this little piece of code and have used it ever since.
$hostname = $_SERVER["HTTP_HOST"];
$path = dirname($_SERVER["PHP_SELF"]);
header("Location: https://".$hostname.($path == "/" ? "" : $path)."/homepage.php");
die();
But I have another question: where do you set your session variable $_SESSION["username"]?
EDIT:
OK, your code does this:
You call homepage.php, which includes global.php. Since there are no session variables set yet, global.php jumps into this part
else
{
session_destroy();
header("location:index.php");
}
Here you redirect to index.php. In index.php you include global.php again, and exactly at this point your loop begins. So your global.php sends you to index.php, in which global.php sends you to index.php, and so on.
One way is to simply remove the include of global.php at the very beginning of your index.php.
Further, you need to call
$stmt->bind_param("ss", $username, $password);
instead of
$stmt=bind_param("ss", $username, $password);
Please add a space in the header function after Location:.
header("Location: homepage.php");
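An alternative to dropping the include, as an added example that is not the questioner's or the answerer's code: keep one global.php for every page (session and database connection) but make its login check aware of which pages are public, so index.php can include it without ever being redirected to itself. It assumes the page names from the question (index.php, homepage.php), a mysqli handle named $con, and placeholder credentials that would come from configuration.

```php
<?php
// Added example (not the question's or answer's code): a global.php that every
// page, including index.php, can include without a redirect loop.
declare(strict_types=1);

if (session_status() !== PHP_SESSION_ACTIVE) { // harmless if a page already called session_start()
    session_start();
}

$host     = 'localhost';
$username = 'DB_USER_PLACEHOLDER';     // placeholders; load from config, not source
$password = 'DB_PASSWORD_PLACEHOLDER';
$db_name  = 'DB_NAME_PLACEHOLDER';

$con = mysqli_connect($host, $username, $password, $db_name);
if ($con === false) {
    error_log('DB connection failed: ' . mysqli_connect_error()); // log it, do not show it to the user
    http_response_code(500);
    exit('Service unavailable');
}

/** Pages reachable without a session; every other page requires login. */
const PUBLIC_PAGES = ['index.php', 'logout.php'];

function isLoggedIn(): bool
{
    return isset($_SESSION['username']);
}

/**
 * Where an unauthenticated request should go: null means "let it through",
 * otherwise the redirect target. Kept free of side effects so the loop-free
 * property is easy to check: for 'index.php' this never returns 'index.php'.
 */
function redirectTargetFor(string $script, bool $loggedIn): ?string
{
    if ($loggedIn || in_array($script, PUBLIC_PAGES, true)) {
        return null;
    }
    return 'index.php';
}

$target = redirectTargetFor(basename($_SERVER['SCRIPT_NAME']), isLoggedIn());
if ($target !== null) {
    header('Location: ' . $target);  // note the space after "Location:"
    exit;                            // nothing after a redirect header should run
}
```

With this in place homepage.php still bounces anonymous visitors to index.php, but index.php is in PUBLIC_PAGES, so the second include lets the request through and the login form renders; the original global.php's session_destroy() on every anonymous hit is also gone, since it served only to discard an empty session.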
