We Keep Coding

php Header location not letting me into admin area

I recently started learning PHP. I've been working on a basic login page. Everything works great locally, but when it's uploaded to ipage, it just reloads the login page. If I enter incorrect login info, it tells me that I entered something wrong.
Here's my code...
login.php:
<?php
ob_start();
session_start();
require 'connect.inc.php';
if (isset($_POST['submit'])) {
$uid = $_POST['uid'];
$pwd = $_POST['pwd'];
$uid = strip_tags($uid);
$pwd = strip_tags($pwd);
$uid = stripcslashes($uid);
$pwd = stripcslashes($pwd);
$uid = mysqli_real_escape_string($db, $uid);
$pwd = mysqli_real_escape_string($db, $pwd);
$sql = "SELECT * FROM users WHERE uid='$uid' LIMIT 1";
$query = mysqli_query($db, $sql);
$row = mysqli_fetch_array($query);
$id = $row['id'];
$db_password = $row['pwd'];
$pwd = password_verify($pwd, $row['pwd']);
if ($pwd == $db_password) {
//$_SESSION['username'] = $uid;
$_SESSION['id'] = $id;
header("Location: http://website.com/dashboard.php");
exit;
}else {
echo 'You didn\'t enter the correct information';
}
}
?>
dashboard.php:
<?php
ob_start();
session_start();
require 'connect.inc.php';
if (!isset($_SESSION['id'])) {
header("Location: http://website.com/login.php");
exit();
}
?>
any help would be appreciated very much...

I think the problem of your code lies in here
if ($pwd == $db_password) {
//$_SESSION['username'] = $uid;
$_SESSION['id'] = $id;
header("Location: http://website.com/dashboard.php");
exit;
}else {
echo 'You didn\'t enter the correct information';
}
password_verify() returns TRUE or FALSE and you are trying to check if it is equal to $db_password. As fas as I know this will not be true so even though the password you are typing in is correct, the page won't go anywhere because the if statement is not working properly.
So in your case, this is how I think you should have your code
<?php
ob_start();
session_start();
require 'connect.inc.php';
if (isset($_POST['submit'])) {
$uid = $_POST['uid'];
$pwd = $_POST['pwd'];
$uid = strip_tags($uid);
//$pwd = strip_tags($pwd);
$uid = stripcslashes($uid);
//$pwd = stripcslashes($pwd);
$uid = mysqli_real_escape_string($db, $uid);
//$pwd = mysqli_real_escape_string($db, $pwd);
$sql = "SELECT * FROM users WHERE uid='$uid' LIMIT 1";
$query = mysqli_query($db, $sql);
$row = mysqli_fetch_array($query);
$id = $row['id'];
$db_password = $row['pwd'];
$pwd = password_verify($pwd, $db_password);
if ( $pwd === TRUE ) {
//$_SESSION['username'] = $uid;
$_SESSION['id'] = $id;
header("Location: http://website.com/dashboard.php");
exit;
}else {
echo 'You didn\'t enter the correct information';
}
}

having problems with removing sha1 encryption from my code

ill like to remove the sha1 encryption on this code so i can store my password as typed in the database instead of the encrypted code. Am new to coding so I need help
The code (settings_model.php)
<?php
$settings = new Datasettings();
if(isset($_GET['q'])){
$settings->$_GET['q']();
}
class Datasettings {
function __construct(){
if(!isset($_SESSION['id'])){
header('location:../../');
}
}
function changepassword(){
include('../../config.php');
$username = $_GET['username'];
$password = $_GET['password'];
$current = sha1($_POST['current']);
$new = sha1($_POST['new']);
$confirm = sha1($_POST['confirm']);
$q = "select * from userdata where username='$username' and password='$current'";
$r = mysqli_query($db,$q);
if(mysqli_num_rows($r) > 0){
if($new == $confirm){
$r2 = mysqli_query($db,"update userdata set password='$new' where username='$username' and password='$current'");
header('location:../settings.php?msg=success&username='.$username.'');
}else{
header('location:../settings.php?msg=error&username='.$username.'');
}
}else{
header('location:../settings.php?msg=error&username='.$username.'');
}
}
function addaccount(){
include('../../config.php');
$level = $_GET['level'];
$id = $_GET['id'];
$q = "select * from $level where id=$id";
$r = mysqli_query($db,$q);
$row = mysqli_fetch_array($r);
if($level == 'student'){
$username = $row['studid'];
$fname = $row['fname'];
$lname = $row['lname'];
$password = sha1($username.'-'.$fname);
}else{
$username = $row['teachid'];
$fname = $row['fname'];
$lname = $row['lname'];
$password = sha1($username.'-'.$fname);
}
$verify = $this->verifyusername($username);
if($verify){
$q2 = "insert into userdata values(null,'$username','$password','$fname','$lname','$level')";
mysqli_query($db,$q2);
header('location:../'.$level.'list.php?r=added an account');
}else{
header('location:../'.$level.'list.php?r=updated');
}
}
function verifyusername($user){
$q = "select * from userdata where username='$user'";
$r = mysql_query($q);
if(mysql_num_rows($r) < 1){
return true;
}else{
return false;
}
}
function getuser($search){
include('../config1.php');
$user = $_SESSION['id'];
$q = "select * from userdata where username !='$user' and username like '%$search%' order by lname asc";
$r = mysqli_query($db, $q);
return $r;
}
function addaccounts(){
include('../../config1.php');
extract($_POST);
$q = "select * from $level where id=$id";
$r = mysqli_query($db,$q);
$row = mysqli_fetch_array($r);
if($level == 'student'){
$username = $row['studid'];
$fname = $row['fname'];
$lname = $row['lname'];
$password = sha1($username.'-'.$fname);
}else{
$username = $row['teachid'];
$fname = $row['fname'];
$lname = $row['lname'];
$password = sha1($username.'-'.$fname);
}
$verify = $this->verifyusername($username);
if($verify){
$q2 = "insert into userdata values(null,'$username','$password','$fname','$lname','$level')";
mysqli_query($db,$q2);
header('location:../'.$level.'list.php?r=added an account');
}else{
header('location:../'.$level.'list.php?r=updated');
}
}
}
?>
please help need an answer soon. thanks.

just change this line
$confirm = sha1($_POST['confirm']);
to this
$confirm = $_POST['confirm'];

if (isset($_SESSION["uname"]) == ($_COOKIE['admin']))

I am trying to make a sample website that have a different privileges the admin is for admin page and the client is for client page?
and this is my PHP code db_login
<?php
$uname = $_POST["uname"];
$pword = $_POST["pword"];
require_once("../connector/db_open.php");
$sql = "SELECT * FROM tbl_create_acc WHERE uname = '".$uname."' AND pword = '".$pword."'";
$result = $conn->query($sql) or die ($conn->error);
if($result->num_rows >0)
{
if (isset($_SESSION["uname"]) == ($_COOKIE['admin']))
{
$row = mysqli_fetch_array($result);
session_start();
$_SESSION['id'] = $row['id'];
$_SESSION['uname'] = $row['uname'];
$_SESSION['pword'] = $row['pword'];
header("Location: ../page/adminpage.php");
}
else
{
header("Location: ../page/clientpage.php");
}
}
else
{
header("Location: ../page/index1.php");
}
require_once("../connector/db_close.php");
?>

MySql Password_verify() not working?

during registration, the user's password is saved in the database as an encrypted BCRYPT password.
My question is: Why can't I verify the encrypted database password with the entered password?
CODE:
<?php //POST VARIABLES
$submit = $_POST['login_submit'];
$username = $_POST['login_username'];
$password = $_POST['login_password'];
$email = $_POST['login_email'];
require 'password_config.php';
if(isset($submit)){
require 'db/connect.php';
//PASSWORD VERIFYING
$pass_query = "SELECT password FROM users WHERE email='$email'";
$queried = mysql_query($pass_query);
while($row = mysql_fetch_array($queried)){
$user_pass = $row['password'];
$veri_password = password_verify($password, $user_pass);
}
//CHECKING NUM ROWS
$sql = "SELECT id, username FROM users WHERE password='$veri_password' AND email='$email'";
$entered_user = mysql_query($sql);
$num_rows = mysql_num_rows($entered_user);
//ERRS ARRAY DECLARED
$errors = array();
//FURTHER VERIFYING
if( $num_rows != 1 )
{
$errors[] = '-Account does not exist ';
}
elseif( $num_rows == 1 )
{
session_start();
while($row = mysql_fetch_array($entered_user)){
$_SESSION['key'] === true;
$_SESSION['id'] = $row['id'];
$_SESSION['email'] = $email;
$_SESSION['user'] = $row['username'];
$_SESSION['pass'] = $password;
header('Location: profile.php');
exit();
}
}
}
?>
I'm receiving an error that says 'account does not exist' even when I enter valid information.
Thanks,
-Eugene
EDIT CHANGED TO THIS:
<?php //POST VARIABLES
$submit = $_POST['login_submit'];
$username = $_POST['login_username'];
$password = $_POST['login_password'];
$email = $_POST['login_email'];
require 'password_config.php';
if(isset($submit)){
require 'db/connect.php';
//PASSWORD VERIFYING
$pass_query = "SELECT password FROM users WHERE email='$email'";
$queried = mysql_query($pass_query);
while($row = mysql_fetch_array($queried)){
$user_pass = $row['password'];
$veri_password = password_verify($password, $user_pass);
}
if($veri_password === true){
//CHECKING NUM ROWS
$sql = "SELECT id, username FROM users WHERE password='$user_pass' AND email='$email'";
$entered_user = mysql_query($sql);
$num_rows = mysql_num_rows($entered_user);
//ERRS ARRAY ESTABLISHED
$errors = array();
//FURTHER VERIFYING
if( $num_rows != 1 )
{
$errors[] = '-Account does not exist ';
}
elseif( $num_rows == 1 )
{
session_start();
while($row = mysql_fetch_array($entered_user)){
$_SESSION['key'] === true;
$_SESSION['id'] = $row['id'];
$_SESSION['email'] = $email;
$_SESSION['user'] = $row['username'];
$_SESSION['pass'] = $password;
header('Location: profile.php');
exit();
}
}
}
}
?>

change to:
$sql = "SELECT id, username FROM users WHERE email='$email'";
Also change:
$veri_password = password_verify($password, $user_pass);
to
if(!password_verify($password, $user_pass)){
echo 'invalid password';
exit;
}
anyway, your code is vulnerable to sql injection. please consider using prepared statements in your queries or escape input strings with mysql_real_escape_string. . And also it is recommended to use mysqli or pdo instead of procedural methods

Can't update database using php and Mysql

I am trying to update a user password in database with the following code
<?php
session_start();
if( isset($_SESSION['user']) ){
}
else
{
header("location: index.php");
}
$host = "localhost";
$username = "xxxx";
$password = "xxxxx";
$db_name = "auth_db";
$tbl_name = "users";
$link = new mysqli("$host", "$username" , "$password", "$db_name");
if(mysqli_connect_error())
{
die('Connect Error ('.mysqli_connect_errno().')' .msqli_connect_error());
}
$username = $_SESSION['user'];
$pwd = $_POST['oldpass'];
$pwd1 = $_POST['newpass'];
$pwd2 = $_POST['newpass1'];
if($pwd1 !== $pwd2)
{
Print '<script>alert("New Passwords do not match");</script>';
Print '<script>window.location.assign("pwd.php");</script>';
}
$query = mysqli_query($link, "SELECT * from users WHERE username = '$username'");
$user_exist = mysqli_num_rows($query);
$tbl_user = "";
$tbl_password = "";
$password = 0 ;
if($user_exist > 0)
{
while($row = mysqli_fetch_assoc($query))
{
$tbl_user = $row['username'];
$tbl_password = $row['password'];
$password = password_verify($pwd, $tbl_password);
}
if(($username == $tbl_user) && ($password))
{
if($password)
{
$new_hash = password_hash(('$pwd1'), PASSWORD_BCRYPT);
mysqli_query($link, "UPDATE $tbl_name SET password = '$new_hash' WHERE username = '$tbl_user'");
Print '<script>alert("Updated, Please relogin.");</script>';
Print '<script>window,location.assign("logout.php");</script>';
}
}
else
{
Print '<script>alert("Incorrect Password");</script>';
Print '<script>window,location.assign("pwd.php");</script>';
}
}
?>
I am able to generate the hash but it is not getting updated in the database and the page is redirected to the given link. I am thinkinging that there is something worng with my
mysqli_query($link, "UPDATE $tbl_name SET password = '$new_hash' WHERE username = '$tbl_user'");
Any help is appreciated. Thank you.

your code has many syntax errors. i have cited some and put it in comments so you can change it yourself.
<?php
session_start();
if( isset($_SESSION['user']) ){
}
else
{
header("location: index.php");
}
$host = "localhost";
$username = "xxxx";
$password = "xxxxx";
$db_name = "auth_db";
$tbl_name = "users";
$link = new mysqli("$host", "$username" , "$password", "$db_name");
if(mysqli_connect_error())
{
die('Connect Error ('.mysqli_connect_errno().')' .msqli_connect_error());
}
$username = $_SESSION['user'];
$pwd = $_POST['oldpass'];
$pwd1 = $_POST['newpass'];
$pwd2 = $_POST['newpass1'];
if($pwd1 !== $pwd2)
{
Print '<script>alert("New Passwords do not match");</script>';
Print '<script>window.location.assign("pwd.php");</script>';
}
$query = mysqli_query($link, "SELECT * from users WHERE username = '$username'");
$user_exist = mysqli_num_rows($query);
$tbl_user = ""; // instead of reinitializing these as a blank slate just use the unset(); function
$tbl_password = ""; // so its unset($tbl_user); so you can save memory.
$password = 0 ;
if($user_exist > 0)
{
while($row = mysqli_fetch_assoc($query))
{
$tbl_user = $row['username'];
$tbl_password = $row['password'];
$password = password_verify($pwd, $tbl_password);
}
if(($username == $tbl_user) && ($password))
{
if($password)
{
$new_hash = password_hash(('$pwd1'), PASSWORD_BCRYPT);
mysqli_query($link, "UPDATE $tbl_name SET password = '$new_hash' WHERE username = '$tbl_user'");
Print '<script>alert("Updated, Please relogin.");</script>';
Print '<script>window,location.assign("logout.php");</script>'; //<- window.location.assign();
}
}
else
{
Print '<script>alert("Incorrect Password");</script>';
Print '<script>window,location.assign("pwd.php");</script>'; //<-- window.location.assign();
}
}
?>

Try this
$link = new mysqli($host, $username , $password, $db_name);
mysqli_query($link, "UPDATE $tbl_name SET pasword = ".$new_hash." WHERE username = ".$tbl_user.");