I want to check a user if they have permission to view the site during the login process via a manual set value in MySQL.
How would I insert that check into this code:
include 'dbh.inc.php';
$uid = mysqli_real_escape_string($conn, $_POST['uid']);
$pwd = mysqli_real_escape_string($conn, $_POST['pwd']);
//Error handlers
//check if inputs are empty
if (empty($uid) || empty($pwd)) {
header("Location: ../index.php?login=empty");
exit();
} else {
$sql = "SELECT * FROM users WHERE user_uid='$uid' OR user_email='$uid'";
$result = mysqli_query($conn, $sql);
$resultCheck = mysqli_num_rows($result);
if ($resultCheck < 1) {
header("Location: ../index.php?login=error");
exit();
} else {
if ($row = mysqli_fetch_assoc($result)) {
//de-hash pass
$hashedPwdCheck = password_verify($pwd, $row['user_pwd']);
if ($hashedPwdCheck == false) {
header("Location: ../index.php?login=error");
exit();
} elseif ($hashedPwdCheck == true) {
//log in user here
$_SESSION['u_id'] = $row['user_id'];
$_SESSION['u_first'] = $row['user_first'];
$_SESSION['u_last'] = $row['user_last'];
$_SESSION['u_email'] = $row['user_email'];
$_SESSION['u_uid'] = $row['user_uid'];
header("Location: ../index.php?login=success");
exit();
}
}
}
}
You have pretty much everything done already. But your question not clear enough. Do you want to block the user from login or only allow limited access to certain pages for the user ?
if ($hashedPwdCheck == false) {
header("Location: ../index.php?login=error");
exit();
} elseif ($hashedPwdCheck == true) {
if($row['user_can_login']){
//log in user here
$_SESSION['u_id'] = $row['user_id'];
$_SESSION['u_first'] = $row['user_first'];
$_SESSION['u_last'] = $row['user_last'];
$_SESSION['u_email'] = $row['user_email'];
$_SESSION['u_uid'] = $row['user_uid'];
header("Location: ../index.php?login=success");
exit();
}else{
header("Location: ../index.php?login=error");
exit();
}
}
This is to block existing user from login.
Related
So I have this piece of code that I just followed some guide to create,
<?php
session_start();
if (isset($_POST['submit'])) {
include 'db.conf.php';
$uid = mysqli_real_escape_string($conn, $_POST['uid']);
$pwd = mysqli_real_escape_string($conn, $_POST['pwd']);
$_SESSION['uid'] = $uid;
//Error handleri
//Check jesu inputi empty
if (empty($uid) || empty($pwd))
{
header("Location: ../index.php?login=empty");
exit();
}
else
{
$sql = "SELECT * FROM users WHERE user_uid = '$uid' OR user_email = '$uid'";
$result = mysqli_query($conn, $sql);
$resultCheck = mysqli_num_rows($result);
if ($resultCheck < 1)
{
header("Location: ../index.php?login=usernamenepostoji");
exit();
}
else
{
if ($row = mysqli_fetch_assoc($result)) {
//Dehashiranje
$hashedPwdCheck = password_verify($pwd, $row['user_pwd']);
if ($hashedPwdCheck == false) {
header("Location: ../index.php?login=invalidpass");
exit();
}
elseif ($hashedPwdCheck == true)
{
//Logiranje
$_SESSION['u_id'] = $row['user_id'];
$_SESSION['u_first'] = $row['user_first'];
$_SESSION['u_last'] = $row['user_last'];
$_SESSION['u_email'] = $row['user_email'];
$_SESSION['u_uid'] = $row['user_uid'];
header("Location: ../index.php?login=success");
exit();
}
}
}
}
}
else
{
header("Location: ../index.php?login=error");
exit();
}
?>
It's just simple error handling and logging in that works. I understand it and wanted to recreate it with a bit more oop.
<?php
session_start();
include 'db.conf.php';
class Login
{
public $username;
public $password;
function __construct()
{
$this->username = $_POST['uid'];
$this->password = $_POST['pwd'];
$this->checkinputs();
}
function checkinputs()
{
if (empty($this->username) || empty($this->password))
{
header("Location: ../index.php?login=empty");
exit();
}
else
{
$username = $this->username;
$sql = "SELECT * FROM users WHERE user_uid =".$username;
$result = mysqli_query($conn, $sql);
$resultCheck = mysqli_num_rows($result);
if ($resultCheck < 1)
{
header("Location: ../index.php?login=usernamenepostoji");
exit();
}
else
{
if ($row = mysqli_fetch_assoc($result)) {
//Dehashiranje
$hashedPwdCheck = password_verify($pwd, $row['user_pwd']);
if ($hashedPwdCheck == false) {
header("Location: ../index.php?login=invalidpass");
exit();
}
elseif ($hashedPwdCheck == true)
{
//Logiranje
$_SESSION['u_id'] = $row['user_id'];
$_SESSION['u_first'] = $row['user_first'];
$_SESSION['u_last'] = $row['user_last'];
$_SESSION['u_email'] = $row['user_email'];
$_SESSION['u_uid'] = $row['user_uid'];
header("Location: ../index.php?login=success");
exit();
}
}
}
}
}
}
?>
This is what I got, it's literally the same code just using functions and other things to 'seperate' it into chunks. It doesn't work. I keep getting stuck on the if $resultCheck < 1 header which means that the username doesn't exist. Though I'm sure it does since nothing changed in the db. So it lead me to thinking its the $conn, it just doesn't connect to the database. I've dumped the $username variable in a file to check if it works, it does. I just have no idea how to proceed.
$conn doesn't exist in method checkinputs().
Either make it global:
function checkinputs()
{
global $conn;
...
}
which I would not recommend (because using globals is disencouraged).
or pass it into Login::_construct() and set it to $this->conn (then use it as $this->conn: $result = mysqli_query($this->conn, $sql);):
function __construct($conn)
{
$this->conn = $conn; // maybe also check if you have a valid connection!
$this->username = $_POST['uid'];
$this->password = $_POST['pwd'];
$this->checkinputs();
}
function checkinputs()
{
// no global now!
....
$result = mysqli_query($this->conn, $sql);
....
}
BUT: please switch to prepared stements. This code is vulnerable to sql injection!
related: Reference: What is variable scope, which variables are accessible from where and what are "undefined variable" errors?
I need to echo or to show an alert box when the user entered a incorrect user name and password. I used the url for the mean time to show the status if the user entered the incorrect username or the incorrect password.
session_start();
if (isset($_POST['submit'])) {
include 'dbh.inc.php';
$uid = mysqli_real_escape_string ($conn, $_POST['uid']);
$pwd = mysqli_real_escape_string ($conn, $_POST['pwd']);
//ERROR HANDLERS
//Check for empty fields
if (empty($uid) || empty($pwd)) {
header("Location: ../login.php?login=empty");
exit();
} else {
$sql = "SELECT * FROM users WHERE user_uid='$uid' OR user_email='$uid'";
$result = mysqli_query($conn, $sql);
$resultCheck = mysqli_num_rows($result);
if ($resultCheck < 1) {
header("Location: ../login.php?username_not_found");
exit();
} else {
if ($row = mysqli_fetch_assoc($result)) {
//De-hashing the password
$hashedPwdCheck = password_verify($pwd, $row['user_pwd']);
if ($hashedPwdCheck == false) {
header("Location: ../login.php?password_not_match");
exit();
} elseif ($hashedPwdCheck == true) {
//Log in the user here
$_SESSION['u_id'] = $row['user_id'];
$_SESSION['u_first'] = $row['user_first'];
$_SESSION['u_last'] = $row['user_last'];
$_SESSION['u_email'] = $row['user_email'];
$_SESSION['u_uid'] = $row['user_uid'];
header("Location: ../apptableremarks.php?login=success");
exit();
}
}
}
}
} else {
header("Location: ../index.php?login=error");
exit();
}
first change this line
header("Location: ../login.php?login=notFound");
then on the top the page in index.php file write this code
if(isset($_GET['login']))
{
echo "user name not found";
}
i think you should pass header variable like this :**
header("Location: ../login.php?user=not_found");
and then you can grab it using $_GET[] variable.
Like this: if(isset($_GET["user"] && $_GET["user"]==="not_fount")) echo "your alert message";
I have an echo after each header redirect. But it does not pop up. So when the user enters an invalid login detail no message pops up. What am I doing wrong?
I tried a JavaScript method as well but did not manage to fix the issue.
Is it something to do with my nested ifs maybe?
<?php
session_start();
#first if
if (isset($_POST['submit'])) {
include 'dbh.inc.php';
$uid = mysqli_real_escape_string( $conn , $_POST['uid'] );
$pwd = mysqli_real_escape_string( $conn , $_POST['pwd'] );
//Error handlers
//Check if this input are empty
#second if
if (empty($uid) || empty($pwd)) {
header("Location: ../index.php?login=empty");
exit();
}/*second else*/ else {
$sql = "SELECT * FROM users WHERE user_uid='$uid' OR user_email='$uid'";
$result = mysqli_query($conn,$sql);
$resultCheck = mysqli_num_rows($result);
#third if
if ($resultCheck < 1) {
header("Location: ../index.php?login=error");
echo "Login error";
exit();
}/*third else*/ else {
#forth if
if ($row = mysqli_fetch_assoc($result)) {
//de-hashing the password
$hashedPwdCheck = password_verify($pwd , $row['user_pwd']);
#fifth if
if ($hashedPwdCheck == false) {
header("Location: ../index.php?login=error");
echo "Login error";
exit();
} /*fifth else*/ elseif ($hashedPwdCheck == true) {
//Log in the user here
$_SESSION['u_id'] = $row['user_id'];
$_SESSION['u_first'] = $row['user_first'];
$_SESSION['u_last'] = $row['user_last'];
$_SESSION['u_email'] = $row['user_email'];
$_SESSION['u_uid'] = $row['user_uid'];
$uid = $_SESSION['u_id'];
header("Location: ../index.php?login=success");
echo "Login error";
exit();
}
}
}
}
}/*first else*/ else {
header("Location: ../index.php?login=error");
echo "Login error";
exit();
}
?>
If you use location headers you can never display messages - the browser ignores the rest of the request and does the redirect immediately, because the HTTP code is changed to 302.
Even if you could show a message, it would not be a good experience for the user, as it would only display for a fraction of a second and then the redirect would happen and the page would be overwritten. You should show the error message on the landing page (index.php?login=error).
Here is my login PHP code
<?php
session_start();
if (isset($_POST['submit'])) {
include 'dbh.inc.php';
$uid = mysqli_real_escape_string($conn, $_POST['uid']);
$pwd = mysqli_real_escape_string($conn, $_POST['pwd']);
if (empty($uid) || empty($pwd)) {
header("Location: ../index.php?login=empty");
exit();
} else {
$sql = "SELECT * FROM users WHERE user_uid= ?";
$stmt = $conn->prepare($sql);
$stmt->bind_param("s",$user_uid);
$stmt->execute();
$result = $stmt->get_results(); //LINE 20 IS HERE BTW
$num_rows = $result->num_rows;
if($num_rows == 1) {
$rows = $result->fetch_assoc();
$hashedPwdCheck = password_verify($pwd, $row['user_pwd']);
if ($hashedPwdCheck == false) {
header("Location: ../index.php?login=errorchecker");
exit();
} elseif ($hashedPwdCheck == true) {
#Logs in
$_SESSION['u_id'] = $row['user_id'];
$_SESSION['u_first'] = $row['user_first'];
$_SESSION['u_last'] = $row['user_last'];
$_SESSION['u_email'] = $row['user_email'];
$_SESSION['u_uid'] = $row['user_uid'];
header("Location: ../index.php?login=success");
exit();
}
$read->close();
} else {
header("Location: ../index.php?login=errorb4pwcheck");
}
}
}
Returns the error
Fatal error: Call to undefined method mysqli_stmt::get_results() in C:\wamp64\www\loginsystem-1\includes\login.inc.php on line 20
$result = $stmt->get_results();
I have searched as many threads as I can find and have tried different ways on doing this prepared statement, I have seen a lot about mysqlnd not being installed and enabled.
Proof mine is:
phpinfo on mysqlnd
I have tried using the bind & fetch methods but it just simply doesn't work, I'm guessing I am doing it wrong but i've watched many different tutorials and read forum posts about it and tried to apply it to my work.
This was the solution code my friend helped me solve :) Just incase anyone experienced the same issue...
session_start();
if (isset($_POST['submit'])) {
include 'dbh.inc.php';
$uid = $_POST['uid'];
$pwd = $_POST['pwd'];
# Error handlers
# Check if inputs are empty
if (empty($uid) || empty($pwd)) {
header("Location: ../index.php?login=empty");
exit();
} else {
$sql = "SELECT * FROM users WHERE user_uid= ?";
$stmt = $conn->prepare($sql);
$stmt->bind_param("s", $_POST['uid']);
$stmt->execute();
$result = $stmt->get_result();
$num_rows = $result->num_rows;
if($num_rows == 1) {
while ($rows = $result->fetch_assoc()) {
if (!password_verify($pwd, $rows['user_pwd'])) {
header("Location: ../index.php?login=errorchecker");
exit();
} else {
#Logs in
$_SESSION['u_id'] = $rows['user_id'];
$_SESSION['u_first'] = $rows['user_first'];
$_SESSION['u_last'] = $rows['user_last'];
$_SESSION['u_email'] = $rows['user_email'];
$_SESSION['u_uid'] = $rows['user_uid'];
header("Location: ../index.php?login=success");
exit();
}
}
$read->close();
} else {
header("Location: ../index.php?login=errorb4pwcheck");
}
}
}
How can I redirect two users according to their roles? I have database user type 1 and type 0. My log-in code is like this. Type 1 is suppose to be an admin and type 0 is a regular user.
<?php
session_start();
if(isset($_POST['submit'])){
include 'dbh.inc.php';
$uid = mysqli_real_escape_string($conn, $_POST['uid']);
$pwd = mysqli_real_escape_string($conn, $_POST['pwd']);
if (empty($uid) || empty($pwd)){
header("Location: ../index.php?login=empty");
exit();
} else {
$sql = "SELECT * FROM users WHERE user_uid='$uid'";
$result = mysqli_query($conn, $sql);
$resultCheck = mysqli_num_rows($result);
if ($resultCheck < 1) {
header("Location: ../index.php?login=error");
exit();
} else {
if ($row = mysqli_fetch_assoc($result)){
$hashedPwdCheck = password_verify($pwd, $row['user_pwd']);
if($hashedPwdCheck == false){
header("Location: ../index.php?login=error");
exit();
} elseif ($hashedPwdCheck == true) {
$_SESSION['u_id'] = $row['user_id'];
$_SESSION['u_first'] = $row['user_first'];
$_SESSION['u_last'] = $row['user_last'];
$_SESSION['u_uid'] = $row['user_uid'];
header("Location: ../main.php?login=success");
exit();
}
}
}
}
} else {
header("Location: ../index.php?login=error");
exit();
}
you can do this easily by if()..else... but at all don't use directly header to redirect, I suggest you use this function to redirect:
function redirect($url){
if (headers_sent()){
die('<script type="text/javascript">window.location.href=\'' . $url . '\';</script>');
}else{
header('Location: ' . $url);
die();
}
}
this is what you need to do:
if($type == 1)
redirect($admin_url);
else
redirect($user_url);