So im having problem with code in php, it drives me crazy..
The thing is, i am making login page, and i have index.php, login.php and dashboard.php.
Login form is in index.php, in login.php it checks if user is in database, and if it is redirect user to dashboard.php, but when i type right user and pass, it redirects me to index.php instead of dashboard.php??
login.php
<?php
session_start();
include($_SERVER['DOCUMENT_ROOT'] . "/new_cms/includes/db.php");
$username = $_POST['username'];
$password = $_POST['password'];
$btn = $_POST['submit'];
if(isset($btn)){
if(empty($username) || empty($password)){
echo "You must fill all fields";
}else{
$sql = "SELECT * FROM admins WHERE username = '$username' AND password = '$password'";
$query = mysqli_query($dbconn, $sql);
$rows = mysqli_num_rows($query);
if($rows > 0){
$_SESSION['usr'] = $rows['password'];
header("Location: dashboard.php");
}else{
echo "Invalid login";
}
}
}
?>
dashboad.php
<?php
session_start();
include($_SERVER["DOCUMENT_ROOT"] . "/new_cms/includes/db.php");
include($_SERVER["DOCUMENT_ROOT"] . "/new_cms/admin/login.php");
if(!isset($_SESSION['usr'])){
header("Location: index.php");
}else{
echo "Welcome";
}
?>
What am i doing wrong?
$rows is just a number, not an array, since you used mysqli_num_rows. Still you try to get $rows['password'].
instead, fetch the first row of the result and use this to assign to the session variable.
if(isset($btn)){
if(empty($username) || empty($password)){
echo "You must fill all fields";
}else{
$sql = "SELECT * FROM admins WHERE username = '$username' AND password = '$password'";
$query = mysqli_query($dbconn, $sql);
$rows = mysqli_num_rows($query);
if($rows > 0){
$user = mysqli_fetch_assoc($query);
$_SESSION['usr'] = $user['password'];
header("Location: dashboard.php");
}else{
echo "Invalid login";
}
}
}
Related
I want to create a login page for admin and super admin in one PHP page. Currently, I do login page for admin and super admin separately but use the same database table.
Below is my current code for admin and super admin login
admin_login.php
<?php
include("config/config.php");
session_start();
if($_SERVER["REQUEST_METHOD"] == "POST") {
$Email = mysqli_real_escape_string($link,$_POST['Email']);
$Pwd = mysqli_real_escape_string($link,$_POST['Pwd']);
$sql = "SELECT staff.Email FROM staff WHERE Email = '$Email' AND Pwd ='$Pwd' AND staff.Role = 'admin'";
$result = mysqli_query($link,$sql);
$row = mysqli_fetch_array($result,MYSQLI_ASSOC);
$count = mysqli_num_rows($result);
if($count == 1) {
$_SESSION['login_user'] = $Email;
header("location: pages/dashboard/dashboard_admin.php");
}else {
$error = "Your Login Name or Password is invalid";
}
}
?>
super_admin_login.php
<?php
include("config/config.php");
session_start();
if($_SERVER["REQUEST_METHOD"] == "POST") {
$Email = mysqli_real_escape_string($link,$_POST['Email']);
$Pwd = mysqli_real_escape_string($link,$_POST['Pwd']);
$sql = "SELECT staff.Email FROM staff WHERE Email = '$Email' AND Pwd ='$Pwd' AND staff.Role = 'super_admin'";
$result = mysqli_query($link,$sql);
$row = mysqli_fetch_array($result,MYSQLI_ASSOC);
$count = mysqli_num_rows($result);
if($count == 1) {
$_SESSION['login_user'] = $Email;
header("location: pages/dashboard/dashboard_super_admin.php");
}else {
$error = "Your Login Name or Password is invalid";
}
}
?>
can anyone help me? Really appreciate
What you are doing now is to check if there is any username and password with the specific role, why not checking username and password and after that check the role of it to redirect to correct place ?
You can merge them, What you should do is to first check username and password and after that check the role to see if it is Admin or Super Admin to redirect to correct dashboard.
<?php
include("config/config.php");
session_start();
if($_SERVER["REQUEST_METHOD"] == "POST") {
$Email = mysqli_real_escape_string($link,$_POST['Email']);
$Pwd = mysqli_real_escape_string($link,$_POST['Pwd']);
$sql = "SELECT staff.Email,staff.Role FROM staff WHERE Email = '$Email' AND Pwd ='$Pwd'"; // Remember You do not need to check role here so you can accept both
$result = mysqli_query($link,$sql);
$row = mysqli_fetch_array($result,MYSQLI_ASSOC);
$count = mysqli_num_rows($result);
if($count == 1) {
$_SESSION['login_user'] = $Email;
if($row["Role"] == "admin"){ //Check the role here
header("location: pages/dashboard/dashboard_admin.php");
}else{ // If you want to be more specific you can write a else-if here too.
header("location: pages/dashboard/dashboard_super_admin.php");
}
}else {
$error = "Your Login Name or Password is invalid";
}
}
?>
PS: NEVER STORE PLAIN PASSWORD AND USE PREPARED STATEMENTS TO PREVENT SQL INJECTION
You are approaching this from slightly the wrong perspective. Every user should login through the same script. User presents a UserId (Email in your case) and Password, you check they are correct and THEN you pick up the staff.Role to know what kind of user they are, and treat them accordingly
I have also changed your code to use a prepared, parameterised and bound query
<?php
include("config/config.php");
session_start();
if($_SERVER["REQUEST_METHOD"] == "POST") {
//$Email = mysqli_real_escape_string($link,$_POST['Email']);
//$Pwd = mysqli_real_escape_string($link,$_POST['Pwd']);
$sql = "SELECT Pwd, Role
FROM staff
WHERE Email = ?";
$stmt = $link->prepare($sql);
$stmt->bind_param('s',$_POST['Email']);
$stmt->execute();
$result = $stmt->get_result();
$row = $result->fetch_assoc();
if ($result->num_rows == 1 )
// this should really be using `password_verify()`
// but as that requiesa change to the way you save the password
// I cannot just add it here
if ( $_POST['Pwd'] == $row['Pwd'] ){
$_SESSION['login_user'] = $Email;
// might be useful to put the role in the session for later use as well
$_SESSION['Role'] = $row['Role'];
if ($row['Role'] == 'admin')
header("location: pages/dashboard/dashboard_admin.php");
exit;
}
if ($row['Role'] == 'super_admin')
header("location: pages/dashboard/dashboard_super_admin.php");
exit;
}
} else {
$error = "Your Login Name or Password is invalid";
}
}
}
?>
Additional reading to change your code to use the more secure password_hash() and pasword_verify()
I'm doing a login system for my webpage, when i key in the correct login id and password the page refresh back to the login page. I did all the things correct but the session keep messing things up and I don't know where is the error.
index.php
session_start();
if(!isset($_SESSION['loggedin'])){
header("location:login.php");
}
server.php
if(isset($_POST['login'])){
$username = mysqli_real_escape_string($db,$_POST['Username']);
$password = mysqli_real_escape_string($db,$_POST['password']);
if (empty($username)){
array_push($errors, "Username is required");
}
if (empty($password)){
array_push($errors, "Password is required");
}
if(count($errors) == 0){
$password = md5($password);
$query = "SELECT * FROM register where username='$username' AND password = '$password'";
$result = mysqli_query($db, $query);
if(mysqli_num_rows($result) == 1){//user found
$logged_in_user = mysqli_fetch_assoc($result);
if ($logged_in_user['type'] == 'admin') {
$_SESSION['loggedin'] = true;
$_SESSION['Username'] = $username;
$_SESSION['id'] = $id;
header('location: admin.php');
}
else{
$_SESSION['loggedin'] = true;
$_SESSION['Username'] = $username;
header('location: index.php');
}
}
}
}
Both pages should have session_start() at the top of code
for example
index.php
<?php
session_start();
server.php
<?php
session_start();
and so on
Another thing offtopic. Prefer using PDO instead of mysqli_ for database access
http://nl1.php.net/manual/pt_BR/book.pdo.php
I can't figure out why I'm getting out my password incorrect, my signup page is working properly.Everytime I try to login it shows login=incorrect password in my url.I tried to figure ot every possible issue online but nothing helped me.
<?php
session_start();
if(isset($_POST['submit'])){
include_once 'dbt.inc.php';
$username = mysqli_real_escape_string($conn, $_POST['username']);
$password = mysqli_real_escape_string($conn, $_POST['password']);
//error handlers
if(empty($username) || empty($password)){
header("Location: ../main_login.php?login=empty");
exit();
}
else{
$sql = "SELECT * FROM users WHERE user_username = '$username'";
$run = mysqli_query($conn, $sql);
$result = mysqli_num_rows($run);
if ($result < 1) {
header("Location: ../main_login.php?login=error");
exit();
}
else{
if ($row = mysqli_fetch_assoc($run)) {
$hashedpasswordcheck = password_verify($password, $row['user_password']);
if ($hashedpasswordcheck == false) {
header("Location: ../main_login.php?login=incorrect password");
exit();
}
elseif($hashedpasswordcheck == true){
//log in user
$_SESSION['user_id'] = $row['user_id'];
$_SESSION['user_first'] = $row['user_first'];
$_SESSION['user_last'] = $row['user_last'];
$_SESSION['user_email'] = $row['user_email'];
$_SESSION['user_username'] = $row['user_username'];
$_SESSION['user_password'] = $row['user_password'];
header("Location: ../main_login.php?login=success");
exit();
}
}
}
}
}
else{
header("Location: ../main_login.php?login=error");
exit();
}
?>
If you get incorrect false responses from password_verify and you know it should be correct, make sure you are enclosing the hash variable in single quotes (') and not double quotes (").
In PHP anything that starts with a $ inside double quotes as a variable.
So I am trying to create a simple login structure, and im not sure why it does not work, I appreciate there are many examples on here, and please do not mark this for duplication, I just really need some help I have tried and tried but I can not see what I have done wrong.
<?php
session_start();
include 'databaseconnection.php';
$email = strip_tags($_POST['email']);
$pwd = strip_tags($_POST['pwd']);
$sql = "SELECT * FROM user WHERE email='$email'";
$result = mysqli_query($conn, $sql);
$row = mysqli_fetch_assoc($result);
$hash_pwd = $row['pwd'];
$hash = password_verify($pwd, $hash_pwd);
if ($hash == 0) {
header("Location: error.php")
exit();
} else {
$sql = "SELECT * FROM user WHERE email='$uid' AND pwd ='$hash_pwd'";
$result = mysqli_query($conn, $sql);
if (!row = mysqli_fetch_assoc($result)); {
echo "your email address or password is incorrect!";
} else {
$_SESSION['id'] = $row['id'];
}
header("Location: profile.php")
If someone could simply suggest what changes I should make, I would really appreciate it.
There you go simple code
<?php
session_start();
include 'databaseconnection.php';
$email = $_POST['email'];
$pwd = $_POST['pwd'];
$sql = "SELECT * FROM user WHERE email = '$email'";
$result = mysqli_query($conn, $sql);
$row = mysqli_fetch_assoc($result);
$hash_pwd = $row['pwd']; // password from database
// if password is valid start session and redirect to profile.php
if (password_verify($pwd, $hash_pwd))
{
$_SESSION['id'] = $row['id'];
header('Location: profile.php');
}
else
{
header("Location: error.php")
exit();
}
?>
You have not closed the "} else {"... section.
First check request second filter input third use pdo
<?php
session_start();
include 'databaseconnection.php';
if ($_SERVER['REQUEST_METHOD'] == 'POST'){
$email = filter_input(INPUT_POST, 'email',FILTER_VALIDATE_EMAILL); //filter input
$pwd = filter_input(INPUT_POST, 'pwd',FILTER_SANITIZE_STRING,FILTER_FLAG_STRIP_HIGH); //filter input
$hashed = sha1($pwd);
$sql= $conn->prepare( "SELECT * FROM user WHERE email ? AND password = ?"); //use pdo here
$sql->execute(array($email, $pwd));
$row = $sql->fetch();
if($row['email'] !== $email || $row['password'] !== $hashed){
header("Location: error.php");
exit();
} else {
$_SESSION['id'] = $row['id'];
header("Location: profile.php");
}
}else {
echo 'error';
}
?>
How would I make this work, I asked before and didn't get a correct answer. This code is the user login, so when they log in I want username and avatar to be trackable through out the site. So far I just have username. I have tried methods and have failed every time.
$username = $_POST['username'];
$password = sha1($_POST['password']);
$sql = "SELECT * FROM users WHERE username = '$username' AND password = '$password'";
$result = mysqli_query($conn, $sql) or die('Error querying database.');
$count=mysqli_num_rows($result);
if ($count == 1)
{
$row = mysqli_fetch_array($result);
while ($_SESSION['username'] = $row['username'])
{
session_start();
header('Location: index.php');
}
}
else
{
echo 'Invalid Logins';
}
mysqli_close($conn);
?>
Supposing you have avatar stored in the avatar field in the database:
if ($count == 1)
{
session_start();
$row = mysqli_fetch_array($result);
$_SESSION['username'] = $row['username'];
$_SESSION['avatar'] = $row['avatar'];
header('Location: index.php');
}
else
{
echo 'Invalid Logins';
}