I am trying to reset password but after I submit new password it takes me back to login without changing it. I think this happens because it doesn't remember the email and token. It shows me the form but after I click submit doesn't do anything.
Code:
<?php
if (isset($_GET['email']) && isset($_GET['token'])) {
include('databaze.php');
$conn = new mysqli($servername, $username, $password, $dbname);
$email = $conn->real_escape_string($_GET['email']);
$token = $conn->real_escape_string($_GET['token']);
$data = $conn->query("SELECT did FROM tbldoc WHERE email='$email' AND
token='$token'");
if ($data->num_rows > 0) {
include('reset-form.php');
if (isset($_POST['resetPass'])) {
$password = $_POST["password"];
$password_conf = $_POST['password-conf'];
$email = $_POST["email"];
$token = $_POST["token"];
if (empty($password) || empty($password_conf)) {
echo "<br><br>Fill the form";
} elseif ($password !== $password_conf) {
echo "<br><br>Password doesn't match Password Confirmation";
}
$password = md5($password);
$conn->query("UPDATE tbldoc SET hashedpwd='$password', token='' WHERE email='$email'");
}
} else {
echo "Please check your link!";
}
} else {
header("Location: login.php");
exit();
}
?>
form:
<form method="post" action="resetpassword.php" class="form-signin">
<h2 class="form-signin-heading">Reset Password</h2>
Password <input type="password" class="form-control" name="password" placeholder="Password">
<br>
Password Confirmation <input type="password" class="form-control" name="password-conf"
placeholder="Password Confirmation">
<br>
<input type="hidden" class="form-control" name="email" value="<?php echo $email;?>">
<input type="hidden" class="form-control" name="token" value="<?php echo $token;?>">
<input type="submit" class="btn btn-lg btn-primary btn-block" name="resetPass" value="Reset your Password">
Could you help me?
Your form is type POST and you are expecting GET
isset($_POST['email']) && isset($_POST['token'])
Could be?
May be because of this line, your SQL is not able to search email
$email = $conn->real_escape_string($_GET['email']);
Add this to your form. It will remember the email and token:
<input type="hidden" name="email" value="<?php echo #$email; ?>">
<input type="hidden" name="token" value="<?php echo #$token; ?>">
Your form method is POST and you are checking the data in GET. So every time else part will be called. change this line in your code
if (isset($_GET['email']) && isset($_GET['token'])) {
with
if (isset($_POST['email']) && isset($_POST['token'])) {
Your form action is post method so you need to check the condition as
if (isset($_POST['email']) && isset($_POST['token']))
This is full code. you use some place GET and some place POST method so it will work for POST method...
<?php
if (isset($_POST['email']) && isset($_POST['token'])) {
include('databaze.php');
$conn = new mysqli($servername, $username, $password, $dbname);
$email = $conn->real_escape_string($_POST['email']);
$token = $conn->real_escape_string($_POST['token']);
$data = $conn->query("SELECT did FROM tbldoc WHERE email='$email' AND
token='$token'");
if ($data->num_rows > 0) {
include('reset-form.php');
if (isset($_POST['resetPass'])) {
$password = $_POST["password"];
$password_conf = $_POST['password-conf'];
$email = $_POST["email"];
$token = $_POST["token"];
if (empty($password) || empty($password_conf)) {
echo "<br><br>Fill the form";
} elseif ($password !== $password_conf) {
echo "<br><br>Password doesn't match Password Confirmation";
}
$password = md5($password);
$conn->query("UPDATE tbldoc SET hashedpwd='$password', token='' WHERE email='$email'");
}
} else {
echo "Please check your link!";
}
} else {
header("Location: login.php");
exit();
}
?>
or change your form like <form method="GET" action="resetpassword.php" class="form-signin">
Related
I am creating a login form for a website that should redirect the user to the index page after they log in. The problem I'm having is that when I enter the details for logging in, it runs the error part of the code and I can't seem to figure out where I went wrong. I have gone through my code and even physically compared both the passwords and username and they match. Please help me with where I went wrong.
config.php
<?php
session_start();
$host = 'localhost';
$host_user = 'root';
$host_pass = '';
$db_name = 'the_dms_db';
$conn = mysqli_connect($host, $host_user, $host_pass, $db_name);
if (!$conn) {
echo 'Could not connect to the database';
}
$name = '';
$surname = '';
$username = '';
$email = '';
$errors = array();
if (isset($_POST['register_user'])) {
// receive inputs
$name = mysqli_real_escape_string($conn, $_POST['name']);
$surname = mysqli_real_escape_string($conn, $_POST['surname']);
$username = mysqli_real_escape_string($conn, $_POST['username']);
$email = mysqli_real_escape_string($conn, $_POST['email']);
$password = mysqli_real_escape_string($conn, $_POST['password']);
$c_password = mysqli_real_escape_string($conn, $_POST['c_password']);
// form validation that it is filled correctly
if (empty($name)) {
array_push($errors, "Name is required");
}
if (empty($surname)) {
array_push($errors, "Surname is required");
}
if (empty($username)) {
array_push($errors, "Username is required");
}
if (empty($email)) {
array_push($errors, "Email is required");
}
if (empty($password)) {
array_push($errors, "Password is required");
}
if ($password != $c_password) {
array_push($errors, "Passwords to not match");
}
// check database to see if user exists
$user_check_query = "SELECT * FROM users WHERE username='$username' OR email = '$email' LIMIT 1";
$result = mysqli_query($conn, $user_check_query);
$user = mysqli_fetch_assoc($result);
if ($user) {
if ($user['username'] === $username) {
array_push($errors, 'Username already exists');
}
if ($user['email'] === $email) {
array_push($errors, 'Email already exists');
}
}
// register user if no errors
$pass_hash = password_hash($password, PASSWORD_BCRYPT);
if (count($errors) == 0) {
$query = "INSERT INTO users (name, surname, username, email, password) VALUES ('$name', '$surname', '$username', '$email', '$pass_hash')";
mysqli_query($conn, $query);
$_SESSION['username'] = $username;
$_SESSION['success'] = 'You are now logged in!';
header('location: ./index.php');
}
}
if (isset($_POST['login_user'])) {
$username = mysqli_real_escape_string($conn, $_POST['username']);
$password = mysqli_real_escape_string($conn, $_POST['password']);
if (empty($username)) {
array_push($errors, 'Username is required');
}
if (empty($password)) {
array_push($errors, 'Password is required');
}
if (count($errors) == 0) {
$password = password_hash($password, PASSWORD_BCRYPT);
$query = "SELECT * FROM users WHERE username='$username' AND password='$password'";
$results = mysqli_query($conn, $query);
if (mysqli_num_rows($results) == 0) {
$_SESSION['username'] = $username;
$_SESSION['success'] = 'You are now logged in!';
header('location: ./index.php');
} else {
array_push($errors, 'Wrong username/password');
}
}
}
signin.php
<?php
require_once './header.php';
include_once './config.php';
?>
<link rel="stylesheet" href="/assets/css/style.css">
<section class="sign-in-section">
<div class="container">
<div class="form-area ">
<h1>Sign In</h1>
<form action="./signin.php" class="signin-form" method="POST">
<?php include './errors.php'; ?>
<section class="input-sections">
<input type="text" class="inputs form-control" name="username" id="username" placeholder="Username or Email">
<input type="password" class="inputs form-control" name="password" id="password" placeholder="Password">
<button type="submit" class="btn-form btn signin-btn" name="login_user" id="login_user">Sign in</button>
</section>
</form>
Not yet a member? Register here!
</div>
</div>
</section>
signup.php
<?php
include './config.php';
require_once './header.php';
?>
<link rel="stylesheet" href="/assets/css/style.css">
<section class="sign-in-section">
<div class="container">
<div class="form-area ">
<h1>Sign up</h1>
<form action="signup.php" class="signup-form" method="post">
<?php include './errors.php' ?>
<section class="input-sections">
<input type="text" class="inputs form-control" name="name" id="name" placeholder="Name" value="<?php echo $name ?>">
<input type="text" class="inputs form-control" name="surname" id="surname" placeholder="Surname" value="<?php echo $surname ?>">
<input type="text" class="inputs form-control" name="username" id="username" placeholder="Username" value="<?php echo $username ?>">
<input type="text" class="inputs form-control" name="email" id="email" placeholder="Email" value="<?php echo $email ?>">
<input type="password" class="inputs form-control" name="password" id="password" placeholder="Password">
<input type="password" class="inputs form-control" name="c_password" id="c_password" placeholder="Confirm Password">
<button type="submit" class="btn-form btn register-btn" name="register_user" id="register">Register</button>
</section>
</form>
Already have an account? Sing in here!
</div>
</div>
</section>
errors.php
<?php if (count($errors) > 0) : ?>
<div class="error">
<?php foreach ($errors as $error) : ?>
<p><?php echo $error ?></p>
<?php endforeach ?>
</div>
<?php endif ?>
Shouldn't the returned result have 1 row rather than 0 rows, if it's a match?
Change this
if (mysqli_num_rows($results) == 0)
To this
if (mysqli_num_rows($results) >= 1)
If you ignore the vulnerabilities within the sql statements you should analyse the following to see where you were going astray with the approach above. Using password_hash will generate a new hash on each invocation - so the hashed password will never ( hopefully ) match a newly generated hash. You need to use password_verify instead.
define('BR','<br />');
$password=$_POST['password'];
$query = "SELECT `password` FROM `users` WHERE `username`='$username' LIMIT 1";
$results = mysqli_query( $conn, $query );
$rs=mysqli_fetch_assoc( $results );
if( password_verify( $password, $rs['password'] ) ){
/* OK - The user supplied a good username/password combo */
}else{
/* Bad Foo!!! The supplied password did not verify against the stored hash */
}
If you consider
$pwd='banana';
echo password_hash($pwd,PASSWORD_DEFAULT) . BR;
echo password_hash($pwd,PASSWORD_DEFAULT) . BR;
echo password_hash($pwd,PASSWORD_DEFAULT) . BR;
you will likely see results similar to:
$2y$10$7a4Cvzn51eYa3EJKary8zemJn4/GiFA.2fqYQrwd6QrRORIk552Wm
$2y$10$E5.28SSkQo2lZv11zilkBO1L35umAFzr5Zr2yKScX4nDgFkN.kTbK
$2y$10$HEzHOFT/7V972XDEB9uzRuU/dxHxRnSXs64wu1qdahJs2CSp3wwD6
As you can see they are all different...
The PHP script supposed to receive two variables : username and password but it doesn't do that and it always "echo" : "missing input".
I tried to echo the two variables but nothing was echoed, which i think means that they are not initialized.
This is the script:
require_once ('connect.php');
$username= $_POST['username'];
$password= $_POST['password'];
if(isset($_POST['username']) && isset($_POST['password'])) {
if(!empty($username) && !empty($password)) {
$query = "Select * from merchant where username='$username' and password = '$password' ";
$r = mysqli_query($con, $query);
if(mysqli_query($con,$query)) {
echo "Welcome";
mysqli_close($con);
}
else {
echo "Wrong password or username";
mysqli_close($con);
}
}
else {
echo "you must type both inputs";
}
}
else {
echo "missing input";
}
I tried sending the post data using Postman and via HTML page but both returned the same thing: "missing input"
This is the HTML i used
<form action="mlog.php" method="post">
<input type="textbox" name="username" value="username" />
<input type="textbox" name="password" value="password" />
<input type="submit" name="login" value="submit" />
</form>
its <input type="text">
<form action="mlog.php" method="post">
<input type="text" name="username" value="username" />
<input type="text" name="password" value="password" />
<input type="submit" name="login" value="submit" />
</form>
Check if the login button was clicked, then check if the username and password are not empty then assign the vars to them if not.
<?php
if(!empty($_POST['username']) && !empty($_POST['password'])) {
$username= $_POST['username'];
$password= $_POST['password'];
$query = "Select * from merchant where username='$username' and password = '$password' ";
$r = mysqli_query($con, $query);
if($r) {
echo "Welcome";
//redirect
}
else {
echo "Wrong password or username";
mysqli_close($con);
}
}
else {
echo "you must type both inputs";
}
}
?>
I have already created a successfull login form that is connected to a database to determine whether or not a login is correct. But i would like to update this so that if an incorrect username or password is entered they will get an error message. Im just not to sure how to implement that into my existing code?...
my user login page:
<form action="../login.php" method="post">
<label for="login-username"><i class="icon-user"></i> <b>Username</b> </label><br/>
<input class="form-control" type="text" name="username">
<br/>
<label for="login-password"><i class="icon-lock"></i> <b>Password</b> </label> <br/>
<input class="form-control" type="password" name="password">
<br/>
<button type="submit" class="btn pull-right">Login</button>
</form>
<?php
if (isset($_SESSION['username'])){
if($_SESSION['logged_in'] = 1){
echo ('Logged in as: '. $_SESSION['username'].' '.$_SESSION['surname']).'<br>Log out';
}
}
?>
and the login.php it is posting to:
<?php
session_start();
$servername = "localhost";
$username = "root";
$password = "";
$dbname = "gpdb";
$conn = new mysqli($servername, $username, $password, $dbname);
if ($conn->connect_error) {
die("connection failed: " . $conn->connect_error);
}
//echo "connection successful";
$username = $_POST['username'];
$password = $_POST['password'];
$sql = "SELECT * FROM patients where Username ='$username' and Password ='$password'";
$result = $conn->query($sql);
$admin_user = 'admin';
$admin_password = 'admin1';
if ($result->num_rows > 0) {
if ($username === $admin_user || $password === $admin_password ){
foreach($result as $row) {
//echo "PatientID " .$row["PatientID"]."<br>". "First name and Last name: " . $row["Firstname"]. " ".$row["Surname"]. "<br/>";
$_SESSION['id'] = $row["PatientID"];
$_SESSION['username'] = $row["Firstname"];
$_SESSION['surname'] = $row["Surname"];
$_SESSION['logged_in'] = 2;
header("location: http://localhost/index.php");
die;
}
}else{
foreach($result as $row) {
$_SESSION['id'] = $row["PatientID"];
$_SESSION['username'] = $row["Firstname"];
$_SESSION['surname'] = $row["Surname"];
$_SESSION['logged_in'] = 1;
header("location: http://localhost/index.php");
die;
}
}
}else{
$_SESSION['logged_in'] = 0;
header("location: http://localhost/user.php");
die;
}
?>
<?php
if ($result->num_rows > 0){
header("location: http://localhost/index.php");
}else{
echo "Wrong Username or Password <br />".
'Go back...';
}
?>
You may also create a login_failure.php page and in the else part redirect the user to that page. OR another approach is to pass the value of failure message
header("location: http://localhost/user.php?msg = 1");
and display the message at the top of login box. Get the value of 'msg' in user.php page and apply if condition to display the message.
<div><?php
$msg = $_GET['msg'];
if (isset($msg)) { echo "Wrong username/password"; } ?> </div>
<form action="../login.php" method="post">
<label for="login-username"><i class="icon-user"></i> <b>Username</b> </label><br/>
<input class="form-control" type="text" name="username">
<br/>
<label for="login-password"><i class="icon-lock"></i> <b>Password</b> </label> <br/>
<input class="form-control" type="password" name="password">
<br/>
<button type="submit" class="btn pull-right">Login</button>
</form>
<html>
<div class="panel-body">
<form method="post" action="index.php">
<div class="form-group">
<input class="form-control" placeholder="username" name="username" type="text" autofocus>
</div>
<div class="form-group">
<input class="form-control" placeholder="password" name="password" type="password" value="">
</div>
<input type='submit' name="submit" value='Login'>
</form>
<?php
if(isset($_POST['submit']))
{
$username = sanitize($_POST['username']);
$password = sanitize($_POST['password']);
if($username && $password)
{
$query = mysql_query("SELECT Name, Password FROM users WHERE Name = '$username' LIMIT 1");
if(mysql_num_rows($query) == 1)
{
while($row = mysql_fetch_assoc($query))
{
$dbusername = $row['Name'];
$dbpassword = $row['Password'];
}
$somename = hash( 'whirlpool', $password);
$somename = strtoupper($somename);
if($username == $dbusername && $somename == $dbpassword)
{
$_SESSION['username'] = $dbusername;
header('location: /pcp/home.php');
}
else $error = "Wrong password!";
}
else $error = "Username doesn't exist!";
}
else $error = "Type name and password!";
}
?>
</div>
</html>
When I submit the button with correct password and user, it doesn't go to home.php but when I reload, it goes.
It's using bootstrap, is this the reason why? If so or not, could you help me fix it.
If you want to add your php code together with form elements, you need to write
<form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>" >
or not. Simply separate form page & php page.
It means that
index.php
<html>
<div class="panel-body">
<form method="post" action="check.php">
<div class="form-group">
<input class="form-control" placeholder="username" name="username" type="text" autofocus>
</div>
<div class="form-group">
<input class="form-control" placeholder="password" name="password" type="password" value="">
</div>
<input type='submit' name="submit" value='Login'>
</form>
</div>
</html>
ckeck.php
<?php
if(isset($_POST['submit']))
{
$username = sanitize($_POST['username']);
$password = sanitize($_POST['password']);
if($username && $password)
{
$query = mysql_query("SELECT Name, Password FROM users WHERE Name = '$username' LIMIT 1");
if(mysql_num_rows($query) == 1)
{
while($row = mysql_fetch_assoc($query))
{
$dbusername = $row['Name'];
$dbpassword = $row['Password'];
}
$somename = hash( 'whirlpool', $password);
$somename = strtoupper($somename);
if($username == $dbusername && $somename == $dbpassword)
{
$_SESSION['username'] = $dbusername;
header('location: /pcp/home.php');
}
else $error = "Wrong password!";
}
else $error = "Username doesn't exist!";
}
else $error = "Type name and password!";
}
?>
I'm kinda' beginner and I've coded my own PHP login from Zero, but I still got some errors, here's the code:
<?php
include 'connection.php';
$query = " SELECT * FROM admin";
$result = mysql_query($query) or die(mysql_error());
?>
<form action="<?php echo $_SERVER['SELF_PHP']; ?>" method="post">
Username : <input type="text" name="usernameInput" value="" />
Password : <input type="password" name="passwordInput" value="" />
<input type="submit" value="Login" />
</form>
<?php
$username = $_POST['usernameInput'];
$password = $_POST['passwordInput'];
if ($username = $result['username']) {
if ($password = $result['password']){
header('Location: admin.php');
} else {
echo "PASSWORD IS INCORRECT";
}
} else {
echo "USERNAME IS INCORRECT";
}
?>
So if you can fix this or got an easier way from PHP login from please tell me. :)
A few things...
Don't use mysql functions
You need to use == to compare strings, not =
You need to actually fetch the results of your query
include 'connection.php';
$query = " SELECT * FROM admin";
$result = mysql_query($query) or die(mysql_error());
$row = mysql_fetch_row($result); /* add this */
?>
<form action="<?php echo $_SERVER['SELF_PHP']; ?>" method="post">
Username : <input type="text" name="usernameInput" value="" />
Password : <input type="password" name="passwordInput" value="" />
<input type="submit" value="Login" />
</form>
<?php
if(isset($_POST['usernameInput']) && isset($_POST['passwordInput'])){
$username = $_POST['usernameInput'];
$password = $_POST['passwordInput'];
}
else{
echo 'some error ...';
}
if($username == $row ['username'] && $password == $row ['password']){
header('Location: admin.php');
}
else{
echo ' username or password is wrong';
}
?>
I have to point out that you are sending the same form over and over without first checking the post. And when you send the form, you will not be able to send the header to redirect, because html is started and headers are sent already.
Mysql functions are deprecated, please use mysqli interface.
Among other several bugs like assignment = instead of is equal ==
Try it this way:
If no post exists send the form else check and if ok redirect or not ok. resend the form
<?php
if($_POST){
include 'connection.php';
$query = " SELECT * FROM admin";
$r = mysql_query($query) or die(mysql_error());
// get an associated array from query result resource.
$result = mysql_fetch_assoc($r);
$username = $_POST['usernameInput'];
$password = $_POST['passwordInput'];
if ( ($username == $result['username'])
&& ($password == $result['password'])){
header('Location: admin.php');
exit(0);
} else {
echo "PASSWORD IS INCORRECT";
}
}
?>
<form action="<?php echo $_SERVER['SELF_PHP']; ?>" method="post">
Username : <input type="text" name="usernameInput" value="" />
Password : <input type="password" name="passwordInput" value="" />
<input type="submit" value="Login" />
</form>
<?php
?>