Why can't i block users with banstatus "Banned" from accessing the website? The error now is that the php banned all users from accessing the website even when their banstatus is not banned. Please help to identify the error as i have been trying to solve the error for a long time and couldn't solve it still. Thank you in advance :)
These are my codes:
if(!empty($_POST['username'])){
$username=$_POST['username'];
}
else
{
$username=null;
echo "<font color='red'> Please enter your username! </font></p>";
}
if(!empty($_POST['password'])){
$password= md5($_POST['password']);
}
else
{
$password=null;
echo "<font color='red'> Please enter your password! </font></p>";
}
if ($username && $password) {
$connection = mysql_connect("", "", "", "");
$username = stripslashes($username);
$password = stripslashes($password);
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);
$db = mysql_select_db("", $connection);
$query = mysql_query("SELECT * FROM users WHERE username='$username' and password='$password' and active=1", $connection);
$rows = mysql_num_rows($query);
if ($rows == 1) {
if ($rows['banstatus'] == '') {
session_start();
$_SESSION['username'] = $username;
header("Location:somewhere.php");
}
else{
echo "<br><br><br><b><font color='red'>Your account has been banned. Please contact the administrator.</font></b><br><br>";
}
}
else {
echo "<br><br><br><b><font color='red'> Login is not successful.</font></b><br><br>";
}
mysql_close($connection); // Closing Connection
}
if(!empty($_POST['username'])){
$username=$_POST['username'];
}
else
{
$username=null;
echo "<font color='red'> Please enter your username! </font></p>";
}
if(!empty($_POST['password'])){
$password= md5($_POST['password']);
}
else
{
$password=null;
echo "<font color='red'> Please enter your password! </font></p>";
}
if ($username && $password) {
$connection = new mysqli($your_db_IP_ADDR, $your_db_username, $your_db_pass, $your_db_database_name);
/*$username = stripslashes($username);*/ //if you using mysqli real_escape_string you don't need to stripslashes
/*$password = stripslashes($password);*/ //MD5 is an hash. You don't need to stripslashes it
$username = $connection->real_escape_string($username);
/*$password = $connection->real_escape_string($password)*/ // your $password is an MD5 hash. You don't need to escape it;
$results = $connection->query("SELECT * FROM users WHERE username='$username' and password='$password' and active = 1");
if ($results->num_rows === 1) {
$row = $results->fetch_assoc(); //call it row, it just one
if ($row['banstatus'] === '') {
session_start();
$_SESSION['username'] = $username;
$connection->close(); // Closing Connection also HERE before redirect
header("Location:somewhere.php");
} else {
echo "<br><br><br><b><font color='red'>Your account has been banned. Please contact the administrator.</font></b><br><br>";
}
} else {
echo "<br><br><br><b><font color='red'> Login is not successful.</font></b><br><br>";
}
$mysqli->close();
}
Related
I can't do authorization on the site! I register everything is fine! But he does not want to enter the site! I do not know what to do ! + I use the md5 () function, and my database encrypts everything perfectly, but how to make it enter through this function too? Also not included without this feature, please help !!!
Here is the authorization code:
require("include/connect.php");
if (isset($_SESSION["user_id"])) {
// вывод "Session is set"; // в целях проверки
header("Location: main.php");
}
if (isset($_POST['button-login'])) {
if (!empty($_POST['login']) && !empty($_POST['password_1'])) {
$login = htmlspecialchars($_POST['login']);
$email = htmlspecialchars($_POST['email']);
$password = htmlspecialchars($_POST['password_1']);
$query = mysql_query("SELECT * FROM users WHERE id='" . $login . "' AND password='" . $password . "'");
$numrows = mysql_num_rows($query);
if ($numrows != 0) {
while ($row = mysql_fetch_assoc($query)) {
$dbusername = $row['login'];
$dbpassword = $row['password_1'];
}
if ($login == $dbusername && $password == $dbpassword) {
// старое место расположения
// session_start();
$_SESSION['login'] = $login;
$_SESSION['user_id'] = $login;
header("Location: main.php");
}
} else {
// $message = "Invalid username or password!";
echo "Invalid username or password!";
}
} else {
$message = "All fields are required!";
}
}
Try to convert the $password variable into md5()
$password = md5($password);
after md5() encryption check your username & password condition
if($login == $dbusername && $password == $dbpassword)
Hope this will helps!
I am new to php, I'm trying to link the login page and register page. Once I press the login button it goes directly to the linked page although I enter wrong password.
I tried to solve it by putting mysqlinumrows. The result after login is still in the login page . I've tried to fix it, but can't. I hope someone will help me to reduce my stress by knowing my fault in the code below I attach.
Code:
<?php
session_start();
$_SESSION['message'] = '';
$mysqli=new MySQLi('127.0.0.1','root','','accounts');
if($_SERVER["REQUEST_METHOD"] == "POST") {
if ($_POST['password']== $_POST['confirmpassword']) {
$username = $mysqli->real_escape_string($_POST['username']);
$email = $mysqli->real_escape_string($_POST['email']);
$password = md5($_POST['password']);
$profile_path = $mysqli->real_escape_string('images/'.$_FILES['profile']['name']);
if (preg_match("!image!", $_FILES['profile']['type'])) {
if (copy($_FILES['profile']['tmp_name'],$profile_path)){
$_SESSION['username'] =$username;
$_SESSION['profile'] =$profile_path;
$sql ="INSERT INTO users(username,email,password,profile)"
."VALUES ('$username','$email','$password','$profile_path')";
if($mysqli->query($sql)=== true) {
$_SESSION['message'] = 'Registration successful!
Added $username to the database!';
header("location:RegisterLogin.php");
}
else {
$_SESSION['message'] = "User could not be added to the database!";
}
}
else{
$_SESSION['message'] = "file failed!";
}
}
else {
$_SESSION['message'] = "Please only upload GIF,JPG, or PNG images!";
}
}
else{
$_SESSION['message'] = "two password do not match!";
}
}
?>
(Login Form)
<?php
session_start();
$_SESSION['message']='';
$mysqli=new MySQLi('127.0.0.1','root','','accounts');
if(isset($_POST['username'])) {
$username = $mysqli->real_escape_string($_POST['username']);
$password = md5($_POST['password']);
$sql="SELECT * FROM users WHERE username ='$username' AND password=$password";
$result = mysqli_query($mysqli,$sql);
if(mysqli_affected_rows($result) == 1){
$_SESSION['username'] = $username;
$_SESSION['message'] = "Registration successful!";
header("location:Welcome.php");
}
else{
$_SESSION['message'] = "Login Failed!";
}
}
?>
Correct your select query in login page to $sql="SELECT * FROM users WHERE username ='$username' AND password='$password' "; Add single quotes to password variable
First you must have form tag. try this format
<form action="" method="post">
<input type="text" name="username">
<input type="password" name="password">
<input type="submit" name="login">
</form>
And for your PHP code:
if(isset($_POST['login'])) {
$username = $mysqli->real_escape_string($_POST['username']);
$password = md5($_POST['password']);
$sql="SELECT * FROM users WHERE username ='$username' AND password=$password";
$result = mysqli_query($mysqli,$sql);
if(mysqli_affected_rows($result) == 1){
$_SESSION['username'] = $username;
$_SESSION['message'] = "Registration successful!";
header("location:Welcome.php");
}
else{
$_SESSION['message'] = "Login Failed!";
}
}
If It's not your problem then comment it below. I'll help you.
I'm making a PHP login and it was working before, but I tried to make the username feature case insensitive and the code hasn't worked since. I deleted all of the stuff I added to try and make it case insensitive i.e.strtolower().All that displays on the page is "Please enter a username and password." but I have an html file that is supposed to pop up and dispay the login. Here is the code (I took out the personal database info in the mysql connect area):
<?php
session_start();
$username = $_POST["username"];
$password = $_POST["password"];
if ($username&&$password)
{
$connect = mysql_connect("","","") or die("No Database");
mysql_select_db("") or die("Couldn't find database");
$query = mysql_query("SELECT * FROM login WHERE username='$username'");
$numrows = mysql_num_rows($query);
if($numrows !=0)
{
while ($row = mysql_fetch_assoc($query))
{
$dbusername = $row['username'];
$dbpassword = $row['password'];
}
if ($username==$dbusername&&$password==$dbpassword)
{
echo "Login succesful. <a href='/memberarea.php'>Members</a>";
$_session['username']=$dbusername;
}
else
echo "Incorrect Password";
}
else
die("Username does not exist");
}
else
die("Please enter a username and password.");
?>
I have put mysql_real_escape_string() around your post values to prevent sql injection
Also mysqli is the latest way to connect to mysql database but i have not added that to your code:
session_start();
$username = mysql_real_escape_string($_POST["username"]);
$password = mysql_real_escape_string($_POST["password"]);
if ($username&&$password)
{
$connect = mysql_connect("","","") or die("No Database");
mysql_select_db("") or die("Couldn't find database");
$query = mysql_query("SELECT * FROM login");
while ($row = mysql_fetch_assoc($query))
{
$dbusername = $row['username'];
$dbpassword = $row['password'];
if ($username == $dbusername && $password == $dbpassword)
{
echo "Login succesful. <a href='/memberarea.php'>Members</a>";
$_session['username']=$dbusername;
}
}
else {
echo "Incorrect Password";
}
}
i tried to put username & password dynamically but
It doesnt work with stored username & password in DB and stays on same page....
really depressed.
<?php include "../db/db_connection.php";
$username = $_POST['txt_username'];
$pwd =$_POST["txt_pwd"];
if(empty($username) || $username == ""){
header("location:index.php?err_msg=1");
exit;
}
if(empty($pwd) || $pwd == ""){
header("location:index.php?err_msg=2");
exit;
}
$sql = "SELECT username,password FROM users WHERE username= '$username' and password= '$pwd'";
$result = mysqli_query($con,$sql);
if(mysqli_num_rows($result)==1){
header("location:dashboard.php");
}
else{
header("location:index.php?err_msg=3");
}
if($_REQUEST['txt_username'] == $username && $_REQUEST['txt_pwd'] == $pwd){
$_SESSION['txt_username'];
$_SESSION['txt_pwd'];
header("Location:dashboard.php");
}
else{
header("Location:index.php");
}
?>`
Those lines doesn't nothing..
$_SESSION['txt_username'];
$_SESSION['txt_pwd'];
maybe:
$_SESSION['txt_username'] = $user;
$_SESSION['txt_pwd'] = ...;
?
You can try this, I am not sure if this is exactly what you are looking for...
<?php session_start();
$username = $_POST['txt_username'];
$pwd =$_POST["txt_pwd"];
if(empty($username) || $username == ""){
header("location:index.php?err_msg=1");
exit;
}
if(empty($pwd) || $pwd == ""){
header("location:index.php?err_msg=2");
exit;
}
$sql = "SELECT username,password FROM users WHERE username= '$username' and password= '$pwd'";
$result = mysqli_query($con,$sql);
if(mysqli_num_rows($result)==1){
$_SESSION['txt_username'] = $username;
$_SESSION['txt_pwd'] = $pwd;
header("location:dashboard.php");
}
else{
header("location:index.php?err_msg=3");
}
header("Location:index.php"); // if it stays on the same page remove this line
?>
I restructured your code to look more clean.
Also I suggest you to avoid using mysql and start using mysqli (or PDO) to avoid SQL injection attacks.
<?php session_start();
if(isset($_SESSION['txt_username']) && !empty($_SESSION['txt_username'])) {
//If we enter here the user has already logged in
header("Location:dashboard.php");
exit;
}
if(!isset($_POST['txt_username'])) {
header("location:index.php?err_msg=1");
exit;
}
else if(!isset($_POST["txt_pwd"])) {
header("location:index.php?err_msg=2");
exit;
}
$username = $_POST['txt_username'];
$pwd = $_POST["txt_pwd"];
//We use MYSQL with prepared statements BECAUSE MYSQL IS DEPRECATED
$mysqli = new mysqli('localhost', 'my_bd_user', 'mi_bd_password', 'my_bd');
$sql = "SELECT 1 FROM users WHERE username= ? and password = ?";
$stmt = $mysql->prepare($sql);
$stmt->bind_param("ss", $username, $password);
$stmt->execute();
$stmt->bind_result($result);
$stmt->fetch();
if(!empty($result)) {
//IF we enter here user exists with that username and password
$_SESSION['txt_username'] = $username;
header("location:dashboard.php");
exit;
}
else{
header("location:index.php?err_msg=3");
}
Try it.
I checked your code and found everything is correct .I wold like you to add connection file on this.
Like
$username = "root";
$password = "password";//your db password
$hostname = "localhost";
//connection to the database
$dbhandle = mysql_connect($hostname, $username, $password)
or die("Unable to connect to MySQL");
//select a database to work with
$selected = mysql_select_db("db name",$dbhandle)
or die("Could not select Database");
Thanks
Try below code :
i have reviewed and changed your code :
<?php session_start();
mysqli_connect("locahost","username","password");
mysqli_select_db("database_name");
$username = trim($_POST['txt_username']);
$pwd = trim($_POST["txt_pwd"]);
if($username == ''){
header("location:index.php?err_msg=1");
exit;
}
if($pwd == ""){
header("location:index.php?err_msg=2");
exit;
}
$sql = "SELECT `username`,`password` FROM users WHERE `username`= '".$username."' and password= '".$pwd."'";
$result = mysqli_query($sql);
if(mysqli_num_rows($result)>0){
$_SESSION['txt_username'] = $username;
$_SESSION['txt_pwd'] = $pwd;
header("location:dashboard.php");
}
else{
header("location:index.php?err_msg=3");
}
?>
I have the following code:
session_start ();
include 'core/init.php';
$username = '';
$password = '';
$dbusername = '';
$dbpassword = '';
if (isset($_POST['Email']) && isset($_POST['Password']))
{
$username = $_POST['Email'];
$password = md5($_POST['Password']);
$query = mysql_query("SELECT * FROM member WHERE Email ='$username' AND Password='$password'");
$numrow = mysql_num_rows ($query);
// user login
if ($numrow!=0)
{
while ($row = mysql_fetch_assoc($query))
{
$dbusername = $row['Email'];
$dbpassword = $row['Password'];
}
//Check to see if they match
if ($username==$dbusername&&$password==$dbpassword)
{
$_SESSION ['Email']=$username;
header('Location: member.php?username='.$username);
}
}
else
{
// admin login
$query2 = mysql_query("SELECT * FROM admin WHERE Email ='$username' AND Password ='$password'");
$numrow2 = mysql_num_rows ($query2);
if ($numrow2!=0)
{
while ($row = mysql_fetch_assoc($query2))
{
$dbusername = $row['Email'];
$dbpassword = $row['Password'];
}
//Check to see if they match
if ($username==$dbusername&&$password==$dbpassword)
{
$_SESSION ['Email']=$username;
header("Location: admin.php");
}else{
if (empty ($username) === true|| empty($password) === true) {
echo "Please enter a username and password";
} else if ($username!=$dbusername){
echo "That user does not exist! Have you registered?";
} else if ($username=$dbusername&&$password!=$dbpassword) {
echo "Incorrect password";
}
}
}
}
}
But if a user logs in incorrectly, none of the error messages are displaying, just a blank page, I think its my curly brackets but no matter how many times i change them i either make it worse or nothing at all. Can anyone tell me what im doing wrong?
Check out:
if (empty ($username) === true|| empty($password) === true) {
echo "Please enter a username and password";
} else if ($username!=$dbusername){
echo "That user does not exist! Have you registered?";
} else if ($username=$dbusername&&$password!=$dbpassword) {
echo "Incorrect password";
}
}
This section which includes login errors is found in the " admin login " section, therefore no error is seen when a non-admin user login fails.
Your select statement is already ensuring that the provided username and password match what is in the database. There is no need to do a second comparison in PHP. Your code could just be the following:
if (isset($_POST['Email']) && isset($_POST['Password']))
{
$username = $_POST['Email'];
$password = md5($_POST['Password']);
$query = mysql_query("SELECT * FROM member WHERE Email ='$username' AND Password='$password'");
if(mysql_num_rows($query) == 1)
{
$_SESSION['Email'] = $username;
header('location: member.php?username='.$username);
}
else
{
// try admin login
$query2 = mysql_query("SELECT * FROM admin WHERE Email ='$username' AND Password ='$password'");
if(mysql_num_rows($query2) == 1)
{
$_SESSION['Email'] = $username;
header("location: admin.php");
}
else
{
echo "Failed Login Attempt";
}
}
}
Since your query only returns records where the username and password match, there is NO way you will ever get a result back where the username matches but the password didn't, so your conditional check you do near the end of your admin login will NEVER occur.
As a side-note, it would be bad form to inform the user that the username was correct but password wasn't, or visa versa. This is a security issue and could make it easier for a malicious user to more easily gain access. This is besides the point though, so please only take this suggestion as personal advice and not directed at your question.
$query = mysql_query("SELECT * FROM member WHERE Email ='$username' AND Password='$password'");
if(mysql_num_rows($query) == 0){
echo 'You have entered wrong username/password'; }else {
// you can continue with your query below.