Good day, while doing my project, I did stuck on Login page.
This might be really trivial question or maybe even duplicate, but I can't find any solution online.
For some reason, my php script simply skips my login form and keeps making session and redirecting to index.php.
Here is my php script, for checking if email and password exist in databse:
if(isset($_POST['login'])) {
require 'connect.php';
$email = $_POST['email'];
$password = $_POST['password'];
$select_userdata = "select * from users where password ='$password' AND email = '$email'";
$run_check = mysqli_query($dbconfig, $select_userdata);
$check_user = mysqli_num_rows($run_check);
/**Error part**/
if ($check_user == 0) {
echo "<script>alert('Password or email is incorrect')</script>";
echo "<script>window.open('login.php','_self')</script>";
} else {
$_SESSION['email'] = $email;
echo "<script>alert ('You Have Been Logged in')</script>";
header('Location: index.php');
exit;
}
}
if(isset($_GET['logout'])) {
unset($_SESSION['email']);
}
For some reason, script does not care, if I have email and password in database or not. It "pretends" that there is such email address and password, and skips to $_SESSION['email'] = $email;
My question is, what am I doing wrong, and how do I fix it?
Problem is in your logic not your code. $check_user is 0 or more there is no difference for your code. it always reach the $_SESSION['email'] = $email; line.
Try this:
<?php
session_start();
include'functions/dbconfig.php';
if(isset($_POST['login'])) {
require 'functions/connect.php';
$email = $_POST['email'];
$password = md5($_POST['password']);
$select_userdata = "select * from users where password ='$password' AND email = '$email'";
$run_check = mysqli_query($dbconfig, $select_userdata);
$check_user = mysqli_num_rows($run_check);
if ($check_user == 0)
{
echo "<script>alert('Password or email is incorrect')</script>";
echo "<script>window.open('login.php','_self')</script>";
}
else
{
$_SESSION['email'] = $email;
echo "<script>alert ('You Have Been Logged in')</script>";
header('Location: index.php');
exit;
}
}
if(isset($_GET['logout'])) {
unset($_SESSION['email']);
}
?>
Related
After several cross checks, I created another account to be sure of the error, I am using password_hash with PASSWORD_DEFAULT algorithm. I am not sure where in my code I am not getting, but if I enter a wrong Email I get a different error message for the Email. Your assistance will be greatly appreciated.
<?php
$email_err = $password_err = $login_err = "";
//if user click login button
if(isset($_POST['login'])){
$Email = mysqli_real_escape_string($tie_in, $_POST['email']);
$Password = mysqli_real_escape_string($tie_in, $_POST['Password']);
$check_email = "SELECT * FROM accounts WHERE email = '$Email'";
$res = mysqli_query($tie_in, $check_email);
if(mysqli_num_rows($res) > 0){
$fetch = mysqli_fetch_assoc($res);
$fetch_pass = $fetch['password'];
if(password_verify($Password, $fetch_pass)){
$_SESSION['email'] = $Email;
$status = $fetch['status'];
if($status == 'verified'){
$_SESSION['email'] = $Email;
$_SESSION['Password'] = $Password;
header('location: index.html');
}else{
$info = "This account haven't been verified yet! - $email";
$_SESSION['info'] = $info;
header('location: verifying.php');
}
}else{
$login_err = "Incorrect Password!";
}
}else{
$login_err = "This account is not yet registered, Click on the bottom link to signup.";
}
}
?>
I have been working for 2 days on a login and authentication system in PHP. For my logic it should be perfect, but I have problems as usual.
Here is the code:
<?php
ob_start();
session_start();
include "../navbar.php";
require_once '../database-connection.php';
include "../login.html";
if (isset($_SESSION['session_id'])) {
header('Location: ../index.php');
exit;
}
if (isset($_POST['login'])) {
$email = $_POST['email'] ?? '';
$password = $_POST['password'] ?? '';
$query = "
SELECT email, password
FROM users
WHERE email = :email
";
$check = $pdo->prepare($query);
$check->bindParam(':email', $email, PDO::PARAM_STR);
$check->execute();
$user = $check->fetch(PDO::FETCH_ASSOC);
if ($email == $user['email']) {
if (password_verify($password, $user['password'])) {
session_regenerate_id();
$_SESSION['session_id'] = session_id();
$sql = "
SELECT username, id FROM users
WHERE email = :email";
$check = $pdo->prepare($sql);
$check->bindParam(':email', $email);
$check->execute();
$user = $check->fetch();
$_SESSION['session_user'] = $user['username'];
$_SESSION['email'] = $email;
$_SESSION['user_id'] = $user['id'];
header('Location: ../index.php');
exit;
} else {
$msg = "Wrong Password";
}
} else {
$msg = "Wrong Email";
}
printf($msg, 'back');
}
The system works, it allows me to authenticate the users registered in the database, but I don't understand why the $msg variable that I use for errors is not printed.
Or better any echo that I put in any part of the listing is not printed.
I can't print anything anywhere. It looks like the program just hangs after the first few includes, yet it lets me authenticate.
(Yes guys I debug by printing the echo to understand up where the scripts work!)
I have recently used a tutorial from http://tutsforweb.blogspot.co.uk/2012/05/registration-system-with-email.html. I have added a new field in my user table called 'com_code' as stated and defined the default as NULL.
Both confirm.php and registeraction.php work as the passkey variable is inserted into the com_code field in the database when a user registers, and when they click on the verify link in the email they have been sent, the com_code field is then set to NULL.
My problem is when this user logs in, a blank page appears ( with the url stuck at loginaction.php where I process the form). Any ideas where I have gone wrong in my loginaction.php code? I am new to PHP so as much explanation as possible would be great!!
loginaction.php
<?php require 'config/init.php';
// Get the data collected from the user and database
$email = trim($_POST["email"]);
$password = trim($_POST["password"]);
//Check for errors
if (empty($email) or empty($password)) {
$_SESSION["message"] = "Must enter Email and Password ";
header("Location: login.php"); //Redirection information
exit ;//Ends the script
}
$email = strip_tags($email);
$password = strip_tags($password);
$pwd = $_POST["password"];
$sql = "SELECT * FROM user WHERE email='$email' AND com_code is NULL";
$result = mysqli_query($mysqli,$sql)or die(mysqli_error());
if ($result->num_rows === 1) {
$row = $result->fetch_array(MYSQLI_ASSOC);
if (password_verify($pwd, $row['password'])) {
$_SESSION["authenticatedUserEmail"] = $email;
$_SESSION["unauthenticatedAdmin"] = $_SESSION['usertype'] == '0';
//We could also use information drawn from the database eg ID
$_SESSION['id'] = $row['id'];
$_SESSION['first_name'] = $row['first_name'];
$_SESSION['last_name'] = $row['last_name'];
$_SESSION['password'] = $row['password'];
$_SESSION['username'] = $row['username'];
$_SESSION['usertype'] = $row['usertype'];
$_SESSION['email'] = $row['email'];
if ($_SESSION['usertype'] == '1') {
header("Location: admin.php");
} else {
header("Location: profile.php");
}
}
else {
//Login was unsuccessful
$_SESSION["message"] = "Could not login as $email";
header("Location: login.php"); //Go back to the login pages
}
}//End else
?>
I've looked at lots of answers to redirect to a different page after submitting a form, but haven't been able to get it to work thus far, probably because I have no idea where to actually put the code. Can anyone help? The rest of this code is working fine, i just need to know where to place header():
<?php
session_start();
$username = $_POST['username'];
$password = $_POST['password'];
//connects to database, checks username & password against database to see is user exists
if($username && $password)
{
include ("connect.php");
$query = mysql_query("SELECT * FROM users WHERE username='$username'");
$numrows = mysql_num_rows($query);
if($numrows !==0)
{
while($row = mysql_fetch_assoc($query))
{
$dbusername = $row['username'];
$dbpassword = $row['password'];
}
//if username and password are correct
if($username==$dbusername&&md5($password)==$dbpassword)
{
echo "You are logged in. <a href='main.php'>Continue to site.</a>";
$_SESSION['username'] = $username;
}
//if password is incorrect
else
echo "Your password is incorrect.";
}
//if username is incorrect
else
die("Username does not exist.");
}
//if no information is submitted
else
die("Please enter your login details.");
//prevents errors from displaying on page
error_reporting(0);
?>
I also need to know where it goes for this page:
<?php
//Check if register button was pressed
$button = $_POST['button'];
//if button was pressed,
if ($button)
{
//get data from form,
$username = $_POST['username'];
$password = $_POST['password'];
$retype_password = $_POST['retype_password'];
$first_name = $_POST['first_name'];
$last_name = $_POST['last_name'];
}
//check if all information has been entered,
if ($username && $password && $retype_password && $first_name && $last_name)
{
//check if password and retype_password are the same
if($password==$retype_password)
{
//check if username already exists
include("connect.php");
$query = mysql_query("SELECT * FROM users WHERE username = '$username'");
$numrows = mysql_num_rows($query);
if($numrows == 0)
{
//encrypt password
$password = md5($password);
//sends data from form to database - creates new user
$register = mysql_query("INSERT INTO users VALUES ('', '$username', '$password', '$first_name', '$last_name')");
echo "You are now registered. <a href='main.php'>Continue to site.</a>";
}
else
echo "Username is unavailable.";
}
else
echo "Password did not match.";
}
//prevents errors from displaying on page
error_reporting(0);
?>
Thanks in advance!
if($username==$dbusername&&md5($password)==$dbpassword)
{
$_SESSION['username'] = $username;
header( 'Location: http://www.yoursite.com/new_page.html' ) ;
}
You should put it once the job is done : that is after
//echo "You are logged in. <a href='main.php'>Continue to site.</a>";
$_SESSION['username'] = $username;
header('Location: your url');
exit;
Don't forget the "exit" or what follow will be executed.
That said, you cannot echo something before a doing redirection, that's logical because the echo can't be seen.
So, either you do not echo :
$_SESSION['username'] = $username;
header('Location: your url');
exit;
Or you do a HTML (or javascript) redirection, with a 5 seconds delay:
echo "You are logged in. <a href='main.php'>Continue to site.</a>";
$_SESSION['username'] = $username;
exit;
In which case you have to put it in the < head > section, to do the HTML redirection:
<meta http-equiv="refresh" content="0; url=http://example.com/main.php" />
Also
error_reporting(0);
Should be put at the beginning of the page, unless you want errors for previous lines to be shown.
BUT : error_reporting(0); should NEVER be used on a development site (and always on a production site).
You should turn on display_errors('on') and error_reporting(E_ALL) to see errors - errors are very useful for a developer.
I have the following code:
session_start ();
include 'core/init.php';
$username = '';
$password = '';
$dbusername = '';
$dbpassword = '';
if (isset($_POST['Email']) && isset($_POST['Password']))
{
$username = $_POST['Email'];
$password = md5($_POST['Password']);
$query = mysql_query("SELECT * FROM member WHERE Email ='$username' AND Password='$password'");
$numrow = mysql_num_rows ($query);
// user login
if ($numrow!=0)
{
while ($row = mysql_fetch_assoc($query))
{
$dbusername = $row['Email'];
$dbpassword = $row['Password'];
}
//Check to see if they match
if ($username==$dbusername&&$password==$dbpassword)
{
$_SESSION ['Email']=$username;
header('Location: member.php?username='.$username);
}
}
else
{
// admin login
$query2 = mysql_query("SELECT * FROM admin WHERE Email ='$username' AND Password ='$password'");
$numrow2 = mysql_num_rows ($query2);
if ($numrow2!=0)
{
while ($row = mysql_fetch_assoc($query2))
{
$dbusername = $row['Email'];
$dbpassword = $row['Password'];
}
//Check to see if they match
if ($username==$dbusername&&$password==$dbpassword)
{
$_SESSION ['Email']=$username;
header("Location: admin.php");
}else{
if (empty ($username) === true|| empty($password) === true) {
echo "Please enter a username and password";
} else if ($username!=$dbusername){
echo "That user does not exist! Have you registered?";
} else if ($username=$dbusername&&$password!=$dbpassword) {
echo "Incorrect password";
}
}
}
}
}
But if a user logs in incorrectly, none of the error messages are displaying, just a blank page, I think its my curly brackets but no matter how many times i change them i either make it worse or nothing at all. Can anyone tell me what im doing wrong?
Check out:
if (empty ($username) === true|| empty($password) === true) {
echo "Please enter a username and password";
} else if ($username!=$dbusername){
echo "That user does not exist! Have you registered?";
} else if ($username=$dbusername&&$password!=$dbpassword) {
echo "Incorrect password";
}
}
This section which includes login errors is found in the " admin login " section, therefore no error is seen when a non-admin user login fails.
Your select statement is already ensuring that the provided username and password match what is in the database. There is no need to do a second comparison in PHP. Your code could just be the following:
if (isset($_POST['Email']) && isset($_POST['Password']))
{
$username = $_POST['Email'];
$password = md5($_POST['Password']);
$query = mysql_query("SELECT * FROM member WHERE Email ='$username' AND Password='$password'");
if(mysql_num_rows($query) == 1)
{
$_SESSION['Email'] = $username;
header('location: member.php?username='.$username);
}
else
{
// try admin login
$query2 = mysql_query("SELECT * FROM admin WHERE Email ='$username' AND Password ='$password'");
if(mysql_num_rows($query2) == 1)
{
$_SESSION['Email'] = $username;
header("location: admin.php");
}
else
{
echo "Failed Login Attempt";
}
}
}
Since your query only returns records where the username and password match, there is NO way you will ever get a result back where the username matches but the password didn't, so your conditional check you do near the end of your admin login will NEVER occur.
As a side-note, it would be bad form to inform the user that the username was correct but password wasn't, or visa versa. This is a security issue and could make it easier for a malicious user to more easily gain access. This is besides the point though, so please only take this suggestion as personal advice and not directed at your question.
$query = mysql_query("SELECT * FROM member WHERE Email ='$username' AND Password='$password'");
if(mysql_num_rows($query) == 0){
echo 'You have entered wrong username/password'; }else {
// you can continue with your query below.