I have a login system that has two pages, it's quite simple but it doesn't appear that the data is being passed through as I am being redirected back. I have tried a couple solutions. Adding exit; and die; after the inital redirect from the login. I have also printed the session_id which worked fine.
Login page:
session_start();
if(isset($_POST['login'])){
$username = strip_tags($_POST['username']);
$password = strip_tags($_POST['password']);
$username = stripslashes($username);
$password = stripslashes($password);
$password = md5($password);
$sql = "SELECT * FROM table WHERE username = :username LIMIT 1";
$stmt = $conn->prepare($sql);
$stmt->bindParam(":username", $username);
$stmt->execute();
foreach($stmt as $row) {
$id = $row['id'];
$db_password = $row['password'];
}
if($password == $db_password){
$_SESSION['username'] = $username;
$_SESSION['id'] = $id;
header("Location: admin.php");
exit;
}else{
echo "You did not enter the correct details.";
}
}
This is the admin page. It just redirects back to login and doesn't get any further down the page
session_start();
if(!isset($_SESSION['id'])){
header("Location: login.php");
}
execute()
Returns TRUE on success or FALSE on failure.
You need to fetch data form result set as
$stmt->execute();
$row = $stmt->fetch(PDO::FETCH_ASSOC);// fetch data
$id = $row['id'];
$db_password = $row['password'];
if($password == $db_password){// then compair
$_SESSION['username'] = $username;
$_SESSION['id'] = $id;
header("Location: admin.php");
exit;
}else{
echo "You did not enter the correct details.";
}
Related
I am entering any password but I am getting successful logins. I am confused.
php code:
// LOGIN USER
// variable declaration
$email = "";
$mobile = "";
$under_userid = "";
$errors = array();
$_SESSION['success'] = "";
require('php-includes/connect.php');
session_start();
if (isset($_POST['login_user'])) {
$email = mysqli_real_escape_string($con, $_POST['email']);
$password = mysqli_real_escape_string($con, $_POST['password']);
if (empty($email)) {
array_push($errors, "Email is required");
}
if (empty($password)) {
array_push($errors, "Password is required");
}
if (count($errors) == 0) {
$Hpassword = hash('sha512', $_POST['password']);
$query = "SELECT * FROM user WHERE email='$email' AND password='$Hpassword'";
$mysqli_query = mysqli_query($con, $query);
$_SESSION['userid'] = $email;
$_SESSION['id'] = session_id();
$_SESSION['login_type'] = "user";
$_SESSION['user_id'] = $row['user_id'];
echo '<script>alert("Login Success.");window.location.assign("home.php");</script>';
}
}
please help me
You are not checked here if username and password are correct or not.
if (count($errors) == 0) {
$Hpassword = hash('sha512', $_POST['password']);
$query = "SELECT * FROM user WHERE email='$email' AND password='$Hpassword'";
$mysqli_query = mysqli_query($con, $query);
$_SESSION['userid'] = $email;
$_SESSION['id'] = session_id();
$_SESSION['login_type'] = "user";
$_SESSION['user_id'] = $row['user_id'];
echo '<script>alert("Login Success.");window.location.assign("home.php");</script>';
}
Please correct it using if condition is there any field match with that username or password as below
if(count($mysqli_query)>0)
{
echo '<script>alert("Login Success.");window.location.assign("home.php");</script>';
}
You are getting login successful because there is no script which can track that provided password is in-correct or correct. So you need to add following if-statement for checking it,
if(mysqli_num_rows($mysqli_query) > 0){
$_SESSION['userid'] = $email;
$_SESSION['id'] = session_id();
$_SESSION['login_type'] = "user";
$_SESSION['user_id'] = $row['user_id'];
echo '<script>alert("Login Success.");window.location.assign("home.php");</script>';
}
mysqli_num_rows() will get the rows of match data from database and if there is row the if-statement will be true and then you will only get successful login. Other wise it will be fail and you can show error to user.
I have recently used a tutorial from http://tutsforweb.blogspot.co.uk/2012/05/registration-system-with-email.html. I have added a new field in my user table called 'com_code' as stated and defined the default as NULL.
Both confirm.php and registeraction.php work as the passkey variable is inserted into the com_code field in the database when a user registers, and when they click on the verify link in the email they have been sent, the com_code field is then set to NULL.
My problem is when this user logs in, a blank page appears ( with the url stuck at loginaction.php where I process the form). Any ideas where I have gone wrong in my loginaction.php code? I am new to PHP so as much explanation as possible would be great!!
loginaction.php
<?php require 'config/init.php';
// Get the data collected from the user and database
$email = trim($_POST["email"]);
$password = trim($_POST["password"]);
//Check for errors
if (empty($email) or empty($password)) {
$_SESSION["message"] = "Must enter Email and Password ";
header("Location: login.php"); //Redirection information
exit ;//Ends the script
}
$email = strip_tags($email);
$password = strip_tags($password);
$pwd = $_POST["password"];
$sql = "SELECT * FROM user WHERE email='$email' AND com_code is NULL";
$result = mysqli_query($mysqli,$sql)or die(mysqli_error());
if ($result->num_rows === 1) {
$row = $result->fetch_array(MYSQLI_ASSOC);
if (password_verify($pwd, $row['password'])) {
$_SESSION["authenticatedUserEmail"] = $email;
$_SESSION["unauthenticatedAdmin"] = $_SESSION['usertype'] == '0';
//We could also use information drawn from the database eg ID
$_SESSION['id'] = $row['id'];
$_SESSION['first_name'] = $row['first_name'];
$_SESSION['last_name'] = $row['last_name'];
$_SESSION['password'] = $row['password'];
$_SESSION['username'] = $row['username'];
$_SESSION['usertype'] = $row['usertype'];
$_SESSION['email'] = $row['email'];
if ($_SESSION['usertype'] == '1') {
header("Location: admin.php");
} else {
header("Location: profile.php");
}
}
else {
//Login was unsuccessful
$_SESSION["message"] = "Could not login as $email";
header("Location: login.php"); //Go back to the login pages
}
}//End else
?>
I am having problem logging in, below is a login code. When I submit login info it says Incorrect Information, I have gone wrong somewhere in code and can't figure it out. I have used password_hash() function, checked my database and it works well. Surely somethings wrong with login code. Now I tried echoing $pass_db and on submitting info I see the password is echoed correctly but incorrect information is also displayed and I am not redirected to main.php as I should be.
login.php
<?php
if(isset($_POST['login'])){
$username = $_POST['user_login'];
$password = $_POST['password_login'];
$stmt = $db->prepare("SELECT * FROM userss WHERE username = :username AND password = :password");
$stmt->execute(array(':username'=>$username,':password'=>$password));
$row = $stmt->fetch(PDO::FETCH_ASSOC);
$user_db = $row['username'];
$pass_db = $row['password'];
if(password_verify($password, $pass_db)) {
$_SESSION['username']=$username;
if (isset($_POST['rememberme'])) {
setcookie('username', $username,time()+31556926);
}
header("Location:main.php");
}
else {
echo "Incorrect Information!";
}
}
?>
register code
$pswd = password_hash($pswd, PASSWORD_DEFAULT);
$pswd2 = password_hash($pswd2, PASSWORD_DEFAULT);
$stmt = $db->prepare("INSERT INTO userss (username,first_name,last_name,email,password,password2) VALUES (:username,:first_name,:last_name,:email,:password,:password2,)");
$stmt->execute( array(':username'=>$un,':first_name'=>$fn,':last_name'=>$ln,':email'=>$em,':password'=>$pswd,':password2'=>$pswd2));
if ($stmt->rowCount() == 1) {
header("Location: login.php");
}
else {
echo "error";
}
I'm the following query to verify the login information posted by the form. But whenever I run the query i get internal server error. I'm not sure what i'm doing wrong.
<?php
if(isset($_POST["userName"]) && isset($_POST["password"])){
$userName = $_POST["userName"];
$password = $_POST["password"];
include "http://evocature.com/scripts/db_connect.php";
$results = mysql_query("SELECT id
FROM admins
WHERE userName = '$userName'
AND password ='$password' LIMIT 1");
$existCount = mysql_num_rows($results);
if($existCount == 1){
while($row = mysql_fetch_array($results)){
$id = $row["id"];
}
$_SESSION["id"] = $id;
$_SESSION["manager"] = $manager;
$_SESSION["password"] = $password;
header("Location: http://www.evocature.com/admin/index.php");
exit();
}
else{
echo 'Invalid Information';
exit();
}
}
I belive you cant include http pages . Well not in this method .
When a user logs into my website login.php checks if they have the correct username password or if they are an administrator:
session_start ();
$username = '';
$password = '';
$dbusername = '';
$dbpassword = '';
if (isset($_POST['Email']) && isset($_POST['Password']))
{
$username = $_POST['Email'];
$password = md5($_POST['Password']);
$query = mysql_query("SELECT * FROM member WHERE Email ='$username' AND Password='$password'");
$numrow = mysql_num_rows ($query);
// user login
if ($numrow!=0)
{
while ($row = mysql_fetch_assoc($query))
{
$dbusername = $row['Email'];
$dbpassword = $row['Password'];
}
//Check to see if they match
if ($username==$dbusername&&$password==$dbpassword)
{
header("Location: member.php");
$_SESSION ['Email']=$username;
}
}
else
{
// admin login
$query2 = mysql_query("SELECT * FROM admin WHERE Email ='$username' AND Password ='$password'");
$numrow2 = mysql_num_rows ($query2);
if ($numrow2!=0)
{
while ($row = mysql_fetch_assoc($query2))
{
$dbusername = $row['Email'];
$dbpassword = $row['Password'];
}
//Check to see if they match
if ($username==$dbusername&&$password==$dbpassword)
{
header("Location: admin.php");
$_SESSION ['Email']=$username;
}
else{
echo "Incorrect password";
}
}
else{
if ($username!=$dbusername&&$password!=$dbpassword)
{die("That user does not exist!");
}
}
}
}
They are redirected to member.php (relevant code below)
session_start ();
If (logged_in() === true)//Email
echo "Welcome, ".$_SESSION['Email']. "!<br><ahref='logout.php'>Logout</a>";
else
die ("You must be logged in");
This all works fine, the user is logged in and their username displays on the top of the page, but if the user goes back to the homepage or any other page on the website they are no longer logged in. Totally confused on how to do this, any help would be great.
You need to set the Session-variables before you redirect the user