I have a login form. I have in my table of the database two records: admin and user. If you login if admin you must go to admin_area.php. this is not working, he always log in if user.
If you login if user this works.
The first part of the script is not working and don't run.
Can someone help me?
thanks in advance.
<?php
//first part: this is not working
session_start();
//if (isset($_POST['submit'])) {
$a_username = $_POST ['username'];
$a_password = md5( $_POST ['password']);
if($a_username == "admin" && $a_password=="intel")
{
include 'connect.php';
$sqli = "SELECT * FROM users WHERE username='$a_username' AND password='$a_password' ";
$numrows = mysqli_query($link, $sqli) or die(mysqli_error());
$username = 'username';
$password = 'password';
//Add some stripslashes
$username = stripslashes($username);
$password = stripslashes($password);
//Check if username and password is good, if it is it will start session
if ($username == $a_username && $password == $a_password)
{
$_SESSION['username'] = 'true';
$_SESSION['username'] = $username;
//Redirect to admin page
header("Location: admin_area.php");exit();
}
}
//second part: this works
$username = $_POST ['username'];
$password = md5( $_POST ['password']);
if($username&&$password)
{
include 'connect.php';
$query = "SELECT * FROM users WHERE username='$username' AND password='$password' ";
$numrows = mysqli_query($link, $query) or die(mysqli_error());
if ($numrows != 0)
{
/
while ($row = mysqli_fetch_assoc ($numrows))
{
$dbusername = $row['username'];
$dbpassword = $row['password'];
}
if ($username==$dbusername&&$password==$dbpassword)
{
echo "you are log in <a href='user.php'>click here for contine</a>, after 4 seconds"; header('Refresh: 4;url=user.php');
$_SESSION ['username'] = $username;
}
else
echo "<h3>incorrect password, <a href='index.php'>click here</a></h3>";
}
else
die ("text");
}
else
die ("text");
//}
?>
$a_password = md5( $_POST ['password']);
if($a_username == "admin" && $a_password=="intel")
This condition is not valid, because
$a_password = md5( $_POST ['password'])
is first converted to md5 format and then checked $a_password=="intel"
$a_password is now in md5 format and intel is normal string. For this first try to match normal $a_password like
$a_password = $_POST ['password']
and write your variable into your condition as like
$a_password = md5( $_POST ['password'])
Related
How do I add Login Details confirmation if incorrect? what I want to happen is when the user puts his/her credentials their userID and Password are correct but the user type is wrong if the user presses the login button it will say "incorrect credentials" and same goes with userID and Password if they input the wrong credentials
<?php
include "includes/config.php";
session_start();
if(isset($_POST['loginbutton'])){
$username = $_POST['username'];
$password = $_POST['password'];
$usertype = $_POST['usertype'];
if ($username != "" && $password != ""){
$sql_query = "SELECT * FROM tbl_useraccounts WHERE employee_id='".$username."' and password='".$password."' and usertype='".$usertype."'";
$result = mysqli_query($con,$sql_query);
while ($row=mysqli_fetch_array($result)) {
if ($row['employee_id']==$username && $row['password']==$password && $row['usertype']=='Admin'){
$_SESSION['username'] = $_POST['username'];
header('location: home.php');
}
elseif ($row['employee_id']==$username && $row['password']==$password && $row['usertype']=='SuperAdmin') {
$_SESSION['username'] = $_POST['username'];
header('location: HomeForSuperAdmin.php');
}
}
}
}
?>
Dharma Is correct!
You are wide open to SQL Injections and should use parameterized prepared statements instead of manually building your queries!
If you embed a string in some SQL targeting MySQL, you must escape the string with MySQL's function for this purpose (mysqli_real_escape_string) and trigger db query to input on failed login.
Modified code:
<?php
include "includes/config.php";
session_start();
if(isset($_POST['loginbutton'])){
$username = $_POST['username'];
$password = $_POST['password'];
$usertype = $_POST['usertype'];
$loginFlag = true;
if ($username != "" && $password != ""){
$sql_query = "SELECT * FROM tbl_useraccounts WHERE employee_id='".$username."' and password='".$password."' and usertype='".$usertype."'";
$result = mysqli_query($con,$sql_query);
while ($row=mysqli_fetch_array($result)) {
if ($row['employee_id']==$username && $row['password']==$password && $row['usertype']=='Admin'){
$_SESSION['username'] = $_POST['username'];
header('location: home.php');
$loginFlag = true;
}
elseif ($row['employee_id']==$username && $row['password']==$password && $row['usertype']=='SuperAdmin') {
$_SESSION['username'] = $_POST['username'];
header('location: HomeForSuperAdmin.php');
$loginFlag = true;
}
else {
$loginFlag = false;
}
}
}
if($loginFlag == false){
#real_escape_string is used to prevent sql injection
$username = real_escape_string($_POST['username']);
$password = real_escape_string($_POST['password']);
$usertype = real_escape_string($_POST['usertype']);
# query assume table name log
$sql_query = "INSERT INTO log (username, password, usertype, ip_address)
VALUES ('$username ', '$password ', '$usertype ', '".$_SERVER['REMOTE_ADDR']."')";
}
}
?>
I am having problem with the code.
It suppose to allow admin to view only admin page
and user to view user page only.
my admin still able to view user page.
below is my landing page
<?php
error_reporting(0);
include("config.php");
$host = "localhost"; //DB host
$username = "root"; //DB Username
$password = ""; //DB Password
$db_name = "hklcanet_pha"; //DB Name
$tbl_name = "users"; //Table name, where users are stored
$dbconfig = mysqli_connect($host,$username,$password,$db_name);
$username = $_POST['username']; //Get username from login form
$password = $_POST['password']; //Get password from login form
$username = stripslashes($username); //Makes string safe
$password = stripslashes($password); //Makes string safe
$username = mysqli_real_escape_string($dbconfig, $username); //Makes string safer
$password = mysqli_real_escape_string($dbconfig, $password); //Makes string safer
$sql = "SELECT * FROM $tbl_name WHERE username='$username' and password='$password'"; //SQL Query
$result = mysqli_query($dbconfig, $sql); //Executes Query
$rows = mysqli_num_rows($result); //Count rows selected (1 if a username/password combo can be found)
if($rows == 1){
session_start(); //Starts a PHP session
$_SESSION['username'] = $username; //Allows $username to be used later
header("location: interphase1.php");
$query = "SELECT * FROM $tbl_name WHERE username='$username' and password='$password'";
$result = mysqli_query($dbconfig, $query);
while($row = mysqli_fetch_array($result, MYSQLI_ASSOC))
{
$permissions = $row['permissions']; //Gets the permissions of the user
$id = $row['id']; //Gets the ID of the user
}
$_SESSION['permissions'] = $permissions; //Allows $permissions to be used later
$_SESSION['id'] = $id; //Allows $id to be used later
$_SESSION['authenticated'] = 1; //Allows $id to be used later
echo("Login Succesful");//Prints success message
}
else
{
//echo("Invalid Username/Password");
}
?>
user page
<?php
session_start();
$permissions = $_SESSION['permissions'];
if($_SESSION['authenticated'] != 1)
{
echo("You must be logged in");
header("location:landing.php");
}
else
{
if($permissions < 0)
{
header("location:quicksummary.php");
echo("Your permissions are not high enough");
}
}
?>
admin page
<?php
session_start();
$permissions = $_SESSION['permissions'];
if($_SESSION['authenticated'] != 1)
{
header("location:landing.php");
echo("You must be logged in");
}
else
{
if($permissions < 1 )
{
header("location:quicksummary.php");
echo("Your permissions are not high enough");
}
}
?>
thanks and appreciate if somebody can help me on this, still new with the PHP code.
I have my form below.. I want an to perform an operation if that the user enters the wrong password for 3 times, after his account is locked for some minutes.. How do I achieve that in my form?
<?php
session_start();
if(isset($_POST['username']) && isset($_POST['password'])){
$username = $_POST['username'];
$password = $_POST['password'];
$connect = mysql_connect('localhost', 'root', 'root');
mysql_selectdb('lr') or die('Couldnt find database');
$query = mysql_query("SELECT * FROM users WHERE username = '$username'");
$numrows = mysql_num_rows($query);
if($numrows !=0){
while ($row = mysql_fetch_assoc($query)){
$dbuser = $row['username'];
$dbpass = $row['password'];
}
if ($username == $dbuser && $password == $dbpass){
$_SESSION['username'] = $dbuser;
if($_SESSION['username']){
echo 'Welcome ' . $_SESSION['username'] . ' ! <br>';
echo 'Click here to log out !';
}
} else
echo 'Incorrect Username or Password Combinations ';
} else
die('That user does not exist');
}
?>
Like another user said before you are vulnerable to SQL injection. Always VALIDATE user input!
As to your issue, you can use the database for this, then someone could block another user's account easily. You can also use sessions variables instead. You only need to record in session the number of failed logins. After 3 fail you can set a session variable with a timestamp of when the user will be allowed to login again (current timestamp + X) and before running the SQL check if the time as passed.
If a user logs-in sucessfuly you should clear or reset those session variables.
(sorry i dont have time making you and example, but it's quite easy to implement.)
Made in mousepad, not tested in any way but it will give you some hints i hope.
<?php
session_start();
define('MAX_LOGIN_ATTEMPTS',3);
if(isset($_SESSION['loginTimeout']) && $_SESSION['loginTimeout']<time()) {
echo "You used all login attempts. Try again in a little while.";
exit() // ups, forgot about this :)
}
if(isset($_POST['username']) && isset($_POST['password'])){
$connect = mysql_connect('localhost', 'root', 'root');
mysql_selectdb('lr') or die('Couldnt find database');
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
$query = mysql_query("SELECT * FROM users WHERE username = '$username'");
$numrows = mysql_num_rows($query);
$bFail = false;
if($numrows !=0){
while ($row = mysql_fetch_assoc($query)){
$dbuser = $row['username'];
$dbpass = $row['password'];
}
if ($username == $dbuser && $password == $dbpass){
unset($_SESSION['loginTimeout']);
$_SESSION['username'] = $dbuser;
if($_SESSION['username']){
echo 'Welcome ' . $_SESSION['username'] . ' ! <br>';
echo 'Click here to log out !';
}
} else {
echo 'Incorrect Username or Password Combinations ';
$bFail = true;
}
} else {
die('That user does not exist');
$bFail = true;
}
if($bFail) {
if(isset($_SESSION['loginAttempts'])) $_SESSION['loginAttempts']++;
else $_SESSION['loginAttempts'] = 1;
if($_SESSION['loginAttempts']>MAX_LOGIN_ATTEMPTS) {
// one hour timeout
$_SESSION['loginTimeout'] = time() + 1*60*60;
}
}
}
?>
I have a log in page.First, when the user enters the correct username and password he will move to managing page. But, I want to fetch his database information for another page. I mean I detect the username and password, then get other rows from that.
I know which I can use sessions, but session gives me one value and this is want I do not need.
<?php
if(isset($_POST['username'])){
if(isset($_POST['password'])){
$user_id = $_POST['username'];
$password = $_POST['password'];
$result = mysql_query("SELECT * FROM `users`");
while($row = mysql_fetch_array($result)){
$db_id = $row[0];
$db_user_id = $row["user_id"];
$db_user_pass = $row["user_pass"];
$db_user_type = $row["user_type"];
$db_user_name = $row["user_name"];
if($db_user_id == $user_id && $db_user_pass == $password && $db_user_type == "manager"){
header("Location: manager.php");
$_SESSION['currentmanager'] = $user_id;
}elseif($db_user_id == $user_id && $db_user_pass == $password && $db_user_type == "user"){
$_SESSION['currentuser'] = $user_id;
header("Location: users.php");
}elseif($db_user_id == $user_id && $db_user_pass == $password && $db_user_type == "teacher"){
$_SESSION['currentteacher'] = $user_id;
header("Location: teachers.php");
}
}
}
}
?>
$_SESSION['some_array'] = array(1,3,4);
as #u_mulder said.
Thanks.
I can't figure out what is wrong with program. The password I know is correct but for some reason I am receiving an error saying it is incorrect.
here is my signup.php
$UserName = $_POST['UserName'];
$password = $_POST['password'];
$msd5Password = $md5[$password];
$email = $_POST['email'];
if ($UserName == null || $password == null || $email == null) {
echo 'Please Fill In All The Values';
}
else {
$sql = mysql_query("SELECT * FROM login WHERE email = '$email'");
$numrows = mysql_num_rows($sql);
if($numrows !=0)
{
die("There already is an account created with the email you entered.");
}
else
{
mysql_connect("localhost", "root") or die (mysql_error);
mysql_select_db ("thereview");
mysql_query("INSERT INTO login (UserName, password, email) VALUES ('$UserName', '$md5Password', '$email')")
or die(mysql_error());
header("Location:login.php");
}
}
And here is my login.php
session_start();
$UserName = $_POST['UserName'];
$password = $_POST['password'];
if($UserName == null|| $password == null) {
echo 'Please fill in UserName and Password';
}
else{
mysql_connect("localhost", "root") or die (mysql_error);
mysql_select_db ("thereview");
$query = mysql_query ("SELECT * FROM login WHERE UserName = '$UserName'");
$numrows = mysql_num_rows($query);
if($numrows != 0) {
while($row = mysql_fetch_assoc($query)) {
$dbEmail = $row['email'];
$dbUserName = $row['UserName'];
$dbPassword = $row['password'];
$dbId = $row['id'];
}
if($UserName = $dbUserName && md5($password) == $dbPassword) {
$_SESSION['UserName'] = $dbUserName;
$_SESSION['email'] = $dbEmail;
}
else {
echo 'UserName or Password is incorrect';
}
}
else {
echo 'User does not exist, Create an Account';
}
}
Looks like you have a typo here:
$msd5Password = $md5[$password];
should probably be:
$md5Password = md5($password);
Keep in mind MD5 is not good for password security any longer and you have VERY POOR security for this script, open to injection and other issues.
Are you sure about this?
$msd5Password = $md5[$password];
I think it should be:
$md5Password = md5($password);
$msd5Password = $md5[$password]; should probably read: $md5Password = md5($password); (careful about the details - dollars and parenthesis)
$UserName = $dbUserName should probably be $UserName == $dbUserName
In the sign up script you write $md5$password
I'm not strong in php, but shouldn't that be md5($password) as you write in the login script?
if($UserName **=** $dbUserName && md5($password) == $dbPassword)
will always give you false...
Try $UserName **==** $dbUserName instead.
Try this. You need to put parenthesis around these commands to make sure that its a test of only those values. Also where you have $UserName = $dbUserName you need to have it be == instead of =. Otherwise it will always be set to true rather then be testing it.
if(($UserName == $dbUserName) && (md5($password) == $dbPassword))
Also, at the top the code you have is this:
$msd5Password = $md5[$password];
You have two typos in there. First of all your variable later on is md5Password so you need to remove the s. Also the syntax for md5 is md5($password). Finally md5 is a function not a variable so you don't need the $.
Correct Syntax:
$md5Password = md5($password);
I hope this is helpful!