I'm having a problem with redirecting a page in php.
<?php
include '../include/dbfunctions.php';
$email = $password = "";
$err = "";
if ($_SERVER["REQUEST_METHOD"] == "POST") {
if (isset($_POST['login']) && !empty($_POST['password'])) {
$email = trim($_POST['email']);
$password = trim($_POST['password']);
$link = get_db_connection();
if (mysqli_connect_errno()) {
die(" Something went wrong ! ");
}
$user_email = mysqli_real_escape_string($link, $email);
$user_password = mysqli_real_escape_string($link, $password);
$query = "SELECT username FROM user WHERE user_email = '$user_email' AND user_password = SHA1('$user_password') AND user_active = '1';";
$data = mysqli_query($link, $query);
if (mysqli_num_rows($data) == 1) {
$row = mysqli_fetch_array($data);
$username = $row['username'];
mysqli_close($link);
if (!empty($username)) {
header('location:http://www.xxxxxxxxxxxxxx.be/login/dashboard.php');
exit();
}
} else {
$err = "Invalid combination of e-mail and password";
echo $err;
}
} else {
}
}
?>
I can't figure it out. If I fill in an invalid password or email, I get the error message. But when they are correct, nothing happens.
if (!empty($username)) {
header('location:http://www.yoursite.be/login/dashboard.php?error=error in login please try agine');
exit();
}
if (!empty($username)) {
header('location:http://www.xxxxxxxxxxxxxx.be/login/dashboard.php');
exit();}
$username might be empty.
I just started off with PHP and attempted to make a simple login and sign-up page. The sign-up module works perfectly, with the records being successfully inserted into the database. But whenever I try to log in, it always throws me a wrong password/username combination.
I am really new to web development so I am not looking for advice on SQL injections and other security-related issues. Could someone just tell me how I could make this work using PHP and MySQL only?
I am using the XAMPP server with phpMyAdmin.
Here is my Config.php file which I use to validate the data I accept through the forms.
<?php
session_start();
//variable declaration
$email = "";
$name = "";
$batch = "";
$password = "";
$errors = array();
$_SESSION['success'] = "";
//connect to database
$conn = mysqli_connect('localhost', 'root', '', 'timetable');
//Register User
if(isset($_POST['reg_user']))
{
$email = mysqli_real_escape_string($conn, $_POST['email']);
$name = mysqli_real_escape_string($conn, $_POST['name']);
$batch = mysqli_real_escape_string($conn, $_POST['batch']);
$password_1 = mysqli_real_escape_string($conn, $_POST['password_1']);
$password_2 = mysqli_real_escape_string($conn, $_POST['password_2']);
//form validation
if($batch != 2016 || $batch != 2017 || batch != 2018 || batch != 2019)
{
array_push($errors, "Batch should be one of 2016/2017/2018/2019.");
}
if($password_1 != $password_2)
{
array_push($errors, "The two passwords do not match.");
}
if(count($errors) == 0)
{
$password = hash('sha512', $password);
$query = "INSERT INTO chairperson(email, name, batch, password)
VALUES('$email', '$name', '$batch', '$password')";
mysqli_query($conn, $query);
$_SESSION['email'] = $email;
$_SESSION['success'] = "You are now logged in.";
header('location: index.php');
}
}
//Login user
if(isset($_POST['login_user']))
{
$email = mysqli_real_escape_string($conn, $_POST['email']);
$password = mysqli_real_escape_string($conn, $_POST['password']);
if(count($errors) == 0)
{
$password = hash('sha512', $password);
$query = "SELECT * FROM chairperson WHERE email='$email' AND password='$password'";
$results = mysqli_query($conn, $query);
if(mysqli_num_rows($results) == 1)
{
$_SESSION['success'] = "You are now logged in.";
$_SESSION['email'] = $email;
header('location: index.php');
}
else
{
array_push($errors, "Wrong username/password combination.");
}
}
}
?>
<?php
session_start();
//variable declaration
$email = "";
$name = "";
$batch = "";
$password = "";
$errors = array();
$_SESSION['success'] = "";
//connect to database
$conn = mysqli_connect('localhost', 'root', '', 'timetable');
//Register User
if(isset($_POST['reg_user']))
{
$email = mysqli_real_escape_string($conn, $_POST['email']);
$name = mysqli_real_escape_string($conn, $_POST['name']);
$batch = mysqli_real_escape_string($conn, $_POST['batch']);
$password_1 = mysqli_real_escape_string($conn, $_POST['password_1']);
$password_2 = mysqli_real_escape_string($conn, $_POST['password_2']);
//form validation
if(($batch != 2016) && ($batch != 2017) && ($batch != 2018) && ($batch != 2019))
{
array_push($errors, "Batch should be one of 2016/2017/2018/2019.");
}
if($password_1 != $password_2)
{
array_push($errors, "The two passwords do not match.");
}
if(count($errors) == 0)
{
// Hash the submitted password; $password itself is still "" at this point
$password = password_hash($password_1, PASSWORD_BCRYPT);
$query = "INSERT INTO chairperson(email, name, batch, password)
VALUES('$email', '$name', '$batch', '$password')";
mysqli_query($conn, $query);
$_SESSION['email'] = $email;
$_SESSION['success'] = "You are now logged in.";
header('location: index.php');
}
}
//Login user
if(isset($_POST['login_user']))
{
$email = mysqli_real_escape_string($conn, $_POST['email']);
$password = mysqli_real_escape_string($conn, $_POST['password']);
if(count($errors) == 0)
{
$query = "SELECT * FROM chairperson WHERE email='$email' ";
$results = mysqli_query($conn, $query);
if(mysqli_num_rows($results) == 1)
{
$row=mysqli_fetch_assoc($results);
if(password_verify($password, $row['password']))
{
$_SESSION['success'] = "You are now logged in.";
$_SESSION['email'] = $email;
header('location: index.php');
}
else
{
array_push($errors, "Wrong username/password combination.");
}
}
else
{
array_push($errors, "Wrong username/password combination.");
}
}
}
?>
I can't do authorization on the site! I register and everything is fine! But it does not want to log in to the site! I do not know what to do! Also, I use the md5() function, and my database encrypts everything perfectly, but how do I make it log in through this function too? It also does not log in without this function, please help!!!
Here is the authorization code:
require("include/connect.php");
if (isset($_SESSION["user_id"])) {
// output "Session is set"; // for testing purposes
header("Location: main.php");
}
if (isset($_POST['button-login'])) {
if (!empty($_POST['login']) && !empty($_POST['password_1'])) {
$login = htmlspecialchars($_POST['login']);
$email = htmlspecialchars($_POST['email']);
$password = htmlspecialchars($_POST['password_1']);
$query = mysql_query("SELECT * FROM users WHERE id='" . $login . "' AND password='" . $password . "'");
$numrows = mysql_num_rows($query);
if ($numrows != 0) {
while ($row = mysql_fetch_assoc($query)) {
$dbusername = $row['login'];
$dbpassword = $row['password_1'];
}
if ($login == $dbusername && $password == $dbpassword) {
// old location
// session_start();
$_SESSION['login'] = $login;
$_SESSION['user_id'] = $login;
header("Location: main.php");
}
} else {
// $message = "Invalid username or password!";
echo "Invalid username or password!";
}
} else {
$message = "All fields are required!";
}
}
Try to convert the $password variable into md5()
$password = md5($password);
After md5() encryption, check your username & password condition
if($login == $dbusername && $password == $dbpassword)
Hope this helps!
I recently started learning PHP. I've been working on a basic login page. Everything works great locally, but when it's uploaded to ipage, it just reloads the login page. If I enter incorrect login info, it tells me that I entered something wrong.
Here's my code...
login.php:
<?php
ob_start();
session_start();
require 'connect.inc.php';
if (isset($_POST['submit'])) {
$uid = $_POST['uid'];
$pwd = $_POST['pwd'];
$uid = strip_tags($uid);
$pwd = strip_tags($pwd);
$uid = stripcslashes($uid);
$pwd = stripcslashes($pwd);
$uid = mysqli_real_escape_string($db, $uid);
$pwd = mysqli_real_escape_string($db, $pwd);
$sql = "SELECT * FROM users WHERE uid='$uid' LIMIT 1";
$query = mysqli_query($db, $sql);
$row = mysqli_fetch_array($query);
$id = $row['id'];
$db_password = $row['pwd'];
$pwd = password_verify($pwd, $row['pwd']);
if ($pwd == $db_password) {
//$_SESSION['username'] = $uid;
$_SESSION['id'] = $id;
header("Location: http://website.com/dashboard.php");
exit;
}else {
echo 'You didn\'t enter the correct information';
}
}
?>
dashboard.php:
<?php
ob_start();
session_start();
require 'connect.inc.php';
if (!isset($_SESSION['id'])) {
header("Location: http://website.com/login.php");
exit();
}
?>
Any help would be appreciated very much...
I think the problem with your code lies here
if ($pwd == $db_password) {
//$_SESSION['username'] = $uid;
$_SESSION['id'] = $id;
header("Location: http://website.com/dashboard.php");
exit;
}else {
echo 'You didn\'t enter the correct information';
}
password_verify() returns TRUE or FALSE and you are trying to check if it is equal to $db_password. As far as I know this will not be true, so even though the password you are typing in is correct, the page won't go anywhere because the if statement is not working properly.
So in your case, this is how I think you should have your code
<?php
ob_start();
session_start();
require 'connect.inc.php';
if (isset($_POST['submit'])) {
$uid = $_POST['uid'];
$pwd = $_POST['pwd'];
$uid = strip_tags($uid);
//$pwd = strip_tags($pwd);
$uid = stripcslashes($uid);
//$pwd = stripcslashes($pwd);
$uid = mysqli_real_escape_string($db, $uid);
//$pwd = mysqli_real_escape_string($db, $pwd);
$sql = "SELECT * FROM users WHERE uid='$uid' LIMIT 1";
$query = mysqli_query($db, $sql);
$row = mysqli_fetch_array($query);
$id = $row['id'];
$db_password = $row['pwd'];
$pwd = password_verify($pwd, $db_password);
if ( $pwd === TRUE ) {
//$_SESSION['username'] = $uid;
$_SESSION['id'] = $id;
header("Location: http://website.com/dashboard.php");
exit;
}else {
echo 'You didn\'t enter the correct information';
}
}
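As an added example (not code from the original posts) of the point in the answer above: password_verify() returns the boolean to branch on, and it only matches when the password reaches it unmodified and the stored hash is complete. The function names and sample passwords are constructed for illustration.

```php
<?php
declare(strict_types=1);
// Added example (not from the original posts): password_verify() needs the
// password byte-for-byte as typed and the stored hash in full.

/** Registration side: hash the raw password; no trimming, stripping or escaping. */
function hash_for_storage(string $rawPassword): string
{
    return password_hash($rawPassword, PASSWORD_DEFAULT);
}

/**
 * The clean-up chain applied to $pwd in the question's login.php.
 * mysqli_real_escape_string() is left out because it needs a live connection.
 */
function question_cleanup(string $pwd): string
{
    return stripcslashes(strip_tags($pwd));
}

/** Login side: password_verify() already returns the bool to branch on. */
function password_ok(string $submitted, string $storedHash): bool
{
    return password_verify($submitted, $storedHash);
}

/** Run the cases over constructed sample passwords. */
function run_cases(): array
{
    $samples = ['plain-Passw0rd', 'back\\slash-n0', 'angle<b>bracket']; // constructed
    $rows = [];
    foreach ($samples as $typed) {
        $hash = hash_for_storage($typed);
        $rows[] = [
            'typed'          => $typed,
            'raw'            => password_ok($typed, $hash),
            'after_cleanup'  => password_ok(question_cleanup($typed), $hash),
            // What a column shorter than the hash would hand back on login:
            'truncated_hash' => password_ok($typed, substr($hash, 0, 50)),
        ];
    }
    return $rows;
}

foreach (run_cases() as $r) {
    printf("%-18s raw=%s cleanup=%s truncated=%s\n", $r['typed'],
        var_export($r['raw'], true), var_export($r['after_cleanup'], true),
        var_export($r['truncated_hash'], true));
}
```

The PHP manual recommends a 255-character column for password_hash() output so that a future default algorithm still fits.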
I have this registration form that a user fills out and it sends to another page that adds the information in my database. Is there a way that after the person registers I can send the username and password to the sign-in page and it logs them in automatically?
this is the code that adds into my database after a user has registered:
require "connection.php";
session_start();
if ($_POST['firstname'] != "" && $_POST['lastname'] !="" && $_POST['email'] != "" && $_POST['username'] !="" && $_POST['password'] !="")
{
$firstname = $_POST['firstname'];
$lastname = $_POST['lastname'];
$email = $_POST['email'];
$password = $_POST['password'];
$username = $_POST['username'];
// Escape the values first, so the query below is built from the escaped username
$username = mysqli_real_escape_string($conn,$username);
$password = mysqli_real_escape_string($conn,$password);
$firstname = mysqli_real_escape_string($conn,$firstname);
$lastname = mysqli_real_escape_string($conn,$lastname);
$email = mysqli_real_escape_string($conn,$email);
$query1="SELECT * FROM users WHERE username = '$username' ";
$result = mysqli_query($conn,$query1)
or die(mysqli_error($conn));
if(mysqli_num_rows($result) != 0)
{
$_SESSION['er_firstname'] = $firstname;
$_SESSION['er_lastname'] = $lastname;
$_SESSION['er_email'] = $email;
header("Location: index.php/?a=1");
}
else {
unset($_SESSION['er_firstname']);
unset($_SESSION['er_lastname']);
unset($_SESSION['er_email']);
// The column list must name all five values being inserted, including email
$query = "INSERT INTO users (firstname, lastname, email, password, username) VALUES ('$firstname','$lastname','$email','$password', '$username')";
$data = mysqli_query($conn,$query)or die(mysqli_error($conn));
header("Location: index.php/?a=2");
}
}
?>
And this is my login code for when a user normally enters their username and password to log in:
<?php
session_start();
$username = $_POST['username']; //either username or email
$password = $_POST['password'];
if($username=="" || $password == "")
{
header("Location: index.php");
}
require "connection.php";
if(!empty($username) && !empty($password)) {
$username = mysqli_real_escape_string($conn,$username);
$password = mysqli_real_escape_string($conn,$password);
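// Parentheses are required: AND binds tighter than OR, so without them a matching username alone would satisfy the WHERE clause
$query = "SELECT * FROM users WHERE (username = '$username' OR email = '$username') AND password = '$password'";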
$data = mysqli_query($conn,$query);
if($data) {
if (mysqli_num_rows($data) == 1 ) {
$row = mysqli_fetch_assoc($data);
$_SESSION['id'] = $row['id'];
$_SESSION['username'] = $row['username'];
header("Location: http://home");
}
else {
header("Location: index.php/?i=1");
exit();
} }
else {
die("Query failed");
}
}
else {
$_SESSION['message'] = "Please enter a email and password";
header("Location: index.php");
exit();
}
So is there a way to send add.php to login.php? I tried switching the add.php header location to login.php but it didn't work.
You could bypass the entire login screen. You can just apply login logic into your registration processing.
This would involve adding three lines of code by the looks of it.
$_SESSION['id'] = mysqli_insert_id($conn);
$_SESSION['username'] = $username; // the registration script has no $row; use the username it just inserted
header("Location: http://home");
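A WHERE clause that mixes OR and AND, like the login query in the question above, only checks the password for both alternatives when the OR part is parenthesised. The added example below (not code from the original posts) shows both forms side by side, plus a lookup that binds the login name and verifies a password_hash() value in PHP; it assumes the pdo_sqlite extension, with an in-memory SQLite table standing in for the MySQL users table, and the account data is constructed.

```php
<?php
declare(strict_types=1);
// Added example (not from the original posts). Assumes pdo_sqlite; the
// in-memory table is a stand-in for the MySQL `users` table.

function make_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE,
               email TEXT UNIQUE, password TEXT)');
    // Constructed account; the column holds a password_hash() value.
    $ins = $db->prepare('INSERT INTO users (username, email, password) VALUES (?, ?, ?)');
    $ins->execute(['alice', 'alice@example.test',
        password_hash('s3cret-Pass', PASSWORD_DEFAULT)]);
    return $db;
}

/** Rows matched by a WHERE clause taking (login, login, password) placeholders. */
function rows_matched(PDO $db, string $where, string $login, string $pw): int
{
    // $where is a constant defined in this file, never user input.
    $st = $db->prepare("SELECT COUNT(*) FROM users WHERE $where");
    $st->execute([$login, $login, $pw]);
    return (int) $st->fetchColumn();
}

/** Bind the login name, fetch one row, verify the hash in PHP. */
function login(PDO $db, string $login, string $pw): ?int
{
    $st = $db->prepare('SELECT id, password FROM users WHERE username = ? OR email = ?');
    $st->execute([$login, $login]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($pw, $row['password'])) {
        return null; // same result for an unknown user and a wrong password
    }
    // Caller: session_regenerate_id(true), then store this id in $_SESSION.
    return (int) $row['id'];
}

$db = make_db();
$loose  = 'username = ? OR email = ? AND password = ?';   // AND is evaluated before OR
$strict = '(username = ? OR email = ?) AND password = ?';
printf("unparenthesised, wrong password: %d row(s)\n",
    rows_matched($db, $loose, 'alice', 'wrong'));
printf("parenthesised, wrong password:   %d row(s)\n",
    rows_matched($db, $strict, 'alice', 'wrong'));
var_dump(login($db, 'alice@example.test', 's3cret-Pass'));
var_dump(login($db, 'alice', 'wrong'));
```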
I have realized why I can't actually access user data (after I am logged in). The old way to find the username is $_SESSION['username']; (assuming there is a row named 'username' in the MySQL database)
So I have a test account named "good25" (the reason for choosing numbers was to see if alphanumeric inputs work fine.. it's just a check by me.. never mind)
Problem:
Assuming I have rows in a table such as 'username' and all of the user's information.. such as 'password', 'email', 'joindate', 'type' ...
On the net I found out how to get the username from the session
<?php session_start(); $_SESSION('username'); ?>
Successful!!
I had an idea to check whether the session is actually registering or not.
After logging in, on start.php I used this code
if(isset($_SESSION['username'])) { print_r($_SESSION['username']); }
The result was "1" (while I logged in using the username "good25")
Any suggestions?
index.php (let's say index.php just holds registration + login form + registration script.. in the login form, action='condb.php')
<?php
require 'condb.php';
if (isset($_POST['btn-signup']))
{
//FetchInputs
$usern = mysqli_real_escape_string($connection,$_POST['username']);
$email = mysqli_real_escape_string($connection,$_POST['email']);
$password = mysqli_real_escape_string($connection,$_POST['password']);
$repassword = mysqli_real_escape_string($connection,$_POST['repassword']);
$usern = trim($usern);
$email = trim($email);
$password = trim($password);
$repassword = trim($repassword);
//SearchUser
$searchusr = "SELECT username FROM $user_table WHERE username='$usern'";
$usersearched = mysqli_query($connection, $searchusr);
$countuser = mysqli_num_rows($usersearched);
//SearchEmail
$searcheml = "SELECT email FROM $user_table WHERE email='$email'";
$emlsearched = mysqli_query($connection, $searcheml);
$counteml = mysqli_num_rows($emlsearched);
//RegisteringUser
if ($countuser == 0)
{
if ($counteml == 0)
{
$ctime = time();
$cday = date("Y-m-d",$ctime);
$aCode = uniqid();
$adduser = "INSERT INTO $user_table(username, email, password, realname, activationcode, verified, joindate, type, points) VALUES ('$usern','$email','$password','$name','$aCode','n','$cday','Free',$signPoints)";
if (mysqli_query($connection, $adduser))
{
?><script>alert('You have been registered');</script><?php
}
else {
?><script>alert('Couldnt Register, please contact Admin<br><?mysqli_error($connection);?>');</script><?php
}
} else {
?><script>alert('Email already exists!');</script><?php
}
} else {
?><script>alert('Username already exists!');</script><?php
}
}
?>
condb.php
$connection = mysqli_connect($db_server, $db_user, $db_pass);
mysqli_select_db($connection, $db_name);
if(!$connection) {
die ("Connection Failed: " . mysqli_connect_error());
}
if (isset($_POST['btn-login']))
{
$uname = mysqli_real_escape_string($connection,$_POST['uname']);
$upass = mysqli_real_escape_string($connection,$_POST['upass']);
//FindUser
$finduser = "SELECT * FROM $user_table WHERE username='$uname' AND password='$upass'";
$findinguser = mysqli_query($connection,$finduser);
$founduser = mysqli_num_rows($findinguser);
//ConfirmPassword
if ($founduser > 0)
{
session_start();
$_SESSION['username'] = $username;
$_SESSION['username'] = true;
if ($findinguser != false)
{
while ($fetchD = mysqli_fetch_array($findinguser, MYSQLI_ASSOC))
{
$fetchD['username'] = $usernn;
$fetchD['email'] = $email;
$fetchD['userid'] = $uid;
$fetchD['realname'] = $rlnm;
$fetchD['points'] = $pts;
$fetchD['type'] = $membertype ;
}
header("Location: start.php");
} else {
echo mysqli_error($connection);
}
} else {
header("Location: index.php");
?><script>alert('Wrong details, please fill in correct password and email');</script><?php
}
}
I am not asking you to build a script.. just a little help please? (Thank you so so so so so much; as I am a self-learner, you don't have to say everything.. just a clue is enough for me)
Maybe you can try this code
<?php
require_once 'require.inc.php';
//session_start();
if (isset($_POST['btn-login']))
{
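// mysqli_real_escape_string() takes the connection as its first argument
$uname = mysqli_real_escape_string($connection, $_POST['uname']);
$upass = mysqli_real_escape_string($connection, $_POST['upass']);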
$search = mysqli_query($connection, "SELECT username, userid, password from $user_table WHERE username='$uname' AND password='$upass'");
$match = mysqli_fetch_assoc($search);
if ($match == 1 and $match['password'] == md5($upass))
{
$_SESSION['username'] = $match['userid'];
} else {
?>
<script>alert('Password or E-mail is wrong. If you havent registered, Please Register');</script>
<?php
}
}
if (isset($_SESSION['username']) or isset($match['userid'])){
header("Location:start.php");
}
if (isset($_POST['btn-signup']))
{
$name = mysqli_real_escape_string($connection, $_POST['name']);
$usern = mysqli_real_escape_string($connection, $_POST['username']);
$email = mysqli_real_escape_string($connection, $_POST['email']);
$password = mysqli_real_escape_string($connection, $_POST['password']);
$repassword = mysqli_real_escape_string($connection, $_POST['repassword']);
$name = trim($name);
$usern = trim($usern);
$email = trim($email);
$password = trim($password);
$repassword = trim($repassword);
$query = "SELECT email FROM $user_table WHERE email='$email'";
$result = mysqli_query($connection, $query);
$count = mysqli_num_rows($result);
$querytwo = "SELECT username FROM $user_table WHERE username='$usern'";
$resulttwo = mysqli_query($connection, $querytwo);
$counttwo = mysqli_num_rows($resulttwo);
if ($count == 0 AND $counttwo == 0)
{
if ($password == $repassword) {
if (mysqli_query($connection, "INSERT INTO $user_table(username, email, password, realname) VALUES ('$usern','$email','$password','$name')"))
{
?>
<script> alert ('Successfully registered'); </script>
<?php
}
}else {
?>
<script> alert ('The Password you entered, doesnt match.. Please fill in the same password'); </script>
<?php
}
}
else {
?>
<script> alert('Username or E-mail already exist'); </script>
<?php
}
}
?>
and this is for require.inc.php
<?php
global $username;
//require 'dconn.php';
session_start();
$_SESSION["username"] = $username;
$connection = mysqli_connect("localhost","root","", "test") or die(mysqli_connect_error());
// Check Login
if (isset($_SESSION['username']) and isset ($match['userid']))
{
$Selection = "SELECT * FROM $user_table WHERE username='$username'";
$selectQuery = mysqli_query($connection, $Selection);
if ($selectQuery != false)
{
while ($fetchD = mysqli_fetch_assoc($selectQuery))
{
$usernn = $fetchD['username'];
$email = $fetchD['email'];
$uid = $fetchD['userid'];
}
} else {
echo mysqli_error($connection);
}
}
?>
Suggestion: create the session after the user has logged in and been authorized; then on each page start the session, take the session variable you created, and perform SQL queries using that session variable.
For example:
$_SESSION['user_name']=$row['username'];
For each page:
session_start();
$user_name=$_SESSION['user_name'];
SQL query
mysqli_query($con,"SELECT * FROM users where column_name='$user_name'");
I think you need to include dconn.php file in all files where you want to perform the mysql operation. If you have included it only in require.inc.php then you you it in all your other files.