access page only if logged in with php - php

I'm new to PHP, and I want to make it possible to access a page only if a person is logged in.
login2.php:
<?php
$host="hostxyz";
$dbusername="userxyz";
$dbpassword="xyz";
$db_name="dbxyz";
$tbl_name="tblxyz";
mysql_connect("$host", "$dbusername", "$dbpassword")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");
$username=$_POST['username'];
$password=$_POST['pwd'];
$encryptedpwd=sha1($password);
$username = stripslashes($username);
$encryptedpwd = stripslashes($encryptedpwd);
$username = mysql_real_escape_string($username);
$encryptedpwd = mysql_real_escape_string($encryptedpwd);
$sql="SELECT * FROM $tbl_name WHERE username='$username' and pwd='$encryptedpwd'";
$result=mysql_query($sql);
$count=mysql_num_rows($result);
if($count==1){
$_SESSION['username'] = $username;
$_SESSION['pwd'] = $encryptedpwd;
header("location:login_success.php");
}
else {
echo "Username e/o password errata.";
}
?>
login_success.php:
<?php
session_start();
if($_SESSION['username']){
header("location:area_utenti.php");
}
?>
<html>
<body>
Login Successful
</body>
</html>
area_utenti.php (member_area.php translated):
<?php
session_start();
if(!isset($_SESSION['username'])) {
header("location:dologin.html");
}
?>
<html>
<head>
<title>Area Utenti</title>
</head>
<body>
<p>Sei loggato, bravoh!</p>
</body>
</html>
dologin.html is simply a page where unregistered/unlogged users are redirected if they try to access the member area.
The problem is that after I log in, I should be redirected to area_utenti.php, but area_utenti.php redirects me to dologin.html. What did I do wrong?
Sorry for bad English.
P.S.: I tried to search for solutions on StackOverflow, and I tried to apply them, but they didn't work.

You forgot to start the session in one of your scripts; maybe that's the issue. It might be worth checking:
<?php
session_start();
$host="hostxyz";
$dbusername="userxyz";
$dbpassword="xyz";
$db_name="dbxyz";
$tbl_name="tblxyz";
//...rest of your code...
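The pattern this thread is circling, written out as an added example that is not code from the question or the answer: start the session on every page, verify the password with a prepared statement and password_verify(), and stop the script after the redirect. The table and column names, the helper function names, and the in-memory SQLite database (which needs the pdo_sqlite extension) are assumptions made so the file runs on its own.

```php
<?php
declare(strict_types=1);
// Added example. Table/column names and the SQLite stand-in are assumptions.

function start_session(): void {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();   // needed on every page that touches $_SESSION
    }
}

function attempt_login(PDO $db, string $username, string $password): bool {
    start_session();
    $stmt = $db->prepare('SELECT id, pwd_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['pwd_hash'])) {
        return false;
    }
    session_regenerate_id(true);        // fresh session ID once authenticated
    $_SESSION['user_id'] = (int) $row['id'];
    $_SESSION['username'] = $username;  // the password or its hash is not stored
    return true;
}

// Call at the top of area_utenti.php before any output.
function require_login(string $loginPage = 'dologin.html'): void {
    start_session();
    if (!isset($_SESSION['user_id'])) {
        header('Location: ' . $loginPage);
        exit;   // without exit the protected markup is still sent
    }
}

// Constructed demo data: in-memory SQLite stands in for the MySQL table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, pwd_hash TEXT)');
$db->prepare('INSERT INTO users (username, pwd_hash) VALUES (?, ?)')
   ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

$results = [
    'wrong password'   => attempt_login($db, 'alice', 'wrong'),
    'injection string' => attempt_login($db, "alice' OR '1'='1", 'x'),
    'valid login'      => attempt_login($db, 'alice', 'correct horse'),
];
var_dump($results);
```

A header('Location: ...') call only sets a response header; the rest of the script keeps running, so a guard that redirects without exit still delivers the member page to a client that ignores the redirect.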

Related

Admin links are shown to all users; only the admin role should see admin links

The first is the panel.php file, the second is the session file, and the third is the login.php file. I want panel.php to show only the admin links if the logged-in user is an administrator, and to show the other links otherwise. I don't know what happened with this code; I tried, but it is showing all links to all users. Kindly find the error, please.
panel.php file
<?php
include('session.php');
?>
<!DOCTYPE html>
<html>
<head>
<title></title>
</head>
<body>
<?php
if($_SESSION['role']=='Administrator')
{
?>
<li>Add Publisher</li>
<?php
}else{
?>
<li>Mailbox</li>
<?php
}
?>
</body>
</html>
session.php file
<?php
$connection = mysql_connect("localhost", "root", "");
$db = mysql_select_db("simple_db", $connection);
session_start();// Starting Session
// Storing Session
$user_check=$_SESSION['login_user'];
$role_check=$_SESSION['role'];
// SQL Query To Fetch Complete Information Of User
$ses_sql=mysql_query("SELECT * FROM simple_db WHERE email_n='$user_check' ", $connection);
$row = mysql_fetch_assoc($ses_sql);
$login_session =$row['email_n'];
if(!isset($login_session)){
mysql_close($connection); // Closing Connection
header('Location: login.php'); // Redirecting To Home Page
}
?>
login.php file
<?php
session_start(); // Starting Session
$error=''; // Variable To Store Error Message
if (isset($_POST['submit'])) {
if (empty($_POST['email_n']) || empty($_POST['email_p'])) {
$error = "Email or Password is invalid";
}
else
{
// Define $username and $password
$email_n = $_POST['email_n'];
$email_p = $_POST['email_p'];
// Establishing Connection with Server by passing server_name, user_id and password as a parameter
$connection = mysql_connect("localhost", "root", "");
// To protect MySQL injection for Security purpose
$email_n = stripslashes($email_n);
$email_p = stripslashes($email_p);
$email_n = mysql_real_escape_string($mail_n);
$email_p = mysql_real_escape_string($email_p);
// Selecting Database
$db = mysql_select_db("simple_db", $connection);
// SQL query to fetch information of registerd users and finds user match.
$query = mysql_query("SELECT * FROM simple_db WHERE email_n='$email_n' AND email_p = '$email_p' ", $connection);
$rows = mysql_num_rows($query);
if ($rows == 1) {
$_SESSION['login_user']=$email_n;
$_SESSION['role']=$row->Role;
// Initializing Session
header("location: panel.php"); // Redirecting To Other Page
} else {
$error = "Email or Password is invalid";
}
mysql_close($connection); // Closing Connection
}
}
?>

Php login page code issue. Login page load message display invalid login

Every time the login page loads, the message "Invalid Login" is displayed. It does not check the if condition and goes directly to the else. I echoed my SQL query and it works perfectly fine, but I do not understand where I am making a mistake. Can you please help me?
my code below,
<?php
#$error = "";
$servername = "localhost";
$username = "";
$password = "";
$dbname = "lg_db";
$tb_name = "lgin";
mysql_connect("$servername", "$username", "$password")or die("Cannot connect");
mysql_select_db("$dbname")or die("Cannot connect to Database");
$username = $_POST['username'];
$pass = $_POST['password'];
$username=stripslashes($username);
$pass=stripslashes($pass);
$username=mysql_real_escape_string($username);
$pass=mysql_real_escape_string($pass);
$sql="SELECT * FROM $tb_name WHERE Name='$username' and Password='$pass'";
$result=mysql_query($sql);
$count1=mysql_num_rows($result);
if($count1 >=1)
{
session_start();
$_SESSION['simple_login'] = $username;
header("Location: index_new.php");
exit();
}else{
$error="Invalid Login";
}
?>
Thank you for your support and help! My problem got resolved. I have added if($_SERVER["REQUEST_METHOD"] == "POST") and before that POST data from html file.

Session variable not set at first try

I am using a session variable to check if the user is logged in. But the first time you submit the login form the session variable is somehow unset, but ONLY the first time.
If I submit the login form twice it works.
Or let's say I have submitted the form twice in order to log in. Then log out. Now I only need to submit the form once to log in.
Here is the code I'm using to log in the user:
<?php
session_start();
define('DB_NAME', 'madsanker_dk_db');
define('DB_USER', 'madsanker_dk');
define('DB_PASSWORD', '');
define('DB_HOST', 'mysql43.unoeuro.com');
$link = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD);
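if (!$link) {
// No connection handle exists here, so the connect error must be used
die('Could not connect: ' . mysqli_connect_error());
}
$db_selected = mysqli_select_db( $link, DB_NAME);
if (!$db_selected) {
// mysqli_error() requires the connection handle
die('Could not connect: ' . mysqli_error($link));
}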
$username = $_POST['username'];
$password = $_POST['password'];
$username = mysqli_real_escape_string($link,$username);
$password = mysqli_real_escape_string($link,$password);
$password = md5($password);
$sql = "SELECT * FROM mainLogin WHERE username = '$username'";
$result = mysqli_query($link, $sql);
$count=mysqli_num_rows($result);
if($count==1){
$row = mysqli_fetch_assoc($result);
if ($password == $row['password']){
$_SESSION['login'] = $username; // SETTING THE VARIABLE HERE
echo "<script> window.location.assign('http://www.madsanker.dk'); </script>";
return true;
}
else {
echo "<script> window.location.assign('http://www.madsanker.dk/loginpage'); </script>";
return false;
}
}else{
echo "<script> window.location.assign('http://www.madsanker.dk/loginpage'); </script>";
return false;
}
mysqli_close($link);
?>
I am sure that the variable is being set the first time, because if I echo the variable and do exit(); right after it has been set, it shows up correctly.
The page I am redirecting to looks like this:
<?php
session_start();
$_SESSION['activePage'] = "home";
?>
<!DOCTYPE html>
<html>
<head>
<title>Madsanker</title>
<link rel="stylesheet" href="main.css" name="pageStyle" type="text/css">
<?php include "nav-bar.php"; ?>
</head>
<body>
<h2>Welcome to Madsanker.dk</h2>
<?php include "chatIframe.php" ?>
</body>
</html>
Even if I put var_dump($_SESSION['login']); exit(); at the top of the document, it says NULL the first time, and the second time it displays the username correctly.
I have been trying to fix this for about an hour now and I really can see why this is not working.
Please check whether you are accessing your site the first time without www., because the second time you are redirecting to www.madsanker.dk, so they are two different domains.
Hope that helps :D
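One way to remove the www / non-www split described in the answer above, as an added example that is not from the thread: redirect every request to a single canonical host before the session starts, so the session cookie is only ever issued for that host. The host name is taken from the redirect URL in the question; the function names and the use of HTTPS are assumptions.

```php
<?php
// Added example (not from the thread). Function names and HTTPS are assumptions.
const CANONICAL_HOST = 'www.madsanker.dk';

// Returns the URL to redirect to, or null when the request already uses the
// canonical host. The target host is a constant, never the Host header.
function canonical_redirect(string $requestHost, string $requestUri): ?string {
    $host = strtolower((string) preg_replace('/:\d+$/', '', $requestHost));
    if ($host === CANONICAL_HOST) {
        return null;
    }
    // Force a single leading slash so the target stays a local path.
    $path = '/' . ltrim($requestUri, '/');
    return 'https://' . CANONICAL_HOST . $path;
}

function start_site_session(): void {
    // No 'domain' key: the cookie stays bound to the canonical host only.
    session_set_cookie_params([
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

if (PHP_SAPI !== 'cli') {
    $target = canonical_redirect($_SERVER['HTTP_HOST'] ?? '', $_SERVER['REQUEST_URI'] ?? '/');
    if ($target !== null) {
        header('Location: ' . $target, true, 301);
        exit;
    }
    start_site_session();
} else {
    // Constructed sample requests for a command-line run.
    var_dump(canonical_redirect('madsanker.dk', '/loginpage'));
    var_dump(canonical_redirect('www.madsanker.dk', '/loginpage'));
}
```

Setting the cookie domain to the parent domain would also make both hosts share the session, but it sends the session cookie to every subdomain; the redirect keeps the cookie scoped to one host.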

session stays to the login page

When I go to the index page directly, it directs me to the login page. And when I enter the email and password and submit that, it stays on the login page.
I think the problem is in the session between the config file and the index page.
Here is the config: (please don't focus on mysql, I still want to use it)
<?php
ob_start();
error_reporting(E_ALL ^ E_NOTICE);
ini_set("display_errors", true);
error_reporting(-1);
ini_set('display_errors', 'On');
mysql_connect("","","") or die("cannot connect");
mysql_select_db("") or die("Gagal");
$myemail= $_POST['myemail'];
$mypassword= $_POST['mypassword'];
$sql= "SELECT * FROM user WHERE myemail='".$myemail."' and mypassword='".$mypassword."'";
$result=mysql_query($sql);
$count=mysql_num_rows($result);
if($count==1)
{
echo "Login successful";
session_register("myemail");
session_register("mypassword");
header("location:index.php");
}
else {
echo "Wrong Username or Password";
}
ob_end_flush();
?>
Then in the index page I have this session in the header:
<?php
session_start();
if(!session_is_registered(myemail)){
header("location:login.html");
}
?>
Please help me to clear this one, I have tried so many ways just to achieve this login function. Thank you.
In the config PHP file, you can do it like this:
if($count==1)
{
echo "Login successful";
$_SESSION['user_loggedin']=$yourEmail; // this will create a session variable
//session_register("myemail");
//session_register("mypassword");
header("location:index.php");
}
and in index.php
<?php
session_start();
$checkUser= $_SESSION['user_loggedin']; //here you can access the logged in user if it is logged in
//check the user
if(strlen($checkUser)){
// user is logged in and access other details for current user
}else{
// user is not logged in
}
?>
login process file
<?php
session_start();
ob_start();
mysql_connect("localhost","root","") or die("cannot connect");
mysql_select_db("yourdatabase") or die("Gagal");
$myemail = $_POST['myemail'];
$mypassword = $_POST['mypassword'];
// Use the variables actually read from $_POST above
$sql = mysql_query("SELECT * FROM user WHERE email = '{$myemail}' AND password = '{$mypassword}'");
$count = mysql_num_rows($sql);
if ( $count == 1 ) {
$_SESSION['email'] = $myemail;
$_SESSION['password'] = $mypassword;
header("location: index.php");
} else {
echo "Wrong Username or Password";
}
ob_end_flush();
?>
your index file
<?php
session_start();
echo $_SESSION['email']; // try this first, if you make it right from the login page then it will give a value
// if ( $_SESSION['email'] == null && $_SESSION['password'] == null ) {
// header("location:login.html");
// }
?>

PHP Session value changing from page to page

I made a custom login script, and it works just fine. However, after it redirects to the homepage, the $_SESSION['username'] value is changed to 'root', no matter what value it had beforehand. 'root' is the username for my database login.
I have to type all of this in by hand, so it might have an obvious error or two-
main_login.php (php include_once on sidebar.php which is included on every page)
<?php
if(!isset ($_SESSION["username"])){
?>
<!-- Simple login form action="checklogin.php" method="post"-->
<?php
}else{
?>
<!-- Table to display welcome user, and logout link -->
checklogin.php:
session_start();
$db_name = "database";
$tbl_name = "users";
mysql_connect("localhost","root","password") or die("Cannot connect to SQL server");
mysql_select_db("$db_name")or die("Cannot select database.");
$username = $_POST['username'];
$password = $_POST['password'];
$username = stripslashes($username);
$password = stripslashes($password);
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);
$password = md5($password);
$sql = "SELECT * FROM $tbl_name WHERE username = '$username' and password = '$password'";
$result = mysql_query($sql);
$count = mysql_num_rows($result);
if($count == 1){
$_SESSION["username"] = $username;
$_SESSION["password"] = $password;
header("location:login_success.php");
}
else{
echo "<script type='text/javascript'>\n";
echo "setTimeout('redirect();',2000);\n";
echo "function redirect(){\n";
echo "window.location = 'index.php';\n";
echo "}\n";
echo "</script>\n";
echo "Wrong Username or Password";
login_success.php:
<?php
session_start();
if(!isset($_SESSION['username'])){
header("location:index.php");
}else{
session_regenerate_id();
}
// Apply permissions - problem existed before all of this code
mysql_connect("localhost","root","password") or die("Cannot connect to database.");
mysql_select_db("database") or die("Cannot select database.");
$username = $_SESSION['username'];
$query = "SELECT * FROM users WHERE username = '$username'";
$result = mysql_num_rows($result);
mysql_close();
$_SESSION['username'] = mysql_result($result,0,'username');
$_SESSION['permissions'] = mysql_result($result,0,'permissions');
?>
<html>
<head>
<script type="text/javascript">
setTimeout("redirect();",4000);
function redirect(){
window.location = "index.php";
}
</script>
</head>
<body>
Login Successful.
<?php echo "Welcome ".$_SESSION["username"].".";
var_dump($_SESSION); // var_dump reveals that $_SESSION['username'] is still the login name.
?>
</body>
</html>
Once it goes through that whole process, everything is good. However, when it redirects to index.php, $_SESSION['username'] is now 'root'.
I'm asking to see if anyone has any idea why that might be happening (So I can understand the problem and prevent it in the future), and a fix to implement.
Thanks everyone.
The answer is very simple:
There is some code in your application which changes $_SESSION['username'] value to 'root'.
You have to investigate your code and find that place. Not a big deal.
this part seems weird:
$query = "SELECT * FROM users WHERE username = '$username'";
$result = mysql_num_rows($result);
mysql_close();
$_SESSION['username'] = mysql_result($result,0,'username');
$_SESSION['permissions'] = mysql_result($result,0,'permissions');
try this:
$query = "SELECT * FROM users WHERE username = '$username'";
$result = mysql_query($query);
$_SESSION['username'] = mysql_result($result,0,'username');
$_SESSION['permissions'] = mysql_result($result,0,'permissions');
mysql_close();
Why are you setting the $_SESSION['username'] variable again on login_success.php? You're setting the variables on check_login.php, correct?
Here is what I would do:
On login_success.php, print out your session variables to see what's going on. I can almost guarantee something is happening with your SQL query. Set a condition to make sure you're actually getting results.
print_r($_SESSION);
if(!$_SESSION['username']) die('no session user name');
$query = "SELECT * FROM users WHERE username = '$username'";
$result = mysql_query($query);
if(mysql_num_rows($result) == 1){
$_SESSION['username'] = mysql_result($result,0,'username'); //why do you need this?
$_SESSION['permissions'] = mysql_result($result,0,'permissions');
mysql_close();
}
else die('no user found');
Also on your checklogin page change the if statement to look for an actual variable in $_SESSION['username'] not just if it is set, I try to stay away from isset().
For the love of god, don't store plain text passwords; it doesn't cost anything to implement a secure password hashing scheme. It's super easy to leverage PHP's crypt() function; also check this out for an open source secure method: http://www.openwall.com/phpass/
Well,
Your comment sense is probably right, you are setting it to root without realizing it. I just realized, after 2 hours of troubleshooting, that's what I was doing!
No matter what I tried, $_SESSION['username'] was changing from a real username to 'root'.
I finally realized that $_SESSION['username'] was NOT actually changing anywhere, but $username was. Here is why:
<?php
if(!empty($_SESSION['username'])){
$username = $_SESSION['username'];
require_once '../includes/connect_to_db.php';
echo $_SESSION['username']. ' is correct but '. $username. 'is not.';
}
?>
Finally we see in the required file connect_to_db.php:
<?php
$host="localhost"; // Host name
$username="root"; // mysql username
$password=""; // mysql password
$db_name="BH_web_DB"; // Database name
// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect: ". mysql_error());
mysql_select_db("$db_name")or die("cannot select DB");
?>
Simple fix:
$db_username="root"; // mysql username
So I was in fact setting it to root =) hope this helps another.
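The collision described in this answer, reproduced as an added example that is not the poster's code. It goes one step beyond the rename: loading the credentials file inside a function gives its variables a local scope, so they cannot overwrite the caller's $username. The temporary include file is constructed here to mirror connect_to_db.php, and the function name load_db_config is hypothetical.

```php
<?php
// Added example. The include file is constructed to mirror connect_to_db.php.
$inc = tempnam(sys_get_temp_dir(), 'inc');
file_put_contents(
    $inc,
    '<?php $host = "localhost"; $username = "root"; $password = ""; '
    . 'return compact("host", "username", "password");'
);

// A file included inside a function runs in that function's scope,
// so its $username is a local variable of load_db_config().
function load_db_config(string $file): array {
    return require $file;
}

$username = 'alice';          // stands in for the value read from $_SESSION['username']

$cfg = load_db_config($inc);  // scoped include
$afterScoped = $username;     // caller's variable is untouched

require $inc;                 // global-scope include, as in the thread
$afterGlobal = $username;     // caller's variable has been overwritten

unlink($inc);
var_dump($afterScoped, $afterGlobal, $cfg['username']);
```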
I was having the same issue, turns out I didn't session start on the page where it displays 'root'.
if (!session_id()) session_start();
This helped!
