if(!$_SESSION['username']) {
$ip = $db->real_escape_string(VisitorIP());
$username = $db->real_escape_string($_POST['username']);
$password = $db->real_escape_string($_POST['password']);
$salt = "****";
$password = md5($password . $salt);
$result = $db->query("SELECT * FROM TABLE WHERE username='$username' and password='$password'");
$count = mysqli_num_rows($result);
if ($count == 1){
$bannedq = $db->query("SELECT banned FROM TABLE WHERE username='$username' AND password='$password'");
$banned = $bannedq->fetch_row();
if($banned[0] == "1") {
$failedLogin="1";
$message = 'You are banned and you cannot login';
} else {
$ip = $db->real_escape_string(VisitorIP());
$db->query("UPDATE h_users SET lastlogin=now(), lastip = '$ip' WHERE username='$username'");
header("Location: home");
session_start();
$_SESSION['username'] = $username;
$_SESSION['password'] = $password;
$failedLogin = "1";
$message = 'Username or Password WRONG!';
}
}
} else {
header("location: home");
}
Hello programmers,
I am trying to setup a login system in my website. Until now it was working fine but when the session is set and the user gets redirected to the homepage now if he goes to the login screen and the session is set i want him to redirect to the homepage and not see the login screen again.
But my after i added this part :
if(!$_SESSION['username']) {
it does not work
You have to take your session start and put it there before you use it, so write this before your if statement:
session_start();
if(!$_SESSION['username']) {
//...
And delete this one here:
/...
session_start();
$_SESSION['username'] = $username;
$_SESSION['password'] = $password;
/...
(Also i would add a die(); or exit(); after each header, it makes sure nothing gets executed after the header)
Okay guys thanks for your help <3 <3
I changed my code to this and everything went fine
session_start();
if(!isset($_SESSION['username'])) {
if(isset($_POST['username']) && isset($_POST['password'])) {
$ip = $db->real_escape_string(VisitorIP());
$username = $db->real_escape_string($_POST['username']);
$password = $db->real_escape_string($_POST['password']);
$salt = "ho073";
$password = md5($password . $salt);
$result = $db->query("SELECT * FROM TABLE WHERE username='$username' and password='$password'");
$count = mysqli_num_rows($result);
if ($count == 1){
$bannedq = $db->query("SELECT banned FROM TABLE WHERE username='$username' AND password='$password'");
$banned = $bannedq->fetch_row();
if($banned[0] == "1") {
$failedLogin="1";
$message = 'You are banned and you cannot login';
} else {
$ip = $db->real_escape_string(VisitorIP());
$db->query("UPDATE TABLE SET lastlogin=now(), lastip = '$ip' WHERE username='$username'");
header("Location: home");
$_SESSION['username'] = $username;
$failedLogin = "1";
$message = 'Username or Password WRONG!';
}
}
}
include'templates/login.html';
} else {
header("location: home");
die();
}
Much love for you <3
Related
I recently started learning PHP. I've been working on a basic login page. Everything works great locally, but when it's uploaded to ipage, it just reloads the login page. If I enter incorrect login info, it tells me that I entered something wrong.
Here's my code...
login.php:
<?php
ob_start();
session_start();
require 'connect.inc.php';
if (isset($_POST['submit'])) {
$uid = $_POST['uid'];
$pwd = $_POST['pwd'];
$uid = strip_tags($uid);
$pwd = strip_tags($pwd);
$uid = stripcslashes($uid);
$pwd = stripcslashes($pwd);
$uid = mysqli_real_escape_string($db, $uid);
$pwd = mysqli_real_escape_string($db, $pwd);
$sql = "SELECT * FROM users WHERE uid='$uid' LIMIT 1";
$query = mysqli_query($db, $sql);
$row = mysqli_fetch_array($query);
$id = $row['id'];
$db_password = $row['pwd'];
$pwd = password_verify($pwd, $row['pwd']);
if ($pwd == $db_password) {
//$_SESSION['username'] = $uid;
$_SESSION['id'] = $id;
header("Location: http://website.com/dashboard.php");
exit;
}else {
echo 'You didn\'t enter the correct information';
}
}
?>
dashboard.php:
<?php
ob_start();
session_start();
require 'connect.inc.php';
if (!isset($_SESSION['id'])) {
header("Location: http://website.com/login.php");
exit();
}
?>
any help would be appreciated very much...
I think the problem of your code lies in here
if ($pwd == $db_password) {
//$_SESSION['username'] = $uid;
$_SESSION['id'] = $id;
header("Location: http://website.com/dashboard.php");
exit;
}else {
echo 'You didn\'t enter the correct information';
}
password_verify() returns TRUE or FALSE and you are trying to check if it is equal to $db_password. As fas as I know this will not be true so even though the password you are typing in is correct, the page won't go anywhere because the if statement is not working properly.
So in your case, this is how I think you should have your code
<?php
ob_start();
session_start();
require 'connect.inc.php';
if (isset($_POST['submit'])) {
$uid = $_POST['uid'];
$pwd = $_POST['pwd'];
$uid = strip_tags($uid);
//$pwd = strip_tags($pwd);
$uid = stripcslashes($uid);
//$pwd = stripcslashes($pwd);
$uid = mysqli_real_escape_string($db, $uid);
//$pwd = mysqli_real_escape_string($db, $pwd);
$sql = "SELECT * FROM users WHERE uid='$uid' LIMIT 1";
$query = mysqli_query($db, $sql);
$row = mysqli_fetch_array($query);
$id = $row['id'];
$db_password = $row['pwd'];
$pwd = password_verify($pwd, $db_password);
if ( $pwd === TRUE ) {
//$_SESSION['username'] = $uid;
$_SESSION['id'] = $id;
header("Location: http://website.com/dashboard.php");
exit;
}else {
echo 'You didn\'t enter the correct information';
}
}
session_start();
if(isset($_POST['submit'])) {
$uname = $_POST['uname'];
$pw = $_POST['pw'];
require_once('db.php');
$sql = 'SELECT * FROM users_table
WHERE username="'.mysql_escape_string($uname).'" AND password="'.mysql_escape_string(md5($pw)).'"
LIMIT 0, 1
';
$qry = mysql_query($sql);
$count = mysql_num_rows($qry);
if($count > 0) {
$_SESSION['username'] = $uname;
$_SESSION['password'] = $pw;
header('Location: products_list.php');
} else {
header('Location: index.php?error=1');
}
}
use setcookie() function to set the cookie and then retrieve it when user acess the login restricted pages
setcookie description
I have done it using the Cookie, it runs amazingly perfect...
Only thing you need to do is just add encoding in cookies for security...
session_start();
if($_SERVER['REQUEST_METHOD']=='POST' && !empty($_POST['submit'])) {
$uname = $_POST['uname'];
$pw = $_POST['pw'];
require_once('db.php');
//Checking whether the cookies are set or not
if(!empty($_COOKIES['Last_Login_UserID']) && !empty($_COOKIES['Last_Login_Password'])){
if($_COOKIES['Last_Login_UserID']==$uname && $_COOKIES['Last_Login_Password']==$pw){
//Cookies are perfect give access
$_SESSION['username'] = $uname;
$_SESSION['password'] = $pw;
header('Location: products_list.php');
}else{
//Cookies cookies are wrong
login_check($uname,$pw);
}
}else{
//Cookies are not set so check the database
login_check($uname,$pw);
}
//Function to check the login
function login_check($uname,$pw){
$sql = 'SELECT * FROM users_table WHERE username="'.mysql_escape_string($uname).'" AND password="'.mysql_escape_string(md5($pw)).'" LIMIT 0, 1 ;';
$qry = mysql_query($sql);
$count = mysql_num_rows($qry);
if($count == 1) {
$_SESSION['username'] = $uname;
$_SESSION['password'] = $pw;
if(!empty($_POST['remember_me']) && $_POST['remember_me']==true){
setcookie('Last_Login_UserID',$_SESSION['username'],(60*60*24),"/");
setcookie('Last_Login_Password',$_SESSION['password'],(60*60*24),"/");
}
header('Location: products_list.php');
} else {
header('Location: index.php?error=1');
}
}}
I'm trying to make an admin account for my website using php. I'm using the following code and I get "500 internal Server Error" I have no idea what i'm doing wrong.
I have the following php script in my index.php file for admin.
<?php
session_start();
if(!isset($_SESSION["manager"])){
header("Location: admin_login.php");
exit();
}
$id = preg_replace('#[^0-9]#i', '', $_SESSION["id"]);
$manager = preg_replace('#[^0-9]#i', '', $_SESSION["manager"]);
$password = preg_replace('#[^A-Za-z0-9]#i', '', $_SESSION["password"]);
include "../scripts/db_connect.php";
$sql_str = mysql_query("SELECT * FROM admins WHERE userName = '$userName' AND password = '$password' LIMIT 1");
$exist_Count = mysql_num_rows('$sql_str');
if($exist_Count == 0){
header('location: ../index.php');
exit();
}
?>
and the following code is for admin_login.php file where I ask the user to sign in
<?php
if(isset($_POST["userName"]) && isset($_POST["password"])){
$manager = $_POST["userName"];
$password = $_POST["password"];
include "../scripts/db_connect.php";
$results = mysql_query("SELECT id FROM admins WHERE userName = '$manager' AND password ='$password' LIMIT 1");
$existCount = mysql_num_rows($results);
if($existCount == 1){
while($row = mysql_fetch_array($results)){
$id = $row["id"];
}
$_SESSION["id"] = $id;
$_SESSION["manager"] = $manager;
$_SESSION["password"] = $password;
header("Location: index.php");
exit();
}
else{
echo 'Invalid Information';
exit();
}
}
?>
You forgot to add session_start() on your admin_login.php
<?php
session_start(); //<---------- Here
if(isset($_POST["userName"]) && isset($_POST["password"])){
$manager = $_POST["userName"];
$password = $_POST["password"];
include "../scripts/db_connect.php";
$results = ......
//.... rest of your code............
so I have my site which i am coding, in my login.php, this is the source:
<?php
include "out_config.php";
session_start();
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
if(!$username) {
header("Location: ../index?errormsg=nousername");
}
if(!$password) {
header("Location: ../index?errormsg=nopassword");
}
$sql = "SELECT * FROM users WHERE username='$username' and password='$password'";
if($rankcheck == "Administrator" || $rankcheck == "Client") {
$check = 1;
}
else {
$check = 0;
}
if($_SERVER['REQUEST_METHOD'] == 'POST') {
$result = mysql_query($sql);
$count = mysql_num_rows($result);
if($count==1 && $check == 1) {
$_SESSION['username'] = $username;
header("Location: ../home");
}
else {
header("location: ../index?errormsg=invalidlogin");
}
}
?>
1st: I know MySQL is depreciated but I want to use MySQL because my Host Supports MySQL more than MySQLi/PDO.
2nd: You can see my $rankcheck won't work. My rank check lines are included in out_config.php, the source for it is:
<?php
<Removed Details>
$connect = mysql_connect($host, $username, $password);
$selectdb = mysql_select_db($db);
$IP = getenv('REMOTE_ADDR');
$sql2 = mysql_query("SELECT `rank` FROM `users` where username='$user'");
if(isset($_SESSION['username'])) {
$user = $_SESSION['username'];
$rankcheck = mysql_result($sql2,0);
}
?>
So you can see, it looks all fine. :P
Now, the problem is that I am trying to allow access to this area only to people who are ranked 'Administrator' and 'Client' so it won't work. My Database structure is:
http://i.stack.imgur.com/AAzr9.png
It does not grant access to User and Awaiting usergroup members. But it does not even let Administrator's and Clients. ( I am sure there is no Password Encryption yet ).
If you could help me, it would be really helpful!
in the moment you are including your "out_config.php" $username and $password is not set
change to this:
<?php
session_start();
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
include "out_config.php";
if(!$username) {
header("Location: ../index?errormsg=nousername");
}
if(!$password) {
header("Location: ../index?errormsg=nopassword");
}
$sql = "SELECT * FROM users WHERE username='$username' and password='$password'";
if($rankcheck == "Administrator" || $rankcheck == "Client") {
$check = 1;
}
else {
$check = 0;
}
if($_SERVER['REQUEST_METHOD'] == 'POST') {
$result = mysql_query($sql);
$count = mysql_num_rows($result);
if($count==1 && $check == 1) {
$_SESSION['username'] = $username;
header("Location: ../home");
}
else {
header("location: ../index?errormsg=invalidlogin");
}
}
?>
When a user logs into my website login.php checks if they have the correct username password or if they are an administrator:
session_start ();
$username = '';
$password = '';
$dbusername = '';
$dbpassword = '';
if (isset($_POST['Email']) && isset($_POST['Password']))
{
$username = $_POST['Email'];
$password = md5($_POST['Password']);
$query = mysql_query("SELECT * FROM member WHERE Email ='$username' AND Password='$password'");
$numrow = mysql_num_rows ($query);
// user login
if ($numrow!=0)
{
while ($row = mysql_fetch_assoc($query))
{
$dbusername = $row['Email'];
$dbpassword = $row['Password'];
}
//Check to see if they match
if ($username==$dbusername&&$password==$dbpassword)
{
header("Location: member.php");
$_SESSION ['Email']=$username;
}
}
else
{
// admin login
$query2 = mysql_query("SELECT * FROM admin WHERE Email ='$username' AND Password ='$password'");
$numrow2 = mysql_num_rows ($query2);
if ($numrow2!=0)
{
while ($row = mysql_fetch_assoc($query2))
{
$dbusername = $row['Email'];
$dbpassword = $row['Password'];
}
//Check to see if they match
if ($username==$dbusername&&$password==$dbpassword)
{
header("Location: admin.php");
$_SESSION ['Email']=$username;
}
else{
echo "Incorrect password";
}
}
else{
if ($username!=$dbusername&&$password!=$dbpassword)
{die("That user does not exist!");
}
}
}
}
They are redirected to member.php (relevant code below)
session_start ();
If (logged_in() === true)//Email
echo "Welcome, ".$_SESSION['Email']. "!<br><ahref='logout.php'>Logout</a>";
else
die ("You must be logged in");
This all works fine, the user is logged in and their username displays on the top of the page, but if the user goes back to the homepage or any other page on the website they are no longer logged in. Totally confused on how to do this, any help would be great.
You need to set the Session-variables before you redirect the user