i have a login system to backoffice, but user verification don't work.
My code to login is:
$userName = isset($_POST["user-name"]) ? $_POST["user-name"]: '';
$userPass = isset($_POST["user-pass"]) ? $_POST["user-pass"]: '';
if ($userName != '0' && $userPass != '0'){
$criptSen = hash("whirlpool", $userPass);
$rediURL = isset($_GET["url"]) ? $_GET["url"]: '';
$SQL = "SELECT Usuario, Senha, Rank FROM utilizadores WHERE Usuario='$userName' AND Senha='$criptSen' limit 1";
$query = mysql_query($SQL);
if (mysql_num_rows($query)>0)
{
$row = mysql_fetch_array($query);
$_SESSION['Usuario'] = $row['Usuario'];
$_SESSION['Rank'] = $row['Rank'];
mysql_free_result($query);
if($row['Rank'] == 0){
header("Location: membro.php");
} else {
if($row['Rank'] == 1) {
header("Location: admin/index1.php");
}
}
} else {
if (isset($query)){
mysql_free_result($query);
}
header('location: index.php');
}
} else {
header('location: index.php');
}
?>
My code to verify session is true is:
When i login he doens't work fine, i think this code is wrong and i need your help to build it correctly.
<?php
#$Usuario = $_SESSION["Usuario"];
#$Rank = $_SESSION['Rank']
if(!(isset($Usuario) && isset($Senha))){
$url = explode("/", $_SERVER["REQUEST_URI"]);
header("Location: index1.php?url=$url[3]");
} else if(isset($Usuario) && isset($Senha)){
$SQL = mysql_query("SELECT Usuario, Senha FROM utilizadores WHERE Usuario='$Usuario' AND Senha='$Senha' AND Rank=1");
if(mysql_num_rows($SQL) == 0){
echo "<script>alert(\"Area Restrita\");</scrpit>";
header("Location: ../index.php");
}
}
?>
Related
So I have this piece of code that I just followed some guide to create,
<?php
session_start();
if (isset($_POST['submit'])) {
include 'db.conf.php';
$uid = mysqli_real_escape_string($conn, $_POST['uid']);
$pwd = mysqli_real_escape_string($conn, $_POST['pwd']);
$_SESSION['uid'] = $uid;
//Error handleri
//Check jesu inputi empty
if (empty($uid) || empty($pwd))
{
header("Location: ../index.php?login=empty");
exit();
}
else
{
$sql = "SELECT * FROM users WHERE user_uid = '$uid' OR user_email = '$uid'";
$result = mysqli_query($conn, $sql);
$resultCheck = mysqli_num_rows($result);
if ($resultCheck < 1)
{
header("Location: ../index.php?login=usernamenepostoji");
exit();
}
else
{
if ($row = mysqli_fetch_assoc($result)) {
//Dehashiranje
$hashedPwdCheck = password_verify($pwd, $row['user_pwd']);
if ($hashedPwdCheck == false) {
header("Location: ../index.php?login=invalidpass");
exit();
}
elseif ($hashedPwdCheck == true)
{
//Logiranje
$_SESSION['u_id'] = $row['user_id'];
$_SESSION['u_first'] = $row['user_first'];
$_SESSION['u_last'] = $row['user_last'];
$_SESSION['u_email'] = $row['user_email'];
$_SESSION['u_uid'] = $row['user_uid'];
header("Location: ../index.php?login=success");
exit();
}
}
}
}
}
else
{
header("Location: ../index.php?login=error");
exit();
}
?>
It's just simple error handling and logging in that works. I understand it and wanted to recreate it with a bit more oop.
<?php
session_start();
include 'db.conf.php';
class Login
{
public $username;
public $password;
function __construct()
{
$this->username = $_POST['uid'];
$this->password = $_POST['pwd'];
$this->checkinputs();
}
function checkinputs()
{
if (empty($this->username) || empty($this->password))
{
header("Location: ../index.php?login=empty");
exit();
}
else
{
$username = $this->username;
$sql = "SELECT * FROM users WHERE user_uid =".$username;
$result = mysqli_query($conn, $sql);
$resultCheck = mysqli_num_rows($result);
if ($resultCheck < 1)
{
header("Location: ../index.php?login=usernamenepostoji");
exit();
}
else
{
if ($row = mysqli_fetch_assoc($result)) {
//Dehashiranje
$hashedPwdCheck = password_verify($pwd, $row['user_pwd']);
if ($hashedPwdCheck == false) {
header("Location: ../index.php?login=invalidpass");
exit();
}
elseif ($hashedPwdCheck == true)
{
//Logiranje
$_SESSION['u_id'] = $row['user_id'];
$_SESSION['u_first'] = $row['user_first'];
$_SESSION['u_last'] = $row['user_last'];
$_SESSION['u_email'] = $row['user_email'];
$_SESSION['u_uid'] = $row['user_uid'];
header("Location: ../index.php?login=success");
exit();
}
}
}
}
}
}
?>
This is what I got, it's literally the same code just using functions and other things to 'seperate' it into chunks. It doesn't work. I keep getting stuck on the if $resultCheck < 1 header which means that the username doesn't exist. Though I'm sure it does since nothing changed in the db. So it lead me to thinking its the $conn, it just doesn't connect to the database. I've dumped the $username variable in a file to check if it works, it does. I just have no idea how to proceed.
$conn doesn't exist in method checkinputs().
Either make it global:
function checkinputs()
{
global $conn;
...
}
which I would not recommend (because using globals is disencouraged).
or pass it into Login::_construct() and set it to $this->conn (then use it as $this->conn: $result = mysqli_query($this->conn, $sql);):
function __construct($conn)
{
$this->conn = $conn; // maybe also check if you have a valid connection!
$this->username = $_POST['uid'];
$this->password = $_POST['pwd'];
$this->checkinputs();
}
function checkinputs()
{
// no global now!
....
$result = mysqli_query($this->conn, $sql);
....
}
BUT: please switch to prepared stements. This code is vulnerable to sql injection!
related: Reference: What is variable scope, which variables are accessible from where and what are "undefined variable" errors?
I'm just a beginner in PHP. I'm making a website, and it needs to store the time for login and logout of every user. I found this code for it but it's in ASP.
I tried to make it into PHP but I'm unknowledgeable what will I put in the INSERT INTO of sessionid and logintime.
Table name: userlogtime
logid, userid, sessionid, logintime, logouttime, offline
Here's my code:
<?php
if(isset($_POST['submit'])) {
include 'dbheader.php';
$username = mysqli_real_escape_string($conn, $_POST['uname']);
$password = mysqli_real_escape_string($conn, $_POST['pwd']);
//Error handlers
//Check if inputs are empty
if(empty($username) || empty($password)) {
echo '<script type="text/javascript">alert("Please fill out the following");
window.history.back();
</script>';
exit();
} else {
$sql = "SELECT * FROM users WHERE username = '$username'";
$result = mysqli_query($conn, $sql);
$resultCheck = mysqli_num_rows($result);
if($resultCheck < 1) {
echo '<script type="text/javascript">alert("Login error");
window.history.back();
</script>';
//set the user id value from the Members table in a session variable
$_SESSION('member') = $row($userid);
$sql ="UPDATE userlogtime SET offline=True WHERE offline=False AND userid="$_SESSION('member')"";
$sql = "INSERT INTO userlogtime (userid, sessionid, logintime) VALUES ('$_SESSION('member'), );";
exit();
} else {
if ($row = mysqli_fetch_assoc($result)) {
//De-hashing the password
$hashedPwdCheck = password_verify($password, $row['password']);
if ($hashedPwdCheck == false) {
echo '<script type="text/javascript">alert("Login error");
window.history.back();
</script>';
exit();
} elseif($hashedPwdCheck == true) {
$_SESSION['username'] = $row['username'];
$_SESSION['firstname'] = $row['firstname'];
$_SESSION['role'] = $row['Role'];
$_SESSION['image'] = $row['image'];
if($_SESSION['role'] == "User"){
header("Location: user.php");
exit();
}
}
}
}
}
} else {
header("Location: user.php?login=error");
exit();
}
$sql = "INSERT INTO userlogtime (userid, sessionid, logintime) VALUES ('$_SESSION('member'), ".session_id().",now());";
How can I redirect two users according to their roles? I have database user type 1 and type 0. My log-in code is like this. Type 1 is suppose to be an admin and type 0 is a regular user.
<?php
session_start();
if(isset($_POST['submit'])){
include 'dbh.inc.php';
$uid = mysqli_real_escape_string($conn, $_POST['uid']);
$pwd = mysqli_real_escape_string($conn, $_POST['pwd']);
if (empty($uid) || empty($pwd)){
header("Location: ../index.php?login=empty");
exit();
} else {
$sql = "SELECT * FROM users WHERE user_uid='$uid'";
$result = mysqli_query($conn, $sql);
$resultCheck = mysqli_num_rows($result);
if ($resultCheck < 1) {
header("Location: ../index.php?login=error");
exit();
} else {
if ($row = mysqli_fetch_assoc($result)){
$hashedPwdCheck = password_verify($pwd, $row['user_pwd']);
if($hashedPwdCheck == false){
header("Location: ../index.php?login=error");
exit();
} elseif ($hashedPwdCheck == true) {
$_SESSION['u_id'] = $row['user_id'];
$_SESSION['u_first'] = $row['user_first'];
$_SESSION['u_last'] = $row['user_last'];
$_SESSION['u_uid'] = $row['user_uid'];
header("Location: ../main.php?login=success");
exit();
}
}
}
}
} else {
header("Location: ../index.php?login=error");
exit();
}
you can do this easily by if()..else... but at all don't use directly header to redirect, I suggest you use this function to redirect:
function redirect($url){
if (headers_sent()){
die('<script type="text/javascript">window.location.href=\'' . $url . '\';</script>');
}else{
header('Location: ' . $url);
die();
}
}
this is what you need to do:
if($type == 1)
redirect($admin_url);
else
redirect($user_url);
Changed my code to the following thanks to the tips. But I'm still not redirected to the user.php. Added the variable $rowcount and give it a value. If the query has a value of a user it have to be redirected to the user.php page.
<?php
include("inc/header.php");
?>
<?php
if(isset($_POST["submit"])) {
$username = trim($_POST["username"]);
$password = trim($_POST["password"]);
if($username == "" && $password == "") {
echo "Please fill in all the details";
exit;
}
if($username == "admin" &$password == "test") {
$_SESSION["admin"] = true;
header("location: admin-panel.php");
}
$rowcount = 0;
$password_secure = md5($password);
if($username != "" && $password != "") {
$sql = "SELECT * FROM user WHERE username = '".mysqli_escape_string($connection, $username)."'
AND password = '".mysqli_escape_string($connection, $password_secure)."'";
$query = mysqli_query($connection, $sql);
$rowcount = mysqli_num_rows($query);
} else {
echo "Username of password was not right, please try again.";
}
if($rowcount != 0) {
$row = mysql_fetch_array($connection, $query);
$_SESSION["username"] = $row["username"];
$_SESSION["login"] = true;
header("location: user.php");
exit;
}
}
?>
<?php
include("inc/footer.php");
?>
// if logged in, redirect towards user account
if($logged_in) {
header("Location: useraccount.php");
exit(0);
}
Change $logged_in with your php stracture
Your $rowcount must to be declared at outside of the "if":
$rowcount=0;
if($username != "" && $password != "") {
$sql = "SELECT * FROM user WHERE username = '".$username."'
AND password = '".$password_secure."'";
$query = mysqli_query($connection, $sql);
$rowcount = mysqli_num_rows($query);
}
Add session_start() at the top of your page. Also change the following code.
session_start();
..
..
if($rowcount == 1)
{
while($row = mysqli_fetch_array($query))
{
$_SESSION["username"] = $row["username"];
$_SESSION["login"] = true;
}
header("location: user.php");
}
In user.php, first check whether user is logged in or not. For that write a simple function -
function is_loggedin()
{
if(isset($_SESSION['username']) && isset($_SESSION['login']))
return TRUE;
else
return FALSE;
}
If return FALSE, redirect back to Login page.
I have this code and I have tried everything i can think of to get it to work on my WAMP local server any help would be greatly appreciated. I am PHP stupid. This works on a live server but not my WAMP server. I do get logged in just the pages do not seem to be passing the session variable to the proper user level. That's what's not working sorry for the poor description the first time.
if(!empty($_SESSION['LoggedIn']) && !empty($_SESSION['login']))
{
if ($level == "Administrator") {
echo 'My Content';
}
elseif ($level == "Bank Officer") {
echo "";
}
elseif ($level == "Agent") {
echo "";
}
elseif(!empty($_POST['login']) && !empty($_POST['password']))
{
$login = mysql_real_escape_string($_POST['login']);
$password = $_POST['password'];
$checklevel = mysql_query("SELECT * FROM users WHERE login = '".$login."' AND password = '".$password."' ");
if(mysql_num_rows($checklevel) == 1)
{
$row = mysql_fetch_array($checklevel);
$level = $row['level'];
$_SESSION['level'] = $level;
}
$checklogin = mysql_query("SELECT * FROM users WHERE login = '".$login."' AND password = '".$password."' AND level='".$level."'");
if(mysql_num_rows($checklogin) == 1)
{
$row = mysql_fetch_array($checklogin);
$firstname = $row['firstname'];
$login = $row['login'];
$agent = $row['agent'];
$_SESSION['agent'] = $agent;
$_SESSION['firstname'] = $firstname;
$_SESSION['login'] = $login;
$_SESSION['LoggedIn'] = 1;
Thanks you for any help at all.
if ($_SESSION['level'] == "Bank Officer")
{
header('Location: index3.php');
exit;
}
elseif ($_SESSION['level'] == "Agent")
{
header('Location: index4.php');
exit;
}
elseif ($_SESSION['level'] == "Bank Manager")
{
header('Location: index5.php');
exit;
}
else
{
echo "Contact Administrator";
exit;
}