I'm trying to make an admin account for my website using PHP. I'm using the following code and I get "500 internal Server Error". I have no idea what I'm doing wrong.
I have the following PHP script in my index.php file for admin.
<?php
session_start();
if(!isset($_SESSION["manager"])){
header("Location: admin_login.php");
exit();
}
$id = preg_replace('#[^0-9]#i', '', $_SESSION["id"]);
$manager = preg_replace('#[^0-9]#i', '', $_SESSION["manager"]);
$password = preg_replace('#[^A-Za-z0-9]#i', '', $_SESSION["password"]);
include "../scripts/db_connect.php";
$sql_str = mysql_query("SELECT * FROM admins WHERE userName = '$userName' AND password = '$password' LIMIT 1");
$exist_Count = mysql_num_rows('$sql_str');
if($exist_Count == 0){
header('location: ../index.php');
exit();
}
?>
And the following code is for the admin_login.php file, where I ask the user to sign in:
<?php
if(isset($_POST["userName"]) && isset($_POST["password"])){
$manager = $_POST["userName"];
$password = $_POST["password"];
include "../scripts/db_connect.php";
$results = mysql_query("SELECT id FROM admins WHERE userName = '$manager' AND password ='$password' LIMIT 1");
$existCount = mysql_num_rows($results);
if($existCount == 1){
while($row = mysql_fetch_array($results)){
$id = $row["id"];
}
$_SESSION["id"] = $id;
$_SESSION["manager"] = $manager;
$_SESSION["password"] = $password;
header("Location: index.php");
exit();
}
else{
echo 'Invalid Information';
exit();
}
}
?>
You forgot to add session_start() to your admin_login.php:
<?php
session_start(); //<---------- Here
if(isset($_POST["userName"]) && isset($_POST["password"])){
$manager = $_POST["userName"];
$password = $_POST["password"];
include "../scripts/db_connect.php";
$results = ......
//.... rest of your code............
I recently started learning PHP. I've been working on a basic login page. Everything works great locally, but when it's uploaded to ipage, it just reloads the login page. If I enter incorrect login info, it tells me that I entered something wrong.
Here's my code...
login.php:
<?php
ob_start();
session_start();
require 'connect.inc.php';
if (isset($_POST['submit'])) {
$uid = $_POST['uid'];
$pwd = $_POST['pwd'];
$uid = strip_tags($uid);
$pwd = strip_tags($pwd);
$uid = stripcslashes($uid);
$pwd = stripcslashes($pwd);
$uid = mysqli_real_escape_string($db, $uid);
$pwd = mysqli_real_escape_string($db, $pwd);
$sql = "SELECT * FROM users WHERE uid='$uid' LIMIT 1";
$query = mysqli_query($db, $sql);
$row = mysqli_fetch_array($query);
$id = $row['id'];
$db_password = $row['pwd'];
$pwd = password_verify($pwd, $row['pwd']);
if ($pwd == $db_password) {
//$_SESSION['username'] = $uid;
$_SESSION['id'] = $id;
header("Location: http://website.com/dashboard.php");
exit;
}else {
echo 'You didn\'t enter the correct information';
}
}
?>
dashboard.php:
<?php
ob_start();
session_start();
require 'connect.inc.php';
if (!isset($_SESSION['id'])) {
header("Location: http://website.com/login.php");
exit();
}
?>
Any help would be appreciated very much...
I think the problem with your code lies here:
if ($pwd == $db_password) {
//$_SESSION['username'] = $uid;
$_SESSION['id'] = $id;
header("Location: http://website.com/dashboard.php");
exit;
}else {
echo 'You didn\'t enter the correct information';
}
password_verify() returns TRUE or FALSE and you are trying to check if it is equal to $db_password. As far as I know this will not be true, so even though the password you are typing in is correct, the page won't go anywhere because the if statement is not working properly.
So in your case, this is how I think you should have your code:
<?php
ob_start();
session_start();
require 'connect.inc.php';
if (isset($_POST['submit'])) {
$uid = $_POST['uid'];
$pwd = $_POST['pwd'];
$uid = strip_tags($uid);
//$pwd = strip_tags($pwd);
$uid = stripcslashes($uid);
//$pwd = stripcslashes($pwd);
$uid = mysqli_real_escape_string($db, $uid);
//$pwd = mysqli_real_escape_string($db, $pwd);
$sql = "SELECT * FROM users WHERE uid='$uid' LIMIT 1";
$query = mysqli_query($db, $sql);
$row = mysqli_fetch_array($query);
$id = $row['id'];
$db_password = $row['pwd'];
$pwd = password_verify($pwd, $db_password);
if ( $pwd === TRUE ) {
//$_SESSION['username'] = $uid;
$_SESSION['id'] = $id;
header("Location: http://website.com/dashboard.php");
exit;
}else {
echo 'You didn\'t enter the correct information';
}
}
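Added example (not code from either thread above): the login query from the first thread and the password_verify() check from the second, written with a prepared statement, hashed passwords and a session that stores only the user id. The `admins` layout with a `pwd_hash` column, the sample account, the function names and the in-memory SQLite database standing in for MySQL (requires pdo_sqlite) are assumptions made so the script runs on its own.

```php
<?php
// Added example; table layout, account and function names are constructed.
declare(strict_types=1);

function make_demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE admins (id INTEGER PRIMARY KEY, userName TEXT UNIQUE, pwd_hash TEXT)');
    $ins = $db->prepare('INSERT INTO admins (userName, pwd_hash) VALUES (?, ?)');
    // Store only the password_hash() output, never the password itself.
    $ins->execute(['manager1', password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $db;
}

// Returns the admin id on success, null on any failure.
function check_login(PDO $db, string $userName, string $password): ?int
{
    // The placeholder keeps user input out of the SQL text entirely.
    $stmt = $db->prepare('SELECT id, pwd_hash FROM admins WHERE userName = ? LIMIT 1');
    $stmt->execute([$userName]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    // password_verify() returns a bool; use it directly as the condition.
    return password_verify($password, $row['pwd_hash']) ? (int) $row['id'] : null;
}

// What the login page does with the result. Kept as a function so the demo
// below can run from the CLI without sending headers.
function start_admin_session(int $id): void
{
    session_start();               // must run before any use of $_SESSION
    session_regenerate_id(true);   // new session id after a privilege change
    $_SESSION['id'] = $id;         // keep the id only; no password in the session
}

$db = make_demo_db();
var_dump(check_login($db, 'manager1', 'correct horse'));        // valid credentials
var_dump(check_login($db, 'manager1', 'wrong'));                // wrong password
var_dump(check_login($db, "manager1' OR '1'='1", 'anything'));  // quotes are bound as data
```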
An undefined index error occurs the first time when redirecting to the same page after login. How can I solve this problem?
Here's my code:
code on index-page
<?php
session_start();
$error = $_SESSION['error'];
$conn = mysql_connect("localhost", "root", "");
mysql_select_db("db_food", $conn);
$row = mysql_query("select * from tbl_temp order by id DESC", $conn);
$row = mysql_fetch_array($row);
$user = $row['user'];
$pass = $row['pass'];
?>
code for the page After form submission
<?php
session_start();
$username = $_POST['username'];
$password = $_POST['password'];
if($username =='' || $password == '') {
$error = "Username or Password cant' be empty......";
header("location: index.php");
} else {
$data = mysql_query("select * from tbl_user where username='$username' && password='$password'", $conn);
$num = mysql_num_rows($data);
if($num==1) {
$row = mysql_fetch_array($data);
$_SESSION['name'] = $row['name'];
$_SESSION['id'] = $row['id'];
$_SESSION['user'] = $row['username'];
exit;
} else {
$error= "Either Username or Password wrong!!!";
header("location: index.php");
}
}
$_SESSION['error'] = $error;
?>
I want to display the error message in the index page.
check first by isset
$error = "";
if(isset($_SESSION['error'])){
$error = $_SESSION['error'];
}
session_start();
if(isset($_POST['submit'])) {
$uname = $_POST['uname'];
$pw = $_POST['pw'];
require_once('db.php');
$sql = 'SELECT * FROM users_table
WHERE username="'.mysql_escape_string($uname).'" AND password="'.mysql_escape_string(md5($pw)).'"
LIMIT 0, 1
';
$qry = mysql_query($sql);
$count = mysql_num_rows($qry);
if($count > 0) {
$_SESSION['username'] = $uname;
$_SESSION['password'] = $pw;
header('Location: products_list.php');
} else {
header('Location: index.php?error=1');
}
}
Use the setcookie() function to set the cookie and then retrieve it when the user accesses the login-restricted pages.
setcookie description
I have done it using the Cookie, it runs amazingly perfect...
Only thing you need to do is just add encoding in cookies for security...
session_start();
if($_SERVER['REQUEST_METHOD']=='POST' && !empty($_POST['submit'])) {
$uname = $_POST['uname'];
$pw = $_POST['pw'];
require_once('db.php');
//Checking whether the cookies are set or not
if(!empty($_COOKIES['Last_Login_UserID']) && !empty($_COOKIES['Last_Login_Password'])){
if($_COOKIES['Last_Login_UserID']==$uname && $_COOKIES['Last_Login_Password']==$pw){
//Cookies are perfect give access
$_SESSION['username'] = $uname;
$_SESSION['password'] = $pw;
header('Location: products_list.php');
}else{
//Cookies cookies are wrong
login_check($uname,$pw);
}
}else{
//Cookies are not set so check the database
login_check($uname,$pw);
}
//Function to check the login
function login_check($uname,$pw){
$sql = 'SELECT * FROM users_table WHERE username="'.mysql_escape_string($uname).'" AND password="'.mysql_escape_string(md5($pw)).'" LIMIT 0, 1 ;';
$qry = mysql_query($sql);
$count = mysql_num_rows($qry);
if($count == 1) {
$_SESSION['username'] = $uname;
$_SESSION['password'] = $pw;
if(!empty($_POST['remember_me']) && $_POST['remember_me']==true){
setcookie('Last_Login_UserID',$_SESSION['username'],(60*60*24),"/");
setcookie('Last_Login_Password',$_SESSION['password'],(60*60*24),"/");
}
header('Location: products_list.php');
} else {
header('Location: index.php?error=1');
}
}}
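Added example (not the answerer's code): a cookie that carries the username and password is supplied by the client, so comparing it with the posted form fields cannot replace the database check. A common alternative is a random remember-me token whose hash is stored server-side. The table, cookie and function names below are hypothetical, and in-memory SQLite (pdo_sqlite) stands in for the real database.

```php
<?php
// Added example: table, cookie and function names are hypothetical, and
// in-memory SQLite (pdo_sqlite) stands in for the real database.
declare(strict_types=1);

// Issue a random token for $userId; returns the value to put in the cookie.
function issue_remember_token(PDO $db, int $userId, int $ttl = 86400): string
{
    $selector  = bin2hex(random_bytes(9));    // lookup key, not secret
    $validator = bin2hex(random_bytes(32));   // secret; only its hash is stored
    $db->prepare('INSERT INTO remember_tokens VALUES (?, ?, ?, ?)')
       ->execute([$selector, hash('sha256', $validator), $userId, time() + $ttl]);
    return $selector . ':' . $validator;
}

// Returns the user id for a valid, unexpired cookie value, otherwise null.
function check_remember_token(PDO $db, string $cookie): ?int
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    $stmt = $db->prepare('SELECT validator_hash, user_id, expires FROM remember_tokens WHERE selector = ?');
    $stmt->execute([$parts[0]]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['expires'] < time()) {
        return null;
    }
    // Constant-time comparison against the stored hash.
    $ok = hash_equals($row['validator_hash'], hash('sha256', $parts[1]));
    return $ok ? (int) $row['user_id'] : null;
}

// Web side: absolute expiry, and flags that keep the cookie away from
// scripts and plain-HTTP requests (the options array needs PHP 7.3+).
function send_remember_cookie(string $value, int $ttl = 86400): void
{
    setcookie('remember_me', $value, ['expires' => time() + $ttl, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
}

// Constructed demo data: user id 42.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE remember_tokens (selector TEXT PRIMARY KEY, validator_hash TEXT, user_id INTEGER, expires INTEGER)');
$cookie = issue_remember_token($db, 42);
var_dump(check_remember_token($db, $cookie));               // issued value
var_dump(check_remember_token($db, $cookie . 'tampered'));  // altered validator
```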
if(!$_SESSION['username']) {
$ip = $db->real_escape_string(VisitorIP());
$username = $db->real_escape_string($_POST['username']);
$password = $db->real_escape_string($_POST['password']);
$salt = "****";
$password = md5($password . $salt);
$result = $db->query("SELECT * FROM TABLE WHERE username='$username' and password='$password'");
$count = mysqli_num_rows($result);
if ($count == 1){
$bannedq = $db->query("SELECT banned FROM TABLE WHERE username='$username' AND password='$password'");
$banned = $bannedq->fetch_row();
if($banned[0] == "1") {
$failedLogin="1";
$message = 'You are banned and you cannot login';
} else {
$ip = $db->real_escape_string(VisitorIP());
$db->query("UPDATE h_users SET lastlogin=now(), lastip = '$ip' WHERE username='$username'");
header("Location: home");
session_start();
$_SESSION['username'] = $username;
$_SESSION['password'] = $password;
$failedLogin = "1";
$message = 'Username or Password WRONG!';
}
}
} else {
header("location: home");
}
Hello programmers,
I am trying to set up a login system on my website. Until now it was working fine. But when the session is set and the user gets redirected to the homepage, if he then goes to the login screen while the session is set, I want him to be redirected to the homepage and not see the login screen again.
But after I added this part:
if(!$_SESSION['username']) {
it does not work.
You have to take your session start and put it there before you use it, so write this before your if statement:
session_start();
if(!$_SESSION['username']) {
//...
And delete this one here:
//...
session_start();
$_SESSION['username'] = $username;
$_SESSION['password'] = $password;
//...
(Also, I would add a die(); or exit(); after each header; it makes sure nothing gets executed after the header.)
Okay guys thanks for your help <3 <3
I changed my code to this and everything went fine:
session_start();
if(!isset($_SESSION['username'])) {
if(isset($_POST['username']) && isset($_POST['password'])) {
$ip = $db->real_escape_string(VisitorIP());
$username = $db->real_escape_string($_POST['username']);
$password = $db->real_escape_string($_POST['password']);
$salt = "ho073";
$password = md5($password . $salt);
$result = $db->query("SELECT * FROM TABLE WHERE username='$username' and password='$password'");
$count = mysqli_num_rows($result);
if ($count == 1){
$bannedq = $db->query("SELECT banned FROM TABLE WHERE username='$username' AND password='$password'");
$banned = $bannedq->fetch_row();
if($banned[0] == "1") {
$failedLogin="1";
$message = 'You are banned and you cannot login';
} else {
$ip = $db->real_escape_string(VisitorIP());
$db->query("UPDATE TABLE SET lastlogin=now(), lastip = '$ip' WHERE username='$username'");
header("Location: home");
$_SESSION['username'] = $username;
$failedLogin = "1";
$message = 'Username or Password WRONG!';
}
}
}
include'templates/login.html';
} else {
header("location: home");
die();
}
Much love for you <3
I'm using the following query to verify the login information posted by the form. But whenever I run the query I get an internal server error. I'm not sure what I'm doing wrong.
<?php
if(isset($_POST["userName"]) && isset($_POST["password"])){
$userName = $_POST["userName"];
$password = $_POST["password"];
include "http://evocature.com/scripts/db_connect.php";
$results = mysql_query("SELECT id
FROM admins
WHERE userName = '$userName'
AND password ='$password' LIMIT 1");
$existCount = mysql_num_rows($results);
if($existCount == 1){
while($row = mysql_fetch_array($results)){
$id = $row["id"];
}
$_SESSION["id"] = $id;
$_SESSION["manager"] = $manager;
$_SESSION["password"] = $password;
header("Location: http://www.evocature.com/admin/index.php");
exit();
}
else{
echo 'Invalid Information';
exit();
}
}
I believe you can't include HTTP pages. Well, not in this method.