I've tried adding a PHP session, so they don't have to fill in the same password all the time. If I go to the page and fill in the code it will show the page with the correct session but when I refresh the page the session is gone.
Code of the session:
<head>
<script>
{ background-color:#87CEFA; }
</script>
</head>
<?php
error_reporting(0);
session_start();
$_SESSION["pass"] = $_POST["code"];
$pass = $_POST["code"];
$con=mysqli_connect("localhost","bb","$pass","bb");
if (mysqli_connect_errno($con))
{
echo "Kan geen verbinding maken, de ingevulde code is verkeerd of de server is offline!";
echo 'Hello '.$_SESSION["pass"].'!';
}
$result = mysqli_query($con,"SELECT * FROM ftp");
while($row = mysqli_fetch_array($result))
{
$myuser = $row['user'];
$mypass = $row['pass'];
$myhost = $row['host'];
$conn_id = ftp_connect($myhost) or die("Couldn't connect to $myhost");
if (#ftp_login($conn_id, $myuser, $mypass))
{
//Path to your *.txt file:
$file = $ftp_server['DOCUMENT_ROOT'] . "bbbb";
$contents = file($file);
$string = implode($contents);
echo $string;
}
}
mysqli_close($con);
?>
Thanks.
On every page load you are running the code $_SESSION["pass"] = $_POST["code"];. Then you try to echo it like echo 'Hello '.$_SESSION["pass"].'!';. What you are essentially doing is echoing $_POST["code"]. Only when you submit the form will the $_POST variable be set.
You're overwriting your session variable on each page load. You need to check if the form was submitted before setting your session variable:
session_start();
$_SESSION["pass"] = $_POST["code"];
needs to be
session_start();
if ('POST' === $_SERVER['REQUEST_METHOD']) {
$_SESSION["pass"] = $_POST["code"];
}
You should check that your server configured correctly. Check session storage and stored data
You should start session before any output (check where you start session and you don't have space after ?>). Overriding of super globals values is bad practise
I'm sorry to say this but you seriously need to read more on php sessions.
I took some liberties rewriting and commenting but if there's anything you don't understand, please ask
combo script
<?php
// protect against any output, leave no spaces or shenanigans before the session_start()
// even warnings and errors
// this is the first thing that has to happen BEFORE ANY OUTPUT
session_start();
// is this a good idea when you're in development
error_reporting(0);
// we don't know if $_POST['whateva'] actually exists
if (isset($_POST['code'])) {
// this may not be such a good idea...
$_SESSION['pass'] = $_POST['code'];
}
$pass = isset($_POST['code']) ? $_POST['code'] : '';
$error = '';
try {
$con = mysqli_connect('localhost','bb',$pass,'bb');// is this barebones MVC? just curious
if (mysqli_connect_errno($con)) throw new Exception('Kan geen verbinding maken, de ingevulde code is verkeerd of de server is offline! Hello '.$_SESSION['pass'].'!');
$result = mysqli_query($con,'SELECT * FROM ftp');
$ftpContent = array();
while ($row = mysqli_fetch_array($result)) {
$myuser = $row['user'];
$mypass = $row['pass'];
$myhost = $row['host'];
if (!$conn_id = ftp_connect($myhost)) throw new Exception('Couldn\'t connect to '.$myhost);
if (#ftp_login($conn_id,$myuser,$mypass)) {
//Path to your *.txt file:
$file = $ftp_server['DOCUMENT_ROOT'].'bbbb';// where does this $ftp_server come from????
$contents = file($file);
$string = implode($contents);
$ftpContent[$myuser] = $string;
}
}
mysqli_close($con);
} catch (Exception $e) {
$error = $e->getMessage();
}
// now output all your stuff here
?>
<!DOCTYPE html>
<html>
<head>
<style>body{background-color:#87cefa;}.error{color:#f00;}</style>
</head>
<body>
<?php if ($error) echo '<p class="error">There has been an error: '.$error.'</p>'; ?>
</body>
</html>
Don't copy paste this, look up what was done and evaluate what will happen, there's also a missing variable so you have to take care of that
Related
i have used this code for years and never experienced this, using a new hosting service prior to the ones i have always used and am getting this issue.
session_start();
$rec_page = $_SERVER['REQUEST_URI'];
$cPage = $_SERVER['PHP_SELF'];
if(!isset($_SESSION['isadmin'])){
header('location: login.php?l=i');
}
include('includes/constants.php');
include('includes/functions.php');
$admin_login = $_SESSION['login'];
$admin_psw = GetAdminInfo($admin_login,'1');
if(isset($_REQUEST['cmd'])){
if($_REQUEST['cmd']=="logout"){
session_destroy();
header('location: login.php');
}
}
this is the section of the code with the issues, once i login i get redirected to the login.php if i delete this
`if(!isset($_SESSION['isadmin'])){
header('location: login.php?l=i');
}`
i can login successfully but if i click on another page i will have to login again, so im guessing its a Session problem.
here is the action php for the login.php
<?php
include('../includes/constants.php');
include('../includes/functions.php');
if(isset($_POST['xin'])){
$ikey = addslashes($_POST['textKey']);
$nkey = addslashes($_POST['textname']);
$mysqli = mysqli_connect($dbserver,$dbuser,$dbpass) or die('Cannot connect to db');
mysqli_select_db($mysqli, $db_db) or die('Cannot select db');
$result=mysqli_query($mysqli, "SELECT * FROM admins WHERE login = '".$ikey."' && adminname = '".$nkey."'");
$cnt = mysqli_num_rows($result);
if($cnt > 0){
while($rw=mysqli_fetch_array($result)){
session_start();
$_SESSION['isadmin']=true;
$_SESSION['login'] = $ikey;
$_SESSION['adminname'] = $nkey;
header('location: ../index.php?cm='.$_SESSION['isadmin']);
}
}else{
header('location: ../login.php?err=1'.mysqli_error($mysqli));
}
mysqli_close($mysqli);
}
?>
use javascript instead of header. No long story
echo "<script>parent.self.location='index.php';</script>";
Please help me. I got this error everytime I tried to login. - "This webpage has a redirect loop ERR_TOO_MANY_REDIRECTS"
Please help me and I'll appreciate your help very much. thanks.
This is my index.php
<?php
include('login.php'); // Includes Login Script
?>
This is my login.php
<?php
session_start();
$error = "";
if (isset($_POST['submit'])) {
if (empty($_POST['email']) || empty($_POST['password'])) {
$error = "Username or Password is invalid";
} else {
// Define $username and $password
$usernameLogin = $_POST['email'];
$passwordLogin = $_POST['password'];
// Establishing Connection with Server by passing server_name, user_id and password as a parameter
$connection = mysql_connect("localhost", "apple", "Apple318992");
// To protect MySQL injection for Security purpose
$username = stripslashes($usernameLogin);
$password = stripslashes($passwordLogin);
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);
// Selecting Database
$db = mysql_select_db("TS", $connection);
// SQL query to fetch information of registerd users and finds user match.
$query = mysql_query("select * from Users where password='$password' AND email='$usernameLogin'", $connection);
$rows = mysql_num_rows($query);
if ($rows == 1) {
$_SESSION['login_user'] = $usernameLogin; // Initializing Session
} else {
$error = "Username or Password is invalid";
}
}
}
if (isset($_SESSION["login_user"])) {
header("Location:timesheets.php");
}
?>
This is my session.php
<?php
include ('DBConnect.php');
session_start(); // Starting Session
// Storing Session
$user_check = $_SESSION['login_user'];
// SQL Query To Fetch Complete Information Of User
$ses_sql = mysql_query("select email from Users where email='$user_check'", $conn);
$row = mysql_fetch_assoc($ses_sql);
$login_session = $row['email'];
if (!isset($login_session)) {
mysql_close($conn); // Closing Connection
header('Location: index.php'); // Redirecting To Home Page
}
?>
instead of : header('Location: index.php');
try to do it with javascript :
echo '< script> document.location.href="index.php"< /script>';
In your session.php you have to destroy the session because it might be set still but without that the query can find a existing user?
To unset sessions do this:
unset(); for all the session variables unset($_SESSION['login_user']); for a specific session
Please put that before redirecting to index.php.
Otherwise I don't know how to help you sorry.
Also do you have php error / debug enabled? Normally session_start(); should be at very first line in your php file if I am correct, or it throws error.
Ok, So on my main login php page I have this:
<?php
session_start();
require 'connect.php';
if(mysqli_connect_errno()) {
echo 'Failed to Connect to MySQL' . mysqli_connect_errno();
}
if(isset($_POST['submit'])) {
//Variables
$user = $_POST['username'];
$pass = md5 ($_POST['password']);
//prevent MySQL Inject
$user = stripslashes($user);
$pass = stripslashes($pass);
$query = mysqli_query($con, "SELECT * FROM tech WHERE username = '$user' and password = '$pass'") or die("Can not query the DB");
$count = mysqli_num_rows($query);
if($count == 1) {
$_SESSION['username'] = $user;
$url = 'home.php';
echo '<META HTTP-EQUIV=Refresh CONTENT="0; URL='.$url.'">';
} else {
echo 'Username and Password do not match! Try Again';
$url = 'carelogin.php';
echo '<META HTTP-EQUIV=Refresh CONTENT="2; URL='.$url.'">';
session_destroy();
}
}
?>
And then, On every page at the very top I have this.
<?php
session_start();
require_once 'connect.php';
if(!isset($_SESSION['username'])) {
echo "<h1>You are not an authorised user</h1>";
$url = 'carelogin.php';
echo '<META HTTP-EQUIV=Refresh CONTENT="1; URL='.$url.'">';
} else {
}
?>
After about 30 seconds or so from not touching my mouse on any of those pages if I click REFRESH or if I go forward or backwards, It keeps logging me out. I don't understand. I have all the sessions set but within just 30 seconds I get logged out.
Someone please modify my code to allow me to stay logged in until I click log out Thank you guys!
I think you will find that people will suggest a framework for this sort of thing, however, if you are going to attempt a login, you will probably want to split your script out more thoroughly to accommodate both cleaner and more expandable code. Also, make sure to use ini_set("display_errors",1); error_reporting(E_ALL); above session_start() to be alerted on any errors/warnings happening on the page when testing the site (turn off error reporting in live environment).
Here is a bit of more complex code than what you have, but it should protect you from injection. Note all the folders for each of the files should be in relation to the domain root. Also note, you need to store all your passwords in your database using the password_hash() function. You can use some of this, all of this, none of this, but if you do use it, make sure to look through the PHP manual to understand what all this is doing:
/core.processor/classes/class.DatabaseConfig.php
// This is your database. Fill out the credentials in the connect() method
// I use PDO because I think personally it's easier to use
class DatabaseConfig
{
private static $singleton;
public function __construct()
{
if(empty(self::$singleton))
self::$singleton = $this->connect();
return self::$singleton;
}
// This is the method that creates the database connection
public function connect($host = "localhost", $username = "username", $password = "password", $database = "database")
{
// Create connection options
// 1) Make PDO Exception errors, 2) Do real binding 3) By default prefer fetching associative arrays
$opts = array( PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
PDO::ATTR_EMULATE_PREPARES => false,
PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC);
$conn = new PDO('mysql:host='.$host.';dbname='.$database, $username, $password,$opts);
// Send back the database connection. You can use a "utf-8" character setting here as well...
return $conn;
}
}
/core.processor/classes/class.QueryEngine.php
// This is a simple query engine. It allows for binding (or not binding)
class QueryEngine
{
private $results;
private static $singleton;
public function __construct()
{
if(empty(self::$singleton))
self::$singleton = $this;
return self::$singleton;
}
// This method sends queries to your database
public function query($sql = false,$bind = false)
{
$this->results = 0;
// Create database connection
$db = new DatabaseConfig();
// Attempt to connect and fetch data
try {
// Bind or not bind, provided there is a bind array
// This is important to look up!
if(!empty($bind)) {
$query = $db ->connect()
->prepare($sql);
$query->execute($bind);
}
else {
$query = $db ->connect()
->query($sql);
}
$this->results = $query;
}
catch (PDOException $e)
{
die($e->getMessage());
}
return $this;
}
// This method will fetch an the associative array if used with select statement
public function fetch()
{
while($row = $this->results->fetch())
$result[] = $row;
return (!empty($result))? $result : 0;
}
}
/core.processor/classes/class.HeaderProcessor.php
// This class deals with functions that should happen before the page outputs to the browswer
class HeaderProcessor
{
private static $userData;
// This method just sits and waits for actions to happen
// This method should expand with whatever you plan to do in the future
public static function eventListener($array = array())
{
if(isset($array['action'])) {
if($array['action'] == 'login') {
if(self::getLogin($array['username'],$array['password'])) {
if(self::setSession(self::$userData)) {
$_SESSION['password'] = NULL;
}
header("Location: home.php");
exit;
}
}
elseif($array['action'] == 'logout') {
session_destroy();
header("Location: loggedout.php");
exit;
}
}
}
// Process login
private static function getLogin($user,$pass)
{
$query = new QueryEngine();
$getUser = $query ->query("SELECT * FROM `users` WHERE `username` = :0",array($user))
->fetch();
if($getUser == 0)
return false;
self::$userData = $getUser[0];
// Verify the password hash (this is why you need to store your passwords differently in your db
return password_verify($pass,$getUser[0]['password']);
}
// Assign session variables
private static function setSession($userData)
{
$_SESSION = array_filter(array_merge($userData,$_SESSION));
return true;
}
// This can set options for your site, I just threw in timezone
// as well as the class autoloader
public static function initApp($settings = false)
{
$timezone = (!empty($settings['timezone']))? $settings['timezone'] : 'America/Los_Angeles';
include_once(FUNCTIONS_DIR."/function.autoLoader.php");
date_default_timezone_set($timezone);
}
}
/core.processor/functions/function.autoLoader.php
// This function will auto load your classes so you don't have to always
// include files. You could make a similar function to autoload functions
function autoLoader($class)
{
if(class_exists($class))
return true;
if(is_file($include = CLASS_DIR.'/class.'.$class.'.php'))
include_once($include);
}
/config.php
/*** This config is located in the root folder and goes on every page ***/
// Start session
session_start();
// Define common places
define("ROOT_DIR",__DIR__);
define("CLASS_DIR",ROOT_DIR.'/core.processor/classes');
define("FUNCTIONS_DIR",ROOT_DIR.'/core.processor/functions');
// Require the page initializer class
require_once(CLASS_DIR."/class.HeaderProcessor.php");
// Initialize the autoloader for classes
// Load timezone
// You can put any other preset in this method
HeaderProcessor::initApp();
// Here is where you put in events like login, logout, etc...
HeaderProcessor::eventListener($_POST);
// Use this function to help load up classes
spl_autoload_register('autoLoader');
/login.php
<?php
// add in the config file
require(__DIR__."/config.php");
?><!DOCTYPE html>
<html>
<meta charset="UTF-8">
<title>My Login</title>
<head>
</head>
<body>
<form id="loginForm" method="post" action="">
<input name="username" type="text" />
<input name="password" type="password" />
<input name="action" type="hidden" value="login" />
<input type="submit" value="LOGIN" />
</form>
</body>
</html>
Please increase session timeout with this:
// server should keep session data for AT LEAST 1 hour
ini_set('session.gc_maxlifetime', 3600);
// each client should remember their session id for EXACTLY 1 hour
session_set_cookie_params(3600);
session_start(); // ready to go!
First you need to find out what your php settings are:
create an info.php file at the root of your project with the following lines:
<?php
phpinfo();
Load the page on your browser and locate the following variable:
session.gc_maxlifetime
It is likely that your sessions have been set to expire after a very short period of time (the default is about 24 mins but the value displayed is in seconds - 1440). In your case, this value might be equal to 30
To change it to your preferred length of time, you need to change your php settings as follows(ensure you have the right permissions to make write changes on your server):
Locate your php.ini settings file. It is likely located in the following location on your linux server:
/etc/php/7.0/apache2/php.ini
You should open this file with your editor of choice, e.g. nano on your command line as follows:
sudo nano /etc/php/7.0/apache2/php.ini
Locate the following variable:
session.gc_maxlifetime
Change the corresponding value to a longer time span such as 1 day which you can calculate as follows: 1day * 24hrs * 60mins * 60secs = 86400secs
Set it up as follows:
session.gc_maxlifetime = 86400
Save the file and restart apache as follows from your command line:
sudo service apache2 restart
Reload your info.php file and the changes should have taken effect.
EDIT: I remove my first Suggestion
Or try my code
Here it will check if you are connected to your database I name it connect.inc.php
<?php
if(!mysql_connect('localhost', 'root', '')|| !mysql_select_db('byp_db'))
{
die(mysql_error());
}
?>
Next I created my core.inc.php where it will check if you are already in session you will use the loggedin() method in that
<?php
error_reporting(E_ALL ^ E_NOTICE);
ob_start();
session_start();
$current_file = $_SERVER['SCRIPT_NAME'];
$http_referer = $_SERVER['HTTP_REFERER'];
function loggedin() {
if(isset($_SESSION['user_p_info_id'])&&!empty($_SESSION['user_p_info_id'])) {
return true;
}else {
return false;
}
}
function getuserfield($field){
$query = "SELECT `$field` FROM `user_p_info` where `user_p_info_id`='".$_SESSION['user_p_info_id']."'";
if($query_run = mysql_query($query)){
if($query_result = mysql_result($query_run, 0, $field)){
return $query_result;
}
}
}
?>
Next is you will create your log-in form
<?php
require 'connections/connect.inc.php';
require 'connections/core.inc.php';
if(isset($_POST['uname']) && isset($_POST['password'])){
$uname = $_POST['uname'];
$pword = $_POST['password'];
//echo $uname;
//echo $pword;
if(!empty($uname)&&!empty($pword)){
$query_login = "SELECT * FROM user_a_info where username = '$uname' and password = '$pword'";
//echo $query_login;
$query_result = mysql_query($query_login);
$num_rows = mysql_num_rows($query_result);
if($num_rows == 0){
?>
<script type="text/javascript">
alert("Invalid Data !");
</script>
<?php
}else{
//echo "validated";
$user_p_info_id = mysql_result($query_result, 0, 'user_p_info_id');
$_SESSION['user_p_info_id']=$user_p_info_id;
header('Location: index.php');
}
}
}
?>
<form action="login.php" method="POST">
<p> USERNAME : <input type="text" name="uname" /> </p>
<p> PASSWORD : <input type="password" name="password" /> </p>
<p> <input type="submit" value="LOGIN" /> </p>
</form>
And then your log-out function will look like this
<?php
require 'core.inc.php';
session_destroy();
header('Location: ../index.php');
?>
Just take note that if you want to check whether you are in session or not just put this condition
<?php
require 'connections/connect.inc.php';
require 'connections/core.inc.php';
if(loggedin()) {
// Do something
}
?>
Hope this helps
I'm having trouble trying to make work a php. Here's the code:
<?php
$host = "localhost";
$user = "ff";
$pass = "ff";
$db = "ff";
$login = mysqli_connect ($host,$user,$pass,$db);
if (!$login) die ("Connection Error to Database <br/>". mysqli_error());
$username = $_POST["username"];
$password = $_POST["password"];
$result = mysqli_query($login, "SELECT * FROM users WHERE username = '$username'");
if($row = mysqli_fetch_array($result))
{
if($row["password"] == $password)
{
session_start();
$_SESSION['username'] = $username;
header("Location: ../index.php");
}
else
{
?>
<script>
alert("Wrong password");
location.href = "../login.html";
</script>
<?
}
}
else
{
?>
<script>
alert("Wrong username");
location.href = "../login.html";
</script>
<?
}
mysqli_free_result($result);
mysqli_close();
?>
Using localhost there isn't any error, but uploading to my server appears something like:
"The website detected an error in http://****/php/validate.php http://****/php/validate.php. blablabla"
The php try to connect to a double URL (sorry for my bad english).
What am I doing wrong?
It's highly likely that on your production server it doesn't allow you to use shorttags (<?) like you are using in the areas where you're outputting Javascript. Your local server probably allows these so you wouldn't have noticed.
You should probably use a header redirect here too with a message attached or in the session, and output that message on another page, but that's another issue.
Change <? to <?php to make sure.
On my offline dev server, I have the following code:
<?php //submit_build.php
include_once 'header.php';
require_once 'login_users.php';
include_once 'functions.php';
if(empty($_SESSION['username']))
die ("You must be logged in to use this page");
$choice = $_GET['choice'];
$db_server = mysql_connect($db_hostname, $db_username, $db_password);
mysql_select_db($db_database)
or die("Unable to select database: " . mysql_error());
if (isset($_POST['buildname']) &&
isset($_POST['weapon']) &&
isset($_POST['mod1']) &&
isset($_POST['description']) &&
isset($_POST['category']) &&
isset($_POST['hidden']) &&
isset($_POST['password']))
{
$buildname = clean(sanitizeString($_POST['buildname']));
$buildurl = urlencode($buildname);
$section = $choice;
$weapon = sanitizeString($_POST['weapon']);
$modcap = sanitizeString($_POST['modcap']);
$mod1 = sanitizeString($_POST['mod1']);
$mod2 = sanitizeString($_POST['mod2']);
$mod3 = sanitizeString($_POST['mod3']);
$mod4 = sanitizeString($_POST['mod4']);
$mod5 = sanitizeString($_POST['mod5']);
$mod6 = sanitizeString($_POST['mod6']);
$mod7 = sanitizeString($_POST['mod7']);
$mod8 = sanitizeString($_POST['mod8']);
$polarity1 = sanitizeString($_POST['polarity1']);
$polarity2 = sanitizeString($_POST['polarity2']);
$polarity3 = sanitizeString($_POST['polarity3']);
$polarity4 = sanitizeString($_POST['polarity4']);
$polarity5 = sanitizeString($_POST['polarity5']);
$polarity6 = sanitizeString($_POST['polarity6']);
$polarity7 = sanitizeString($_POST['polarity7']);
$polarity8 = sanitizeString($_POST['polarity8']);
$description = sanitizeString($_POST['description']);
$category = sanitizeString($_POST['category']);
$hidden = sanitizeString($_POST['hidden']);
$pw_check = sanitizeString($_POST['password']);
$pw_check = md5($pw_check);
if ($pw_check == ($_SESSION['password']))
{
$add_build = "INSERT INTO weapons VALUES(NULL,'$username', '$buildname', '$section', '$weapon', '$modcap', '$mod1', '$mod2', '$mod3', '$mod4', '$mod5', '$mod6', '$mod7', '$mod8', '$polarity1', '$polarity2', '$polarity3', '$polarity4', '$polarity5', '$polarity6', '$polarity7', '$polarity8', '$category', '$hidden', '$description', NULL, '{$_SESSION['ipaddress']}', '$buildurl')";
mysql_query($add_build);
header("Location: account.php");
}
else{
die("Incorrect password.");
}
}
Followed by some more PHP, and HTML later on in the document.
NOTE The file header.php contains HTML.
My code works perfectly offline. I can click submit, and I will be redirected to account.php.
However as soon as I upload the files to my remote server, the code still works perfectly but the redirect does not. Instead of redirecting, it just brings me back to the same page. The data that was entered DOES however get submitted to MySQL, so it's just the redirect that isnt working.
Can someone tell me how I would get this
header(Location: account.php);
to work? Where should I place it? Or where should I move
include_once 'header.php';
to make it work?
Thanks so much!
EDIT:
Here is my authenticate.php file.. up to where the html begins. Maybe you can see an issue here.
<?php // authenticate.php
include_once 'functions.php';
require_once 'login_users.php';
$db_server = mysql_connect($db_hostname, $db_username, $db_password);
if (!$db_server) die("Unable to connect to database:" . mysql_error());
mysql_select_db($db_database)
or die("Unable to find database:" . mysql_error());
if (!empty($_POST['username']) &&
(!empty($_POST['pw_temp'])))
{
$username = sanitizeString($_POST['username']);
$pw_temp = sanitizeString($_POST['pw_temp']);
$pw_temp = md5($pw_temp);
$query = "SELECT username,password FROM users WHERE username='$username' AND password='$pw_temp'";
if (mysql_num_rows(mysql_query($query)) == 0)
{
die("Wrong info");
}
else
{
session_start();
$_SESSION['username'] = $username;
$_SESSION['password'] = $pw_temp;
$_SESSION['ipaddress'] = $_SERVER['REMOTE_ADDR'];
header('Location: index.php');
exit;
}
}else{
include_once 'header.php';
echo <<<_END
<html xmlns="http://www.w3.org/1999/xhtml">
Its a good idea to exit; after a header() as otherwise your code will continue in the current script. Which probably means it will send itself again. So you may well be running account.php but this page is then being sent and overwriting account.php making it look like account.php is not being run.