What is wrong in my code or my database?
my code
if(isset($login)){
if($sbg=='administrator'){
$login = mysql_query("SELECT * FROM administrator WHERE email='$email' AND password='$pass'");
$rows= mysql_num_rows($login);
if($rows==0){
$data = mysql_fetch_array($login);
$_SESSION['login'] = true;
$_SESSION['nama'] = $data['nama'];
$_SESSION['email'] = $data['email'];
$_SESSION['password'] = $data['password'];
}else{
Looks like you have to change
if($rows==0)
with
if($rows>0)
You put your code in the wrong if.
if($rows!=0){
$data = mysql_fetch_array($login);
$_SESSION['login'] = true;
$_SESSION['nama'] = $data['nama'];
$_SESSION['email'] = $data['email'];
$_SESSION['password'] = $data['password'];
}else{
if(isset($login)){
if($sbg=='administrator'){
$login = mysql_query("SELECT * FROM administrator WHERE email='$email' AND password='$pass'");
$rows= mysql_num_rows($login);
if($rows>0){
$data = mysql_fetch_assoc($login);
session_start();
$_SESSION['login'] = true;
$_SESSION['nama'] = $data['nama'];
$_SESSION['email'] = $data['email'];
$_SESSION['password'] = $data['password'];
}else{
}
You can just echo $rows to see whether there is a result. If $rows shows 0 or nothing, please check your MySQL query.
Related
I recently started learning PHP. I've been working on a basic login page. Everything works great locally, but when it's uploaded to ipage, it just reloads the login page. If I enter incorrect login info, it tells me that I entered something wrong.
Here's my code...
login.php:
<?php
ob_start();
session_start();
require 'connect.inc.php';
if (isset($_POST['submit'])) {
$uid = $_POST['uid'];
$pwd = $_POST['pwd'];
$uid = strip_tags($uid);
$pwd = strip_tags($pwd);
$uid = stripcslashes($uid);
$pwd = stripcslashes($pwd);
$uid = mysqli_real_escape_string($db, $uid);
$pwd = mysqli_real_escape_string($db, $pwd);
$sql = "SELECT * FROM users WHERE uid='$uid' LIMIT 1";
$query = mysqli_query($db, $sql);
$row = mysqli_fetch_array($query);
$id = $row['id'];
$db_password = $row['pwd'];
$pwd = password_verify($pwd, $row['pwd']);
if ($pwd == $db_password) {
//$_SESSION['username'] = $uid;
$_SESSION['id'] = $id;
header("Location: http://website.com/dashboard.php");
exit;
}else {
echo 'You didn\'t enter the correct information';
}
}
?>
dashboard.php:
<?php
ob_start();
session_start();
require 'connect.inc.php';
if (!isset($_SESSION['id'])) {
header("Location: http://website.com/login.php");
exit();
}
?>
any help would be appreciated very much...
I think the problem of your code lies in here
if ($pwd == $db_password) {
//$_SESSION['username'] = $uid;
$_SESSION['id'] = $id;
header("Location: http://website.com/dashboard.php");
exit;
}else {
echo 'You didn\'t enter the correct information';
}
password_verify() returns TRUE or FALSE and you are trying to check if it is equal to $db_password. As far as I know this will not be true, so even though the password you are typing in is correct, the page won't go anywhere because the if statement is not working properly.
So in your case, this is how I think you should have your code
<?php
ob_start();
session_start();
require 'connect.inc.php';
if (isset($_POST['submit'])) {
$uid = $_POST['uid'];
$pwd = $_POST['pwd'];
$uid = strip_tags($uid);
//$pwd = strip_tags($pwd);
$uid = stripcslashes($uid);
//$pwd = stripcslashes($pwd);
$uid = mysqli_real_escape_string($db, $uid);
//$pwd = mysqli_real_escape_string($db, $pwd);
$sql = "SELECT * FROM users WHERE uid='$uid' LIMIT 1";
$query = mysqli_query($db, $sql);
$row = mysqli_fetch_array($query);
$id = $row['id'];
$db_password = $row['pwd'];
$pwd = password_verify($pwd, $db_password);
if ( $pwd === TRUE ) {
//$_SESSION['username'] = $uid;
$_SESSION['id'] = $id;
header("Location: http://website.com/dashboard.php");
exit;
}else {
echo 'You didn\'t enter the correct information';
}
}
I'd like to remove the sha1 encryption on this code so I can store my password as typed in the database instead of the encrypted code. I am new to coding so I need help.
The code (settings_model.php)
<?php
$settings = new Datasettings();
if(isset($_GET['q'])){
$settings->$_GET['q']();
}
class Datasettings {
function __construct(){
if(!isset($_SESSION['id'])){
header('location:../../');
}
}
function changepassword(){
include('../../config.php');
$username = $_GET['username'];
$password = $_GET['password'];
$current = sha1($_POST['current']);
$new = sha1($_POST['new']);
$confirm = sha1($_POST['confirm']);
$q = "select * from userdata where username='$username' and password='$current'";
$r = mysqli_query($db,$q);
if(mysqli_num_rows($r) > 0){
if($new == $confirm){
$r2 = mysqli_query($db,"update userdata set password='$new' where username='$username' and password='$current'");
header('location:../settings.php?msg=success&username='.$username.'');
}else{
header('location:../settings.php?msg=error&username='.$username.'');
}
}else{
header('location:../settings.php?msg=error&username='.$username.'');
}
}
function addaccount(){
include('../../config.php');
$level = $_GET['level'];
$id = $_GET['id'];
$q = "select * from $level where id=$id";
$r = mysqli_query($db,$q);
$row = mysqli_fetch_array($r);
if($level == 'student'){
$username = $row['studid'];
$fname = $row['fname'];
$lname = $row['lname'];
$password = sha1($username.'-'.$fname);
}else{
$username = $row['teachid'];
$fname = $row['fname'];
$lname = $row['lname'];
$password = sha1($username.'-'.$fname);
}
$verify = $this->verifyusername($username);
if($verify){
$q2 = "insert into userdata values(null,'$username','$password','$fname','$lname','$level')";
mysqli_query($db,$q2);
header('location:../'.$level.'list.php?r=added an account');
}else{
header('location:../'.$level.'list.php?r=updated');
}
}
function verifyusername($user){
$q = "select * from userdata where username='$user'";
$r = mysql_query($q);
if(mysql_num_rows($r) < 1){
return true;
}else{
return false;
}
}
function getuser($search){
include('../config1.php');
$user = $_SESSION['id'];
$q = "select * from userdata where username !='$user' and username like '%$search%' order by lname asc";
$r = mysqli_query($db, $q);
return $r;
}
function addaccounts(){
include('../../config1.php');
extract($_POST);
$q = "select * from $level where id=$id";
$r = mysqli_query($db,$q);
$row = mysqli_fetch_array($r);
if($level == 'student'){
$username = $row['studid'];
$fname = $row['fname'];
$lname = $row['lname'];
$password = sha1($username.'-'.$fname);
}else{
$username = $row['teachid'];
$fname = $row['fname'];
$lname = $row['lname'];
$password = sha1($username.'-'.$fname);
}
$verify = $this->verifyusername($username);
if($verify){
$q2 = "insert into userdata values(null,'$username','$password','$fname','$lname','$level')";
mysqli_query($db,$q2);
header('location:../'.$level.'list.php?r=added an account');
}else{
header('location:../'.$level.'list.php?r=updated');
}
}
}
?>
Please help, I need an answer soon. Thanks.
just change this line
$confirm = sha1($_POST['confirm']);
to this
$confirm = $_POST['confirm'];
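An added example, not part of the original question or answer: the change-password check from the question with the SHA-1 column moved to password_hash() values, upgrading a legacy digest the first time its owner proves the old password. The `userdata` table and column names follow the question; the in-memory SQLite database, the sample account and the helper names `storeHash`, `verifyAndUpgrade` and `changePassword` are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Constructed fixture: a table named like the question's `userdata`, with one
// account whose password column still holds an unsalted SHA-1 hex digest.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE userdata (username TEXT PRIMARY KEY, password TEXT)');
$pdo->prepare('INSERT INTO userdata VALUES (?, ?)')->execute(['s1001', sha1('old-secret')]);

// Hypothetical helper: stores a salted password_hash() value for the user.
function storeHash(PDO $pdo, string $username, string $password): void
{
    $pdo->prepare('UPDATE userdata SET password = ? WHERE username = ?')
        ->execute([password_hash($password, PASSWORD_DEFAULT), $username]);
}

// Hypothetical helper: checks a password against either storage format and
// replaces a legacy SHA-1 value with a password_hash() value on success.
function verifyAndUpgrade(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password FROM userdata WHERE username = ?');
    $stmt->execute([$username]);
    $stored = $stmt->fetchColumn();
    if (!is_string($stored)) {
        return false;                                  // unknown user
    }
    $legacy = strlen($stored) === 40 && ctype_xdigit($stored);
    $ok = $legacy ? hash_equals($stored, sha1($password))
                  : password_verify($password, $stored);
    if ($ok && ($legacy || password_needs_rehash($stored, PASSWORD_DEFAULT))) {
        storeHash($pdo, $username, $password);
    }
    return $ok;
}

function changePassword(PDO $pdo, string $user, string $current, string $new, string $confirm): bool
{
    // Compare the typed values; hashing $new and $confirm first adds nothing.
    if ($new !== $confirm || !verifyAndUpgrade($pdo, $user, $current)) {
        return false;
    }
    storeHash($pdo, $user, $new);
    return true;
}

var_dump(changePassword($pdo, 's1001', 'old-secret', 'new-secret', 'new-secret'));
var_dump(verifyAndUpgrade($pdo, 's1001', 'old-secret'));
var_dump(verifyAndUpgrade($pdo, 's1001', 'new-secret'));
echo $pdo->query('SELECT password FROM userdata')->fetchColumn(), "\n";
```

The last line prints the stored value, which after the change is a password_hash() string rather than a 40-character SHA-1 digest.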
I am trying to change the value of an ENUM in a MySQL database that will help identify when a user is logged on or logged off on a website, to be displayed to all users of the site. I set an ENUM column with possible values of 0 and 1, 0 being logged off and 1 being logged on. But it doesn't seem to be changing anything. Here is my code:
//LOGIN
session_start();
$username = ($_POST['username']);
$password = ($_POST['password']);
$sql = "SELECT * FROM users WHERE username = '$username' LIMIT 1";
$query = mysqli_query($conn, $sql);
if ($query) {
$row = mysqli_fetch_row($query);
$userid = $row[0];
$dbusername = $row[1];
$dbpassword = $row[2];
$email = $row[4];
$status = $row[7];
$permit = $row[6];
$active = $row[5];
$fname = $row[8];
$lname = $row[9];
$dob = $row[10];
$signupdate = $row[3];
$ipadd = $row[11];
$loggedin = $row[12];
}
if ($username == $dbusername && $password == $dbpassword){
$_SESSION['username'] = $username;
$_SESSION['id'] = $userid;
$_SESSION['email'] = $email;
$_SESSION['status'] = $status;
$_SESSION['permit'] = $permit;
$_SESSION['email_activation'] = $active;
$_SESSION['first_name'] = $fname;
$_SESSION['last_name'] = $lname;
$_SESSION['dob'] = $dob;
$_SESSION['sign_up_date'] = $signupdate;
$_SESSION['ipv4'] = $ipadd;
$_SESSION['loggedin'] = $loggedin;
$sql = "UPDATE username SET loggedin = '1'";
header("Location: ../main.php");
Replace your update query with this one
"UPDATE users SET loggedin = '1' where `id` = $userid ";
//LOGIN
session_start();
$username = ($_POST['username']);
$password = ($_POST['password']);
$sql = "SELECT * FROM users WHERE username = '$username' LIMIT 1";
$query = mysqli_query($conn, $sql);
if ($query) {
$row = mysqli_fetch_row($query);
$userid = $row[0];
$dbusername = $row[1];
$dbpassword = $row[2];
$email = $row[4];
$status = $row[7];
$permit = $row[6];
$active = $row[5];
$fname = $row[8];
$lname = $row[9];
$dob = $row[10];
$signupdate = $row[3];
$ipadd = $row[11];
$loggedin = $row[12];
$sql = "UPDATE users SET loggedin = '1' where id = '$userid'";
mysqli_query($conn, $sql);
}
if ($username == $dbusername && $password == $dbpassword){
$_SESSION['username'] = $username;
$_SESSION['id'] = $userid;
$_SESSION['email'] = $email;
$_SESSION['status'] = $status;
$_SESSION['permit'] = $permit;
$_SESSION['email_activation'] = $active;
$_SESSION['first_name'] = $fname;
$_SESSION['last_name'] = $lname;
$_SESSION['dob'] = $dob;
$_SESSION['sign_up_date'] = $signupdate;
$_SESSION['ipv4'] = $ipadd;
$_SESSION['loggedin'] = $loggedin;
header("Location: ../main.php");
During registration, the user's password is saved in the database as an encrypted BCRYPT password.
My question is: Why can't I verify the encrypted database password with the entered password?
CODE:
<?php //POST VARIABLES
$submit = $_POST['login_submit'];
$username = $_POST['login_username'];
$password = $_POST['login_password'];
$email = $_POST['login_email'];
require 'password_config.php';
if(isset($submit)){
require 'db/connect.php';
//PASSWORD VERIFYING
$pass_query = "SELECT password FROM users WHERE email='$email'";
$queried = mysql_query($pass_query);
while($row = mysql_fetch_array($queried)){
$user_pass = $row['password'];
$veri_password = password_verify($password, $user_pass);
}
//CHECKING NUM ROWS
$sql = "SELECT id, username FROM users WHERE password='$veri_password' AND email='$email'";
$entered_user = mysql_query($sql);
$num_rows = mysql_num_rows($entered_user);
//ERRS ARRAY DECLARED
$errors = array();
//FURTHER VERIFYING
if( $num_rows != 1 )
{
$errors[] = '-Account does not exist ';
}
elseif( $num_rows == 1 )
{
session_start();
while($row = mysql_fetch_array($entered_user)){
$_SESSION['key'] = true;
$_SESSION['id'] = $row['id'];
$_SESSION['email'] = $email;
$_SESSION['user'] = $row['username'];
$_SESSION['pass'] = $password;
header('Location: profile.php');
exit();
}
}
}
?>
I'm receiving an error that says 'account does not exist' even when I enter valid information.
Thanks,
-Eugene
EDIT CHANGED TO THIS:
<?php //POST VARIABLES
$submit = $_POST['login_submit'];
$username = $_POST['login_username'];
$password = $_POST['login_password'];
$email = $_POST['login_email'];
require 'password_config.php';
if(isset($submit)){
require 'db/connect.php';
//PASSWORD VERIFYING
$pass_query = "SELECT password FROM users WHERE email='$email'";
$queried = mysql_query($pass_query);
while($row = mysql_fetch_array($queried)){
$user_pass = $row['password'];
$veri_password = password_verify($password, $user_pass);
}
if($veri_password === true){
//CHECKING NUM ROWS
$sql = "SELECT id, username FROM users WHERE password='$user_pass' AND email='$email'";
$entered_user = mysql_query($sql);
$num_rows = mysql_num_rows($entered_user);
//ERRS ARRAY ESTABLISHED
$errors = array();
//FURTHER VERIFYING
if( $num_rows != 1 )
{
$errors[] = '-Account does not exist ';
}
elseif( $num_rows == 1 )
{
session_start();
while($row = mysql_fetch_array($entered_user)){
$_SESSION['key'] = true;
$_SESSION['id'] = $row['id'];
$_SESSION['email'] = $email;
$_SESSION['user'] = $row['username'];
$_SESSION['pass'] = $password;
header('Location: profile.php');
exit();
}
}
}
}
?>
change to:
$sql = "SELECT id, username FROM users WHERE email='$email'";
Also change:
$veri_password = password_verify($password, $user_pass);
to
if(!password_verify($password, $user_pass)){
echo 'invalid password';
exit;
}
Anyway, your code is vulnerable to SQL injection. Please consider using prepared statements in your queries or escape input strings with mysql_real_escape_string. And also it is recommended to use mysqli or PDO instead of procedural methods.
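An added example, not code from any of the posts above: a login check that combines the two points made in the answers, a prepared statement for the lookup and the boolean result of password_verify() as the only password test. The in-memory SQLite database, the sample account, the test inputs and the helper name `authenticate` are assumptions made so the example runs on its own.

```php
<?php
declare(strict_types=1);

// Constructed fixture: in-memory SQLite table with one bcrypt-hashed account.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT,
            email TEXT UNIQUE, password TEXT)');
$pdo->prepare('INSERT INTO users (username, email, password) VALUES (?, ?, ?)')
    ->execute(['eugene', 'eugene@example.test',
               password_hash('correct horse', PASSWORD_BCRYPT)]);

/**
 * Hypothetical helper: returns ['id' => ..., 'username' => ...] when the
 * credentials match, or null when the account is unknown or the password is wrong.
 */
function authenticate(PDO $pdo, string $email, string $password): ?array
{
    // The e-mail is bound as a parameter, so quotes inside it stay data.
    $stmt = $pdo->prepare('SELECT id, username, password FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    // password_verify() returns a bool. It is the whole check: the stored
    // hash is never compared with == and never placed back into a query.
    if (!password_verify($password, $row['password'])) {
        return null;
    }
    unset($row['password']);   // keep the hash out of whatever goes into $_SESSION
    return $row;
}

// Constructed inputs: valid login, wrong password, e-mail containing SQL syntax.
$attempts = [
    ['eugene@example.test', 'correct horse'],
    ['eugene@example.test', 'wrong password'],
    ["eugene@example.test' OR '1'='1", 'anything'],
];
foreach ($attempts as [$email, $password]) {
    $user = authenticate($pdo, $email, $password);
    printf("%-32s => %s\n", $email, $user ? "ok, id {$user['id']}" : 'rejected');
}
```

In a real login page the caller would run session_start() and session_regenerate_id(true) after a successful result and store only the returned id in $_SESSION.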
if(!$_SESSION['username']) {
$ip = $db->real_escape_string(VisitorIP());
$username = $db->real_escape_string($_POST['username']);
$password = $db->real_escape_string($_POST['password']);
$salt = "****";
$password = md5($password . $salt);
$result = $db->query("SELECT * FROM TABLE WHERE username='$username' and password='$password'");
$count = mysqli_num_rows($result);
if ($count == 1){
$bannedq = $db->query("SELECT banned FROM TABLE WHERE username='$username' AND password='$password'");
$banned = $bannedq->fetch_row();
if($banned[0] == "1") {
$failedLogin="1";
$message = 'You are banned and you cannot login';
} else {
$ip = $db->real_escape_string(VisitorIP());
$db->query("UPDATE h_users SET lastlogin=now(), lastip = '$ip' WHERE username='$username'");
header("Location: home");
session_start();
$_SESSION['username'] = $username;
$_SESSION['password'] = $password;
$failedLogin = "1";
$message = 'Username or Password WRONG!';
}
}
} else {
header("location: home");
}
Hello programmers,
I am trying to set up a login system on my website. Until now it was working fine, but when the session is set and the user gets redirected to the homepage, if he then goes to the login screen while the session is set, I want him to be redirected to the homepage and not see the login screen again.
But after I added this part:
if(!$_SESSION['username']) {
it does not work.
You have to take your session start and put it there before you use it, so write this before your if statement:
session_start();
if(!$_SESSION['username']) {
//...
And delete this one here:
//...
session_start();
$_SESSION['username'] = $username;
$_SESSION['password'] = $password;
//...
(Also I would add a die(); or exit(); after each header; it makes sure nothing gets executed after the header.)
Okay guys thanks for your help <3 <3
I changed my code to this and everything went fine
session_start();
if(!isset($_SESSION['username'])) {
if(isset($_POST['username']) && isset($_POST['password'])) {
$ip = $db->real_escape_string(VisitorIP());
$username = $db->real_escape_string($_POST['username']);
$password = $db->real_escape_string($_POST['password']);
$salt = "ho073";
$password = md5($password . $salt);
$result = $db->query("SELECT * FROM TABLE WHERE username='$username' and password='$password'");
$count = mysqli_num_rows($result);
if ($count == 1){
$bannedq = $db->query("SELECT banned FROM TABLE WHERE username='$username' AND password='$password'");
$banned = $bannedq->fetch_row();
if($banned[0] == "1") {
$failedLogin="1";
$message = 'You are banned and you cannot login';
} else {
$ip = $db->real_escape_string(VisitorIP());
$db->query("UPDATE TABLE SET lastlogin=now(), lastip = '$ip' WHERE username='$username'");
header("Location: home");
$_SESSION['username'] = $username;
$failedLogin = "1";
$message = 'Username or Password WRONG!';
}
}
}
include'templates/login.html';
} else {
header("location: home");
die();
}
Much love for you <3