Okay, this is definitely an easy question and a stupid one, but since I have been developing on localhost I didn't even realise it was a problem. The header to redirect to the members page in the login script is not working because it is positioned incorrectly. This did not cause a problem on WAMP but does on the live server. The script is included in an HTML file for reasons too long to tell here. Nothing is echoed in the script until something goes wrong, but then the script is stopped. Where should I put the redirect header?
Here is the login script:
<?php
// Connects to your Database
include ("database.php");
//Checks if there is a login cookie
if(isset($_SESSION['username']))
//if there is, it logs you in and directs you to the members page
{
echo '<div id="probwarn"><t1><b>You are already logged in! You do not need to do it again.</b></t1></div>';
}
//if the login form is submitted
if (isset($_POST['submit'])) { // if form has been submitted
$flag = 0; // Safety net, if this gets to 1 at any point in the process, we don't upload.
// makes sure they filled it in
if(!$_POST['username'] | !$_POST['pass']) {
echo('<div id="probwarn"><t1>You did not fill in a required field.</t1></div>');
$flag = $flag + 1;
}
// checks it against the database
$pass = htmlspecialchars(mysql_real_escape_string($_POST['pass']));
$username = htmlspecialchars(mysql_real_escape_string($_POST['username']));
$check = mysql_query("SELECT * FROM members WHERE username = '".$username."'")or die(mysql_error());
//Gives error if user doesn't exist
$check2 = mysql_num_rows($check);
if ($check2 == 0) {
if($flag == 0) {
echo('<div id="probwarn"><t1>You must <b>register</b> first.</t1></div>') ;
}
$flag = $flag + 1;
}
$check = mysql_query("SELECT * FROM members WHERE username = '".$username."'")or die(mysql_error());
$pass = htmlspecialchars(mysql_real_escape_string($_POST['pass']));
$username = htmlspecialchars(mysql_real_escape_string($_POST['username']));
while($info = mysql_fetch_array( $check ))
{
$_POST['pass'] = stripslashes($_POST['pass']);
$info['password'] = stripslashes($info['password']);
$_POST['pass'] = md5($_POST['pass']);
//gives error if the password is wrong
if ($_POST['pass'] != $info['password']) {
if($flag == 0) {
echo('<div id="probwarn"><t1>Incorrect password, please try again.</t1> </div>');
$flag ++;
} }
}
// if login is ok then we add a cookie
if($flag == 0) {
$pass = htmlspecialchars(mysql_real_escape_string($_POST['pass']));
$username = htmlspecialchars(mysql_real_escape_string($_POST['username']));
$_SESSION['username']=$username;
$_SESSION['password']=$pass;
//then redirect them to the members area
//THIS IS THE HEADER
header("Location: ../members.html");
}
}
else
// if they are not logged in
?>
LOGIN FORM IS USUALLY HERE
You forgot to exit after setting a Location header. Unless you know exactly what you're doing, you should ALWAYS put exit (or die()) after a Location header.
You can use header('Location: address') anywhere in your code, but it's better to use the exit() function after header; if the redirection is not executed, the other code doesn't execute.
Hello everybody, I am trying to make a login script in PHP. It works well and I am able to log in, but I got this strange bug or whatever to call it... You see, when I log in as an ordinary user it works fine, but when I log in as admin I get logged in but at the same time it says my login failed...
I got this welcome message:
<?php echo "<h3 id ='tjena'> Welcome ".$_SESSION['user']."</h3>";?>
so I know that I am actually logged in...
However, I also got a header which is supposed to lead me to ?success, but for some reason it fails and directs me to ?error
Here is my code:
while($row = $result->fetch_object()) {
    if($username == $row->username) {
        $checkPassword = password_verify($password,$row->password);
        if($checkPassword ){
            session_start();
            $_SESSION['loggedIn'] = true;
            $_SESSION['user'] = $row->username;
            $_SESSION['admin'] = $row->admin;
            $_SESSION['LAST_ACTIVITY'] = time();
            header("Location:index.php?success");
            $fail = false;
        }
    } else {
        $fail = true;
    }
}
if($fail){
    header("Location:index.php?error");
}
Does somebody know what is causing this error? Thanks in advance!
The PHP script does redirect the user to another page, but that script is not stopping its execution, unless you tell it to.
That is why I think adding a line with exit(); will do the trick.
while($row = $result->fetch_object()) {
    if($username == $row->username) {
        $checkPassword = password_verify($password,$row->password);
        if($checkPassword ){
            session_start();
            $_SESSION['loggedIn'] = true;
            $_SESSION['user'] = $row->username;
            $_SESSION['admin'] = $row->admin;
            $_SESSION['LAST_ACTIVITY'] = time();
            header("Location:index.php?success");
            exit();
            $fail = false;
        }
    } else {
        $fail = true;
    }
}
if($fail){
    header("Location:index.php?error");
}
Where is the code that checks if you are a normal user or admin? You have $_SESSION['user'] and $_SESSION['admin'] if $checkpassword is true.
session_start(); should definitely be put at the very top + write a simple if statement to check for user or admin.
You should put $fail = false; before the header("Location: index.php?success") statement.
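A login handler covering both questions above, as an added example that is not code from any of the posts: the redirect is sent before any output and is always followed by exit, and the user is fetched with one parameterised query, so no later non-matching row can flip the result and replace the success header with the error one. The PDO connection details, the users table name and the redirect() helper are assumptions; the column and session key names follow the second question.

```php
<?php
// Added example, not code from the posts. DSN, credentials, the "users" table
// name and the redirect() helper are assumptions made for illustration.
declare(strict_types=1);

function redirect(string $target): void
{
    // header() only works before the first byte of output. Log where output
    // began instead of failing silently, as happens when buffering is off.
    if (headers_sent($file, $line)) {
        error_log("redirect to $target impossible: output started at $file:$line");
        exit('Login could not be completed.');
    }
    header('Location: ' . $target, true, 303);
    exit; // without this the rest of the script keeps running
}

function find_user(PDO $db, string $username): ?array
{
    // One parameterised lookup replaces looping over every row of the table.
    $stmt = $db->prepare('SELECT username, password, admin FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

session_start(); // must run before any HTML is sent

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $db = new PDO('mysql:host=localhost;dbname=example', 'app_user', 'placeholder-password',
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

    $username = is_string($_POST['username'] ?? null) ? $_POST['username'] : '';
    $password = is_string($_POST['password'] ?? null) ? $_POST['password'] : '';
    $user = find_user($db, $username);

    if ($user !== null && password_verify($password, $user['password'])) {
        session_regenerate_id(true); // fresh session id once the user is authenticated
        $_SESSION['loggedIn'] = true;
        $_SESSION['user'] = $user['username'];
        $_SESSION['admin'] = (bool) $user['admin'];
        $_SESSION['LAST_ACTIVITY'] = time();
        redirect('index.php?success');
    }
    // Same response for unknown user and wrong password.
    redirect('index.php?error');
}
```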
I have generated a PHP file that has information stored in a database. To access this a person must use a login page.
However, when you are using MAMP how can you prevent someone from accessing the file through writing the IP address and php file name e.g. 123.456.78.00:80/fileone.php. I want this fileone.php to be hidden and for them to only access it through a login page.
Thanks in advance.
<?php
session_start();
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
mysql_connect("localhost", "root","root") or die(mysql_error()); //Connect to server
mysql_select_db("first_db") or die("Cannot connect to database"); //Connect to database
$query = mysql_query("SELECT * from users WHERE username='$username'"); //Query the users table if there are matching rows equal to $username
$exists = mysql_num_rows($query); //Checks if username exists
$table_users = "";
$table_password = "";
if($exists > 0) //IF there are no returning rows or no existing username
{
while($row = mysql_fetch_assoc($query)) //display all rows from query
{
$table_users = $row['username']; // the first username row is passed on to $table_users, and so on until the query is finished
$table_password = $row['password']; // the first password row is passed on to $table_users, and so on until the query is finished
$table_id = $row['id'];
$page_id = $row['page'];
}
if(($username == $table_users) && ($password == $table_password)) // checks if there are any matching fields
{
if($password == $table_password)
{
$_SESSION['user'] = $username; //set the username in a session. This serves as a global variable
//echo $table_id;
//echo $page_id;
redirect ($page_id); //take the user to the page specified in the users table
}
else
{
echo "Login Failed";
}
}
else
{
Print '<script>alert("1. Incorrect Password!");</script>'; //Prompts the user
Print '<script>window.location.assign("login.php");</script>'; // redirects to login.php
}
}
else
{
Print '<script>alert("Incorrect Username!");</script>'; //Prompts the user
Print '<script>window.location.assign("login.php");</script>'; // redirects to login.php
}
function redirect($page_id)
{
/* Redirect browser */
header('Location: ' . $page_id);
/* Make sure that code below does not get executed when we redirect. */
exit;
}
?>
Login check
if(isset($_SESSION['loggedIn']) && $_SESSION['loggedIn'] === true) {
    "Your script"
}
If you have a profile for your users, like a normal user = 0 and an admin = 1 you can do it like this
if(isset($_SESSION['loggedIn']) && $_SESSION['loggedIn'] === true && $_SESSION['profile'] == 1) {
    "Your script"
}
Set sessions
To set the sessions to true you need this
if(isset($_POST['submit'])) {
    $_SESSION['loggedIn'] = true;
    // to set a profile
    $_SESSION['profile'] = 1;
}
Maybe I didn't understand you well, but to be sure I will explain something:
You said attached checklogin.php, but you can't use that to deny access for non-members. If they know that the file exists, they can type it in the URL and still read fileone.php. The first coding block needs to be in your fileone.php.
Session time
Search in your php.ini for 'session.gc_maxlifetime'. There will be a number and that is the time in seconds.
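The guard described in this answer, written as an added example that is not code from the thread: a file included by the first line of fileone.php that checks login state, role and idle time, then stops the script before any protected content runs. The file name require_login.php, the 30-minute limit and the last_activity key (which the login script is assumed to set) are assumptions; session.gc_maxlifetime only decides when stale session data becomes eligible for garbage collection, so the idle check is done explicitly.

```php
<?php
// Added example, not code from the answer. Save as require_login.php
// (hypothetical name) and start fileone.php with:
//     require __DIR__ . '/require_login.php';
declare(strict_types=1);

const MAX_IDLE_SECONDS = 1800; // assumed idle limit (30 minutes)
const REQUIRED_PROFILE = 1;    // 1 = admin, as in the answer's example

/** Return null when the session may see the page, otherwise the reason it may not. */
function deny_reason(array $session, int $now): ?string
{
    if (($session['loggedIn'] ?? false) !== true) {
        return 'not-logged-in';
    }
    // The login script is assumed to store time() in last_activity.
    if ($now - (int) ($session['last_activity'] ?? 0) > MAX_IDLE_SECONDS) {
        return 'idle-timeout';
    }
    if ((int) ($session['profile'] ?? 0) !== REQUIRED_PROFILE) {
        return 'forbidden';
    }
    return null;
}

session_start();
$reason = deny_reason($_SESSION, time());

if ($reason === 'forbidden') {
    // Logged in but not allowed here: answer 403 rather than bouncing to login.
    http_response_code(403);
    exit('Forbidden');
}
if ($reason !== null) {
    $_SESSION = [];                            // drop stale state
    header('Location: login.php', true, 303);
    exit;                                      // nothing in fileone.php runs after this
}
$_SESSION['last_activity'] = time();           // sliding idle window
```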
I have a login script where a page (index.php) can request the user to log in (protect.php); however, all that I see on index.php is a blank white screen with no source and no error messages. I should at least be seeing login.php to ask the user to log in. This script worked for a few minutes, then just decided to stop working.
This exact script has worked before in many other web apps that I have created however this one does not work. After hours of debugging I am still unable to find a solution to this problem.
index.php:
<?php
$allow=array('0','1','2');
require("users/protect.php");
?>
<script>window.location="/setup.php";</script>
protect.php:
<?php
session_start();
// --------------------------------THE VARIABLES---------------------------------- //
#include ("config.php");
// ----------------------------------THE CODE ------------------------------------ //
function clearance ($user_value, $pass_value, $level_value, $userlevel_value, $table_value, $column1, $column2, $path) { // Function to see if user can login
$check = mysql_query ("SELECT $userlevel_value FROM $table_value WHERE email='$user_value' AND password='$pass_value'"); // Query to see if user exists
$verify = mysql_num_rows ($check);
$get = mysql_fetch_array ($check);
if (count ($level_value) != 0) { // If the allow array contains userlevels
if (in_array ($get[$userlevel_value], $level_value) && $verify > 0) { // Search allow to see if userlevels match
$_SESSION['username'] = $user_value; // Register sessions
$_SESSION['password'] = sha1 ($pass_value); // sha1 password for extra security
$_SESSION['userlevel'] = $get[$userlevel_value];
}
} else {
if ($verify == 0) { // If attempt fails then redirect to login page
$_SESSION = array();
$error = "Sorry but your login details were incorrect";
#include ("login.php");
exit;
}
if ($verify > 0) { // If attempt is good then register the user
$_SESSION['username'] = $user_value;
$_SESSION['password'] = sha1 ($pass_value);
}
}
}
function protect ($level_value, $password_value, $userlevel_value, $table_value, $column1, $path) { // Function to keep pages secure
if (!isset ($_SESSION['username'])) { // If session doesn't exist then get user to login
if (isset ($_POST['username']) && isset ($_POST['password'])) {
$error = "Sorry but your login details were incorrect";
}
$_SESSION = array();
#include ("login.php");
exit;
} else { // If user is logged in check to see if session is valid and that they have the required userlevel
$check = mysql_query ("SELECT $password_value, $userlevel_value FROM $table_value WHERE $column1='$_SESSION[username]'"); // Query to see if user exists
$verify = mysql_num_rows ($check);
$get = mysql_fetch_array ($check);
if ($verify == 0) {
$_SESSION = array();
$error = "Sorry but your login details were incorrect";
#include ("login.php");
exit;
}
if ($verify > 0 && count ($level_value) != 0) {
if (!in_array ($get[$userlevel_value], $level_value)) { // Check to see if the users userlevel allows them to view the page
$error = "Sorry but your login details were incorrect";
#include ("login.php");
exit; // Ensure no other data is sent
}
}
}
}
if (isset ($_POST['username']) && isset ($_POST['password'])) { // If user submits login information then validate it
clearance ($_POST['username'], $_POST['password'], $allow, $userlevel, $table, $username, $password, $path);
}
protect ($allow, $password, $userlevel, $table, $username, $path);
mysql_close ($link); // Close the database connection for security reasons
// -----------------------------------THE END ------------------------------------ //
?>
I used the following script from about.com: http://php.about.com/od/finishedphp1/ss/php_login_code_2.htm
The problem is that a few times it gives me this error: The page isn't redirecting properly. Firefox has detected that the server is redirecting the request for this address in a way that will never complete.
Code:
<?php
session_start();
// Process the POST variables
$username = $_SESSION["user_name"];
//$password = $_POST["password"];
// Set up the session variables
$_SESSION["user_name"] = $username;
$ugh = $_REQUEST['url_name'];
if($_POST){
$_SESSION['user_name']=$_POST["user_name"];
$_SESSION['password']=$_POST["password"];
}
$secret = $info['password'];
//Checks if there is a login cookie
if(isset($_COOKIE['ID_my_site']))
//if there is, it logs you in and directs you to the members page
{
$username = $_COOKIE['ID_my_site'];
$pass = $_COOKIE['Key_my_site'];
$check = mysql_query("SELECT user_name, password
FROM users WHERE user_name = '$username'
and url_name='$ugh'")or die(mysql_error());
while($info = mysql_fetch_array( $check ))
{
if ($info['password'] != $pass)
{
}
else
{
header("Location: home.php");
}
}
}
//if the login form is submitted
if (isset($_POST['submit'])) { // if form has been submitted
// makes sure they filled it in
if(!$_POST['user_name'] | !$_POST['password']) {
die('You did not fill in a required field.');
}
// checks it against the database
if (!get_magic_quotes_gpc()) {
$_POST['user_name'] = addslashes($_POST['user_name']);
}
$check = mysql_query("SELECT user_name,password
FROM users WHERE user_name = '".$_POST['user_name']."'
and url_name='".$ugh."'")or die(mysql_error());
//Gives error if user doesn't exist
$check2 = mysql_num_rows($check);
if ($check2 == 0) {
die('That user does not exist in our database.
<a href=add.php>Click Here to Register</a>');
}
while($info = mysql_fetch_array( $check ))
{
$_POST['password'] = md5($_POST['password']);
$_POST['password'] = $_POST['password'];
//gives error if the password is wrong
if ($_POST['password'] != $info['password']) {
die('Incorrect password, please try again');
}
else
{
// if login is ok then we add a cookie
$_POST['user_name'] = stripslashes($_POST['user_name']);
$hour = time() + 3600;
setcookie(ID_my_site, $_POST['user_name'], $hour);
setcookie(Key_my_site, $_POST['password'], $hour);
//then redirect them to the members area
header("Location: home.php");
}
}
}
else
{
// if they are not logged in
?>
2nd code:
Then on each member page I use the following to make sure their login is correct:
// Process the POST variables
$email = $_SESSION["user_name"];
// Set up the session variables
$_SESSION["user_name"] = $username;
if(!isset($_SESSION['user_name'])) { header("Location: log.php");}
To paraphrase Blowski: http://kb.mozillazine.org/The_page_is_not_redirecting_properly
It's like Firefox has reached its maximum recursion depth: it has detected a seemingly endless loop of redirects
What's the name of the files in the above scripts? If the name of the first script is home.php, then when a user visits home.php, it will keep reloading if the password is incorrect, so Firefox will return that message.
Alternatively, do you have anything in your .htaccess which is causing it?
I have enabled vanity URLs (user.domain.com). When a session expires or somebody clears the cookies, the page would get redirected to user.domain.com, which has the login page. So, on all pages I am using the following code:
if(!isset($_SESSION['user_name'])) { header("Location: http://$_SERVER[HTTP_HOST]");}
2 out of 10 times I get a redirect error saying that the page is redirecting too many times.
Could this be the reason? And if it is what can i do to redirect in a way that won't cause such issues.
Thanks.
Login code:
<?php
session_start();
// Process the POST variables
$username = $_SESSION["user_name"];
//$password = $_POST["password"];
// Set up the session variables
$_SESSION["user_name"] = $username;
$ugData = $_REQUEST['sub_name'];
if($_POST){
$_SESSION['user_name']=$_POST["user_name"];
$_SESSION['password']=$_POST["password"];
}
$secret = $info['password'];
//Checks if there is a login cookie
if(isset($_COOKIE['ID_my_site']))
//if there is, it logs you in and directs you to the members page
{
$username = $_COOKIE['ID_my_site'];
$pass = $_COOKIE['Key_my_site'];
$check = mysql_query("SELECT user_name, password FROM accounts WHERE user_name = '$username' and sub_name='$ugData'")or die(mysql_error());
while($info = mysql_fetch_array( $check ))
{
if ($info['password'] != $pass)
{
}
else
{
header("Location: home.php");
}
}
}
//if the login form is submitted
if (isset($_POST['submit'])) { // if form has been submitted
// makes sure they filled it in
if(!$_POST['user_name'] | !$_POST['password']) {
die('You did not fill in a required field.');
}
// checks it against the database
if (!get_magic_quotes_gpc()) {
$_POST['user_name'] = addslashes($_POST['user_name']);
}
$check = mysql_query("SELECT user_name,password FROM accounts
WHERE user_name = '".$_POST['user_name']."'
and sub_name='".$ugData."'")or die(mysql_error());
//Gives error if user doesn't exist
$check2 = mysql_num_rows($check);
if ($check2 == 0) {
die('That user does not exist in our database.
<a href=add.php>Click Here to Register</a>');
}
while($info = mysql_fetch_array( $check ))
{
$_POST['password'] = md5($_POST['password']);
$_POST['password'] = $_POST['password'];
//gives error if the password is wrong
if ($_POST['password'] != $info['password']) {
die('Incorrect password, please try again');
}
else
{
// if login is ok then we add a cookie
$_POST['user_name'] = stripslashes($_POST['user_name']);
$hour = time() + 3600;
setcookie(ID_my_site, $_POST['user_name'], $hour);
setcookie(Key_my_site, $_POST['password'], $hour);
//then redirect them to the members area
header("Location: home.php");
}
}
}
else
{
?>
The header("Location: http://{$_SERVER['HTTP_HOST']}"); isn't the problem per se.
However, if you do have that code on your login page then yes, you'll just keep redirecting yourself to the home page because you won't be able to login.
Make sure that you do not redirect the user if he's on the login page.
EDIT: Try header('Location: /'); Maybe you have some weird server issue which causes $_SERVER['HTTP_HOST'] to sometimes be null.
Assuming that redirecting to http://yourserver/ means http://yourserver/index.php, then you should change the if to read
if(!isset($_SESSION['user_name']) && $_SERVER['PHP_SELF'] != '/index.php')
{
    header("Location: http://$_SERVER[HTTP_HOST]");
}
This will avoid endless redirects.
Try using this with a die():
if(!isset($_SESSION['user_name'])) { header("Location: http://user.domain.com"); die();}
If the URL changes from user to user, grab the username from the db first and use it in the redirection. Try something like:
...
$username = $row["username"];
...
and use it:
if(!isset($_SESSION['user_name'])) { header("Location: http://".$username.".domain.com"); die();}
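The points from these answers combined in one guard, as an added example that is not code from the thread: it never redirects from the login page itself, falls back to a relative URL when the Host header is empty or unexpected (that header is supplied by the client), and always exits after the header. The base domain domain.com and the login script /index.php are the placeholders the answers already use; the function names are hypothetical.

```php
<?php
// Added example, not code from the answers. "domain.com" stands in for the
// site's real base domain and /index.php for its login page.
declare(strict_types=1);

const BASE_DOMAIN  = 'domain.com';
const LOGIN_SCRIPT = '/index.php';

/** Accept only "<label>.domain.com"; anything else (empty, port, other site) is rejected. */
function trusted_host(string $host): ?string
{
    $host = strtolower($host);
    $pattern = '/^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.' . preg_quote(BASE_DOMAIN, '/') . '\z/';
    return preg_match($pattern, $host) === 1 ? $host : null;
}

/** Redirect target for a visitor without a session, or null when no redirect must be sent. */
function login_redirect(array $session, string $script, string $host): ?string
{
    if (isset($session['user_name'])) {
        return null; // logged in, show the page
    }
    if ($script === LOGIN_SCRIPT) {
        return null; // already on the login page: redirecting here is the endless loop
    }
    $safe = trusted_host($host);
    // Relative fallback keeps the browser on the current host.
    return $safe === null ? '/' : 'http://' . $safe . '/';
}

session_start();
// SCRIPT_NAME is used instead of PHP_SELF because PHP_SELF can carry extra path info.
$target = login_redirect($_SESSION, $_SERVER['SCRIPT_NAME'] ?? '', $_SERVER['HTTP_HOST'] ?? '');
if ($target !== null) {
    header('Location: ' . $target, true, 302);
    exit; // stop here so no member content is sent along with the redirect
}
```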