i have a problem with $_GET to authenticfiate an owner of his site.
im using this code to check, if the users id is registrated or not:
<?php
session_start();
include('scripts/db_connect.php');
if(isset($_SESSION['id'])){
$url_auth = $_GET['id'];
}else{
echo "no user found";
exit();
}
$sql = "SELECT * FROM table WHERE id='".$url_auth."'";
$query = $db->query($sql);
if($query->num_rows !=1){
header("Location: index.php");
exit();
i having problems with reading out that $_GET id. it seems that something is going wrong and i dont know why. is there maybe another way to check for users registration when someone is calling any id in the browser? thanks.
Try this way.
<?php
session_start();
include('scripts/db_connect.php');
$id=mysql_escape_string($_GET['id']); //Sanitized the variable to avoid SQL Injection attacks
$sql = "SELECT * FROM table WHERE id='".$id."'";
$query = $db->query($sql);
if($query->num_rows !=1){
header("Location: index.php");
exit();
}
else
{
$_SESSION["loggedIn"]="Success";
header("authenticationSuccess.php");
}
?>
Now check this $_SESSION["loggedIn"]="Success" on all your other pages to check whether the user is genuine.
Changes for Comment:
If you really think $_GET is the problem , try this.
<?php
session_start();
#extract($_GET);
include('scripts/db_connect.php');
$sql = "SELECT * FROM table WHERE id='".mysql_escape_string($id)."'";
$query = $db->query($sql);
if($query->num_rows !=1){
header("Location: index.php");
exit();
}
else
{
$_SESSION["loggedIn"]="Success";
header("authenticationSuccess.php");
}
?>
Related
I am trying to redirect a user to another page if the CHPassword column is "yes"
Currently if there user name and pass is valid I send them to dashboard.php if it is not I send them to index.php. Now I'm trying to check the database and if the CHPassword is yes. force them to change their password. (redirect to another page. Otherwise let them proceed to the dashboard. Here is the code currently.
// SQL query to fetch information of registerd users and finds user match.
$sql = "SELECT * FROM Employee where Password='$EPassword' AND UserName='$UserName'";
$result = mysqli_query($con, $sql) or die(mysqli_error($con));
$User = mysqli_fetch_array($result);
$row = mysqli_num_rows($result);
if ($row == 1)
{
$_SESSION["FName"] = $User['FName'];
$_SESSION["LName"] = $User['LName'];
$_SESSION["AccessLvl"] = $User['AccessLvl']; // Initializing Session header
header("location: Dashboard.php");
}
else
{
$_SESSION["error"] = "UserName Or Password is Incorrect. Please try Again";
header("location: index.php"); // Redirecting To Other Page
}
mysqli_close($con); // Closing Connection
}
}
All help would be great. Sorry guys still learning. Thanks in advance.
If your CHPassword has record like 'yes' /
if ($row == 1)
{
if($User["CHPassword"]=='yes'){
header("location: changepassword.php");
}
else{
$_SESSION["FName"] = $User['FName'];
$_SESSION["LName"] = $User['LName'];
$_SESSION["AccessLvl"] = $User['AccessLvl'];
header("location: Dashboard.php");
}
}
else{
$_SESSION["error"] ="UserName Or Password is Incorrect.";
header("location: index.php"); // Redirecting To Other Page
}
I am not sure if this is what you are looking for. But if you are trying to check the value for CHPassword that is returned from the query, and check if it is set to Yes, and redirect based on that, then this should work.
$sql = "SELECT * FROM Employee where Password='$EPassword' AND UserName='$UserName'";
$result = mysqli_query($con, $sql) or die(mysqli_error($con));
$User = mysqli_fetch_array($result);
$row = mysqli_num_rows($result);
if ($row == 1)
{
if ( $User['CHPassword'] == "Yes" )
{
//place header code here
}
$_SESSION["FName"] = $User['FName'];
$_SESSION["LName"] = $User['LName'];
$_SESSION["AccessLvl"] = $User['AccessLvl']; // Initializing Session header
header("location: Dashboard.php");
}
else
{
$_SESSION["error"] = "UserName Or Password is Incorrect. Please try Again";
header("location: index.php"); // Redirecting To Other Page
}
I am trying to create a logout page using session_destroy() but all i get is a blank page.
This is my code about logging in(I assume the problem has to be somewhere here but i am a beginner at this).
What i thought it will work is creating a session for the username since it is used at isset() but apparently its not working.
<?php
session_start();
$dbhost = "";
$dbuser = "";
$dbpassword = '';
$db= 'system_dev';
mysql_connect($dbhost,$dbuser,$dbpassword);
mysql_select_db($db);
include 'test.php';
if (isset($_POST['username'] )) {
$username=$_POST['username'];
$password=$_POST['password'];
$_SESSION['username']=$username;
$sql ="Select * FROM Company WHERE username='".$username."'AND password = '".$password."'LIMIT 1";
$sqlid = "Select CompanyId FROM Company WHERE username='".$username."'";
$result = mysql_query($sql);
$resultid= mysql_query($sqlid) or die('Query failed: '. mysql_error());
while ($row =mysql_fetch_array($resultid,MYSQL_ASSOC) ) {
echo "<tr>\n";
foreach ($row as $col_value){
echo "$col_value\n";
}
}
$company = mysql_free_result($resultid);
$_SESSION['CompanyId'] = $col_value;
}
if ( mysql_num_rows ($result)==1){
header ("Location: webdesign.php");
exit();
}
else {
echo "Invalid input";
exit();
}
?>
On the code of "logout.php" I have only written this:
<?php
session_start();
session_destroy();
header ("website.php");
?>
Thanks in advance and sorry if the answer is not how it should be. I have read the rules but this is the 2nd post so far. I believe i will get better someday :)
You should use Location in your header argument like header("Location: page.php");
you can place this header after you destroyed the session, that should not give any problems.
As Dorco said:
You should use Location in your header
So the logout function should looks like this:
session_destroy();
session_regenerate_id(TRUE);
header("Location: login.php");
die();
And I strongly suggest you, so not simply insert the post value into the SQL query. That will cause a SQL injection. Use prepare statement instead. PHP: Prepared Statement
I have created a website with a functioning login system and in my database in the users table there is a column names type with either standard or admin. I have created a page for the admin only to edit products etc however i'm stuck on how to set it so only the 'admin' can view the page instead of just anyone that is logged in. Heres what I have so far?
admin.php
<?session_start(); ?>
<?php
include 'login.php'; // this includes all my login form and login action
include 'connection.php'; // this is my database connection
$query1 = "SELECT type FROM users";
$result = mysqli_query($query1);
$user = mysqli_fetch_array($result);
$_SESSION['usertype'] = $user['usertype'];
if($_SESSION['type'] = 'admin'){
//admin content here
{
<?php
if ($_SESSION['type']) = 'standard')
{
echo 'you must be an admin to see this page';
}
?>
loginaction.php
<?php
session_start();
include'connection.php';
$email = trim($_POST["email"]);
$password = trim($_POST["password"]);
$password=md5($_POST["password"]);
if (empty($email) or empty($password)) {
header("Location: homepage.php?form=invalid"); //Redirection information
exit;
}
if(!filter_var($email, FILTER_VALIDATE_EMAIL))
{
echo "E-mail is not valid";
header("Location: homepage.php?email=invalid");
exit;
}
$query = "SELECT * FROM users WHERE email= '$email' AND password = '$password' ";
$result = mysqli_query($connection, $query) or exit("Error in query: $query. " . mysqli_error());
if ($row = mysqli_fetch_assoc($result)) {//Then we have a successful login
$_SESSION["authenticatedUserEmail"] = $email;
$_SESSION['ID'] = $row['ID'];
$_SESSION["password"] = $row['password'];
header("Location: homepage.php");
} else {//Login was unsuccessful
echo "User does not exist";
header("Location: login.php?user=invalid");
}
?>
You are not using comaprisons instead setting values for variables in the conditions where you check for the user type.
if($_SESSION['type'] ='admin'){ `should be` if($_SESSION['type'] == 'admin'){
<? session_start(); ?>
<? php
include 'login.php'; // this includes all my login form and login action
include 'connection.php'; // this is my database connection
$query1 = "SELECT type FROM users";
$result = mysqli_query($query1);
$user = mysqli_fetch_array($result);
$_SESSION['usertype'] = $user['usertype'];
if ($_SESSION['type'] == 'admin') {
//admin content here
}
if ($_SESSION['type']) == 'standard') {
echo 'you must be an admin to see this page';
} ?>
There are other errors in the code such as not putting the curly braces to end the statements correctly. This code should work, however it is a very unsafe code as anyone with sql injection and good programming knowledge will "tear" your website apart and worse, they steal and manipulate your data.
You should use mysql_real_escape_string() to make the input from users sql injection proof to fairly high extent.
Multiple problems seems in your code too, along with the problem mentioned by #Vish in the answers:
$result = mysqli_query($query1);
Expected a connection link as first argument.
Again:
you are trying to fetch type from the user table. But using usertype in mysqli_fetch_array. Seems it is incorrect. And the $_SESSION['type'] variable is really $_SESSION['usertype'] ?
A modified code.
$query1 = "SELECT type FROM users";
$result = mysqli_query($connection, $query1);
$user = mysqli_fetch_array($result);
$_SESSION['usertype'] = $user['type'];
if($_SESSION['usertype'] == 'admin')
{
//admin content here
}
elseif ($_SESSION['usertype']) == 'standard')
{
echo 'you must be an admin to see this page';
}
P.S: Not sure it will solve your problem
Im trying to update records in my table with the followin, my problem is however that my browser outputs an empty white page with no source, Can anybody see what I'm doing wrong?
<?php
require 'dbconfig.php';
//Always place this code at the top of the Page
session_start();
if (!isset($_SESSION['id'])) {
// Redirection to login page twitter or facebook
header("location: index.php");
}
function safe($value){
return mysql_real_escape_string($value);
}
// Variables
$_SESSION['username'];
$_SESSION['oauth_provider'];
$uid = $_SESSION['id'];
$email = safe($_POST["email"]);
$credits = safe($_POST["credits"]);
$query = mysql_query("UPDATE users SET email= '$email' WHERE id='$uid'") or die(mysql_error());
?>
You have assigned a variable to your query, but you are not running it.
$query = mysql_query("UPDATE users SET email= '$email' WHERE id='$uid'") or die(mysql_error());
So, the above is just a redundant code. to run it, you should call $query, like this
if($query){
echo 'Updated performed';
}else{
echo 'Update failed';
}
Note I'm not encouraging you to use mysql_ functions as they are weak, vulnerable and deprecated. Intead you should learn more about PDO
You are not displaying anything after DB operation. So nothing will be printed.
you can do like this:
$query = mysql_query("UPDATE users SET email= '$email' WHERE id='$uid'") or die(mysql_error());
$sql_query = mysql_query($query);
if(mysql_affected_rows()) {
$msg = "something has changed!";
} else {
$msg = "nothing has changed!";
}
I am trying to do a simple login with PHP and mysql, and using Sessions as well. I have the code, which should work in theory, however it keeps redirecting me to the login page (refreshing it) instead of taking me to the profile.
$username = $_POST['username'];
$query = "SELECT `confirmcode` FROM `fb_network` WHERE `username` = '$username' AND `status`='Confirmed' ";
$result = mysql_query($query);
if (mysql_num_rows($result) == 1){
$result2 = mysql_query($query);
$row = mysql_fetch_row($result2);
$_SESSION['conf_code'] = $row[0];
$uid = $row[0];
session_register($uid);
header('location:profile.php?conf='.$row[0]);
}
else{
echo 'Wrong username';
}
no it shouldn't work in theory
try this
<?php
$username = mysql_real_escape_string($_POST['username']);
$query = "SELECT `confirmcode` FROM `fb_network`
WHERE `username` = '$username' AND `status`='Confirmed' ";
$result = mysql_query($query) or trigger_error(mysql_error().$query);
if ($row = mysql_fetch_row($result)){
session_start();
$_SESSION['conf_code'] = $row[0];
header('Location: profile.php');
exit;
} else {
echo 'Wrong username';
}
but there can be other issues, from code you didn't post here r other reasons.
as a matter of fact, only debugging can tell you what's the problem for sure
I would use a user defined function and make it to check the login credentials and return true or false from the function.
you can use something like this.
function check_login ($username, $password) {
$query = "SELECT `confirmcode` FROM `fb_network` WHERE `username` = '$username' AND `status`='Confirmed' ";
$result = mysql_query($query);
$row = mysql_fetch_array($result);
if( mysql_num_rows($result) == 0) {
return false;
}
if( mysql_num_rows($result) == 1) {
$_SESSION['loggedin'] = "true";
header('location:profile.php?conf='.$row[0]);
return true;
}
}
and then call the function easily and display the appropriate message.
check the following code..
<?php
session_start();
/** If the User is already Logged in then redirect to login.php **/
if(isset($_SESSION['loggedin'])){
header("Location: login.php");
}
else {
if( check_login($_POST['username'], $_POST['password'])) {
header('location:profile.php?conf='.$row[0]);
}
}
althoough the code is not exact but this might be enough to get you going.
I see that your code has only two options - display "wrong code" or redirect to the other page. no place where you are redirecting to the login page?
You need to initiate the session by sessions_start() before the rest of the code.
If you have any sort of 'test' script on the profile page that re-directs you if you're not logged in, it may be that the above code logs you in, but does not carry the session variable correctly to the profile page...and subsequently sends the user back to log in again.
Make sure the session is properly initiated on each page using the variable and make sure they match on both ends.
You have two main problems:
You are not using session_start to tell PHP to start tracking sessions
You are using session_register. session_register requires register_globals to be on, which it hopefully is not in your environment. It also expects its argument to be a string which is the name of the variable you wish to store. You should instead use $_SESSION['uid'] = $row[0];
You should also read about SQL injection, a very serious and common security flaw that your code exhibits.
Here is a corrected version of your code:
<?php
session_start(); //it's fine to just do this by habit at the top of every page
$username = $_POST['username'];
//I added mysql_real_escape_string - please read about "sql injection", as it is a very serious and common problem!
$query = "SELECT `confirmcode` FROM `fb_network` WHERE `username` = '".mysql_real_escape_string($username)."' AND `status`='Confirmed' ";
$result = mysql_query($query);
if (mysql_num_rows($result) == 1) {
$result2 = mysql_query($query);
$row = mysql_fetch_row($result2);
$_SESSION['conf_code'] = $row[0];
//not sure if this is what you weree going for or not
$_SESSION['uid'] = $row[0];
header('location:profile.php?conf='.$row[0]);
}
else {
echo 'Wrong username';
}
Then in profile.php, to check if someone is logged in:
<?php
session_start();
if( ! isset($_SESSION['uid']))
//Not logged in!
if( $_SESSION['uid'] != $_GET['conf'])
//trying to access someone else's page!