So i'm writing a simple login script and I ran into some problems. I was able to create the login.php file that works with this dashboard.php file below. Let me describe the scenario: User come into the main page, which is the login page. Enters username and password. If entered correctly user will see the output "dashboard succesfull". If entered wrongly it will redirect them to loginfailed.php. Problem is that the browser does not remember that the user has already been logged in. If I re-enter this page, it will directly goes to loginfailed.php. So my obivous n00b question here is......is there a way to make the browser remember that the user has already been logged in?
<?php
session_start();
$username = $_POST['username'];
$password = $_POST['password'];
$username = stripslashes($username);
$password = stripslashes($password);
$dblink = mysql_connect("localhost", "root", "");
mysql_select_db("user",$dblink);
$sql = "select * from members where username = '$username' and password = '$password'";
$result = mysql_query($sql) or die ( mysql_error() );
$count = 0;
while ($line = mysql_fetch_assoc($result)) {
$count++;
}
if ($count == 1) {
$_SESSION['loggedIn'] = "true";
echo "<a href='dashboard.php'>dashboard succesfull</a>";
} else {
$_SESSION['loggedIn'] = "false";
header("Location: loginfailed.php");
}
?>
Sure. You just need to put, at the top of the page but below session_start(), something like:
if(isset($_SESSION['loggedIn']) && $_SESSION['loggedIn'] == 'true') {
# do something. maybe redirect and then exit?
}
Also, I'd suggest using a session name and escaping the username and password before putting them in your SQL.
Related
I have this form programmed to log a user in. I have confirmed that it does in fact set a session for a user, but for some reason, it forwards the user to the page to connect to the database. I have this page linked in the code because I obviously need to consult the database to confirm the user has an account, but I don't understand why it goes to this page and then just stays there. Help would be appreciated. Index2.php (set as that right now so users won't see it when they go to the site) is supposed to be set as the redirected page after login. The user is supposed to be able to see the homepage even without logging in, but certain content only appears in the user is logged in.
<?php
session_start();
include("db_connect.php");
if($_SERVER['REQUEST_METHOD'] == "POST")
{
//something was posted
$email = $_POST['email'];
$password = $_POST['password'];
if(!empty($email) && !empty($password))
{
//read from database
$query = "select * from users_listers where email = '$email' limit 1";
$result = mysqli_query($conn, $query);
if($result)
{
if($result && mysqli_num_rows($result) > 0)
{
$user_data = mysqli_fetch_assoc($result);
if($user_data['password'] === $password)
{
$_SESSION['user_lister_id'];
header("Location: ../index2.php");
die;
}
}
}
echo "wrong username or password!";
}else
{
echo "wrong username or password!";
}
}
?>
Thank you for the help!
When I coded my php login system (In MySQLi), I get an error that do not actually checks if username or password is wrong, idk what to do abot this. Please help me out here.
<?php
// If logged in
if(isset($_SESSION['user_id'])) {
header('Location: index.php');
}else {}
//error_reporting(0);
//MySQLi Login form
//Database connection
$con = mysqli_connect('localhost', 'root', '', 'console');
//Actual Login form
if(isset($_POST['login'])) {
session_start();
//Explainging details
$username = $_POST['username'];
$password = $_POST['password'];
//Fetching data
$result = $con->query("SELECT * FROM users WHERE username='$username' AND password='$password'");
$row = $result->fetch_array(MYSQLI_BOTH);
//Logging in
$_SESSION['user_id'] = $row['user_id'];
header('Location: index.php');
}else{
$wrong = 'Username or password is wrong';
}
?>
Also i got a check.php that redirects you to /notloggedin.php if not logged in, but IF the user is logged in it will display their User_ID, but when user logsIn with wrong details then go to check.php it does not show anything and it does not redirect the users to /notloggedin.php.
So what do I do with that? Is there something I forgot to add, or something i did wrong???Can you write a example if you have any ideas?? Thanks.
EDIT:
Now instead of using MySQLi I got an idea from #christoandrew, so i made everything into functions. What the functions tells the system to do is its gonna check for the username first, if the username exists its gonna make a $_SESSION()for the username. Then again using the $_SESSION() to find the User_ID to the username then its gonna look for the password for the same User_ID. Then when its checked everything it will destroy all 'Sessions' it made and create a $_SESSION() for all information like User_ID, Email, Username, Password, Etc... Thanks for all the help i got in my way!
if(isset($_POST['login'])) {
session_start();
//Explainging details
$username = $_POST['username'];
$password = $_POST['password'];
//Fetching data
$result = $con->query("SELECT * FROM users WHERE username='$username' AND password='$password'");
$row = $result->fetch_array(MYSQLI_BOTH);
// Try checking if there are actually rows that are returned
// If the rows are greater than zero then the user exists else the
// user supplied wrong credentials
if(mysqli_num_rows($row) > 0){
//Logging in
$_SESSION['user_id'] = $row['user_id'];
header('Location: index.php');
}else{
$wrong = 'Username or password is wrong';
}
// The else block below is not necessary and the validation is misplaced
}
you need start the session:
session_start();
Please help me. I got this error everytime I tried to login. - "This webpage has a redirect loop ERR_TOO_MANY_REDIRECTS"
Please help me and I'll appreciate your help very much. thanks.
This is my index.php
<?php
include('login.php'); // Includes Login Script
?>
This is my login.php
<?php
session_start();
$error = "";
if (isset($_POST['submit'])) {
if (empty($_POST['email']) || empty($_POST['password'])) {
$error = "Username or Password is invalid";
} else {
// Define $username and $password
$usernameLogin = $_POST['email'];
$passwordLogin = $_POST['password'];
// Establishing Connection with Server by passing server_name, user_id and password as a parameter
$connection = mysql_connect("localhost", "apple", "Apple318992");
// To protect MySQL injection for Security purpose
$username = stripslashes($usernameLogin);
$password = stripslashes($passwordLogin);
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);
// Selecting Database
$db = mysql_select_db("TS", $connection);
// SQL query to fetch information of registerd users and finds user match.
$query = mysql_query("select * from Users where password='$password' AND email='$usernameLogin'", $connection);
$rows = mysql_num_rows($query);
if ($rows == 1) {
$_SESSION['login_user'] = $usernameLogin; // Initializing Session
} else {
$error = "Username or Password is invalid";
}
}
}
if (isset($_SESSION["login_user"])) {
header("Location:timesheets.php");
}
?>
This is my session.php
<?php
include ('DBConnect.php');
session_start(); // Starting Session
// Storing Session
$user_check = $_SESSION['login_user'];
// SQL Query To Fetch Complete Information Of User
$ses_sql = mysql_query("select email from Users where email='$user_check'", $conn);
$row = mysql_fetch_assoc($ses_sql);
$login_session = $row['email'];
if (!isset($login_session)) {
mysql_close($conn); // Closing Connection
header('Location: index.php'); // Redirecting To Home Page
}
?>
instead of : header('Location: index.php');
try to do it with javascript :
echo '< script> document.location.href="index.php"< /script>';
In your session.php you have to destroy the session because it might be set still but without that the query can find a existing user?
To unset sessions do this:
unset(); for all the session variables unset($_SESSION['login_user']); for a specific session
Please put that before redirecting to index.php.
Otherwise I don't know how to help you sorry.
Also do you have php error / debug enabled? Normally session_start(); should be at very first line in your php file if I am correct, or it throws error.
I wrote custom login script for users to login to the main control page. I found out that even when users are not login they can still visit the main control of which I want someone to help me to write a restrict access to page().
Please look through my php login script and based on that code help me write the restrict access to the main control page. assume that my main crontrol page is: cecontrolpage.php
I know we use $_SESSION to that but I have little idea of it.
this is my login.php code which is working fine:
<?php
Session_start();
$Email = $_POST["email"];
$Password = $_POST["password"];
$cn = "localhost";
$db_username = "root";
$pas = "***";
$db_name = "cemembers";
//Open a connection to a MySQL Server
if ($Email && $Password) {
$connect = mysqli_connect($cn, $db_username, $pas, $db_name) or die("Could not connect to database");
//sending MySqli query
$query = mysqli_query($connect, "SELECT * FROM users WHERE Email= '$Email'");
$numrows = mysqli_num_rows($query);
//After PHP declaration we are going to create index file[form]
if ($numrows !== 0) {
while ($row = mysqli_fetch_array($query)) {
$dbEmail = $row["Email"];
$dbPassword = $row["Password"];
}
if ($Email == $dbEmail && $Password == $dbPassword) {
header("location:ce membership birthday system control_pannel.php");
#$_SESSION("Email") == $Email;
} else
header("location:index.php?login_attempt=1");
} else
header("location:index.php?login_attempt=2");
} else
header("Location:index.php?login_attempt=0");
?>
please can someone help me write the php code to restrict access to cecontrol.php ??
Please STEP by STEP with php comments on each part.
First you need to check if the user is logged in:
you do that by checking if the session has been set.
//Check if the user is logged in
function userlogged_in()
{
return(isset($_SESSION['userid']))?true:false;
}
Then you need to redirect the user to a page that says the access to is not authorised, they need to be logged in to view that page:
You do this by checking if the userlogged_in function returned a true or false
function user_restricted()
{
if (userlogged_in()=== false)
{
header('Location: permission.php ');
exit();
}
}
Then you need to call the user_restricted() function on each page, just after starting the session.
First you have to save user values in session after authentication from database like
$_SESSION['username'] = "name"; $_SESSION['user_id'] = 1;
function check_session() {
session_start();
if ($_SESSION['user_id']=='')
{
// redirect to login
}
}
On every page that you want to restrict access you can call check_session().
Okay, What I have here is a simple php login session. Sometimes session destroy even I don't destroy the session. In my Index.php, there's a link for editing record. My problem is, if session destroy and I click edit, the page open's in modal or fancybox and shows login.php and after I login it's goes to index.html. What I need to do is instead of going into index.html, I need to redirect to edit.php with GET value to continue the edit process. Any help?
Index.php
<a class="fancybox" href="edit.php?pn='.$row["id"].'"><img src="images/edit.png"></a>
Edit.php
<?php
session_start();
include('connect.php');
$tbl_name="login_admin";
if(! isset($_SESSION['id'])){
header('location:login.php');
exit;
}
$id = $_SESSION['id'];
$sql = $mysqli->query("SELECT * FROM $tbl_name WHERE username='$id'");
$accounts = $sql->fetch_assoc();
$term= $mysqli->real_escape_string($_GET["pn"]);
?>
Login.php
<?php
require_once('connect2.php');
session_start();
$username = $_POST['username'];
$password = $_POST['password'];
$submit = $_POST['submit'];
if($username && $password){
$sql = sprintf("SELECT * FROM $tbl_name WHERE username='$username' AND password='$password'");
$result = #mysql_query($sql);
$accounts = #mysql_fetch_array($result);
}
if($accounts){
$_SESSION['id'] = $accounts['username'];
header("location:index.html");
exit;
}elseif($submit){
$msg = 'Invalid Username or Password';
}
?>
Unfortunately you can't continue the edit process, but you can redirect user to edit page after login.
There are more ways how to to it, I will show one of them.
before redirecting user to login script, save his original URL to session (another way would be to pass it to login.php as GET parameter - don't forget validation in that way):
Edit.php:
<?php
session_start();
include('connect.php');
$tbl_name="login_admin";
if(! isset($_SESSION['id'])){
$_SESSION['original_url']=$_SERVER['REQUEST_URI']
header('location:login.php');
exit;
}
// rest of the code.....
Then redirect user to that page instead of default index.html page
Login.php:
<?php
require_once('connect2.php');
session_start();
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
$submit = $_POST['submit'];
// Security note: see I've sanitized $username and $password with mysql_real_escape_string() to avoid SQL injection
if($username && $password){
$sql = sprintf("SELECT * FROM $tbl_name WHERE username='$username' AND password='$password'");
$result = mysql_query($sql);
$accounts = mysql_fetch_array($result);
}
// when account was found store identity to session
if($accounts){
$_SESSION['id'] = $accounts['username'];
if (isset($_SESSION['original_url']) {
// if user came from internal url, redirect to it and remove it from session
$originalUrl = $_SESSION['original_url'];
unset($_SESSION['original_url']);
header("location:".$originalUrl);
exit;
} else {
// redirect user to default page after login
header("location:index.html");
exit;
}
} elseif($submit){
// login form was sent, but user with given password not found
$msg = 'Invalid Username or Password';
}
?>