PHP session and problems with POST on login page

Ok, so we got some basic HTML here

<form action="main_login.php" method="post" style="text-align:right;">
    Username:
    <input type="text" name="username" value="" size="20" style="display:inline-block;margin-left:10px" required>
    <br>
    Password:
    <input type="password" name="password" value="" size="20" style="margin-left:12px" required>
    <br>
    <input type="submit" value="Log In" style="margin-left:75px">
</form>

      

And 2 PHP files. main_login.php:

<?php
    session_start();
    $con = mysqli_connect("localhost", "root", "", "complaints"); 
    if (!$con) { 
        die('Could not connect: ' . mysql_error()); 
    } 
    $myusername=$_POST["username"];
    $mypassword=$_POST["password"];
    echo $myusername . "<br>";  
    echo $mypassword . "<br>";



    // MySQL injection 
    $myusername = stripslashes($myusername);
    $mypassword = stripslashes($mypassword);
    $myusername = mysql_real_escape_string($myusername);
    $mypassword = mysql_real_escape_string($mypassword);
    $sql="SELECT * FROM register WHERE username='$myusername' and password='$mypassword'";
    $result=mysqli_query($con,$sql);
    // Mysql_num_row is counting table row
    $count=mysqli_num_rows($result);
    // If result matched $myusername and $mypassword, table row must be 1 row
    if($count==1){
    // Register $myusername, $mypassword and redirect to file "login_success.php"
    $_SESSION['username']=$myusername;
    $_SESSION['password']=$mypassword;
    header("location:login_success.php");
    }
    else {
    echo "Wrong Username or Password";
    }
    mysqli_close($con);
?>

      

If the login is successful, it redirects here (login.php):

<?php
    session_start();
    if ( isset( $_SESSION['username'] ) ){
    header("location:main_login.php");
    }
?>

<html>
<body>
    Login Successful
</body>
</html>

      

Ok, so I'm new to PHP and don't know much about sessions. At first I used session_register and session_is_registered, but as I found out, these functions are no longer used. So I changed to sessions, but my problem keeps popping up here:

$myusername=$_POST["username"];
$mypassword=$_POST["password"];

      

I cannot use $_POST to get data from a form. Also, I don't know if I have set the session functions correctly.

Edit: The usernames and passwords in html are the same as used in php, I was just wrong here.

+3




3 answers


Edit: The usernames and passwords in html are the same as used in php, I was just wrong here.

Edit: Ok, so you made a typo in the form fields. You are still mixing MySQL APIs; see below about mixing functions with mysql_real_escape_string().

Look at name="myusername" and your POST assignment, as well as the same for your password.

They don't match.

Change name="myusername" to name="username" and name="mypassword" to name="password", according to

$myusername=$_POST["username"];
$mypassword=$_POST["password"];

      

Using error reporting would signal the undefined index and the warnings already posted; see below.

You also have spaces in front of <?php, which cause output before the header. Delete them.

Also, you are mixing MySQL APIs with mysql_error(). mysql_error() should read as mysqli_error($con), and below:

$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);

      

which should be read as

$myusername = mysqli_real_escape_string($con,$myusername);
$mypassword = mysqli_real_escape_string($con,$mypassword);

      

or

$myusername = mysqli_real_escape_string($con,$_POST['username']);
$mypassword = mysqli_real_escape_string($con,$_POST['password']);

      

  • mysqli_ and mysql_ functions don't mix together.



As for security

I noticed that you may be storing passwords in plain text. If so, this is highly discouraged.

I recommend using CRYPT_BLOWFISH or PHP 5.5's password_hash(). For PHP < 5.5, use the password_hash() compatibility pack.

Also, as far as SQL injection is concerned, use mysqli with prepared statements or PDO with prepared statements; they are much safer.




Footnote

It is best to add exit; after each header.

header("location:login_success.php");
exit;

      

and for all headers.




Edit:

Delete

$myusername=$_POST["username"];
$mypassword=$_POST["password"];
echo $myusername . "<br>";  
echo $mypassword . "<br>";

      

then replace it with:

$myusername = stripslashes($_POST["username"]);
$mypassword = stripslashes($_POST["password"]);
$myusername = mysqli_real_escape_string($con,$_POST['username']);
$mypassword = mysqli_real_escape_string($con,$_POST['password']);

      




Edit # 2 :

This is what I tested your code with and got success, so I don't know what is wrong with your current code.

HTML form

<form action="main_login.php" method="post" style="text-align:right;">
    Username:
    <input type="text" name="username" value="" size="20" style="display:inline-block;margin-left:10px" required>
    <br>
    Password:
    <input type="text" name="password" value="" size="20" style="margin-left:12px" required>
    <br>
    <input type="submit" value="Log In" style="margin-left:75px">
</form>

      

MySQL

<?php

    $DB_HOST = 'xxx';
    $DB_USER = 'xxx';
    $DB_PASS = 'xxx';
    $DB_NAME = 'xxx';

    $conn = new mysqli($DB_HOST, $DB_USER, $DB_PASS, $DB_NAME);
    if($conn->connect_errno > 0) {
      die('Connection failed [' . $conn->connect_error . ']');
    }

    $myusername = stripslashes($_POST["username"]);
    $mypassword = stripslashes($_POST["password"]);
    $myusername = mysqli_real_escape_string($conn,$_POST['username']);
    $mypassword = mysqli_real_escape_string($conn,$_POST['password']);


    echo $myusername; // echos
    echo "<br>";
    echo $mypassword; // echos


    $sql="SELECT * FROM register WHERE username='$myusername' and password='$mypassword'";
    $result=mysqli_query($conn,$sql);

    $count=mysqli_num_rows($result);

    if($count==1){
        echo "Yep";
    }
    else{
        echo "nope";
    }

      

NB: You should also clear your sessions (destroy sessions); there might be something on the server that caches old usernames and passwords.

Also make sure there are no spaces in the columns, the types are correct, and the lengths are long enough to store the data. Usually VARCHAR(255) is more than enough, but it is suggested when using hashed passwords generated by password_hash(), a function you should use when storing passwords.


+4
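
The approach the first answer recommends (password_hash() plus prepared statements, with exit; after the redirect), as an added example that is not part of the original question or answers. It assumes PDO with the SQLite driver and an in-memory copy of the register table so it runs stand-alone; the function names check_login and handle_login and the sample account are made up for illustration.

```php
<?php
// Added example, not code from the question or answers. PDO + in-memory SQLite
// is an assumption made so the script runs without a MySQL server.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE register (username TEXT PRIMARY KEY, password VARCHAR(255) NOT NULL)');

// Registration side: store a hash, never the password itself.
// "alice" / "correct horse" are constructed sample credentials.
$insert = $pdo->prepare('INSERT INTO register (username, password) VALUES (?, ?)');
$insert->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

/** Hypothetical helper: true only if the user exists and the password matches its hash. */
function check_login(PDO $pdo, string $username, string $password): bool
{
    // Placeholders keep user input out of the SQL text, so neither
    // stripslashes() nor *_real_escape_string() is needed.
    $stmt = $pdo->prepare('SELECT password FROM register WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();   // false when no such user
    // password_verify() re-derives the hash from the salt embedded in $hash.
    return is_string($hash) && password_verify($password, $hash);
}

/** Hypothetical web-side handler: what main_login.php would do with $_POST. */
function handle_login(PDO $pdo, array $post): void
{
    $username = $post['username'] ?? '';
    $password = $post['password'] ?? '';
    if (!is_string($username) || !is_string($password)
        || !check_login($pdo, $username, $password)) {
        echo 'Wrong Username or Password';
        return;
    }
    session_start();
    session_regenerate_id(true);        // fresh session ID after login
    $_SESSION['username'] = $username;  // the password is not kept in the session
    header('Location: login_success.php');
    exit;                               // nothing runs after the redirect
}

// Constructed inputs, run from the CLI: only the first call should succeed.
var_dump(check_login($pdo, 'alice', 'correct horse'));
var_dump(check_login($pdo, 'alice', 'wrong'));
var_dump(check_login($pdo, "alice' OR '1'='1", 'x'));  // quotes arrive as data
```

In a real deployment the PDO DSN would point at the MySQL database and main_login.php would call handle_login($pdo, $_POST) before sending any output.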




   <?php
session_start();

      

First of all, there is a space at the beginning.



It should be

<?php session_start();

      

+1




Session problems on a login page can occur because the URL you open in the browser is not unique. For example, say you are creating a login page for your site and you have successfully created sessions. Now if you come from a URL, say http://geekzgarage.com, your session is limited to only that URL. If you open the above URL again as http://www.geekzgarage.com (check the www. in both URLs), then you are not logged in. So make sure your web page is always opened with the same type of URL, either with www. or without www.

+1

