After submitting the login form, the URL remains on the PHP action

Hi, I am currently working on a user login where there can be two different situations when a person submits the form.

What I'm trying to accomplish is that if someone logs in, they'll either be redirected to the user page or the admin page, depending on which table their username is in.

My problem is that after submitting the form, the browser shows a blank page with no errors, with the URL being the PHP action of the form.

Here is my HTML file:

<?php
//Start session
//error_reporting = E_ALL & ~E_NOTICE;
ini_set( 'error_reporting', E_ALL & ~E_NOTICE);
session_start();

//Unset the variables stored in session
unset($_SESSION['SESS_MEMBER_ID']);
unset($_SESSION['SESS_USERNAME']);
unset($_SESSION['SESS_PASSWORD']);
?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<link rel="stylesheet" href="css/style.css" title="" />
<link rel="stylesheet" href="css/animate.css" title="" />
<link href='http://fonts.googleapis.com/css?family=Open+Sans:400,600,700,300' rel='stylesheet' type='text/css'>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/2.1.4/jquery.js">            </script>
<script src="js/mouseEvents.js"></script>
<title>Grey Avenue Item Inventory Login</title>
</head>
<body>
<div id="container">

<div id="mainform" >
    <div id="formcontainer" class="animated fadeInDown">
        <div id="formheader">
        <div class="logocont">
            <a href="#"><span class="logoImg"></span></a>
            <h2 class="textheader">Inventory System Log-In</h2>
        </div>

        </div>
    <form action="login.php" method="post" id="loginform">

    <div class="inputbox">  <input type="text" name="username" placeholder="Username" maxlength="12"/></div>
    <div class="inputbox"> <input type="password" name="password" placeholder="Password"  maxlength="12"/></div>
    </form>
    <div id="loginbutton">
            <button type="submit" form="loginform" class="loginbutton" value="Log In">
            <span class="loginbut_text">Log In</span>
            </button>
            <button class="regbutton" value="Register">
            <span class="loginbut_text">Register</span>
            </button>
        </div>  

        <div id="errormsg">
<?php
if( isset($_SESSION['ERRMSG_ARR']) && is_array($_SESSION['ERRMSG_ARR']) && count($_SESSION['ERRMSG_ARR']) >0 ) {
echo '<ul class="err">';
foreach($_SESSION['ERRMSG_ARR'] as $msg) {
echo '<li>',$msg,'</li>';
}
echo '</ul>';
unset($_SESSION['ERRMSG_ARR']);
}
?>
</div>
</div>
</div>
</div>



</body>
</html>

      

And my login.php file is:

<?php

session_start();

require("connect.php");
require("lib/password.php");

//Array to store validation errors
$errmsg_arr = array();

//Validation error flag
$errflag = false;


$username = $_POST["username"];
$password = $_POST["password"];

//Input Validations
if($username == "") {
    $errmsg_arr[] = "*Username missing";
    $errflag = true;
}
if($password == "") {
    $errmsg_arr[] = "*Password missing";
    $errflag = true;
}

//If there are input validations, redirect back to the login form
if($errflag) {
    $_SESSION["ERRMSG_ARR"] = $errmsg_arr;
    session_write_close();
    header("location: index.php");
    die();
}

if ($sql = $conn->prepare("SELECT id, username, password, firstName, lastName FROM users WHERE username = ?")){

    $sql->bind_param("s", $username) ;
    $sql->execute();
    $sql->store_result();
    $result = $sql->num_rows;
    $sql->bind_result($id, $username, $passwordhash, $firstName, $lastName);
    $sql->fetch();

    if ($result > 0){
        if(password_verify($password, $passwordhash)){
            session_regenerate_id();
            $_SESSION["SESS_MEMBER_ID"] = $id;
            $_SESSION["SESS_USERNAME"] = $username;
            $_SESSION["SESS_PASSWORD"] = $password;
            $_SESSION["SESS_FIRSTNAME"] = $firstName;
            $_SESSION["SESS_LASTNAME"] = $lastName;

            session_write_close();

            header("location: inventory.php");
            die();  
        }
        else {
            //Login failed
            $errmsg_arr[] = "Username and Password do not match";
            $errflag = true;
            if($errflag) {
                $_SESSION["ERRMSG_ARR"] = $errmsg_arr;
                session_write_close();
                header("location:index.php");
                die();
            }
        }
    }
}
else {
    if($sql = $conn->prepare("SELECT id, username, password, firstName, lastName FROM admin WHERE username=?")){
        $sql->bind_param("s", $username);
        $sql->execute();
        $sql->store_result();
        $result = $sql->num_rows;

        $sql->bind_result($id, $username, $passwordhash, $firstName, $lastName);
        $sql->fetch();

        if($result > 0){
            if(password_verify($password, $passwordhash)){
                session_regenerate_id();
                $_SESSION["SESS_MEMBER_ID"] = $id;
                $_SESSION["SESS_USERNAME"] = $username;
                $_SESSION["SESS_PASSWORD"] = $password;
                $_SESSION["SESS_FIRSTNAME"] = $firstName;
                $_SESSION["SESS_LASTNAME"] = $lastName;

                session_write_close();

                header("location:  http://www.greyavenue.ph/shoplogin/inventoryadmin.php");
                die();  
            }
            else {
                //Login failed
                $errmsg_arr[] = "Username and Password do not match";
                $errflag = true;
                if($errflag) {
                    $_SESSION["ERRMSG_ARR"] = $errmsg_arr;
                    session_write_close();
                    header("location: index.php");
                    die();
                }
            }
        }
        else{
            //Login failed
            $errmsg_arr[] = "Username and Password not found";
            $errflag = true;
            if($errflag) {
                $_SESSION["ERRMSG_ARR"] = $errmsg_arr;
                session_write_close();
                header("location: http://www.greyavenue.ph/shoplogin/index.php");
                die();
            }
        }
    }
}
?>

      

I'm confused because the login seemed to work and redirect the browser to the pages when I didn't rewrite the password before, but now, after changing the code with the hash function, the URL stays on that PHP file.

Thank you in advance for the effort you take to read and answer my question! Thanks!

+3




4 answers


There is a logical error.

Your code, stripped down:

if ($sql = $conn->prepare("SELECT id, username, password, firstName, lastName FROM users WHERE username = ?")){

    // retrieve result

    if ($result > 0){
        // check result
    }
}
else {
    // select from admin
}

      



In case you don't have a user/pwd tuple that fits, $result is 0. In this particular case, none of the redirect branches will be executed and the page will just appear blank.

You need to change it to something like this:

if (!($sql = $conn->prepare("SELECT id, username, password, firstName, lastName FROM users WHERE username = ?"))){
    // prepare() returned false: handle sql error
}
// retrieve result
if ($result > 0){
    // check result, either logged in or error
}

// no result in users, check admin:
if (!($sql = $conn->prepare("SELECT id, username, password, firstName, lastName FROM admin WHERE username = ?"))){
    // prepare() returned false: handle sql error
}
// retrieve result
if ($result > 0){
    // check result, either logged in or error
}

      

+1
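
The restructuring described in the answer above, as an added example (not code from the question or from any of the answers): the users table is tried first, then admin, and every path yields a redirect target, so the request cannot end on a blank login.php. The names login_target, find_account, LOGIN_TABLES and the sample accounts are hypothetical; the demo assumes PHP 7.4 or later and replaces the database with a constructed in-memory array so it runs from the command line.

```php
<?php
// Tables to try in order, with the landing page for each (page names from the question).
const LOGIN_TABLES = ['users' => 'inventory.php', 'admin' => 'inventoryadmin.php'];

// mysqli lookup for real use. $table only ever comes from LOGIN_TABLES, never from
// the request, so interpolating it is safe; the username stays a bound parameter.
function find_account(mysqli $conn, string $table, string $username): ?array
{
    $stmt = $conn->prepare("SELECT id, username, password FROM `$table` WHERE username = ?");
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $conn->error);
    }
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($id, $name, $hash);
    $row = $stmt->fetch() ? ['id' => $id, 'username' => $name, 'password' => $hash] : null;
    $stmt->close();
    return $row;
}

// Returns [redirect target, session identity or null, error or null] on every path.
function login_target(callable $find, string $username, string $password): array
{
    if ($username === '' || $password === '') {
        return ['index.php', null, 'Username or password missing'];
    }
    foreach (LOGIN_TABLES as $table => $page) {
        $row = $find($table, $username);
        if ($row === null) {
            continue; // not in this table: fall through to the next one
        }
        if (password_verify($password, $row['password'])) {
            // Only the identity goes into the session, not the plaintext password.
            return [$page, ['id' => $row['id'], 'username' => $row['username']], null];
        }
        break; // username exists but the password is wrong
    }
    return ['index.php', null, 'Username and Password do not match'];
}

// Constructed sample accounts standing in for the two tables (not real data).
$accounts = [
    'users' => ['alice' => ['id' => 1, 'username' => 'alice', 'password' => password_hash('user-pass', PASSWORD_DEFAULT)]],
    'admin' => ['root' => ['id' => 9, 'username' => 'root', 'password' => password_hash('admin-pass', PASSWORD_DEFAULT)]],
];
$find = fn(string $t, string $u): ?array => $accounts[$t][$u] ?? null;
foreach ([['alice', 'user-pass'], ['root', 'admin-pass'], ['root', 'wrong'], ['nobody', 'x']] as [$u, $p]) {
    [$target, , $error] = login_target($find, $u, $p);
    echo "$u -> $target", $error === null ? '' : " ($error)", PHP_EOL;
}
```

In login.php the lookup would be a closure over the existing connection that calls find_account($conn, $table, $username). The returned identity is written to $_SESSION after session_regenerate_id(true), and the target is sent with header("Location: ...") followed by exit.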




It seems that error messages are disabled (you set it in your "html" file, but not in login.php) and at the same time there is a problem in your password_verify() function.

You should also post this function so we can take a look.

UPDATE: Also, if you are using what appears to be a password_verify that is not built in, and your PHP is 5.5 or higher, you may be trying to define a function with a reserved name (password_verify) and thus getting a fatal error which, as you can see, is not displayed on your server.

0




Make changes to your HTML:

        <form action="login.php" method="post" id="loginform">
        <div class="inputbox"> <input type="text" name="username" placeholder="Username" maxlength="12"/></div>
        <div class="inputbox"> <input type="password" name="password" placeholder="Password" maxlength="12"/></div>
        <div id="loginbutton">
        <button type="submit" form="loginform" class="loginbutton" value="Log In">
        <span class="loginbut_text">Log In</span>
        </button>
        <button class="regbutton" value="Register">
        <span class="loginbut_text">Register</span>
        </button>
        </div>
        </form>

      

0




Hi guys, I solved my problem which was pretty simple and I'm really sorry if I bothered you.

I forgot to put the second query inside the first, where it checks the number of rows available.

Thanks a lot for your ideas and feedback!

0

