0

When a user logs into my website login.php checks if they have the correct username password or if they are an administrator:

session_start ();

$username = '';
$password = '';
$dbusername = '';
$dbpassword = '';
if (isset($_POST['Email']) && isset($_POST['Password']))
{
    $username = $_POST['Email'];
    $password = md5($_POST['Password']);



$query = mysql_query("SELECT * FROM member WHERE Email ='$username' AND Password='$password'");


$numrow = mysql_num_rows ($query);
// user login
if ($numrow!=0)
{
    while ($row = mysql_fetch_assoc($query))
    {
        $dbusername = $row['Email'];
        $dbpassword = $row['Password'];
    }

    //Check to see if they match
    if ($username==$dbusername&&$password==$dbpassword)
    {
        header("Location: member.php");
        $_SESSION ['Email']=$username;

    }
    }
    else 
    {
        // admin login
        $query2 = mysql_query("SELECT * FROM admin WHERE Email ='$username' AND Password ='$password'");
        $numrow2 = mysql_num_rows ($query2);
        if ($numrow2!=0)
        {
            while ($row = mysql_fetch_assoc($query2))
            {
                $dbusername = $row['Email'];
                $dbpassword = $row['Password'];
            }

            //Check to see if they match
          if ($username==$dbusername&&$password==$dbpassword)
            {
                header("Location: admin.php");
                $_SESSION ['Email']=$username;
            }
            else{

                echo "Incorrect password";
            }

        }
            else{
        if ($username!=$dbusername&&$password!=$dbpassword)
        {die("That user does not exist!");
        }
        }
    }
}

They are redirected to member.php (relevant code below)

session_start ();

     If (logged_in() === true)//Email 
           echo "Welcome, ".$_SESSION['Email']. "!<br><ahref='logout.php'>Logout</a>";
     else
    die ("You must be logged in");

This all works fine, the user is logged in and their username displays on the top of the page, but if the user goes back to the homepage or any other page on the website they are no longer logged in. Totally confused on how to do this, any help would be great.

Lairds
  • 87
  • 4
  • 12
  • 1
    As a side note, a `'` entered in the email field could cause an SQL injection. – Joachim Isaksson Mar 25 '13 at 22:51
  • @JoachimIsaksson only the `Email` field. `Password` is md5 hashed – Phil Mar 25 '13 at 22:52
  • Please read this regarding the MySQL extension http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php#answer-12860140 – Phil Mar 25 '13 at 22:52
  • @Phil Right you are, missed that. – Joachim Isaksson Mar 25 '13 at 22:52
  • 1
    You don't have to check if username and passwords match in your PHP; you're already doing that with your SQL. Also, using `md5` is no longer considered a secure way to store passwords, especially 'unsalted'. Read this question for some pointers: http://stackoverflow.com/questions/6774345/md5-security-is-fine – thaJeztah Mar 25 '13 at 23:01

1 Answers1

1

You need to set the Session-variables before you redirect the user

kero
  • 10,647
  • 5
  • 41
  • 51