1

When a user logs in they are redirected to member.php, below is the log in code followed by member.php code.

login.php

        <?php

        session_start ();
        include 'core/init.php';


        $username = '';
        $password = '';
        $dbusername = '';
        $dbpassword = '';
        if (isset($_POST['Email']) && isset($_POST['Password']))
        {
            $username = $_POST['Email'];
            $password = md5($_POST['Password']);



        $query = mysql_query("SELECT * FROM member WHERE Email ='$username' AND Password='$password'");


        $numrow = mysql_num_rows ($query);
        // user login
        if ($numrow!=0)
        {
            while ($row = mysql_fetch_assoc($query))
            {
                $dbusername = $row['Email'];
                $dbpassword = $row['Password'];
            }

            //Check to see if they match
            if ($username==$dbusername&&$password==$dbpassword)
            {

                $_SESSION ['Email']=$username;
                header("Location: member.php");


            }
            }
            else 
            {
                // admin login
                $query2 = mysql_query("SELECT * FROM admin WHERE Email ='$username' AND Password ='$password'");
                $numrow2 = mysql_num_rows ($query2);
                if ($numrow2!=0)
                {
                    while ($row = mysql_fetch_assoc($query2))
                    {
                        $dbusername = $row['Email'];
                        $dbpassword = $row['Password'];
                    }

                    //Check to see if they match
                  if ($username==$dbusername&&$password==$dbpassword)
                    {

                        $_SESSION ['Email']=$username;
                        header("Location: admin.php");

                    }
                    else{

                        echo "Incorrect password";
                    }

                }
                    else{
                if ($username!=$dbusername&&$password!=$dbpassword)
                {die("That user does not exist!");
                }
                }
            }
        }
                /*if ($numrow2!=0)
                {
                    while ($row = mysql_fetch_assoc($query2))
                    {
                $dbusername = $row['Email'];
                if ($username!=$dbusername)
                {die("That user does not exist!");
                }
                }
                }

        else
            die("Please enter your email address and password");
        */
  ?>

member.php code (I know this is messy. Sorry, just need to get it working for now)

 <div id="header"> 

                            <div id= "logout"> 
                            <?php
                                if(isset($_GET['username']) === true & empty ($_GET['username']) === false) 
                                        $username = $_GET ['username'];

                                            if (user_exists($username) === true) {

                                        echo "<p>Welcome, ".$_SESSION['Email']. "!<br><a href='logout.php'>Logout</a>\n<a href='index.php'>Back to homepage</a></p>";
                            ?></div>
                            </div>  

                            <div id="main-content">
                            <?php
                                //get username from user id
                                $MemberID  = user_id_from_username($username);
                                $profile_data =user_data($MemberID, 'Name','Email');//Need to pull out stuff from oddjob table
                            ?>
                                    <h1><?php echo $profile_data['Name']; ?>'s profile</h1>
                                    <p><?php echo $profile_data['Email'];?></p>
                            <?php
                                } else {
                                    echo '<p>Sorry, cannot find that user on system.</p>';
                                }


                            ?>

At the moment I have set member.php so that if I type a username (which is the users email address) into the URL it displays some profile data specific to that user.

However, when I log in as a user, and get redirected to member.php I just see a blank page and the username doesn't show up in the URL, just an error message saying ' Undefined variable: username' for that user and I don't know how to edit this so that it works and the member is sent to their own profile page.

Relevant functions below: functions.php 

        function logged_in() {
            return (isset($_SESSION['MemberID'])) ? true : false; //Email
        }

        function user_data($MemberID){
                $data = array();
                $MemberID =(int)$MemberID;

                $func_num_args = func_num_args();
                $func_get_args = func_get_args();

                if ($func_num_args >1) {
                    unset($func_get_args[0]);

                    $fields = '`' . implode('`,`', $func_get_args) . '`';   
                    $data = mysql_fetch_assoc(mysql_query("SELECT $fields FROM `member` WHERE `MemberID` = $MemberID"));//expects parameter 1 to be resourse

                    return $data;
                }
        }

        function user_id_from_username($username) {
            $username = sanitize($username);
            return mysql_result(mysql_query("SELECT `MemberID` FROM `member` WHERE `Email` = '$username'"),0, 'MemberID');

Init.php:

            if (logged_in() ===true) {
                $session_MemberID = $_SESSION['MemberID'];//undefined?
                $user_data= user_data($session_MemberID,'MemberID','Name','Address','Postcode','DOB','Mobile','Email','Password','RepeatPassword');
                exit();
                }

To be honest Ive been looking at this code for so long now, I'm completely blind/lost as to how to fix this. Please help if you can.

Index.php

        <div id= "login">
            <form action="login.php" method="post">
            <?php

                if (logged_in() === true) {
                    echo "<p>Welcome, ".$_SESSION['Email']. "!<br><a href='logout.php'>Logout</a>";
                        }else

                            echo"<h4>Username: <input type='text' name='Email'><br>
                                Password: <input type='Password' name='Password'>
                                <input type='submit' value='Log In'><br> 
                                <a href='register2.php'>Register?</a>


            </form>"
            ?>
Lairds
  • 87
  • 4
  • 12
  • 1
    **You shouldn't use `mysql_*` functions in new code** ([why?](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php)), they are [deprecated](https://wiki.php.net/rfc/mysql_deprecation). Use [PDO or MySQLi](http://php.net/manual/en/mysqlinfo.api.choosing.php) instead. Also your script is vulnerable to **SQL injections**, that you should probably fix first – kero Mar 28 '13 at 12:55
  • when is your login.php called? aka before keader, in header, in body, or after body? – NoLiver92 Mar 28 '13 at 12:57
  • @NoLiver92 the login is called in the header of index.php, ive added it now. – Lairds Mar 28 '13 at 21:37
  • @kingkero oh no :( Thanks for letting me know, will look into it. – Lairds Mar 28 '13 at 21:37
  • @user2171737 see my answer regarding where the command should be – NoLiver92 Mar 28 '13 at 22:23

2 Answers2

1

On your member.php page you try to get the username from $_GET but you don't pass any parameter when you redirect the user in login.php.

Either rely only on the $_SESSION which you set or change your redirect:

header('Location: member.php?username='.$username);
Marshall
  • 329
  • 1
  • 7
  • Thank you @Marshall! now the login page diaplays and it shows the users username in the URL. If i want the user to be able to go back to index.php whilst still logged in would I need to to something similar to the above? At the moment I get an error message saying that memberID on init.php is undefined. – Lairds Mar 28 '13 at 21:25
0

This header command:

header("Location: member.php");

Must be above the head. it can only be called if no other html code has been sent to the user. E.g.:

<?php
header("Location: member.php");
?>
<html>
<head>
</head>
<body>
</body>
</html>
NoLiver92
  • 882
  • 3
  • 15
  • 39
  • Thanks for the reply. The redirect to member.php works fine now since i added header(Location: member.php?username='.$username) now I can't get from the member.php page back to the index page whilst still logged in as the user. Keep getting Notice: Undefined index: MemberID in oddjobexchange\core\init.php on line 10 Warning: mysql_fetch_assoc() expects parameter 1 to be resource, boolean given in oddjobexchange\core\functions\user.php on line 18. Finding this whole user profile thing very confusing! – Lairds Mar 28 '13 at 22:41