I wrote a simple login script for a school assignment. I need to ask the user to log in, redirect them to the main page, and display their username at the top of the main page. I've been following the instructions I found online, but the username is not shown on the main page after the user has logged in. Can someone take a look at my PHP code and give me some hints on how to resolve this? Thanks!

Here is my main php:

    <?php
    session_start();
    echo "You are logged in as " .$_SESSION['username'];
    echo "<p><a href=\"logout.php\">Click here to logout</a></p>";


    //Turn on error reporting
    ini_set('display_errors', 'On');
    //Connects to the database
    $mysqli = new mysqli("abc", "edf","xyz", "123");
    if($mysqli->connect_errno){
        echo "Connection error: (" . $mysqli->connect_errno . ") " . $mysqli->connect_error;
    }
    ?>


    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
    <html>
    <head>
        <title>Test</title>
        <meta charset="UTF-8">
        <style type="text/css">
            body {font-family:sans-serif;}
            h1 {color: #0000FF;text-align: center;}
            .fieldset-auto-width {display: inline-block;}
        </style>
    </head>
    <body>
        <div id="header" style="background-color:#FFA500;">
            <h1>Restaurant Review</h1>
        </div>
            //DO SOMETHING HERE
        <div id="content">
        <form method="post" action="addreview.php">
        </form>
        </div>
    </body>
    </html>

Here is my login php

    <?php
    ob_start();

    $username = $_POST['username'];
    $password = $_POST['password'];


    //Turn on error reporting
    ini_set('display_errors', 'On');
    //Connects to the database
    $mysqli = new mysqli("abc", "edf","xyz", "123");
    if($mysqli->connect_errno){
        echo "Connection error " . $mysqli->connect_errno . " " . $mysqli->connect_error;
    }

    $username = mysqli_real_escape_string($mysqli, $username);
    $query = "SELECT password, salt FROM member WHERE username = '$username';";

    $result = mysqli_query($mysqli, $query);

    // User not found. So, redirect to login_form again.
    if (mysqli_num_rows($result) == 0)
    {
        header('Location: login.html');
        exit; // stop here; header() alone does not end the script
    }

    $userData = mysqli_fetch_array($result, MYSQLI_ASSOC);
    $hash = hash('cs494', $userData['salt'] . hash('cs494', $password));

    //Incorrect password. Redirect to login form again
    if ($hash != $userData['password'])
    {
        header('Location: login.html');
        exit;
    }else {
    //redirect to main page after successful login
        session_start();
        $_SESSION['username'] = $username;
        header('Location: main.php');
        exit;
    }


    ?>
Ozzy
user2203774
  • This calls for basic debugging. You are not catching query errors, use `mysql_error()` to see whether anything fails. See the manual on mysql_query() for details: http://php.net/mysql_query also note that the mysql library is deprecated – Pekka Aug 27 '13 at 18:58

1 Answer

You are echo-ing outside of the HTML document, and it is probably on the page where you cannot see it. If you click View > Source you might see it printed at the top of the document before the <!DOCTYPE> declaration.

Instead of:

    echo "You are logged in as " .$_SESSION['username'];
    echo "<p><a href=\"logout.php\">Click here to logout</a></p>";
    <!DOCTYPE html>
    <html>...</html>

You should move the echo inside the document like:

    <!DOCTYPE html>
    <html>
    <head>...</head>
    <body>
    <?php
      echo "You are logged in as " .$_SESSION['username'];
      echo "<p><a href=\"logout.php\">Click here to logout</a></p>";
    ?>
    ...
    </body>
    </html>
Ozzy
  • Thanks for the tip. I changed that, but I got the following message: "Undefined variable: _SESSION in .../main.php on line 41". – user2203774 Aug 27 '13 at 19:08
  • Then you need to check your conditional statement: `if ($hash != $userData['password'])` because it is probably failing all the time so that the `$_SESSION['username']` variable does not get set. – Ozzy Aug 27 '13 at 19:12
  • Thanks. You are right. I don't think my conditional statement is working properly. I can't tell what went wrong yet. This is my first php project, but I will look into it. – user2203774 Aug 27 '13 at 19:24
  • @user2203774 See if you can get it working without the hashing (plain text passwords), then you will see that the hash is probably causing you the problem. If you have a database admin tool you can directly query the database to see that the stored password is actually hashed. – Ozzy Aug 27 '13 at 19:29
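
The login check from the question, rewritten as an added example (not code from the question or the answer): it binds the username in a prepared statement, uses PHP's `password_hash()`/`password_verify()` in place of the hand-built salted `hash()` comparison that the comments suspect, and returns the redirect target so the caller can send the header and `exit`. Assumptions: the `login()` function, the `$session` array standing in for `$_SESSION`, the sample member, and PDO with in-memory SQLite standing in for the MySQL server are all constructed for illustration.

```php
<?php
// Added example, not the asker's code. Table and column names follow the
// question; PDO with in-memory SQLite stands in for the MySQL server.
declare(strict_types=1);

// Hypothetical helper: returns the page to redirect to and fills the
// session array only when the password matches.
function login(PDO $db, string $username, string $password, array &$session): string
{
    // Prepared statement: the username is bound, never concatenated into SQL.
    $stmt = $db->prepare('SELECT password FROM member WHERE username = ?');
    $stmt->execute([$username]);
    $stored = $stmt->fetchColumn();   // false when no such user exists

    // password_verify() reads algorithm, cost and salt from the stored value,
    // so there is no separate salt column and no hand-built hash to mismatch.
    if ($stored === false || !password_verify($password, $stored)) {
        return 'login.html';
    }
    $session['username'] = $username;
    return 'main.php';
}

// Constructed sample data: one member whose password was stored with password_hash().
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE member (username TEXT PRIMARY KEY, password TEXT)');
$db->prepare('INSERT INTO member VALUES (?, ?)')
   ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Constructed attempts: wrong password, unknown user, correct password.
$attempts = [['alice', 'wrong'], ['nobody', 'x'], ['alice', 'correct horse']];
foreach ($attempts as [$user, $pass]) {
    $session = [];   // stands in for $_SESSION so the script also runs from the CLI
    $target = login($db, $user, $pass, $session);
    // In login.php this would be: header('Location: ' . $target); exit;
    printf("%s / %s -> %s\n", $user, $pass, $target);
}

// In main.php, escape the name before echoing it into the HTML body.
if (isset($session['username'])) {
    echo 'You are logged in as ',
         htmlspecialchars($session['username'], ENT_QUOTES, 'UTF-8'), PHP_EOL;
}
```

In a real `login.php`, call `session_start()` before any output and `session_regenerate_id(true)` right after a successful check, then write to `$_SESSION` instead of the local array.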