0

I have made a simple login script here. There are 3 files: one is functions.php (containing the login function), then there is userdashboard.php, which contains some user functions, and then another file, users.php, which processes the login.

The problem is, whenever I log in, the login is successful but it throws the error: unknown variable username.

It should display the username of the person logged in. What am I doing wrong? Here's the code:

functions.php

<?php
include 'dbconnector.php';
function checklogin($username,$password)
{
    include 'dbconnector.php';
    $userexists=false;
    $username=mysql_real_escape_string($username);
    $password=mysql_real_escape_string($password);
    $password=md5($password);
    $query="select * from f_users where username = '" . $username . "' and password = '" . $password . "'";
    $result=mysql_query($query,$db) or die (mysql_error($db));
    if(mysql_num_rows($result) > 0)
    {
        $userexists=true;
    }
    else
    {
        $userexists=false;
    }
    return $userexists;
}

userdashboard.php

<?php
include('dbconnector.php');
session_start();
if(isset($_SESSION['logged']) && $_SESSION['logged']=1)
{
    $_SESSION['username']=$username;
    echo "Hello " . $username;
}
else
{
    header('Location:login.php');
}
echo '<a href="logout.php">logout</a>';
?>

File where the login is processed:

include 'functions.php';
.
.
.
case 'login':
        $username=$_POST['username'];
        $password=$_POST['password'];
        $username=mysql_real_escape_string($username);
        $password=mysql_real_escape_string($password);
        $password=md5($password);
        if((!empty($username)) && (!empty($password)))
        {
            if(!checklogin($username,$password))
            {
                $_SESSION['logged']=1;
                $_SESSION['username']=$username;
                header('Location:userdashboard.php');
            }
            else
            {
                echo "Invalid combination of username and password";
                echo "redirecting to the login page";
                header('refresh:2;URL=login.php');
            }
        }
        else
        {
            echo "username or password fields cannot be empty, redirecting";
            header('refresh:2;URL=login.php');
        }
        break;

Thanks for the fix Houssni. I have a weird error here.

Even if I try a valid combination of username and password, it always goes to the else part and throws the error. What am I doing wrong here?

$username=mysql_real_escape_string($username);
$password=mysql_real_escape_string($password);
$password=md5($password);
$query="select * from f_users where username = '" . $username . "' and password = '" . $password . "'";
$result=mysql_query($query,$db) or die (mysql_error($db));
if(mysql_num_rows($result) > 0)
{
    session_start();
    $_SESSION['logged']=1;
    $_SESSION['username']=$username;
    header('Location:userdashboard.php');
    exit();
}
else
{
    echo mysql_num_rows($result);
    echo "Invalid combination of username and password";
    echo "redirecting to the login page";
    header('refresh:2;URL=login.php');
    exit();
}

Ankur
  • 1
    You need to add `session_start()` to all of your scripts/pages – Sal00m Nov 06 '13 at 12:02
  • 1
    Did you call `session_start()` in `functions.php` or the last file? – TiMESPLiNTER Nov 06 '13 at 12:02
  • Please don't use `mysql_*` functions anymore, they are deprecated. See [Why shouldn't I use mysql_* functions in PHP?](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php) for details. Instead you should learn about [prepared statements](http://bobby-tables.com/php.html) and use either [PDO](http://php.net/pdo) or [MySQLi](http://php.net/mysqli). If you can't decide which, [this article](http://php.net/manual/en/mysqlinfo.api.choosing.php) will help you. If you pick PDO, [here is a good tutorial](http://wiki.hashphp.org/PDO_Tutorial_for_MySQL_Developers). – Marcel Korpel Nov 06 '13 at 12:05
  • BTW, you shouldn't only hash a password with MD5, that's not safe enough. Use bcrypt instead. And first using `mysql_real_escape_string` and then hashing that string doesn't make sense, either. – Marcel Korpel Nov 06 '13 at 12:05
  • `if(!checklogin($username,$password))` Why do you log the user in if the function returns false? I think you should remove the `!` – Sal00m Nov 06 '13 at 12:10

3 Answers

2

$username is a parameter, so you can only use it in its function scope. Get the username from $_POST or set the $_SESSION in that function. Or in userdashboard.php you should assign the variable $username again and give it its value.

And in functions.php you have another include inside this function. You are including this file twice if you call this function.

And at the end of where you call your header("Location: ") you should call exit(), because otherwise it will keep running the PHP code of that page.

2

There is another error in your userdashboard.php.

Change

if(isset($_SESSION['logged']) && $_SESSION['logged']=1)
{
$_SESSION['username']=$username;
echo "Hello " . $username;
}

to

if(isset($_SESSION['logged']) && $_SESSION['logged']==1)
{
    // $username is not defined on this page, so read it back from the session
    $username=$_SESSION['username'];
    echo "Hello " . $username;
}
Pavan Kumar
0

The session_start() function needs to be included in the condition section:

    if((!empty($username)) && (!empty($password)))
    {
        if(checklogin($username,$password)) // log the user in only when the check succeeds
        {
            session_start(); // added session start
            $_SESSION['logged']=1;
            $_SESSION['username']=$username;
            header('Location:userdashboard.php');
            exit();
        }
        else
        {
            echo "Invalid combination of username and password";
            echo "redirecting to the login page";
            header('refresh:2;URL=login.php');
            exit();
        }
    }
Krish R
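
A hardened version of the login flow discussed in this thread, as an added example that is not code from any of the posters: it combines the prepared statements and bcrypt recommended in the comments with the session and `==` fixes from the answers. The PDO/SQLite setup, the `login()` and `dashboard_greeting()` helpers, the changed `checklogin()` signature and the sample user are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. Assumption: an in-memory SQLite
// database stands in for the MySQL f_users table so the script runs stand-alone.
function checklogin(PDO $db, string $username, string $password): bool
{
    // The placeholder keeps user input out of the SQL text; no manual escaping.
    $stmt = $db->prepare('SELECT password FROM f_users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    // Compare the raw password with the stored bcrypt hash (no md5, no escaping).
    return is_string($hash) && password_verify($password, $hash);
}

function login(PDO $db, array $post): bool
{
    $username = $post['username'] ?? '';
    $password = $post['password'] ?? '';
    if ($username === '' || $password === '' || !checklogin($db, $username, $password)) {
        return false;                       // failed check: no session is written
    }
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true);            // fresh session id after authentication
    $_SESSION['logged'] = 1;
    $_SESSION['username'] = $username;
    return true;                            // caller: header('Location: ...'); exit();
}

// What userdashboard.php needs: read the name from the session it started.
function dashboard_greeting(array $session): ?string
{
    if (($session['logged'] ?? 0) === 1) {  // comparison, not assignment
        return 'Hello ' . htmlspecialchars($session['username'], ENT_QUOTES, 'UTF-8');
    }
    return null;                            // caller redirects to login.php and exits
}

// Constructed sample data: one user whose name contains a quote character.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE f_users (username TEXT PRIMARY KEY, password TEXT)');
$db->prepare('INSERT INTO f_users VALUES (?, ?)')
   ->execute(["o'brien", password_hash('correct horse', PASSWORD_BCRYPT)]);

$bad  = login($db, ['username' => "o'brien", 'password' => 'wrong']);
$good = login($db, ['username' => "o'brien", 'password' => 'correct horse']);
var_dump($bad, $good);
echo dashboard_greeting($_SESSION), PHP_EOL;
```

Both logins are evaluated before anything is printed, because `session_start()` has to run before the script sends output.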