0

OK, I am trying to create a simple login here, but my login code as well as the intropage won't work properly. I tried to tweak the code for SESSION but had no luck.

Here's the code for my login.php:

<?php require_once("includes/connection.php"); ?>
<?php include("includes/header.php"); ?>


<?php

if(isset($_POST["login"])){

if(!empty($_POST['username']) && !empty($_POST['password'])) {
    $username=$_POST['username'];
    $password=$_POST['password'];


    $query=mysql_query("SELECT * FROM usertbl WHERE username='".$username."' AND password='".$password."'");


    $numrows=mysql_num_rows($query);
    if($numrows!=0)
    {
    while($row=mysql_fetch_assoc($query))
    {
    $dbusername=$row['username'];
    $dbpassword=$row['password'];
    }

    if($username == $dbusername && $password == $dbpassword)
    {
    session_start();
    $_SESSION['session_username']=$username;

    /* Redirect browser */
    header("Location: intropage.php");
    }
    } else {
    $message = "Invalid username or password!";
    }

} else {
    $message = "All fields are required!";
}
}
?>




    <div class="container mlogin">
            <div id="login">
    <h1>LOGIN</h1>
<form name="loginform" id="loginform" action="" method="POST">
    <p>
        <label for="user_login">Username<br />
        <input type="text" name="username" id="username" class="input" value="" size="20" /></label>
    </p>
    <p>
        <label for="user_pass">Password<br />
        <input type="password" name="password" id="password" class="input" value="" size="20" /></label>
    </p>
        <p class="submit">
        <input type="submit" name="login" class="button" value="Log In" />
    </p>
        <p class="regtext">No account yet? <a href="register.php" >Register Here</a>!</p>
</form>

    </div>

    </div>


    <?php include("includes/footer.php"); ?>
    <?php if (!empty($message)) {echo "<p class=\"error\">" . "MESSAGE: ". $message . "</p>";} ?>

Then here's the code for my intropage.php, where I redirect the page.

<?php 
session_start();
if(!isset($_SESSION["session_username"])){
    header("location:login.php");
} else {
?>


<?php include("includes/header.php"); ?>

    <h2>Welcome, <?php echo $_SESSION['session_username'];?>! </h2>
    <p><a href="logout.php">Logout</a> Here!</p>




<?php
}
?>

Any help please? Just wanna make this work or if anything you can tweak so that I can find where I made a mistake. A big thanks!

  • So, how far does your code (login.php) work till it breaks? Add error reporting to the top of your file(s) `error_reporting(E_ALL); ini_set('display_errors', 1);` during development and use `var_dump()` to track what is set and what is not. – Funk Forty Niner May 21 '14 at 03:11
  • Actually it is properly redirecting after login to intropage.php (which is good). However, if the SESSION is really working fine, it must stay on intropage.php (and stay logged in until the logout button is clicked). When I press the back button it sends me to login.php again, when it is supposed to be on intropage.php since I am logged in. –  May 21 '14 at 03:16
  • 2
    Your login.php file or all other files used including intropage.php, needs to include `if(!isset($_SESSION["session_username"]))` or `if(isset($_SESSION["session_username"])){ // do something }else{ // do something else }` – Funk Forty Niner May 21 '14 at 03:19
  • Can you be more specific about where I should put that code? So that I can tweak it. Thanks. –  May 21 '14 at 03:26
  • You can place it under `session_start();` of all files. – Funk Forty Niner May 21 '14 at 03:28
  • 1
    See all those line drops between your PHP includes at the top of your script and the `session_start()` call? They are evaluated as `\n` and will mean that your sessions won't start, as they need to be started before *anything* is sent to the browser (including new lines). – scrowler May 21 '14 at 04:11
  • @SamNorton I posted something for you below which worked for me. – Funk Forty Niner May 21 '14 at 04:23

4 Answers

2

You need to check if the session name is set inside all pages using if(isset($_SESSION["session_username"]))

login.php

<?php

error_reporting(E_ALL); ini_set('display_errors', 1);
session_start();

?>

<?php require_once("includes/connection.php"); ?>
<?php include("includes/header.php"); ?>

<?php

if(isset($_SESSION["session_username"])){
// echo "Session is set"; // for testing purposes
header("Location: intropage.php");
}

else{
echo "You are not logged in.";
}

if(isset($_POST["login"])){

if(!empty($_POST['username']) && !empty($_POST['password'])) {
    $username=$_POST['username'];
    $password=$_POST['password'];

    $query =mysql_query("SELECT * FROM usertbl WHERE username='".$username."' AND password='".$password."'");

    $numrows=mysql_num_rows($query);
    if($numrows!=0)

    {
    while($row=mysql_fetch_assoc($query))
    {
    $dbusername=$row['username'];
    $dbpassword=$row['password'];
    }

    if($username == $dbusername && $password == $dbpassword)

    {

// old placement
//    session_start();
    $_SESSION['session_username']=$username;

    /* Redirect browser */
    header("Location: intropage.php");
    }
    } else {
//    $message = "Invalid username or password!";

echo  "Invalid username or password!";
    }

} else {
    $message = "All fields are required!";
}
}
?>




    <div class="container mlogin">
            <div id="login">
    <h1>LOGIN</h1>
<form name="loginform" id="loginform" action="" method="POST">
    <p>
        <label for="user_login">Username<br />
        <input type="text" name="username" id="username" class="input" value="" size="20" /></label>
    </p>
    <p>
        <label for="user_pass">Password<br />
        <input type="password" name="password" id="password" class="input" value="" size="20" /></label>
    </p>
        <p class="submit">
        <input type="submit" name="login" class="button" value="Log In" />
    </p>
        <p class="regtext">No account yet? <a href="register.php" >Register Here</a>!</p>
</form>

    </div>

    </div>

Footnotes:

Your present code is open to SQL injection. Use prepared statements, or PDO.

mysql_* functions deprecation notice:

http://www.php.net/manual/en/intro.mysql.php

This extension is deprecated as of PHP 5.5.0, and is not recommended for writing new code as it will be removed in the future. Instead, either the mysqli or PDO_MySQL extension should be used. See also the MySQL API Overview for further help while choosing a MySQL API.

These functions allow you to access MySQL database servers. More information about MySQL can be found at » http://www.mysql.com/.

Documentation for MySQL can be found at » http://dev.mysql.com/doc/.


Passwords

I noticed that you may be storing passwords in plain text. This is not recommended.

Use one of the following:

Other links:

Community
Funk Forty Niner
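Added example (not part of the original answer or the asker's code): the login check from the footnotes above rewritten with a PDO prepared statement and password_verify(). The DSN, the database credentials and the password_hash column name are assumptions; the column is assumed to be filled with password_hash() at registration.

```php
<?php
// Added example, not code from the page. Assumes usertbl has a password_hash
// column (hypothetical name) populated with password_hash() at registration.
session_start();                 // before any output, so headers can still be sent

$message = '';

if (isset($_POST['login'])) {
    $username = trim((string)($_POST['username'] ?? ''));
    $password = (string)($_POST['password'] ?? '');

    if ($username === '' || $password === '') {
        $message = 'All fields are required!';
    } else {
        // Placeholder DSN and credentials: replace with your own.
        $pdo = new PDO('mysql:host=localhost;dbname=example;charset=utf8mb4', 'dbuser', 'dbpass', [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false,
        ]);

        // The username is bound as a parameter, never concatenated into the SQL text.
        $stmt = $pdo->prepare('SELECT username, password_hash FROM usertbl WHERE username = :u LIMIT 1');
        $stmt->execute([':u' => $username]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);

        // The submitted password is checked against the stored hash in PHP;
        // it never appears in the query.
        if ($row !== false && password_verify($password, $row['password_hash'])) {
            session_regenerate_id(true);   // fresh session ID at login (session fixation)
            $_SESSION['session_username'] = $row['username'];
            header('Location: intropage.php');
            exit;                          // nothing below runs after the redirect
        }
        $message = 'Invalid username or password!';
    }
}
?>
<?php if ($message !== ''): ?>
<p class="error">MESSAGE: <?php echo htmlspecialchars($message, ENT_QUOTES, 'UTF-8'); ?></p>
<?php endif; ?>
```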
0
<?php
session_start();

require_once("includes/connection.php");
include("includes/header.php");
$message = '';

if(isset($_REQUEST["login"])) {
    if((isset($_POST['username']) && strlen(trim($_POST['username'])) > 0) && (isset($_POST['password']) && strlen(trim($_POST['password'])) > 0)) {
        $username = filter_var($_POST['username'],FILTER_SANITIZE_STRING);
        $password = filter_var($_POST['password'],FILTER_SANITIZE_STRING);

        $query = mysql_query("SELECT * FROM usertbl WHERE username='".$username."' AND password='".$password."' LIMIT 1");

        if(mysql_num_rows($query) == 1) {
            $row = mysql_fetch_assoc($query);

            $_SESSION['session_username'] = $row['username'];

            /* Redirect browser */
            header("Location: intropage.php");
        } else {
            $message = "Invalid username or password!";
        }
    } else {
        $message = "All fields are required!";
    }
}
?>
<div class="container mlogin">
    <div id="login">
        <h1>LOGIN</h1>
        <form name="loginform" id="loginform" action="" method="POST">
        <p>
            <label for="user_login">Username<br />
                <input type="text" name="username" id="username" class="input" value="" size="20" />
            </label>
        </p>
        <p>
            <label for="user_pass">Password<br />
                <input type="password" name="password" id="password" class="input" value="" size="20" />
            </label>
        </p>
        <p class="submit">
            <input type="submit" name="login" class="button" value="Log In" />
        </p>
        <p class="regtext">No account yet? <a href="register.php" >Register Here</a>!</p>
        </form>
    </div>
</div>
<?php
include("includes/footer.php");
if (!empty($message)) {
echo "<p class=\"error\">" . "MESSAGE: ". $message . "</p>";
}
?>

That won't do it, session_start needs to be at the top of the file to work properly. So either include it at the beginning of the file "includes/header.php" (which you are including in your login page) or in some other include file which you will be using in all of your pages.

Tanatos
  • I tried to include it in a new include file named "session.php" and I tried to put it under the however it doesn't display the login.php anymore. Instead it's directing me to intropage.php and gives me an error "The Webpage cannot be load it has a looping on it" –  May 21 '14 at 03:55
  • Try the updated code above instead of yours in login. – Tanatos May 21 '14 at 04:09
  • Thanks. I tried to copy the same code into my code, however it still directs me to login.php even though I am logged in already. It must stay on intropage.php :( –  May 21 '14 at 04:21
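Added example (not part of the original answer): a shared include of the kind suggested above, which starts the session before any output and gives protected pages and the login page separate redirect helpers. The file name includes/session.php and the function names are hypothetical; the array form of session_set_cookie_params() assumes PHP 7.3 or later.

```php
<?php
// includes/session.php (hypothetical file name). Added example, not code from the page.
// Include it as the very first line of every page, with no blank lines or HTML
// before the opening tag, so session_start() and header() run before any output.

if (headers_sent($file, $line)) {
    // Output already started: the session cookie and any redirect would fail.
    error_log("Output started at $file:$line before the session bootstrap");
}

session_set_cookie_params([
    'httponly' => true,                      // cookie not readable from JavaScript
    'samesite' => 'Lax',
    'secure'   => !empty($_SERVER['HTTPS']), // HTTPS-only when the site is served over TLS
]);
session_start();

function is_logged_in(): bool
{
    return isset($_SESSION['session_username']);
}

function redirect_to(string $page): void
{
    header('Location: ' . $page);
    exit;   // without exit the rest of the page still executes and is sent
}

// Call on protected pages such as intropage.php.
function require_login(): void
{
    if (!is_logged_in()) {
        redirect_to('login.php');
    }
}

// Call on login.php only. Calling require_login() there instead would
// redirect login.php to itself and produce a redirect loop.
function redirect_if_logged_in(): void
{
    if (is_logged_in()) {
        redirect_to('intropage.php');
    }
}
```

On intropage.php, call require_login() right after the include, and pass $_SESSION['session_username'] through htmlspecialchars() before echoing it into the welcome heading.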
0

Put your session_start() at the top of the page.

I have just commented your code, and it worked for me. Just copy and run this code directly.

<?php session_start();
//require_once("includes/connection.php"); ?>
<?php //include("includes/header.php"); ?>


<?php

if(isset($_POST["login"])){

if(!empty($_POST['username']) && !empty($_POST['password'])) {
    $username=$_POST['username'];
    $password=$_POST['password'];


   /* $query=mysql_query("SELECT * FROM usertbl WHERE username='".$username."' AND password='".$password."'");


    $numrows=mysql_num_rows($query);
    if($numrows!=0)
    {
    while($row=mysql_fetch_assoc($query))
    {
    $dbusername=$row['username'];
    $dbpassword=$row['password'];
    }

    if($username == $dbusername && $password == $dbpassword)
    {*/

    $_SESSION['session_username']=$username;
    print_r($_SESSION);

    /* Redirect browser */
   /* header("Location: intropage.php");
    }
    } else {
    $message = "Invalid username or password!";
    }
*/
} else {
    $message = "All fields are required!";
}
}
?>




    <div class="container mlogin">
            <div id="login">
    <h1>LOGIN</h1>
<form name="loginform" id="loginform" action="" method="POST">
    <p>
        <label for="user_login">Username<br />
        <input type="text" name="username" id="username" class="input" value="" size="20" /></label>
    </p>
    <p>
        <label for="user_pass">Password<br />
        <input type="password" name="password" id="password" class="input" value="" size="20" /></label>
    </p>
        <p class="submit">
        <input type="submit" name="login" class="button" value="Log In" />
    </p>
        <p class="regtext">No account yet? <a href="register.php" >Register Here</a>!</p>
</form>

    </div>

    </div>


    <?php include("includes/footer.php"); ?>
    <?php if (!empty($message)) {echo "<p class=\"error\">" . "MESSAGE: ". $message . "</p>";} ?>
Padmanathan J
0

You are unnecessarily checking the session username in intropage.php.
You should remove the code

 if(!isset($_SESSION["session_username"])){
header("location:login.php");

from the intro file, and start the session only once; it should be on the header file's first line.