
I'm working on a PHP script that checks a user who has logged in. It includes making sure they have entered both an email address and a password, connecting to SQL and checking the data, registering the session, and updating the login time.

The script doesn't work: when the user completes the form and is directed to this page, it goes right to the error message at the bottom, after the ELSE statement. It doesn't update 'last_login' in SQL.

I was wondering how I should begin troubleshooting this script. Where can I place error handling?

```php
session_start();
include 'dbconuser.php';
//post var
$email_address = $_POST['email_address'];
$password = $_POST['password'];
//check both fields completed
if((!$email_address) || (!$password))
{
    echo "Please enter ALL of the information!<br/>";
    include 'login.htm';
    exit();
}

$password = md5($password);
//connect and check data
$sql = mysqli_query($connection, "SELECT * FROM users WHERE email_address='$email_address' AND password='$password' AND activated='1'");
$login_check = mysqli_num_rows($sql);

if($login_check > 0)
{
    while($row = mysqli_fetch_array($sql))
    {
        foreach( $row AS $key => $val )
        {
            $key = stripslashes( $val );
        }

        // register session
        $_SESSION['first_name'] = $first_name;
        $_SESSION['last_name'] = $last_name;
        $_SESSION['email_address'] = $email_address;
        $_SESSION['user_level'] = $user_level;

        mysqli_query($connection, "UPDATE users SET last_login=now() WHERE userid='$userid'");
        header("Location: index.php");
    }
}
//error
else
{
    include 'login_error.htm';
    echo "You could not be logged in! Either the email_address and password do not match or you have not validated your membership!<br />
    Please try again!<br />";
}
```
  • mixing mysql and mysqli? – Rakesh Sharma Oct 07 '14 at 13:37
  • 3
    You have an invalid mix of `mysqli_*()` and deprecated `mysql_*()` function calls. Review [How can I prevent SQL injection in PHP](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) and start converting all of this to MySQLi. Using the examples in the linked question, and the MySQLi [`prepare()/execute()`](http://php.net/manual/en/mysqli.prepare.php) documentation, now is the time to begin learning to use prepared statements which will correct your SQL injection vulnerability. – Michael Berkowski Oct 07 '14 at 13:42
  • I'm not one to SQL inject so I'm not sure, but someone might just post something where email_address is something like ' OR userid=1;-- – OIS Oct 07 '14 at 13:47
  • Thank you for that link @michael berkowski! Made those changes to mysqli; the script still fails unfortunately – rhill45 Oct 07 '14 at 13:47
  • 1
    I tidied up your indentation to make this readable. Enable PHP's error reporting, always when developing code. At the top: `error_reporting(E_ALL); ini_set('display_errors', 1);` You'll need to debug what values are coming back from the first `mysqli_query()`. `echo mysqli_num_rows($sql);` I note also that you have a variable `$userid` in your UPDATE statement, but that variable is not present anywhere else here. – Michael Berkowski Oct 07 '14 at 13:59
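Putting the comments above together, here is an added example (not the asker's script and not code from either commenter) of the same login flow with MySQLi prepared statements, error reporting enabled, the row fetched into `$row` so that `$userid` actually has a value, and `password_verify()` in place of `md5()`. It assumes `dbconuser.php` defines a mysqli `$connection`, that `users` has the columns used below, that passwords were stored with `password_hash()` (existing md5 hashes would need rehashing), and that mysqlnd is available for `get_result()`.

```php
<?php
// Added example, not the asker's code. Assumes dbconuser.php defines $connection
// (mysqli) and users has userid, first_name, last_name, email_address, password,
// user_level and activated, with password stored by password_hash().
error_reporting(E_ALL);          // show every notice while developing
ini_set('display_errors', '1');
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // failed queries throw
session_start();
include 'dbconuser.php';

$email_address = $_POST['email_address'] ?? '';
$password      = $_POST['password'] ?? '';

if ($email_address === '' || $password === '') {
    echo "Please enter ALL of the information!<br/>";
    include 'login.htm';
    exit();
}

// Placeholders keep user input out of the SQL text, so a value such as
// ' OR userid=1;-- is matched literally instead of changing the query.
$stmt = $connection->prepare(
    "SELECT userid, first_name, last_name, email_address, password, user_level
       FROM users WHERE email_address = ? AND activated = '1'"
);
$stmt->bind_param('s', $email_address);
$stmt->execute();
$row = $stmt->get_result()->fetch_assoc();   // one row or null (var_dump it while debugging)
$stmt->close();

// Compare against the stored hash in PHP; the password never goes into the WHERE clause.
if ($row === null || !password_verify($password, $row['password'])) {
    include 'login_error.htm';
    echo "You could not be logged in! Either the email_address and password do not match or you have not validated your membership!<br />Please try again!<br />";
    exit();
}

session_regenerate_id(true);               // fresh session id once authenticated
$_SESSION['first_name']    = $row['first_name'];
$_SESSION['last_name']     = $row['last_name'];
$_SESSION['email_address'] = $row['email_address'];
$_SESSION['user_level']    = $row['user_level'];

// $userid now exists: it comes from the SELECT above, not from a loose variable.
$userid = (int) $row['userid'];
$upd = $connection->prepare("UPDATE users SET last_login = NOW() WHERE userid = ?");
$upd->bind_param('i', $userid);
$upd->execute();

header("Location: index.php");
exit();
```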

1 Answer

Mixing mysql and mysqli. First change your query to mysql (which has been deprecated), because all the remaining calls you are using are mysql_*:

```php
$sql = mysql_query("SELECT * FROM users WHERE email_address='$email_address' AND password='$password' AND activated='1'");
```

session_register() and mysql_* have been deprecated, so use $_SESSION rather than session_register and use mysqli_* rather than mysql_*.

Rakesh Sharma
  • No, change all the other ones to `mysqli_*()`. The old `mysql_*()` API is deprecated, and MySQLi supports prepared statements (which should be used here) – Michael Berkowski Oct 07 '14 at 13:39