
I have a problem with my login page. On my registration page I ask the user whether he/she is a student or a teacher. This is put into the database 'dbuploaden'. I need to get that information back from the database when a user wants to sign in, because a student gets to see a different home page than a teacher.

The problem here is that when I press the button "login", my page just seems to refresh and doesn't give me an error or anything. This is the PHP code I use:

<?php
session_start();
include_once 'connection.php';

if(isset($_SESSION['user'])!="")
{
    //header("Location: home.php");
}
if(isset($_POST['btn-login']))
{
    $email = mysql_real_escape_string($_POST['email']);
    $upass = mysql_real_escape_string($_POST['pass']);
    $res=mysql_query("SELECT * FROM tblgebruikers WHERE email='$email'");
    $row=mysql_fetch_array($res);

    if($row['password']==md5($upass))
    {
        if(mysql_query("SELECT * FROM tblgebruikers WHERE soortgebruiker = student")=="student")
        {
            die('Following connection error has occurred: '.mysql_error());
            $_SESSION['user'] = $row['gebruiker_id'];
            header("Location: index.php");
        }
        if(mysql_query("SELECT * FROM tblgebruikers WHERE soortgebruiker = docent")=="docent")
        {
            die('Following connection error has occurred: '.mysql_error());
            $_SESSION['user'] = $row['gebruiker_id'];
            header("Location: index2.php");
        }
    }
    if($row['password']!=md5($upass))
    {
        echo "Foute gegevens. Probeer opnieuw.";
    }
}

?>

Thanks

  • `if(isset($_SESSION['user'])!="")` that isn't proper syntax. You need 2 separate conditions for it. Plus, I hope this isn't a live site. – Funk Forty Niner May 30 '16 at 18:15
  • There are many things that are wrong in this code. – Phiter May 30 '16 at 18:17
  • no error huh? have you not tried to catch/display them with error reporting? it's probably not even making it to any of the queries. It's just dying on you *silently*. The silent killer at work. (*The dogs of dooms are howling more...*). – Funk Forty Niner May 30 '16 at 18:17
  • I am very new to PHP, I'm only 18 years old. – ItsFutureHouse May 30 '16 at 18:18
  • 1
    lordie; there are 14 year olds who have hacked industry giants. 18 huh? and don't use md5 here. it's way too old and not good for this century. – Funk Forty Niner May 30 '16 at 18:19
  • I was ten when I created Google. Look how it is now – Phiter May 30 '16 at 18:20
  • I'm clearly not one of them, but it's a task for school and my teacher doesn't give me any help... – ItsFutureHouse May 30 '16 at 18:21
  • You should avoid learning or writing new code using PHP's `mysql_*` functions. They have been removed in the latest version and your code won't work in the future. Please read [Why shouldn't I use mysql_* functions in PHP?](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php) for information on why and what to replace them with. – Matt Raines May 30 '16 at 18:25
  • **"my page just seems to refresh and doesn't give me an error or anything."** When you ask a question about an error, **ALWAYS** post the error log. To enable error reporting in your PHP code, add `error_reporting(E_ALL); ini_set('display_errors', '1');` at the top of your script. What does it return? – Pedro Lobito May 30 '16 at 18:29
  • I would love to help you out with this, as I had to teach myself web programming from scratch and, unlike is sometimes advertised, it can be a bit more difficult to learn good programming practices on your own. Unfortunately, your question doesn't give us all of the information needed to help you adjust your code. Can you give us an idea of what is in the 'connection.php' file and what the structure of your database looks like? – Reid Johnson May 30 '16 at 18:48

1 Answer


I started out in web programming with little to no training, and certainly no teachers to guide me. It can be a little more difficult to learn than a lot of people will let on once they've already gotten the hang of where to look for answers and how to read the documentation.

First of all, please, please, please, use the mysqli functions rather than the mysql ones. This extension was updated for a reason. Or, even better, use PDO or another such adapter so that your code will be both more secure and easier to write and maintain later, if you ever do decide to go beyond this one assignment.

Also, parameterized queries! It will do you a world of good to start using them now and forget about mysql_real_escape_string.

Second, please look up why using md5 hashes for password storage is a bad idea. Even for an assignment like this, you should get in the practice of using secure and standard coding approaches so that you will develop good habits as you move forward.

I have removed the usage of your 'connection.php' file and have made several assumptions about the structure of your database in order to provide you with a working code fragment. There are many areas that you could optimize and improve on with the code below, but it does achieve the desired results.

<?php
session_start();
//make sure you never do this in production
//you should store your connection usernames and passwords outside the web root
//to make unintentional disclosure of them harder
$mysqli = new mysqli( 'localhost', 'username', 'password', 'dpuploaden' );

if( mysqli_connect_errno() ){
    //in real production code, this would be insecure as you shouldn't give away error information
    //that could allow an attacker to gain more knowledge about your systems if at all possible
    printf( "Kan geen verbinding met de database: %s\n", mysqli_connect_error() );
    exit;
}

if( isset( $_POST[ 'btn-login' ] ) ){
    $email = $_POST[ 'email' ];
    $upass = $_POST[ 'pass' ];
    $id = NULL;
    $password = NULL;
    $soortgebruiker = NULL;

    if( $stmt = $mysqli->prepare( 'SELECT `gebruiker_id`, `password`, `soortgebruiker` FROM `tblgebruikers` WHERE `email` = ?' ) ){
        $stmt->bind_param( 's', $email );
        $stmt->execute();
        $stmt->bind_result( $id, $password, $soortgebruiker );
        $stmt->fetch();
        $stmt->close();

        //please do not ever use md5 as a password hashing solution in real code
        //look up the php function password_hash, or if you have PHP < 5.5.0 bcrypt
        //for their proper usage, or better yet, seek out a library that implements
        //this kind of login code and just use it
        //roll your own is always a bad idea when it comes to security and, even with
        //a lot of experience and information under your belt, it is all too easy to make mistakes
        //compare against the value fetched by bind_result above, not an undefined $row
        if( $password === md5( $upass ) ){
            $_SESSION[ 'user' ] = $id;
            $_SESSION[ 'soortgebruiker' ] = $soortgebruiker;
        }
        else
            exit( "Foute gegevens. Probeer opnieuw." );
    }
    else{
        exit( 'Fout bij het ophalen van informatie.' );
    }
}

if( isset( $_SESSION[ 'user' ] ) && $_SESSION[ 'user' ] != '' ){
    if( $_SESSION[ 'soortgebruiker' ] === 'student' ){
        header( "Location: index.php" );
        exit;
    }
    else if( $_SESSION[ 'soortgebruiker' ] === 'docent' ){
        header( "Location: index2.php" );
        exit;
    }
}

//output login page here
?>
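As an added example (not part of the answer above, and not the asker's code), here is the same login flow with the md5 comparison replaced by `password_verify()`, as the answer recommends, plus a session ID regeneration on login and a fixed role-to-page map so the redirect target never depends on user input. It assumes the same `tblgebruikers` table with `gebruiker_id`, `email`, `password` and `soortgebruiker` columns, and that registration stores `password_hash($pass, PASSWORD_DEFAULT)` in `password` instead of an md5 hex string (existing md5 rows would have to be migrated first).

```php
<?php
// Added example: login with password_verify(), a prepared statement and a
// whitelist of landing pages. Table/column names follow the question;
// the connection credentials are placeholders.
session_start();

$mysqli = new mysqli('localhost', 'username', 'password', 'dbuploaden');
if ($mysqli->connect_errno) {
    // Log the detail server-side; the user only gets a generic message.
    error_log('DB connect failed: ' . $mysqli->connect_error);
    exit('Kan geen verbinding maken met de database.');
}

// Role -> landing page. Only these two values can ever become a redirect.
$landing = ['student' => 'index.php', 'docent' => 'index2.php'];

if (isset($_POST['btn-login'])) {
    $email = $_POST['email'] ?? '';
    $upass = $_POST['pass'] ?? '';

    $stmt = $mysqli->prepare(
        'SELECT gebruiker_id, password, soortgebruiker FROM tblgebruikers WHERE email = ?'
    );
    if (!$stmt) {
        error_log('prepare failed: ' . $mysqli->error);
        exit('Fout bij het ophalen van informatie.');
    }
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->bind_result($id, $hash, $soortgebruiker);
    $found = $stmt->fetch();   // false/null when no row matched the e-mail
    $stmt->close();

    // One generic message for both "unknown e-mail" and "wrong password",
    // so the form does not reveal which addresses are registered.
    if (!$found || !password_verify($upass, $hash)) {
        exit('Foute gegevens. Probeer opnieuw.');
    }

    session_regenerate_id(true);   // new session ID on login (session fixation)
    $_SESSION['user'] = $id;
    $_SESSION['soortgebruiker'] = $soortgebruiker;
}

$role = $_SESSION['soortgebruiker'] ?? '';
if (isset($_SESSION['user']) && isset($landing[$role])) {
    header('Location: ' . $landing[$role]);
    exit;
}
// output the login form here
```

`password_verify()` reads the algorithm and cost from the stored hash, so the hash column only needs to be wide enough (255 characters is safe) and no separate salt column is required.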