-1

So I am trying to build a PHP login system, but I have a problem with $_SESSION. When I add the condition to open the account.php page with the user and password, I don't know why it doesn't let me log in, even though the user and password are in the database and are correct.

login.php page

<?php   if(isset($_POST['login'])){

    $user = $_POST['username'];
    $PW = $_POST['password'];   

    $result = $con->query("SELECT * FROM user WHERE Username='$user' AND Password='$PW'");
    $row = $result->fetch_array(MYSQLI_BOTH);

    session_start();    
    $_SESSION["userID"] = $row['userdID'];
    header('Location: account.php');
    }

?>

account.php page

<?php require 'conx.php'; ?>

<?php session_start(); 
if(isset($_SESSION["userID"])){
    } else{
        header('Location: login.php');
        }
?>

<p>MY ACCOUNT<?php echo $_SESSION["userID"]; ?> </p>

and the DB structure

`userID`, `Name`, `Email`, `Username`, `Password`, `Timestamp`, `Userlevel`, `ProfileImage`, `Bio`
Stefan J.
  • 93
  • 9
  • What happens exactly when you enter the correct username and password? – BeetleJuice Jul 17 '16 at 13:21
  • You are vulnerable to [SQL-Injections](http://bobby-tables.com/). Use [prepared statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and [bind](http://php.net/manual/en/mysqli-stmt.bind-param.php) the values to the query. Take a look at [How can I prevent SQL-injection in PHP?](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). – FirstOne Jul 17 '16 at 13:32
  • OK, I understand I'm vulnerable to SQL injection. How can I fix that? The problem mentioned I fixed, but how can I fix the SQL injection? Can you write me an example, please? – Stefan J. Jul 18 '16 at 10:48
  • @StefanJ. You said that you fixed your initial problem. If one of the answers helped you, please select it (and upvote if you wish). If you figured it out on your own, that's fine. – BeetleJuice Jul 23 '16 at 02:19
  • If an answer solved your problem, consider accepting the answer. Here's how http://meta.stackexchange.com/questions/5234/how-does-accepting-an-answer-work then return here and do the same with the tick/checkmark till it turns green. This informs the community, a solution was found. Otherwise, others may think the question is still open and may want to post (more) answers. *Welcome to Stack!* – Jay Blanchard Jul 28 '16 at 16:16

4 Answers

2

The problem is that you have a blank line before the session stuff. This forces output to start, preventing any session-related stuff from being properly handled. If you remove the first closing tag and second opening tag in the account.php file, you should be golden.

Frank de Jonge
  • 1,607
  • 1
  • 15
  • 23
2

Hi, session_start should be at the top without any blank space and echo statement.

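<?php
session_start(); // must run before any output is sent
require 'conx.php'; // assumed to define $con, as in account.php

if (isset($_POST['login'])) {

    $user = $_POST['username'];
    $PW = $_POST['password'];

    // Query kept as in the question; it is still open to SQL injection (see the comments on the question).
    $result = $con->query("SELECT * FROM user WHERE Username='$user' AND Password='$PW'");
    $row = $result->fetch_array(MYSQLI_BOTH);

    if ($row) { // only log in when a matching row was found
        $_SESSION["userID"] = $row['userID']; // the column is userID in the posted table structure
        header('Location: account.php');
        exit; // stop the script after the redirect
    }
}
?>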
Passionate Coder
  • 7,154
  • 2
  • 19
  • 44
1

I see a couple of problems right away:

  1. In login.php you never bother to check whether a record with the correct username and password was found. After the query, you just call fetch_array without checking whether a row was returned.

  2. In account.php, you session_start after having sent output to the browser. Do not exit PHP mode after require 'conx.php'. Remove the closing and opening tags ?> <?php; otherwise, the space between the tags is sent to the browser and your sessions break.

  3. You are completely exposed to SQL injection attacks as you do not create prepared statements. Your passwords are clearly not hashed. See password_hash() and password_verify().

Drew
  • 24,851
  • 10
  • 43
  • 78
BeetleJuice
  • 39,516
  • 19
  • 105
  • 165
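The fix that point 3 of the answer above names, and that the asker requested in the comments, as an added example (not code from any poster on this page): login.php with a prepared statement and `password_verify()`. It assumes `conx.php` defines `$con` as a mysqli connection and that the `Password` column stores `password_hash()` output; `find_user_id()` and `$loginError` are hypothetical names.

```php
<?php
// Added example: hardened login.php (not from the original thread).
session_start();      // before any output, as the answers on this page explain
require 'conx.php';   // assumption: defines $con (mysqli), as in account.php

/**
 * Return the userID for valid credentials, or null.
 * Assumption: the Password column holds password_hash() output.
 */
function find_user_id(mysqli $con, string $username, string $password): ?int
{
    // The username is bound as a parameter, never concatenated into the SQL.
    $stmt = $con->prepare('SELECT userID, Password FROM user WHERE Username = ?');
    if ($stmt === false) {
        return null;
    }
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($userId, $hash);
    $found = $stmt->fetch();   // true: row fetched, null: no row, false: error
    $stmt->close();

    // The password is checked in PHP against the stored hash, not in the query.
    if ($found !== true || !password_verify($password, (string) $hash)) {
        return null;
    }
    return (int) $userId;
}

$loginError = false;   // hypothetical flag the form markup can use
if (isset($_POST['login'])) {
    $user = $_POST['username'] ?? '';
    $pw   = $_POST['password'] ?? '';
    // Reject array-valued fields (username[]=...) before they reach the query.
    $userId = (is_string($user) && is_string($pw))
        ? find_user_id($con, $user, $pw)
        : null;

    if ($userId !== null) {
        session_regenerate_id(true);   // fresh session ID on login
        $_SESSION['userID'] = $userId; // column name as in the posted table structure
        header('Location: account.php');
        exit;                          // nothing else is sent after the redirect
    }
    $loginError = true;
}
// No closing tag here: it avoids stray whitespace being sent as output.
```

Accounts created with plain-text passwords will not verify against this code until their `Password` values are replaced with `password_hash()` output, for example at registration or on a password reset.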
1

In your login.php you must change it like this:

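<?php
session_start();
require 'conx.php'; // assumed to define $con, as in account.php

if (isset($_POST['login'])) {
    $user = $_POST['username'];
    $PW = $_POST['password'];

    // Query kept as in the question; it is still open to SQL injection.
    $result = $con->query("SELECT * FROM user WHERE Username='$user' AND Password='$PW'");
    $row = $result->fetch_array(MYSQLI_BOTH);

    echo 'ROW =>' . $row['userID']; // debug output; the column is userID in the posted table structure
    $_SESSION["userID"] = $row['userID'];
    //header('Location: account.php'); // disabled to see if you have something in row
}
?>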

And in your account.php page, you have a blank line between the require and the rest.

You must put session_start(); before any HTML object (echo or line, ...).

Your account.php must be like this:

<?php
session_start();
require 'conx.php';
if (!isset($_SESSION["userID"])) {
    header('Location: login.php');
    exit; // stop here so the page below is not sent to a visitor who is not logged in
}
?>

<p>MY ACCOUNT<?php echo $_SESSION["userID"]; ?> </p>
Amazone
  • 426
  • 4
  • 14