How to make log in page PHP work with Session.

Question

Okay, So I have this log in page here all I want it to do is log me in and send me too "index.php". I know my email is correct and the password and everything is good. it all works it just stays on the same page though instead of actually sending me to "index.php". Im new to php and it is probably something stupid but any help would be greatly appreciated. Please and Thank you! :)

<link rel="stylesheet" href="styles.css" />
<?php
session_start();

if(isset($_SESSION['usr_id'])!="") {
    header("Location: index.php");
}

include_once 'dbconnect.php';

//check if form is submitted
if (isset($_POST['login'])) {

    $email = mysqli_real_escape_string($conn, $_POST['email']);
    $password = mysqli_real_escape_string($conn, $_POST['password']);
    $result = mysqli_query($conn, "SELECT * FROM users WHERE email = '" . $email. "' and password = '" . md5($password) . "'");

    if ($row = mysqli_fetch_array($result)) {
        $_SESSION['usr_id'] = $row['id'];
        $_SESSION['usr_name'] = $row['name'];
        header("Location: index.php");
        $successmsg = "SWEET YOU'RE IN!";
        //echo "success";
    } else {
        $errormsg = "Incorrect Email or Password!!!";
    }
}
?>

<!DOCTYPE html>
<html>
<head>
    <title>PHP Login Script</title>
    <meta content="width=device-width, initial-scale=1.0" name="viewport" >
    <link rel="stylesheet" href="css/bootstrap.min.css" type="text/css" />
</head>
<body>


    <div class="container-fluid">
        <!-- add header -->
        <div class="navbar-header">
        </div>
        <!-- menu items -->
        <div class="collapse navbar-collapse" id="navbar1">
            <ul class="navbar">
                <li class="active"><a href="login.php">Login</a></li>
                <li><a href="register.php">Sign Up</a></li>
            </ul>
        </div>
    </div>


<div class="container">
    <div class="row">
        <div class="col-md-4 col-md-offset-4 well">
            <form role="form" action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post" name="loginform">
                <fieldset>
                    <legend>Login</legend>
                    
                    <div class="form-group">
                        <label for="name">Email</label>
                        <input type="text" name="email" placeholder="Your Email" required class="form-control" />
                    </div>

                    <div class="form-group">
                        <label for="name">Password</label>
                        <input type="password" name="password" placeholder="Your Password" required class="form-control" />
                    </div>

                    <div class="form-group">
                        <input type="submit" name="login" value="Login" class="btn btn-primary" />
                    </div>
                </fieldset>
            </form>
            <span class="text-danger"><?php if (isset($errormsg)) { echo $errormsg; } ?></span>
            <span class="text-success"><?php if (isset($successmsg)) { echo $successmsg; } ?></span>
        </div>
    </div>

</div>

</body>
</html>

***You really shouldn't use [MD5 password hashes](http://security.stackexchange.com/questions/19906/is-md5-considered-insecure)*** and you really should use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. Make sure you [don't escape passwords](http://stackoverflow.com/q/36628418/1011527) or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. — Jay Blanchard, Aug 04 '16 at 17:26
[Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! [Don't believe it?](http://stackoverflow.com/q/38297105/1011527) — Jay Blanchard, Aug 04 '16 at 17:27

VoteyDisciple · Answer 1 · 2016-08-04T14:49:02.477

1

Where you have this:

if(isset($_SESSION['usr_id'])!="") {

You want this:

if(isset($_SESSION['usr_id']) && $_SESSION['usr_id'] != "") {

Note that what's in $_SESSION['usr_id'] will be the id column from your database. It's not clear from context if such a column exists, so perhaps double check that there really is a value there before the initial redirect (i.e., just after checking the credentials).

Side note: don't use MD5() to hash passwords. MD5 isn't as secure as you'd want a password hash to be.

edited Aug 04 '16 at 14:49

answered Aug 04 '16 at 14:47

VoteyDisciple

37,319
5
97
97

The code at the top there hasn't changed. The explanation and side note are additional detail, context, and a severe warning about the insecurity of the current system, so they ought to stay in addition to the immediate fix at the top. – VoteyDisciple Aug 04 '16 at 14:53
I do not understand – Aug 04 '16 at 14:55
What is the value you found in `$_SESSION['usr_id'] after loading it? – VoteyDisciple Aug 04 '16 at 14:59
how would I figure that out – Aug 04 '16 at 15:03
`echo` it and then don't redirect to index.php. – VoteyDisciple Aug 04 '16 at 15:04
do you mind telling me exactly how to do that.. haha – Aug 04 '16 at 15:08

How to make log in page PHP work with Session.

1 Answers1