
I keep getting this error in my code every time I visit the index page, and when I try to log in it does go to the home page but everything is empty, as if the session has not registered the email address. Here is my code:

index.php

```php
<?php
session_start();
include("includes/config.php");

if (isset($_POST['login'])) {
    // Escape the submitted values and hash the password with MD5
    $email = mysqli_real_escape_string($connection, $_POST['email']);
    $pass = mysqli_real_escape_string($connection, $_POST['pass']);
    $pass = md5($pass);

    // Look up the member by email and password hash
    $get_user = "SELECT * FROM members WHERE user_email='$email' AND user_pass='$pass'";
    $run_user = mysqli_query($connection, $get_user);
    $check = mysqli_num_rows($run_user);

    if ($check == 1) {
        $_SESSION['user_email'] = $email;
        $rows_check = mysqli_fetch_array($run_user);
        $activate = $rows_check['activate'];

        // Inactive accounts go to the lock-out page
        if ($activate == 0) {
            echo "<script>window.open('lock_out.php','_self')</script>";
        }
        // Active accounts go to the home page and are marked online
        if ($activate == 1) {
            echo "<script>window.open('home.php','_self')</script>";
            $stat = 1;
            $update = "UPDATE members SET online='$stat' WHERE user_email='$email'";
            $run_update = mysqli_query($connection, $update);
        }
    } else {
        echo "<script>alert('Password or email is not correct!')</script>";
        echo "<script>window.open('index.php','_self')</script>";
    }
}
?>
```

home.php

```php
<?php
session_start();
include("includes/config.php");
include("includes/functions.php");
// Send visitors without a session back to the login page
if (!isset($_SESSION['user_email'])) {
    header("Location: index.php");
    exit; // stop here so the rest of the page is not rendered
}
?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="viewport" content="width=device-width,initial-scale=1.0" />
<meta name="keywords" content="date, dating, chat, friends, meet friends, online chat, meet people, frum, chatroom, articles" />
<meta name="description" content="meet new people from around the world and engage in exciting chat. chat in forums and chatrooms and play free games" />
<title>My home page</title>
<link type="text/css" rel="stylesheet" href="css/home_styles.css" media="all"/>
</head>

<body>
<h3>WELCOME USER</h3>
</body>
</html>
```
  • I've tried every way I can. Please look at the code and tell me if I have something incorrect – styles41 Sep 22 '16 at 18:39
  • What is there in `config.php`? – Alive to die - Anant Sep 22 '16 at 18:40
  • Is // index.php part of your code? Note you cannot have anything before – Dave Chen Sep 22 '16 at 18:41
  • In my config.php file I have this code: – styles41 Sep 22 '16 at 18:43
  • Some sensible code indentation would be a good idea. It helps us read the code and more importantly it will help **you debug your code**. [Take a quick look at a coding standard](http://www.php-fig.org/psr/psr-2/) for your own benefit. You may be asked to amend this code in a few weeks/months and you will thank me in the end. – RiggsFolly Sep 22 '16 at 18:43
  • What's the encoding? If it's UTF BOM, remove the BOM. – noahnu Sep 22 '16 at 18:43
  • No, the slashes are just for you to tell which page is which – styles41 Sep 22 '16 at 18:45
  • The encoding is UTF-8 – styles41 Sep 22 '16 at 18:45
  • Your script is at risk of [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Have a look at what happened to [Little Bobby Tables](http://bobby-tables.com/). Even [if you are escaping inputs, it's not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) Use [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) – RiggsFolly Sep 22 '16 at 18:47
  • What code have you got in `config.php` – RiggsFolly Sep 22 '16 at 18:48
  • Please don't __roll your own__ password hashing. PHP provides [`password_hash()`](http://php.net/manual/en/function.password-hash.php) and [`password_verify()`](http://php.net/manual/en/function.password-verify.php), please use them. And here are some [good ideas about passwords](https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet). If you are using a PHP version prior to 5.5 [there is a compatibility pack available here](https://github.com/ircmaxell/password_compat) – RiggsFolly Sep 22 '16 at 18:49
  • OK, thank you for telling me about the SQL injection attacks. I'll adjust the code accordingly – styles41 Sep 22 '16 at 18:56
  • Thanks a lot for your help. It actually was the BOM characters that made it not work. It's fixed now – styles41 Sep 28 '16 at 18:22
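
The prepared-statement and `password_hash()`/`password_verify()` advice from the comments, together with the BOM fix, applied to the login block of index.php. This is an added example, not code from the thread: it assumes `includes/config.php` defines `$connection` as a mysqli object and that `members.user_pass` already holds `password_hash()` output; `find_member()` and the `error=1` flag are hypothetical names.

```php
<?php
// Added example, not the asker's code. Save as UTF-8 *without* BOM: any byte
// before "<?php" is sent as output and breaks session_start() and header().
session_start();
include("includes/config.php"); // assumed to define $connection (mysqli), as on the page
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors

/**
 * Hypothetical helper: returns the member row on a correct login, else null.
 * Assumes members.user_pass stores password_hash() output (e.g. VARCHAR(255)).
 */
function find_member(mysqli $connection, string $email, string $pass): ?array
{
    // The placeholder keeps $email out of the SQL text, so no escaping is needed.
    $stmt = $connection->prepare(
        "SELECT user_email, user_pass, activate FROM members WHERE user_email = ?"
    );
    $stmt->bind_param("s", $email);
    $stmt->execute();
    $stmt->bind_result($user_email, $hash, $activate);
    $found = $stmt->fetch(); // true when a row was read, null when there is none
    $stmt->close();

    // password_verify() checks the password against the salted hash.
    if ($found !== true || !password_verify($pass, $hash)) {
        return null;
    }
    return ["user_email" => $user_email, "activate" => (int) $activate];
}

if (isset($_POST['login'])) {
    $member = find_member($connection, $_POST['email'] ?? '', $_POST['pass'] ?? '');

    if ($member === null) {
        $target = "index.php?error=1"; // hypothetical flag for the error message
    } elseif ($member['activate'] !== 1) {
        $target = "lock_out.php";      // assumption: anything but 1 is locked
    } else {
        session_regenerate_id(true);   // new session ID once authenticated
        $_SESSION['user_email'] = $member['user_email'];
        $stmt = $connection->prepare("UPDATE members SET online = 1 WHERE user_email = ?");
        $stmt->bind_param("s", $member['user_email']);
        $stmt->execute();
        $target = "home.php";
    }
    header("Location: " . $target);
    exit; // nothing may run, or be printed, after the redirect header
}
```

Existing MD5 values in `user_pass` will not verify with `password_verify()`; those accounts need a password reset or a rehash at next login.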

0 Answers