0

I'm trying to make login form that checks from database if username exist, if it is true, then it redirect me to another page that says welcome + username, I want to know if that need session to achieve the condition or not? because my code has no error and it is not showing the welcome message.

Let me explain it, i have variable in login.php called "$welcome" it's suppose to be echoed when the login form is submitted with valid username & password, then it redirect me to admin-panel.php and echo the variable "$welcome". Here's my work

login.php

<?php
session_start();
include "connection.php";
?>
<?php
if(isset($_POST['submit'])){
    $admin_user = isset($_POST['username']) ? $_POST['username'] : '';
    $admin_pass = isset($_POST['password']) ? $_POST['password'] : '';

    $sql = mysqli_stmt_init($conn);
    if ($sql = mysqli_prepare($conn, "SELECT username, password FROM account WHERE username = ? AND password = ?")){
        mysqli_stmt_bind_param($sql, "ss", $admin_user, $admin_pass);
        mysqli_stmt_execute($sql);
        mysqli_stmt_bind_result($sql, $username,$password);
        mysqli_stmt_fetch($sql);
        mysqli_stmt_close($sql);    
    }
    global $username, $password;

    if(empty($admin_user) || empty($admin_pass)){
        $msg = "<span class='text-danger'> Username or Password Can't be empty </span>";
    } elseif($admin_user != $username || $admin_pass != $password){
        $msg = "<span class='text-danger'> Username or Password is not valid </span>";

    } else{
        header("location:admin-panel.php");
        $welcome = "<h2>Welcome ". $admin_user ."!!!</h2>";
        $_SESSION['welcome'] = $welcome;
    }
    mysqli_close($conn);
}
?>

index.php

<?php
include "login.php";
global $msg;
?>
<!DOCTYPE html>
<html>
<head>
<title>Admin Panel</title>
</head>
<body>
<form method="post">
    <?php if(isset($msg)){ ?>
        <div>
            <?php echo $msg; ?>
        </div>
    <?php } ?>
    <div>
        <label for="username">Username:</label>
        <input type="text" name="username"> 
    </div>
    <div>
        <label for="password">Password:</label>
        <input type="password" name="password">
    </div>

    <div>
        <input type="submit" name="submit">
    </div>
</form>

admin-panel.php

<?php
  session_start();
?>
<!DOCTYPE html>
<html>
<head>
<title>Welcome Admin</title>
</head>
<body>
<div>
   <?php
       echo $_SESSION['welcome'];
   ?>
</div>
</body>
</html>
Amr Ashraf
  • 315
  • 4
  • 14
  • 5
    This is exactly what sessions are for – John Conde Jan 04 '17 at 17:56
  • 5
    hope you're planning on hashing passwords also, along with a prepared statement. – Funk Forty Niner Jan 04 '17 at 17:57
  • 2
    ... and use parameterized queries. – chris85 Jan 04 '17 at 17:57
  • 2
    Your script is at risk of [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) Have a look at what happened to [Little Bobby Tables](http://bobby-tables.com/) Even [if you are escaping inputs, its not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) Use [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) – RiggsFolly Jan 04 '17 at 17:59
  • @RiggsFolly just updated the code with prepared statement..cheers man! – Amr Ashraf Jan 04 '17 at 21:02

1 Answers1

2

When you redirect the user:

header("location:admin-panel.php");

The user's browser makes an entirely new request (specifically a GET request) for the supplied URL. So everything the code just did is now over and a whole new request is starting. That request has no knowledge of anything in previous requests.

So when you include the other script:

include "login.php";

That script executes, but in this case it doesn't do anything because everything is wrapped in a condition:

if(isset($_POST['submit'])){

and in this new request that condition is false. A redirect isn't a form submit.

Instead of trying to include the previous page (remove the include "login.php"; entirely), store the value in the server's session state and read that value on the redirected page. Something as simple as:

// on the login page:
session_start();
$_SESSION['welcome'] = $welcome;

and:

// on the admin page:
session_start();
echo $_SESSION['welcome'];

Be aware that this is very over-simplified just to introduce to you the concept. You'll probably want to factor in some other things like checking for a value before displaying it, sanitizing values as needed, and you'll definitely want to look into prepared statements with query parameters and into password hashing as currently your code is very open to exploits.

Community
  • 1
  • 1
David
  • 208,112
  • 36
  • 198
  • 279
  • 1
    @AmrAshraf: Was the value successfully stored in the session before trying to retrieve it? – David Jan 04 '17 at 18:29