
I'm creating a back-end website for our school thesis and my main concern/problem is that I want the users to be able to log-in first on the login.php before they can go to the index page.

The problem is, people can just go to "sitename/index.php" and open the page even without logging-in first.

Here's the code: [logincheck.php]

<?php
session_start();
try {
    $db = new PDO('mysql:host=localhost;dbname=login', "root", "");
} catch (PDOException $e) {
    echo $e->getMessage();
}

$uid = $_POST['uid'];
$pwd = $_POST['pwd'];

$sql = "SELECT * FROM `user` WHERE `uid` = :uid AND `pwd` = :pwd";
$statement = $db->prepare($sql);
$userData = [
    'uid'=>$uid,
    'pwd'=>$pwd
];

$statement->execute($userData);

if($statement->rowCount() > 0){
    $SESSION['uid'] = $_POST['uid'];
    header('Location: indextemplate.php');
}
else {
    header('Location: login.php');
}
?>

and for my [login.php]:

<?php
try {
    $db = new PDO('mysql:host=localhost;dbname=login', "root", "");
} catch (PDOException $e) {
    echo $e->getMessage();
}

$uid = $_POST['uid'];
$pwd = $_POST['pwd'];

$sql = "SELECT * FROM `user` WHERE `uid` = :uid AND `pwd` = :pwd";
$statement = $db->prepare($sql);
$userData = [
    'uid'=>$uid,
    'pwd'=>$pwd
];

$statement->execute($userData);

if($statement->rowCount() > 0){
    header('Location: index.php');
    exit();
}

elseif (empty($uid) || empty($pwd)) {   // logical test, not a bitwise & on the two strings
    header('Location: login.php?error=empty1');
    exit();
}
elseif ($uid != $idvariable && $pwd != $idvariable) {
    header('Location: login.php?error=empty2');
    exit();
}
?>

If I include the logincheck.php on my index.php it's just stuck on the log-in page even if I type in the correct username and password.

EhsanT
    **Never store plain text passwords!** Please use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). Make sure you ***[don't escape passwords](http://stackoverflow.com/q/36628418/1011527)*** or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Jan 25 '17 at 15:54
  • You need something you can check against, such as a session token. When the user goes to the wrong page, check for the token. If they don't have the token, redirect them to the login page. – Jay Blanchard Jan 25 '17 at 15:56
  • I'm going to implement the "hashing function" once I debug the log-in problems. I'm still currently using xampp localhost for this. Edit: thanks, I'll try out the session tokens. – Ellis Cristoph Jan 25 '17 at 15:58
  • Jay is as always correct, you need to follow PHP programming best practices (yeah, I know that in school they don't teach that stuff, my bad)... you need a way to check that the user is ok (with your session vars) in every page, it's tedious but based on your old school PHP programming pattern, you need to do it that way... why not just take the pain out and learn to use a modern PHP framework like `codeigniter` and build something with added value (it's a very easy to learn framework).... – Hackerman Jan 25 '17 at 15:59
  • @Hackerman currently using Netbeans but I'll try out codeigniter. Thank you for the suggestions. – Ellis Cristoph Jan 25 '17 at 16:00
  • @EllisCristoph, you can use codeigniter with Netbeans as your IDE, no problem... also you can check this guide: https://phpbestpractices.org/ – Hackerman Jan 25 '17 at 16:03
  • @Hackerman is there actually a way for me to hash a password that I added manually in the database because the back-end system doesn't have a sign-up option? or do I have to find a way around it? – Ellis Cristoph Jan 25 '17 at 16:18
  • You can generate something like that with for example `SELECT SHA1(CONCAT(REVERSE("THEUSER"),"THEPASS")) AS HASH` but you need to remember the rule you are using to create the hash in order to apply the same rule when you login into your application.... you should also include a `salt`, but using that simple logic should be enough for a school project :) – Hackerman Jan 25 '17 at 16:42
  • Use the PHP functions shown in the first comment because it includes random salts and you do not have to do any manipulation. – Jay Blanchard Jan 25 '17 at 16:54

1 Answer

You should add an if statement in your loginCheck before attempting to log in. The $_POST information is not kept between pages, unlike $_SESSION.

if(!isset($_SESSION['uid'])){
    //Go to login.php
    header("Location: login.php");
    die();
}

Note the _ in $_SESSION, which needs to be updated in your code.

Antony
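One way to put the answer's session check together with the password hashing the comments recommend, as an added example that is neither the asker's code nor the answerer's. It assumes the DSN and credentials from the question, a `user` table with columns `uid` and `pwd`, and that `pwd` holds a `password_hash()` string instead of the plaintext the original stores; the function names `requireLogin`, `attemptLogin` and `hashForSeeding` are this example's own.

```php
<?php
// auth.php: added example, not code from the question or the answer.
// Assumed schema: table `user` with columns `uid` and `pwd` (pwd = password_hash() output).
declare(strict_types=1);

function db(): PDO
{
    // DSN and credentials assumed from the question; raise exceptions instead of echoing them.
    $db = new PDO('mysql:host=localhost;dbname=login', 'root', '');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $db;
}

// Gate for protected pages: require this at the top of index.php before any output.
// Anyone who typed sitename/index.php directly has no session uid and is sent to login.php.
function requireLogin(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!isset($_SESSION['uid'])) {
        header('Location: login.php');
        exit();
    }
}

// Form handler: returns true and establishes the session on success, false otherwise.
function attemptLogin(string $uid, string $pwd): bool
{
    if ($uid === '' || $pwd === '') {
        return false; // the "empty" case from the original elseif, checked first
    }
    // Look up only the stored hash; the password is never compared inside SQL.
    $stmt = db()->prepare('SELECT `pwd` FROM `user` WHERE `uid` = :uid');
    $stmt->execute(['uid' => $uid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_verify() reads the salt embedded in the hash, so no manual salting rule is needed.
    if ($row === false || !password_verify($pwd, $row['pwd'])) {
        return false;
    }
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true); // fresh session id once authenticated
    $_SESSION['uid'] = $uid;     // note the underscore: $_SESSION, not $SESSION
    return true;
}

// For the "no sign-up form" case raised in the comments: hash a password once with this
// helper and store the returned string in `pwd` via a manual INSERT or UPDATE.
function hashForSeeding(string $plain): string
{
    return password_hash($plain, PASSWORD_DEFAULT);
}

// Usage in logincheck.php (the POST target of the login form):
//   require 'auth.php';
//   if (attemptLogin($_POST['uid'] ?? '', $_POST['pwd'] ?? '')) {
//       header('Location: index.php');
//       exit();
//   }
//   header('Location: login.php?error=bad');
//   exit();
//
// Usage in index.php (first lines of the file):
//   require 'auth.php';
//   requireLogin();
```

The guard and the login handler both call `session_start()` themselves so neither depends on the including page remembering to do it, and both redirect with `exit()` so no protected HTML is emitted after the `Location` header.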