
I'm currently having some issues with creating a webpage that's only accessible once a user has logged in.

I've looked through various threads here, but to no avail. Any help with this would be greatly appreciated.

Here's my code:

login.php:

```php
<?php
include('connect.php');
if (isset($_REQUEST['Submit']))
{
  if($_REQUEST['user_id']=="" || $_REQUEST['password']=="")
  {
    echo " Field must be filled";
  }
  else
  {
    $sql1= "select * from student where email= '".$_REQUEST['user_id']."' &&  password ='".$_REQUEST['password']."'";
    $result=mysql_query($sql1)
      or exit("Sql Error".mysql_error());
    $num_rows=mysql_num_rows($result);
    if($num_rows>0)
    {
      session_start($_SESSION['Login']);
      echo "You have logged in successfully";
      header("Location: statistics.html");
    }
    else
    {
      echo "Wrong username or password.";
    }
  }
}
?>

<!DOCTYPE html>
<html class="no-js">
<head>
  <meta charset="utf-8">
  <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
  <title>PHP Login Form</title>
  <meta name="description" content="">
  <meta name="viewport" content="width=device-width">
  <link rel="stylesheet" href="css/bootstrap.css">
  <link rel="stylesheet" href="css/main.css">
</head>
<body>
  <div class="container">
    <div class="row" style="margin-top:20px">
      <div class="col-xs-12 col-sm-8 col-md-6 col-sm-offset-2 col-md-offset-3">
        <form name="form_login" method="post" action="login.php" role="form">
          <fieldset>
            <h2>Please Sign In</h2>
            <hr class="colorgraph">
            <div class="form-group">
              <input name="user_id" type="text" id="user_id" class="form-control input-lg" placeholder="Email Address">
            </div>
            <div class="form-group">
              <input type="password" name="password" id="password" class="form-control input-lg" placeholder="Password">
            </div>
            <span class="button-checkbox">
            <button type="button" class="btn" data-color="info">Remember Me</button><!-- Additional Option -->
            <input type="checkbox" name="remember_me" id="remember_me" checked="checked" class="hidden">
            <hr class="colorgraph">
            <div class="row">
              <div class="col-xs-6 col-sm-6 col-md-6">
                <input type="submit" name="Submit" value="Login" class="btn btn-lg btn-success btn-block">
              </div>
            </div>
          </fieldset>
        </form>
      </div>
    </div>
  </div>
</body>
</html>
```

And statistics.html (the page that should only be accessible when logged in):

```php
<?php
include("login.php");
session_start();
if(!isset($_SESSION['Login']))
{
  header("Location:login.php");
  die();
}
?>

<!DOCTYPE html>
<html lang="en">
  <head>
  <meta charset="UTF-8">
  <meta http-equiv="X-UA-Compatible" content="IE=edge">
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <title>Personal Website</title>
  <link rel="stylesheet" href="../../CSS/stylesheetmain.css">
  <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.4/css/bootstrap.min.css">
  <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.4/css/bootstrap-theme.min.css">
  </head>
  <body>
   <!--Navigation Bar-->
   <div class="row">
    <div class="darkgrey column col-md-8 col-md-offset-2 col-xs-12 col-s-12">
     <nav class="navbar navbar-background-color">
       <div class="container-fluid">
         <div class="navbar-header">
           <button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#bs-example-navbar-collapse-1"><!--Reference: Bootstrap, 2015. getbootstrap.com. [Online] Available at: http://getbootstrap.com/ [Accessed 01 April 2015]-->
             <span class="sr-only">Toggle navigation</span>
             <span class="icon-bar"></span>
             <span class="icon-bar"></span>
             <span class="icon-bar"></span>
           </button>
           <a class="navbar-brand" href="../index.html"></a>
         </div>
         <div class="collapse navbar-collapse" id="bs-example-navbar-collapse-1">
           <ul class="nav navbar-nav navbar-right">
             <li class="active"><a href="../index.html">Home</a></li><!--Edits made: Removed active button -->
             <li><a href="AboutMe.html">About Me</a></li>
             <li><a href="Blog.html">Blog</a></li>
             <li><a href="ContactMe.html">Contact Me</a></li>
             <li><a href="Login.html">Login</a></li>
           </ul>
         </div><!-- /.navbar-collapse -->
       </div><!-- /.container-fluid -->
     </nav>
    </div>
   </div>
   <div class="row">
    <div class="navbarbottom column col-md-8 col-md-offset-2 col-xs-12 col-s-12"></div>
   </div>
   <!--Page Title-->
   <div class="row">
    <div class="title mediumbluetext col-md-8 col-md-offset-2 col-xs-0 col-s-0">
     <center><h1>Statistics</h1></center>
    </div>
   </div>
   <!--Main Body-->
   <div class="row">
    <!--Left Column Spacer-->
    <div class="maintextleftbackground column col-md-2 col-xs-0 col-s-0">
     <script type="text/javascript" src="//s7.addthis.com/js/300/addthis_widget.js#pubid=ra-52f8f8c0164b330f" async="async"></script>
    </div>
    <!--Middle Column-->
    <div class="maintext80 column col-md-8 col-xs-12 col-s-8 col-s-offset-2"><br>
     <div id="main-chart-container"></div>
     <div id="breakdown-chart-container"></div>
     <div id="embed-api-auth-container"></div>
     <div id="view-selector-container"></div>
    </div>
    <!--Right Column Spacer-->
    <div class="maintextrightbackground column col-md-2 col-xs-0 col-s-0">
    </div>
   </div>
   <!--Footer Bar-->
   <div class="row">
    <div class="darkgrey column col-md-8 col-md-offset-2 col-xs-12 col-s-12">
     <nav class="navbar-background-color">
      <div class="container-fluid">
       <p class="navbar-text navbar-right"><a href="../SiteMap/SiteMap.html" class="navbar-link">SiteMap</a></p>
      </div>
     </nav>
    </div>
   </div>
   <script src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.2/jquery.min.js"></script>
   <script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.4/js/bootstrap.min.js"></script>
   <script>
    (function(w,d,s,g,js,fs){
      g=w.gapi||(w.gapi={});g.analytics={q:[],ready:function(f){this.q.push(f);}};
      js=d.createElement(s);fs=d.getElementsByTagName(s)[0];
      js.src='https://apis.google.com/js/platform.js';
      fs.parentNode.insertBefore(js,fs);js.onload=function(){g.load('analytics');};
    }(window,document,'script'));
   </script>

</body>
</html>
```

No matter what I try, I can't seem to get the code to work. The files are in the same directory as well.

Any help with this would be greatly appreciated.

  • Your code is vulnerable to SQL injection attacks. You should use [mysqli](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) or [PDO](http://php.net/manual/en/pdo.prepared-statements.php) prepared statements as described in [this post](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). – Alex Howansky Apr 11 '17 at 19:08
  • The `mysql_*` functions are deprecated as of PHP v5.5 and have been removed as of v7.0. They should not be used for new code and should be swapped out for [mysqli](http://php.net/manual/en/book.mysqli.php) or [PDO](http://php.net/manual/en/book.pdo.php) equivalents as soon as possible. – Alex Howansky Apr 11 '17 at 19:08

1 Answer

A few things are wrong here, but you're on the right track.

  1. You are VERY susceptible to SQL injection. Please read about it.
  2. Your form uses POST, so your PHP should use `$_POST` and not `$_REQUEST`.
  3. You cannot set a session variable by passing it through to `session_start`. You need to set the variable like so: `$_SESSION['isLoggedIn'] = true`.
  4. You are echoing right before you issue a `header` command. You cannot output anything before redirecting.
waterloomatt
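Putting the answer's four points and the comments' prepared-statement advice together, here is an added example of a hardened login.php plus the guard for the protected page; it is not the asker's or answerer's code. It assumes connect.php creates a PDO handle `$pdo`, that the `password` column of `student` holds `password_hash()` output rather than plaintext, and that the protected page is served as statistics.php, because PHP embedded in a .html file is not executed under a default server configuration.

```php
<?php
// login.php (added example). Assumes connect.php defines a PDO handle $pdo
// and that student.password stores password_hash() output, not plaintext.
session_start();                        // before any output, on every page that uses $_SESSION
require 'connect.php';

$error = '';
if (isset($_POST['Submit'])) {          // the form is method="post": read $_POST, not $_REQUEST
    $email = $_POST['user_id'] ?? '';
    $pass  = $_POST['password'] ?? '';
    if ($email === '' || $pass === '') {
        $error = 'Field must be filled';
    } else {
        // Prepared statement: the email is bound as a parameter, never spliced into the SQL.
        $stmt = $pdo->prepare('SELECT id, password FROM student WHERE email = :email');
        $stmt->execute([':email' => $email]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        if ($row !== false && password_verify($pass, $row['password'])) {
            session_regenerate_id(true);        // fresh session id on login (blocks session fixation)
            $_SESSION['isLoggedIn'] = true;     // set the flag; session_start() takes no such argument
            $_SESSION['student_id'] = (int) $row['id'];
            header('Location: statistics.php'); // redirect before any echo or HTML is sent
            exit;
        }
        $error = 'Wrong username or password.'; // same message for unknown user and bad password
    }
}
?>
<p><?= htmlspecialchars($error) ?></p>      <!-- escaped on output -->
<!-- the sign-in form from the question follows unchanged -->

<?php
// ---- statistics.php: renamed from .html so the server actually runs this block ----
session_start();
if (empty($_SESSION['isLoggedIn'])) {   // no login flag: bounce to the form and stop
    header('Location: login.php');
    exit;
}
?>
<!-- the statistics page markup from the question follows -->
```

The protected page no longer includes login.php; the two files only share the session, and the redirect in each happens before a single byte of HTML is emitted.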