
I have a login page, and if an error occurs during login, such as wrong data inserted, it will say wrong data inserted. However, my problem is that I can log in but it displays a blank page for rows with a null value in a row instead of a menu bar.

table structure

I can log in for both rows, but my homepage appears as a blank page for staff_id = 12, which I think is caused by the null value in the stf_superior column.

I want every user to be able to view the content of the homepage even if their stf_superior is null.

I don't know where the main problem is since the error says:

enter image description here

And my home.php has no SQL at all, so I assume it must be in my login_process.php, because it seems like it couldn't receive the id for row = 12 (the row which contains a null value in the stf_superior column).

Below is my Login_Process.php

```php
<?php

require_once('include/connection.php');
require_once('include/userGlobal.php');

if ($_POST['STAFF_ID'] == "" || $_POST['LOGIN_PASSWORD'] == "") {
    echo "<script language=\"javascript\">alert(\"Username & password     required!\");
    document.location.href='index.php';</script>";
} else {
    $sql = "SELECT * FROM staff where staff_id='" . $_POST['STAFF_ID'] . "' ";

    //$result = mysql_query($sql, $connection) or die(mysql_error());

    $result = DB_Query($sql);

    //$staffRow=mysql_fetch_array($result);
    $staffRow = DB_FetchRow($result);

    $the_id = $staffRow["staff_id"];
    $the_pass = $staffRow["staff_pass"];
    $the_status = $staffRow["stfs_id"];

    //$passs = base64_encode($_POST["LOGIN_PASSWORD"]);

    $passs = ecdPwd($_POST["LOGIN_PASSWORD"]);
    $level = $staffRow["staff_lvl"];
    if (($the_id == $_POST["STAFF_ID"]) && ($the_pass == $passs)) {

        //success

        //update last login
        $sql_stfl = "SELECT * FROM staff_login where staff_id='" . $the_id . "'";
        $rs_stfl = DB_Query($sql_stfl);
        if (DB_RowsReturned($rs_stfl) > 0) {
            //update entry
            $row = DB_FetchRow($rs_stfl);
            $prevLogin = $row["stfl_last_login"];
            $sql_update = "UPDATE staff_login SET stfl_prev_login='{$prevLogin}' WHERE staff_id='{$the_id}'";
            DB_Query($sql_update);
        } else {
            //create entry
            $sql_insert = "INSERT INTO staff_login (staff_id) VALUES ('{$the_id}')";
            DB_Query($sql_insert);
        }

        setcookie("id", $_POST["STAFF_ID"]);
        header("Location:Home.php");
    } else {
        //reject
        echo "<script language=\"javascript\">alert(\"WRONG USERNAME/PASSWORD!\");
    document.location.href='index.php';</script>";
        header("Location:index.php");
    }
}

?>
<?php ob_flush(); ?>
```
NFSJ
  • 4
    Your code is vulnerable to SQL injection, you need to fix this. – Enstage May 17 '17 at 01:47
  • 1
    What would you like to happen instead of the blank page, and what have you tried already to fix it? See [how to ask a good question](https://stackoverflow.com/help/how-to-ask). – Jack Taylor May 17 '17 at 01:49
  • @Enstage what should I fix? – NFSJ May 17 '17 at 01:49
  • You need to do some research yourself, start here: http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php – Enstage May 17 '17 at 01:50
  • 1
    **WARNING**: This has some severe [SQL injection bugs](http://bobby-tables.com/) because `$_GET` data is used inside the query. Whenever possible use **prepared statements**. These are quite straightforward to do in [`mysqli`](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and [PDO](http://php.net/manual/en/pdo.prepared-statements.php) where any user-supplied data is specified with a `?` or `:name` indicator that’s later populated using `bind_param` or `execute` depending on which one you’re using. **NEVER** put `$_POST`, `$_GET` or any user data directly in your query. – tadman May 17 '17 at 01:52
  • Please post code, errors, sample data or textual output here as plain-text, not as images that can be hard to read, can’t be copy-pasted to help test code or use in answers, and are hostile to those who use screen readers. You can edit your question to add the code in the body of your question. Use the `{}` button to format any blocks of code, or indent with four spaces for the same effect. – tadman May 17 '17 at 01:52
  • Maybe there is an error in your page, or some other part is not there – JYoThI May 17 '17 at 02:00
  • @JYoThI I have edited my question. – NFSJ May 17 '17 at 02:04
  • `ini_set('display_errors',1); error_reporting(E_ALL);` In debug mode, place it at the very top of the page – JYoThI May 17 '17 at 02:10
  • header will not work if you are sending any output to the browser before the header function, i.e. echoing something or HTML. – JYoThI May 17 '17 at 02:13
  • @JYoThI but it works for other rows where the stf_superior column does not contain a null value – NFSJ May 17 '17 at 02:15
  • Are you using that column anywhere in your code? – JYoThI May 17 '17 at 02:26
  • @JYoThI Thank you very much for helping me out. It turns out that it was an error from some other page and it is solved by adding an IF condition. I'm so sorry for taking your time :( – NFSJ May 17 '17 at 02:40
  • @NFSJ, you may have got your code working, but like so many before me have mentioned, you should really look into creating a prepared statement and not have the $_POST variables concatenated as part of the $sql variable. Right now your login page is vulnerable to the most basic 1=1 attack and could potentially allow someone to login with admin rights to your site. I prefer PDO, but here are two links you should read: PDO: [link](http://php.net/manual/en/pdo.prepared-statements.php) MySQLi: [link](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) – Cagey215 May 17 '17 at 03:31
  • @Cagey215 I will read up on both links you gave. thank you ! :) – NFSJ May 17 '17 at 03:41
  • glad to help you @NFSJ – JYoThI May 17 '17 at 03:43
  • You're welcome @NFSJ – Cagey215 May 17 '17 at 04:18
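
The prepared-statement approach recommended in the comments, shown beside the concatenated query from Login_Process.php. This is an added example, not part of the original question or its comments. Assumptions: PDO with an in-memory SQLite database stands in for the MySQL database behind `DB_Query()`, `password_hash()`/`password_verify()` replace the `ecdPwd()` helper whose body the page does not show, and the function names and sample rows are constructed for illustration.

```php
<?php
// Added example (not the asker's code). In-memory SQLite via PDO stands in for the
// MySQL database behind DB_Query(); password_hash() replaces the unseen ecdPwd().
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE staff (staff_id TEXT PRIMARY KEY, staff_pass TEXT, stf_superior TEXT)');

// Constructed sample rows; staff 12 has a NULL stf_superior, as in the question.
$seed = $pdo->prepare('INSERT INTO staff VALUES (?, ?, ?)');
$seed->execute(['11', password_hash('pass-eleven', PASSWORD_DEFAULT), '3']);
$seed->execute(['12', password_hash('pass-twelve', PASSWORD_DEFAULT), null]);

// Concatenated form, as in Login_Process.php: the input becomes part of the SQL text.
function findStaffConcatenated(PDO $pdo, string $staffId): array
{
    $sql = "SELECT * FROM staff WHERE staff_id='" . $staffId . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Prepared form: the SQL text is fixed and the input is only ever bound as a value.
function findStaffPrepared(PDO $pdo, string $staffId): array
{
    $stmt = $pdo->prepare('SELECT * FROM staff WHERE staff_id = :id');
    $stmt->execute([':id' => $staffId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Login check built on the prepared lookup: exactly one row, then verify the hash.
function login(PDO $pdo, string $staffId, string $password): bool
{
    $rows = findStaffPrepared($pdo, $staffId);
    return count($rows) === 1 && password_verify($password, $rows[0]['staff_pass']);
}

// The "1=1" style input mentioned in the comments (constructed test value).
$tautology = "x' OR '1'='1";

// The concatenated query matches every row; the prepared query matches none,
// because the whole string is compared against staff_id as a literal value.
printf("concatenated: %d row(s)\n", count(findStaffConcatenated($pdo, $tautology)));
printf("prepared:     %d row(s)\n", count(findStaffPrepared($pdo, $tautology)));

// A valid login for the row with a NULL stf_superior still succeeds.
var_dump(login($pdo, '12', 'pass-twelve'));
var_dump(login($pdo, $tautology, 'anything'));
```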

0 Answers