-2

Sorry about the title. Didn't really know how to put it. But I'm open to suggestions so people who have a similar issue can find this topic easily.

I've made a simple login/registration script in php. The issue that I'm having is that "user messages" don't get displayed and I can't figure out what I'm doing wrong.

When a user registers he/she needs to confirm his/her email address. Once this is done and the user logs in, he/she should be redirected to the profile page...profile.php. But for some reason this doesn't work. Does anyone know why?

index.php

<?php 
/* Main page with two forms: sign up and log in */
require 'db.php';
session_start();
?>
<!DOCTYPE html>
<html>
<head>
  <title>Sign-Up/Login Form</title>
  <?php include 'css/css.html'; ?>
</head>

<?php 
if ($_SERVER['REQUEST_METHOD'] == 'POST') 
{
    if (isset($_POST['login'])) { //user logging in

        require 'login.php';

    }

    elseif (isset($_POST['register'])) { //user registering

        require 'register.php';

    }
}
?>
<body>
  <div class="form">

      <ul class="tab-group">
        <li class="tab"><a href="#signup">Sign Up</a></li>
        <li class="tab active"><a href="#login">Log In</a></li>
      </ul>

      <div class="tab-content">

         <div id="login">   
          <h1>Welcome Back!</h1>

          <form action="index.php" method="post" autocomplete="off">

            <div class="field-wrap">
            <label>
              Email Address<span class="req">*</span>
            </label>
            <input type="email" required autocomplete="off" name="email"/>
          </div>

          <div class="field-wrap">
            <label>
              Password<span class="req">*</span>
            </label>
            <input type="password" required autocomplete="off" name="password"/>
          </div>

          <p class="forgot"><a href="forgot.php">Forgot Password?</a></p>

          <button class="button button-block" name="login" />Log In</button>

          </form>

        </div>

        <div id="signup">   
          <h1>Sign Up for Free</h1>

          <form action="index.php" method="post" autocomplete="off">

          <div class="top-row">
            <div class="field-wrap">
              <label>
                First Name<span class="req">*</span>
              </label>
              <input type="text" required autocomplete="off" name='firstname' />
            </div>

            <div class="field-wrap">
              <label>
                Last Name<span class="req">*</span>
              </label>
              <input type="text"required autocomplete="off" name='lastname' />
            </div>
          </div>

          <div class="field-wrap">
            <label>
              Email Address<span class="req">*</span>
            </label>
            <input type="email"required autocomplete="off" name='email' />
          </div>

          <div class="field-wrap">
            <label>
              Set A Password<span class="req">*</span>
            </label>
            <input type="password"required autocomplete="off" name='password'/>
          </div>

          <button type="submit" class="button button-block" name="register" />Register</button>

          </form>

        </div>  

      </div><!-- tab-content -->

</div> <!-- /form -->
  <script src='http://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.3/jquery.min.js'></script>

    <script src="js/index.js"></script>

</body>
</html>

login.php

<?php
/* User login process, checks if user exists and password is correct */

// Escape email to protect against SQL injections
$email = $mysqli->escape_string($_POST['email']);
$result = $mysqli->query("SELECT * FROM users WHERE email='$email'");

if ( $result->num_rows == 0 ){ // User doesn't exist
    $_SESSION['message'] = "User with that email doesn't exist!";
    header("location: error.php");
}
else { // User exists
    $user = $result->fetch_assoc();

    if ( password_verify($_POST['password'], $user['password']) ) {

        $_SESSION['email'] = $user['email'];
        $_SESSION['first_name'] = $user['first_name'];
        $_SESSION['last_name'] = $user['last_name'];
        $_SESSION['active'] = $user['active'];

        // This is how we'll know the user is logged in
        $_SESSION['logged_in'] = true;

        header("location: profile.php");
    }
    else {
        $_SESSION['message'] = "You have entered wrong password, try again!";
        header("location: error.php");
    }
}

profile.php

<?php
/* Displays user information and some useful messages */
session_start();

// Check if user is logged in using the session variable
if ( $_SESSION['logged_in'] != 1 ) {
  $_SESSION['message'] = "You must log in before viewing your profile page!";
  header("location: error.php");    
}
else {
    // Makes it easier to read
    $first_name = $_SESSION['first_name'];
    $last_name = $_SESSION['last_name'];
    $email = $_SESSION['email'];
    $active = $_SESSION['active'];
}
?>
<!DOCTYPE html>
<html >
<head>
  <meta charset="UTF-8">
  <title>Welcome <?= $first_name.' '.$last_name ?></title>
  <?php include 'css/css.html'; ?>
</head>

<body>
  <div class="form">

          <h1>Welcome</h1>

          <p>
          <?php 

          // Display message about account verification link only once
          if ( isset($_SESSION['message']) )
          {
              echo $_SESSION['message'];

              // Don't annoy the user with more messages upon page refresh
              unset( $_SESSION['message'] );
          }

          ?>
          </p>

          <?php

          // Keep reminding the user this account is not active, until they activate
          if ( !$active ){
              echo
              '<div class="info">
              Account is unverified, please confirm your email by clicking
              on the email link!
              </div>';
          }

          ?>

          <h2><?php echo $first_name.' '.$last_name; ?></h2>
          <p><?= $email ?></p>

          <a href="logout.php"><button class="button button-block" name="logout"/>Log Out</button></a>

    </div>

<script src='http://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.3/jquery.min.js'></script>
<script src="js/index.js"></script>

</body>
</html>

error.php

<?php
/* Displays all error messages */
session_start();
?>
<!DOCTYPE html>
<html>
<head>
  <title>Error</title>
  <?php include 'css/css.html'; ?>
</head>
<body>
<div class="form">
    <h1>Error</h1>
    <p>
    <?php 
    if( isset($_SESSION['message']) AND !empty($_SESSION['message']) ): 
        echo $_SESSION['message'];    
    else:
        header( "location: index.php" );
    endif;
    ?>
    </p>     
    <a href="index.php"><button class="button button-block"/>Home</button></a>
</div>
</body>
</html>
WouterS
  • For future questions, please only post the parts of the code that are necessary for the problem to occur. – StuntHacks Jun 13 '17 at 09:31
  • Also: Do you get any error messages? Without any output it's hard to help you. – StuntHacks Jun 13 '17 at 09:33
  • please edit your post so we can see the code that is relevant to your question. So we don't have to find it ourselves – Scorpion Code Jun 13 '17 at 09:34
  • @StuntHacks: I didn't get any error message. All that happens is that when I fill in the user email and password and press "login" I get a blank "login" form again. – WouterS Jun 13 '17 at 09:35
  • Do you call `session_start();` anywhere? – Adder Jun 13 '17 at 09:36
  • @ScorpionCode: Sorry, but I wanted to put everything on here as maybe I forgot a simple ? ; or . somewhere down the line – WouterS Jun 13 '17 at 09:37
  • @Adder, yes I do. At the start of the profile.php – WouterS Jun 13 '17 at 09:38
  • It's okay, I understand. But for next time: if you forgot a `;` or `.` you would get an error message. In your login.php I see you set the session message but I don't see you echo it. Did I miss it somewhere? – Scorpion Code Jun 13 '17 at 09:38
  • @ScorpionCode I didn't echo it. I wasn't aware I needed to do this. And where do I echo the session message? – WouterS Jun 13 '17 at 09:40
  • And how does `error.php` look? It should call session_start and display the error message. – Adder Jun 13 '17 at 09:41
  • If you want to show something on the page you need to echo it (http://php.net/manual/en/function.echo.php). the line: `$_SESSION['message'] = "You have entered wrong password, try again!";` add underneath: `echo $_SESSION['message'];` – Scorpion Code Jun 13 '17 at 09:43
  • @ScorpionCode; done, now it displays the message but only when I go directly to the error.php. This doesn't fix my issue that it should come when I actually submitted a wrong password. In this case I should get automatically diverted to the error.php – WouterS Jun 13 '17 at 09:48
  • in your index.php I see the login form. I assume we are talking about that one. Remove the `action='index.php'` in the `<form>` tag and test if that gives you any results – Scorpion Code Jun 13 '17 at 09:52
  • @ScorpionCode: this doesn't do anything. Still the same results. It seems when I log in the next scripts don't get called and displayed. But I can't figure out why – WouterS Jun 13 '17 at 09:55
  • also I recommend using `` instead of `` – Scorpion Code Jun 13 '17 at 09:55
  • Use ob_start(); at top of your login.php and try – Saad Suri Jun 13 '17 at 09:59
  • Make sure you use ob_start(); at top of the page before any output buffers. – Saad Suri Jun 13 '17 at 10:02
  • 1 – add to your button in your login form `type='submit'` because at this moment it doesn't submit anything so you can't check, or you can use an input submit button – Scorpion Code Jun 13 '17 at 10:04
  • @SaadSuri doesn't do anything when I add ob_start(); at the top of my login.php – WouterS Jun 13 '17 at 10:04
  • 1 – @WouterS do it on every page. but make sure you put it on start of page before anything like – Saad Suri Jun 13 '17 at 10:05
  • @SaadSuri....Thats it!!! it works!!! Thanks a million!!! – WouterS Jun 13 '17 at 10:10
  • As mentioned by @ScorpionCode, your login button has no type defined. So how is it supposed to give a post back to the server? – Saad Suri Jun 13 '17 at 10:11
  • @WouterS Glad it works. And please define a type for the login button like type="submit", and last thing, escape_string() won't save you from SQL injection. Either use PDO or prepared statements. happy coding – Saad Suri Jun 13 '17 at 10:14
  • @SaadSuri please answer the question so he can accept it as an answer. Then other people can find it easier ;) – Scorpion Code Jun 13 '17 at 10:18
  • @ScorpionCode I was afraid of downvotes. – Saad Suri Jun 13 '17 at 10:23

1 Answer

2

Use ob_start(); before outputting anything in your script. It looks like you have become a victim of filled-up output jars.

<?php 
ob_start();
// Make sure you call ob_start() before outputting anything.
// Rest of your code
?>

Suggestions: As mentioned in the comments too, please define a type for the login button like type="submit", and, last thing, escape_string() won't save you from SQL injection. Either use PDO or prepared statements.

Saad Suri
  • Thank you very much...just a quick question about your remark concerning the use of PDO. Never used it. Is it only the escape_string() part that I need to change to PDO? – WouterS Jun 13 '17 at 10:26
  • @WouterS Please refer to this link. It has all the answers of your concerns https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php?rq=1 – Saad Suri Jun 13 '17 at 10:27
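What is actually going wrong, and what the fix looks like without ob_start(): PHP's header() can only add a header while nothing has been sent to the browser yet. In the question's index.php the `<!DOCTYPE html>` and the whole `<head>` are printed before `require 'login.php'` runs, so every `header("location: ...")` in login.php is dropped with a "headers already sent" warning (invisible when display_errors is off), the script falls through, and the page re-renders the empty login form. ob_start() papers over this by buffering the output until the script ends. The cleaner fix is to move the `if ($_SERVER['REQUEST_METHOD'] == 'POST') { ... }` block in index.php above `<!DOCTYPE html>`, directly after session_start(), and to call exit after every header() so the rest of the script does not keep running after a redirect. The following login.php is an added example, not the asker's or the answerer's code. It assumes db.php provides a mysqli connection in `$mysqli` and that the users table has the columns the page uses (email, password, first_name, last_name, active); the helper names `redirect`, `findUserByEmail` and `attemptLogin` are invented here. Beyond the redirect bug it replaces the string-built query with a prepared statement (the point the answer makes about escape_string), returns one generic failure message so the form does not reveal which email addresses are registered, and regenerates the session id on login.

```php
<?php
// Added example: hardened login.php, required from index.php BEFORE any HTML
// is output. Assumes $mysqli comes from db.php (assumption, as in the question).
declare(strict_types=1);

/**
 * Send a Location header and stop. header() only works when nothing has been
 * output yet; the exit prevents the rest of the page from running afterwards.
 */
function redirect(string $location): void
{
    header('Location: ' . $location, true, 303);
    exit;
}

/**
 * Look up a user by email with a prepared statement. The email is a bound
 * parameter, never part of the SQL text, so it cannot alter the query.
 * Returns the row as an associative array, or null if no such user exists.
 */
function findUserByEmail(mysqli $db, string $email): ?array
{
    $stmt = $db->prepare(
        'SELECT email, password, first_name, last_name, active
           FROM users WHERE email = ?'
    );
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $user = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $user ?: null;
}

/**
 * Verify the credentials and populate the session on success.
 * Unknown email and wrong password are treated identically, and
 * password_verify() runs against a dummy hash for unknown users so the
 * two failure paths take roughly the same time.
 */
function attemptLogin(mysqli $db, string $email, string $password): bool
{
    static $dummyHash = null;
    $dummyHash ??= password_hash('not-a-real-password', PASSWORD_DEFAULT);

    $user = findUserByEmail($db, $email);
    $hash = $user['password'] ?? $dummyHash;

    if ($user === null || !password_verify($password, $hash)) {
        return false;
    }

    // Fresh session id on privilege change defeats session fixation.
    session_regenerate_id(true);
    $_SESSION['email']      = $user['email'];
    $_SESSION['first_name'] = $user['first_name'];
    $_SESSION['last_name']  = $user['last_name'];
    $_SESSION['active']     = (bool) $user['active'];
    $_SESSION['logged_in']  = true;
    return true;
}

// Entry point: index.php requires this file on a POST carrying name="login".
if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}

$email    = (string) ($_POST['email'] ?? '');
$password = (string) ($_POST['password'] ?? '');

if (attemptLogin($mysqli, $email, $password)) {
    redirect('profile.php');
}

// One message for both failure cases: no user enumeration via the error page.
$_SESSION['message'] = 'Incorrect email address or password.';
redirect('error.php');
```

The same two rules apply to the other files on the page: profile.php and error.php should test `empty($_SESSION['logged_in'])` (an undefined index otherwise raises a notice) and call exit right after their header() redirect, and any session value printed into HTML (`$first_name`, `$last_name`, `$email`, `$_SESSION['message']`) should go through htmlspecialchars() so a value stored at registration time cannot inject markup into the profile page.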