0

I'm creating a system that the header will show 'login' if the user is not logged in, and if they are, it'll display logout. I've simplified it for now, just showing if the user is logged in or not. With "Login!" meaning they need to login, and "Welcome!" if they are logged in. I used the PHP Code Checker website (https://phpcodechecker.com/) and it couldn't find any errors. I also searched stackoverflow, and everyone else's seems to work.

  <?php
  ob_start();
  session_start();
  require_once 'dbconnect.php';
  if( !isset($_SESSION['user']) ) {
  echo "Login!";
  } else {
  echo "Welcome!";
  }
  ?>

is the code that checks if the user is logged in or not.

My login page works for EVERYTHING else, for my homepage is shows that the user is logged in, but here is the code anyway. (This is only the PHP code, there is HTML for the submit button, ect.)

  <?php
  ob_start();
  session_start();
  require_once 'dbconnect.php';

  // it will never let you open index(login) page if session is set
  if ( isset($_SESSION['user'])!="" ) {
  header("Location: index.php");
  exit;
  }

  $error = false;

  if( isset($_POST['btn-login']) ) { 

  // prevent sql injections/ clear user invalid inputs
  $email = trim($_POST['email']);
  $email = strip_tags($email);
  $email = htmlspecialchars($email);

  $name = trim($_POST['name']);
  $name = strip_tags($name);
  $name = htmlspecialchars($name);


  $pass = trim($_POST['pass']);
  $pass = strip_tags($pass);
  $pass = htmlspecialchars($pass);
  // prevent sql injections / clear user invalid inputs

  if(empty($name)){
  $error = true;
  $nameError = "Please enter your username.";
  }

  if(empty($pass)){
  $error = true;
  $passError = "Please enter your password.";
  }

  // if there's no error, continue to login
  if (!$error) {

  $password = hash('sha256', $pass); // password hashing using SHA256

  $res=mysql_query("SELECT userId, userEmail, userPass FROM users WHERE 
  userName='$name'");
  $row=mysql_fetch_array($res);
  $count = mysql_num_rows($res); // if email/pass correct it returns must be 
  1 row

  if( $count == 1 && $row['userPass']==$password ) {
  $_SESSION['user'] = $row['userId'];
  header("Location: dashboard.php");
  } else {
  $errMSG = "Incorrect Credentials, Try again...";
  }

  }

  }
  ?>

It connects to the database fine, and i'm certain there is no problems with the database, since it works on my other pages.

I've spent a long-while trying to figure this out, and can't.

Thanks!

Glacierious
  • 25
  • 4
  • ***Please [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php).*** [These extensions](http://php.net/manual/en/migration70.removed-exts-sapis.php) have been removed in PHP 7. Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [PDO](http://php.net/manual/en/pdo.prepared-statements.php) and [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and consider using PDO, [it's really pretty easy](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Jul 03 '17 at 21:15
  • Please use ***PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html)*** to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). ***It is not necessary to [escape passwords](http://stackoverflow.com/q/36628418/1011527)*** or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Jul 03 '17 at 21:15
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)***. Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Jul 03 '17 at 21:15
  • @JayBlanchard I'll fix this, thank you. – Glacierious Jul 03 '17 at 21:24

1 Answers1

0

In your code

if ( isset($_SESSION['user'])!="" ) {

you are comparing true|false != ""

change it to if (isset($_SESSION['user'])) {
or if (isset($_SESSION['user']) && ($_SESSION['user']!="")) {

lkdhruw
  • 572
  • 1
  • 7
  • 22