
I created a login system where, after login, the user will be redirected to profile.php. In the profile.php page, the heading will say "Welcome [username]".

session.php:

<?php
// Database connection (same credentials as the rest of the site)
$connection = mysqli_connect("localhost", "root", "");
$db = mysqli_select_db($connection, "id2290767_wp");

session_start();
$user_check = isset($_SESSION['login_user']);

// Look the session user up again and expose the name to the including page
$ses_sql = mysqli_query($connection, "select name from login where name='$user_check'");
$row = mysqli_fetch_assoc($ses_sql);
$login_session = $row['name'];
if(!empty($login_session)) {
    mysqli_close($connection);
    header('Location: members.php');
}

profile.php (the one with the greeting):

<?php
include('session.php');

if(!isset($_SESSION['login_user'])){
     header("location: profile.php");
}
?>

<h1>Welcome <i><?php echo $login_session; ?></i></h1>

The signin.php included by the login form page, members.php:

<?php
session_start(); // Starting Session
$error = ''; // Variable To Store Error Message
if(isset($_POST['submit'])) {
    if(empty($_POST['username']) || empty($_POST['password'])) {
        $error = "Username or Password is invalid";
    } else {
        // Define $username and $password
        $username = $_POST['username'];
        $password = $_POST['password'];
        // Establishing Connection with Server by passing server_name, user_id and password as a parameter
        $connection = mysqli_connect("localhost", "root", "");
        // To protect MySQL injection for Security purpose
        $username = stripslashes($username);
        $password = stripslashes($password);
        $username = mysqli_real_escape_string($connection, $username);
        $password = mysqli_real_escape_string($connection, $password);
        // Selecting Database
        $db = mysqli_select_db($connection, "id2290767_wp");
        // SQL query to fetch information of registered users and find a user match.
        $query = mysqli_query($connection, "select * from login where password='$password' AND name='$username'");
        $rows = mysqli_num_rows($query);
        if($rows == 1) {
            $_SESSION['login_user'] = $username; // Initializing Session
            header("location: profile.php"); // Redirecting To Other Page
        } else {
            $error = "Username or Password is invalid";
        }
        mysqli_close($connection); // Closing Connection
    }
}

members.php:

<?php
include('signin.php'); // Includes Login Script

if(isset($_SESSION['login_user'])){
     header("location: profile.php");
}

But I get no text in the PHP page. It just says "Welcome".

What did I do wrong?

EDIT: Getting an infinite loop after changing

$user_check = isset($_SESSION['login_user']);

to

$user_check=isset($_SESSION['login_user']) ? $_SESSION['login_user'] : "";
  • [Little Bobby](http://bobby-tables.com/) says **[your script is at risk for SQL Injection Attacks](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)**. Learn about [Prepared Statements](http://en.wikipedia.org/wiki/Prepared_statement) for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even **[escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string)** is not safe! – GrumpyCrouton Aug 01 '17 at 14:41
  • Your welcome page is `members.php`? Am I right? – Alive to die - Anant Aug 01 '17 at 14:43
  • No, the welcome page is at profile.php; members.php has the signin form and redirects to profile.php if there's a session – TheRealDarkCoder Aug 01 '17 at 14:48
  • Then you have some `$_POST` or `$_GET` value on the `members.php` page, don't you (if you are coming through a login form)? – Alive to die - Anant Aug 01 '17 at 14:49
  • Added the whole code – TheRealDarkCoder Aug 01 '17 at 14:55
  • **Never store plain text passwords!** Please use **PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html)** (`password_hash()` and `password_verify()`) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). **It is not necessary** to [escape passwords](http://stackoverflow.com/q/36628418/1011527) or use any other cleansing mechanism on them before hashing. Doing so _changes_ the password and causes unnecessary additional coding. – GrumpyCrouton Aug 01 '17 at 15:01
  • Not only are you vulnerable to SQL Injection, but you are _also_ storing passwords with plain-text. I would under **no circumstance** want to use your application for any reason as you aren't even attempting to make it secure ;) – GrumpyCrouton Aug 01 '17 at 15:03
  • @GrumpyCrouton Thanks, I'm just in the process of learning now. Thanks for reminding me about security, I'll get into that later – TheRealDarkCoder Aug 01 '17 at 15:06
  • @TheZZGamerz It's incredibly easy to use both of these functions, I don't recommend putting it off at all. Learn the correct way first, instead of learning the wrong way and going back later. I recommend using PDO for prepared statements as it is also incredibly easy. – GrumpyCrouton Aug 01 '17 at 15:08
  • @TheZZGamerz: Is your problem solved? – Nana Partykar Aug 02 '17 at 09:26
  • @NanaPartykar No, still getting redirect loops – TheRealDarkCoder Aug 02 '17 at 09:34
  • In profile.php, if the session is not set, why are you redirecting to profile.php? It should go to the signin.php page @TheZZGamerz – Nana Partykar Aug 02 '17 at 09:42
  • @NanaPartykar I'm a newbie in SQL and PHP; I didn't get the answer. Also, why didn't the redirect loop occur before your code was applied? – TheRealDarkCoder Aug 02 '17 at 09:55
  • See, the redirect loop is not because of my answer. I corrected your mistake. Now it all depends on your logic and how you implemented it. Until and unless I see your full code, I can't understand the logic fully. What I found in **profile.php** is: if the session is not set, it should either go to the signin page or log out the user. @TheZZGamerz – Nana Partykar Aug 02 '17 at 09:57
  • That's the full code here. The first part is session.php; it's called from profile.php, and signin.php is included in members.php (the page with the login form). – TheRealDarkCoder Aug 02 '17 at 09:59
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/150803/discussion-between-nana-partykar-and-the-zz-gamerz). – Nana Partykar Aug 02 '17 at 10:00

1 Answer


The isset() function is used to check whether a variable is set or not.

Change

$user_check=isset($_SESSION['login_user']);

To

$user_check=isset($_SESSION['login_user']) ? $_SESSION['login_user'] : "";
Nana Partykar
  • I would mention that the problem is that OP is setting `$user_check` to true/false as that is not very clear from your answer (to a newbie developer). – GrumpyCrouton Aug 01 '17 at 14:43
  • I think it should work, but I'm stuck in an infinite redirect loop now. – TheRealDarkCoder Aug 01 '17 at 14:45
  • It will work. The infinite redirect loop is because of too many 'check session' conditions. According to your given code, this was the problem. But you need to provide more details, so that we can understand the functionality and make a few suggestions @TheZZGamerz – Nana Partykar Aug 01 '17 at 14:47
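The following is an added example, not code from the question or from the answer above. It is a rewritten session.php/signin.php pair that fixes the three things the thread identifies: `$user_check` holding the boolean from `isset()` instead of the username, the redirect loop between profile.php and members.php, and the string-built SQL plus plain-text password comparison that the comments warn about. It assumes PHP 7 or later (for `??` and `?string`), the same host, user and database name as the post, and that the `login` table has a `password_hash` column filled with `password_hash()` output at registration; that column name is an assumption, not something the post shows.

```php
<?php
// Added example, not code from the question or the answer: a corrected
// session.php/signin.php pair for the three problems raised in the thread.
// Assumptions: same host/user/database as the post, and a table
// `login(name VARCHAR, password_hash VARCHAR)` whose password_hash column
// holds password_hash() output (the column name is an assumption).
declare(strict_types=1);

session_start();

function db(): mysqli
{
    // Throw on SQL errors instead of returning false and failing later.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    return new mysqli('localhost', 'root', '', 'id2290767_wp');
}

// Fix 1: the original stored isset()'s *boolean* in $user_check, so the
// query searched for name='1' (or ''). Read the value itself and treat a
// missing or empty value as "not logged in". No DB round-trip is needed:
// the session is server-side state, so the name stored at login is trusted.
function currentUser(): ?string
{
    $name = $_SESSION['login_user'] ?? '';
    return $name === '' ? null : $name;
}

// Fix 2: a protected page must send anonymous users to the *login* page,
// not to itself (profile.php -> profile.php) and not to a page that bounces
// logged-in users back (members.php -> profile.php -> members.php ...),
// and it must stop executing after sending the redirect header.
function requireLogin(): string
{
    $user = currentUser();
    if ($user === null) {
        header('Location: members.php');
        exit;
    }
    return $user;
}

// Fix 3: no string-built SQL and no plain-text passwords. The username is
// bound as a parameter; the password is only ever compared against a hash.
function attemptLogin(mysqli $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM login WHERE name = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    // Run password_verify() even for unknown names so the response time
    // does not reveal which usernames exist.
    $hash = $row['password_hash'] ?? password_hash('dummy', PASSWORD_DEFAULT);
    if ($row === null || !password_verify($password, $hash)) {
        return false;
    }
    session_regenerate_id(true);          // new session ID after login
    $_SESSION['login_user'] = $username;
    return true;
}

// The greeting: escape the name, since it is user-controlled and lands in HTML.
function welcomeHeading(string $user): string
{
    return '<h1>Welcome <i>' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8') . '</i></h1>';
}

// Usage in the handler that members.php includes (signin.php):
//   if ($_SERVER['REQUEST_METHOD'] === 'POST') {
//       if (attemptLogin(db(), $_POST['username'] ?? '', $_POST['password'] ?? '')) {
//           header('Location: profile.php'); exit;
//       }
//       $error = 'Username or Password is invalid';
//   }
// and at the top of profile.php:
//   require 'session.php'; $login_session = requireLogin();
//   echo welcomeHeading($login_session);
```

With this layout there is exactly one redirect in each direction: members.php sends an already logged-in user to profile.php, and profile.php sends an anonymous user to members.php, so neither page can bounce back to the other. Registration has to store `password_hash($password, PASSWORD_DEFAULT)` in the assumed `password_hash` column; as the comments note, the `stripslashes()` and `mysqli_real_escape_string()` calls on the password become unnecessary, because the password never reaches the query.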