
I have a little problem with my PHP function. I've spent quite a lot of time trying to find the mistake, unsuccessfully. Since I'm pretty new to more "complex" PHP programming, I might just be missing the mistake.

Short explanation.

I've created a function (which is written in the header.php) to insert user activities into my database. The code is as follows:

```php
function userLog($type, $information){

    include_once 'inc/dbconnect.inc.php';

    // Each ternary is parenthesised because "." binds tighter than "?:"
    $types = array("signup" => "",
                   "login" => "",
                   "logout_manual" => "",
                   "password_change" => "",
                   "password_reset_sendMail" => "Sent to: '".(isset($information['mail']) ? $information['mail'] : "")."'",
                   "password_reset_setNew" => "",
                   "mail_change_sendMail" => "Sent to: '".(isset($information['mail']) ? $information['mail'] : "")."'",
                   "mail_change_verify" => "Changed from ".(isset($information['old_mail']) ? $information['old_mail'] : "")." to ".(isset($information['mail']) ? $information['mail'] : ""));

    $user_uid = $_SESSION['u_uid'];
    $action = $type;
    $description = $types[$type];
    $date = date("Y-m-d H:i:s");
    $browser  = $_SERVER['HTTP_USER_AGENT'];

    $sql = "INSERT INTO userlogs (userlog_user_uid, userlog_action, userlog_action_description, userlog_date, userlog_browser) VALUES ('$user_uid', '$action', '$description', '$date', '$browser')";
    mysqli_query($conn, $sql);

}
```

Now I want to call the function in my login script, if the user is successfully logged in. It looks like this:

```php
if (isset($_POST['login_submit'])) {

    include_once 'inc/dbconnect.inc.php';

    $uid = mysqli_real_escape_string($conn, $_POST['uid']);
    $pwd = mysqli_real_escape_string($conn, $_POST['pwd']);

    $_SESSION['inputs'] = array("uid" => $_POST['uid']);

    //Check if inputs are empty
    if (empty($uid) || empty($pwd)) {
        $_SESSION['error'] = array("Bitte alle Felder ausfüllen!");
        header("Location: ".$_SERVER['HTTP_REFERER']);
        exit();
    } else {
        $sql = "SELECT * FROM users WHERE user_uid='$uid' OR user_mail='$uid'";
        $result = mysqli_query($conn, $sql);
        $resultCheck = mysqli_num_rows($result);

        if ($resultCheck < 1) {
            $_SESSION['error'] = array("Benutzername/E-Mail und/oder Passwort sind falsch!");
            header("Location: ".$_SERVER['HTTP_REFERER']);
            exit();
        } else {
            while ($row = mysqli_fetch_assoc($result)) {
                //Verify the password against the stored hash
                $hashedPwdCheck = password_verify($pwd, $row['user_pwd']);
                if ($hashedPwdCheck == false) {
                    $_SESSION['error'] = array("Benutzername/E-Mail und/oder Passwort sind falsch!");
                    header("Location: ".$_SERVER['HTTP_REFERER']);
                    exit();
                } elseif ($hashedPwdCheck == true) {
                    //Log in the user here
                    $_SESSION['u_id'] = $row['user_id'];
                    $_SESSION['u_uid'] = $row['user_uid'];
                    $_SESSION['u_email'] = $row['user_email'];

                    $information = array();
                    userLog("login", $information);

                    header("Location: ".$root."index/index");
                    exit();
                } else {
                    $_SESSION['error'] = array("Benutzername/E-Mail und/oder Passwort sind falsch!");
                    header("Location: ".$_SERVER['HTTP_REFERER']);
                    exit();
                }
            }
        }
    }
} else {
    header("Location: ".$root."account/login");
    exit();
}
```

Here comes the "weird" thing. My function is working if I call it in the logout form-action script.

```php
if (isset($_POST['logout_submit'])) {

    $information = array();
    userLog("logout_manual", $information);

    session_unset();
    session_destroy();
    header("Location: ".$root);
    exit();
}
```

So my function actually works fine. But it only works from the logout script. If I want to call it in my login script and also my signup script, it doesn't work. I also tried to declare the function in the login script itself, instead of the header.php, but it didn't work either. So I think, according to this information, the mistake is somewhere in my login/signup scripts, but I can't find it.

Maybe some of you guys have an idea.

Seba M
  • check if `$information` exists or not, the best way for debugging in php is `var_dump($variable)` for example: `var_dump($information)` – Amir Fo Aug 21 '17 at 19:03
  • I've tried to leave out `$information` completely. It didn't work either. – Seba M Aug 21 '17 at 19:07
  • every time you call `userLog()` the variable `$information` is reset right before, so it's always going to be empty. Also your script is **vulnerable to SQL injection attacks**: consider using [prepared statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and read on [how to prevent SQL injection](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – William Perron Aug 21 '17 at 19:13
  • In these scripts it's intentional that `$information` is empty, because I don't need to store information in this case. I already thought about doing prepared statements, but isn't `mysqli_real_escape_string` enough to avoid SQL injection? – Seba M Aug 21 '17 at 19:19
  • @SebaM [unfortunately no](https://stackoverflow.com/questions/4171115/is-mysql-real-escape-string-enough-to-anti-sql-injection?lq=1), using prepared statements is really the way to go (or maybe even using a full-fledged ORM but that's on a whole other level and probably overkill for the scope of this question) – William Perron Aug 21 '17 at 19:44
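
The prepared-statement approach recommended in the comments, applied to the question's `userLog()` as an added example (not code from the original post or its commenters). The names `buildLogDescription` and `userLogPrepared` are hypothetical; passing `$conn` in as a parameter, so the function does not rely on `include_once` running inside its own scope, and the 255-character cap are assumptions.

```php
<?php
// Added example. Assumes $conn is an open mysqli connection supplied by the caller,
// a started session, and the userlogs columns shown in the question.
function buildLogDescription(string $type, array $information): ?string
{
    $mail    = $information['mail'] ?? '';
    $oldMail = $information['old_mail'] ?? '';
    $types = [
        'signup'                  => '',
        'login'                   => '',
        'logout_manual'           => '',
        'password_change'         => '',
        'password_reset_sendMail' => "Sent to: '" . $mail . "'",
        'password_reset_setNew'   => '',
        'mail_change_sendMail'    => "Sent to: '" . $mail . "'",
        'mail_change_verify'      => 'Changed from ' . $oldMail . ' to ' . $mail,
    ];
    // Unknown action types yield null so the caller can refuse to log them.
    return $types[$type] ?? null;
}

function userLogPrepared(mysqli $conn, string $type, array $information = []): bool
{
    $description = buildLogDescription($type, $information);
    if ($description === null || !isset($_SESSION['u_uid'])) {
        return false;
    }
    $userUid = (string) $_SESSION['u_uid'];
    $date    = date('Y-m-d H:i:s');
    // User-Agent is client-supplied; 255 is an assumed column width, not from the page.
    $browser = substr($_SERVER['HTTP_USER_AGENT'] ?? '', 0, 255);
    // Placeholders keep every value out of the SQL text, whatever characters it holds.
    $stmt = $conn->prepare(
        'INSERT INTO userlogs (userlog_user_uid, userlog_action,
             userlog_action_description, userlog_date, userlog_browser)
         VALUES (?, ?, ?, ?, ?)'
    );
    if ($stmt === false) {
        error_log('userLog prepare failed: ' . $conn->error);
        return false;
    }
    $stmt->bind_param('sssss', $userUid, $type, $description, $date, $browser);
    $ok = $stmt->execute();
    if (!$ok) {
        error_log('userLog insert failed: ' . $stmt->error);
    }
    $stmt->close();
    return $ok;
}
```

A caller that has already included the connection file would invoke it as `userLogPrepared($conn, 'login');` once `$_SESSION['u_uid']` is set.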
