-2

I have some code and there is a problem. It's a login form that checks the user and pass, and if they are OK it creates a session. In another page, it checks if the session login is the opposite of true or not. If it is true, it will log in. The problem is that when the user wants to log in, s/he needs to submit the login form 2 times before s/he can enter the site. What is the problem?

```html
<form method="post" attribute="post" action="test.php">
<p>Username<br/>
<input type="text" id="user" name="user" class="form-control" required></p>
<p>Password<br/>
<input type="text" id="pass" name="pass" class="form-control" required></p>
<p></p>
<button type="submit" name="sub2" id="sub" value="sub" class="btn btn-default btn-block">Login</button>
</form>
```

```php
<?PHP
    include 'config.php';
    $user = $_POST["user"];
    $pass=$_POST["pass"];

    if (isset($_POST['user']) and isset($_POST['pass']))
    {
        $conn = new mysqli($servername, $username, $password, $dbname);
        $result = $link->query("SELECT user FROM users2 WHERE user = '$user'");
        $userpass = $link->query("SELECT pass FROM users2 WHERE user = '$user'");
        $row = $userpass->fetch_assoc();
        $userpasss = $row["pass"];
        if($result->num_rows == 1 and $pass == $userpasss)
        {
            session_start();
            $_SESSION["login"] = true;
            $_SESSION["username"] = "$user";
            echo "hello";
        }
    }
?>
```

```php
<?PHP
    session_start();
    echo $_SESSION["login"];
    echo $_SESSION["username"];
?>
```

Any help appreciated. Thank you, warm regards.

IncredibleHat
Mahdi 1
  • You have output before `session_start()`. Now turn on errors, so you can debug properly. Then fix the SQL injection issue –  Dec 17 '17 at 21:12
  • Please be aware that your code is **vulnerable** to [**SQL injection**](https://en.wikipedia.org/wiki/SQL_injection). You should use [**prepared statements**](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) to prevent this. Also ensure that your database user only has the [**required privileges**](https://en.wikipedia.org/wiki/Principle_of_least_privilege). You can refer to [**this post**](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) for further information on how to prevent SQL injection in PHP :) – Obsidian Age Dec 17 '17 at 21:14
  • Also, your variable `$userpasss` is not the same as your variable `$userpass`. And I really hope you're not storing your passwords in plaintext, which would seem to be the case based on your conditional. – Obsidian Age Dec 17 '17 at 21:16
  • Thanks for all your comments. $userpasss = $row["pass"];. $userpasss is the variable that has user password. This is a simple version I use. I just wanted to find the error – Mahdi 1 Dec 17 '17 at 21:20
  • why are you running this with 2 queries? you can do this in one. – Funk Forty Niner Dec 17 '17 at 21:25

1 Answer

-1

Try this code:

```php
$_SESSION["username"] = $user;
```

It should work

A.Hakan
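
The comments on the question point to three issues: output sent before `session_start()`, SQL built by string concatenation, and a plaintext password comparison done with two queries. The following is an added example, not code from any of the posts, showing a login handler that addresses all three. Assumptions: the file names `login.php` and `members.php` are hypothetical, `config.php` defines the four connection variables used in the question, and the `pass` column holds a `password_hash()` value rather than plaintext.

```php
<?php
// Added example. login.php and members.php are hypothetical file names.
session_start();                        // runs before any byte of output
require 'config.php';                   // assumed: $servername, $username, $password, $dbname

$error = null;
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Reject array-valued fields so only strings reach the query.
    $user = is_string($_POST['user'] ?? null) ? $_POST['user'] : '';
    $pass = is_string($_POST['pass'] ?? null) ? $_POST['pass'] : '';

    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    $conn = new mysqli($servername, $username, $password, $dbname);

    // One parameterised query: the user name is bound, never concatenated.
    $stmt = $conn->prepare('SELECT pass FROM users2 WHERE user = ?');
    $stmt->bind_param('s', $user);
    $stmt->execute();
    $stmt->bind_result($hash);
    $found = $stmt->fetch();            // true only when a row was returned
    $stmt->close();

    // Assumed: users2.pass stores a password_hash() value, not plaintext.
    if ($found === true && password_verify($pass, $hash)) {
        session_regenerate_id(true);    // fresh session id after authentication
        $_SESSION['login'] = true;
        $_SESSION['username'] = $user;
        header('Location: members.php'); // headers still unsent, so this works
        exit;
    }
    $error = 'Invalid user name or password.';
}
?>
<?php if ($error !== null): ?>
<p><?= htmlspecialchars($error, ENT_QUOTES, 'UTF-8') ?></p>
<?php endif; ?>
<form method="post" action="login.php">
<p>Username<br/>
<input type="text" name="user" required></p>
<p>Password<br/>
<input type="password" name="pass" required></p>
<button type="submit">Login</button>
</form>
```

The protected page then calls `session_start()` as its first statement and checks `$_SESSION['login'] === true` before rendering anything.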