I have a login form (index.php) which allows students to access their portal. The students' registration number and password are then checked if inserted (login.php), and processing proceeds to a class (StudentLogin.php) which will then allow the students to access their portal if the credentials match the ones in the database. On entering the correct credentials, the process doesn't proceed to stud_page.php. I would appreciate any help on this because I don't understand what is happening.

Below is the index.php:

<?php
//Start session
if(!isset($_SESSION)) { session_start(); }

unset($_SESSION['ID']);
unset($_SESSION['REG_NUM']);
?>
<!DOCTYPE HTML>
<html lang="en-US">
<head>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Portal System</title>
    <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/css/bootstrap.min.css">
    <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js"></script>
    <script src="https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/js/bootstrap.min.js"></script>
    <link rel="stylesheet" href="static/css/bootstrap.min.css">
    <link rel="stylesheet" href="static/css/style.css">
    <!-- <link rel="stylesheet" href="static/css/style.css"/> -->

</head>
<body>

<!-- Header -->
<nav class="navbar navbar-fixed-top" style="background-color: green;" role="navigation">
    <div class="container">
        <!-- Brand and toggle get grouped for better mobile display -->
        <div class="navbar-header">
            <button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#bs-example-navbar-collapse-1" aria-expanded="false">
                <span class="sr-only">Toggle navigation</span>
                <span class="icon-bar"></span>
                <span class="icon-bar"></span>
                <span class="icon-bar"></span>
            </button>
            <a class="navbar-brand" href="index.php">portal</a>
        </div>

    </div><!-- /.container-fluid -->
</nav>
<!-- End Header -->



<div class="background">
  <div class="container">
    <div class="jumbotron bg-success text-warning">
      <h1 class="text-center">portal</h1>
      <h3 class="text-center"> Welcome to The Portal.</h3>
    </div>
  </div>

<div class="container">
    <div class="row">
        <div class="col-md-4 col-sm-offset-4">
            <div class="login-con">
                <h3>Student Log-in</h3><hr>
                <?php
                if(isset($_SESSION['ERROR_MSG_ARRAY']) && is_array($_SESSION['ERROR_MSG_ARRAY']) && COUNT($_SESSION['ERROR_MSG_ARRAY']) > 0) {
                    foreach($_SESSION['ERROR_MSG_ARRAY'] as $msg) {
                        echo "<div class='alert alert-danger'>";
                        echo $msg;
                        echo "</div>";
                    }
                    unset($_SESSION['ERROR_MSG_ARRAY']);
                }
                ?>
                <form action="process/login.php"  method="POST" role="form">
                    <div class="form-group has-warning has-feedback">
                        <label for="reg_num">Registration Number</label>
                        <input type="text" name="reg_num" id="reg_num" class="form-control" autocomplete="off" placeholder="Registration Number">
                        <span class="glyphicon glyphicon-user form-control-feedback"></span>
                    </div>
                    <div class="form-group has-warning has-feedback">
                        <label>Password</label>
                        <input id="password" type="password" autocomplete="off" class="form-control" placeholder="Password" name="password">
                        <span class="glyphicon glyphicon-lock form-control-feedback"></span>
                    </div>
                        <button type="submit" onclick="showSomeMessage()" name="submit" class="btn btn-info">Submit</button>
                </form>
            </div>
        </div>
    </div>
</div>
</div>

login.php below:

      <?php

    require("../admin/database.php");
    require("../class/StudentLogin.php");

    if(isset($_POST['submit'])){
      $regnum = trim($_POST['regnumber']);
      $password = trim($_POST['password']);

      $loginStud = new StudentLogin($reg_num, $password);
      $rtnlogin = $loginStud->Studlogin();
    }

    $conn->close();

    ?>

Then the StudentLogin class is:

    <?php

class StudentLogin
{
  private $_regnumber;
  private $_password;

  public function __construct($c_reg_num, $c_password){
    $this->_regnumber = $c_reg_num;
    $this->_password = $c_password;
  }

  public function StudLogin(){
    global $conn;
    //  starting session
    session_start();
     // validate errors
    $error_msg_array = array();
    // error msg
    $error_msg = FALSE;

    if($this->_reg_num == ""){
      $error_msg_array[] = "Please input your Registration Number";
      $error_msg = TRUE;
    }
    if($this->_password == ""){
      $error_msg_array[] = "Please input your password";
      $error_msg = TRUE;
    }
    if($error_msg){
      $_SESSION['ERROR_MSG_ARR'] = $error_msg_array;
      header("location: http://localhost/project/index.php");
      exit();
    }
    $sql = "SELECT * FROM students WHERE regnumber ='$reg_num' AND password ='$password' LIMIT 1";
    if(!$stmt = $conn->prepare($sql)){
      echo $stmt->error;
    } else {
      $stmt->bind_param("ss", $this->_reg_num, $this->_password);
      $stmt->execute();
      $result = $stmt->get_result();
    }
    if($result->num_rows > 0) {
       // login successful
      $row = $result->fetch_assoc();

      // session creation
      session_regenerate_id();
      $_SESSION['reg_num'] = $row["regnunmber"];
      $_SESSION['name'] = $row["name"];
      session_write_close();
      header("location: http://localhost/project/stud_page.php");

    } else {
       // Login failed
      $error_msg_array[] = "The Registration Number and Password you entered is incorrect.";
      $error_msg = TRUE;
      if($error_msg) {
        $_SESSION['ERROR_MSG_ARR'] = $error_msg_array;
        header("location: http://localhost/project/index.php");
        exit();
      }
      $stmt->free_result();
    }
    $result->free();
    return $result;
  }
}
?>

MySQL database, table students contains the following columns:

$sql="INSERT INTO `students`(`name`, `education`, `regnumber`, `nationality`, `gender`, `phone`, `photo`, `branch`,`password`)
                  VALUES ('$name','$education','$reg_num','$nationality','$gender','$phone','$target_file','$branch','$ency_pass')";
  • Your query is as secure as a bank made from glass. Please protect yourself and your users by [preparing](http://php.net/manual/en/mysqli.prepare.php) those statements! – IsThisJavascript May 15 '18 at 14:41
  • For one thing, your code is wide open to SQL injection. Aside from that, where specifically is this failing? When you debug, where does the code first do something unexpected? What did it do? What were you expecting it to do? Why? – David May 15 '18 at 14:42
  • Well, OP is using prepare, but never binding any variables, not to mention they store passwords in plaintext, this project is awful from a security perspective – Zachary Craig May 15 '18 at 14:43
  • How should I prepare? I'm willing to learn. – Denny Waitley May 15 '18 at 14:43
  • You must replace your variables with `?` instead of stuff like `$password` that way you have a placeholder. You should re-read the manual page and look at the examples then look at your query code. – IsThisJavascript May 15 '18 at 14:44
  • I also feel like now is a suitable time to mention that `global $conn;` is bad practice. You should pass the `$conn` in your class constructor. – IsThisJavascript May 15 '18 at 14:45
  • Storing passwords as plain text is never fun. However, PHP made something real simple for us and it's called [password_hash](https://stackoverflow.com/questions/30279321/how-to-use-password-hash) you should definitely check it out – IsThisJavascript May 15 '18 at 14:46
  • @David the login(index.php) is supposed to proceed to the stud_page.php when the correct credentials are entered. On entering the correct credentials, it doesn't proceed to the stud_page.php. What should I do? – Denny Waitley May 15 '18 at 14:46
  • @DennyWaitley: You should debug. If you have an IDE with debugging tools that allows you to step through the code as it's executing, that's the best approach. Failing that, you could add a variety of statements throughout your `StudLogin` function to output useful information so you can get visibility into what's happening. What the code is doing, what logical paths it takes, where it stops, what the runtime values of your variables are, etc. Also ensure you've turned on all error reporting and are checking your PHP logs for errors and warnings. – David May 15 '18 at 14:49
  • @IsThisJavascript I have used md5 to encrypt my passwords – Denny Waitley May 15 '18 at 14:52
  • @David any debugger you can recommend me to use? or kindly show me the specific areas to change. – Denny Waitley May 15 '18 at 14:53
  • @DennyWaitley the correct term is that you've hashed the password with MD5. And this is not secure at all. Please may I direct you to: https://security.stackexchange.com/questions/19906/is-md5-considered-insecure – IsThisJavascript May 15 '18 at 14:53
  • Denny, your page doesn't work because you're running a `$stmt->bind_param` on a prepared statement that has no placeholders (placeholders in mysqli look like: `?`). Please, as stated previously, look at how you're constructing the queries compared to the manual found at: http://php.net/manual/en/mysqli.prepare.php – IsThisJavascript May 15 '18 at 14:55
  • @IsThisJavascript thank you, right away. I am grateful for your enlightening. – Denny Waitley May 15 '18 at 14:56
  • @IsThisJavascript kindly point me the exact point at my code. – Denny Waitley May 15 '18 at 15:00
  • This -> `$sql = "SELECT * FROM students WHERE regnumber ='$reg_num' AND password ='$password' LIMIT 1";` – IsThisJavascript May 15 '18 at 15:02
  • @IsThisJavascript the query won't still work even after placing the placeholders. – Denny Waitley May 16 '18 at 10:12
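
The changes the comments above ask for (a `?` placeholder, the connection passed to the constructor, `password_hash` instead of MD5), as an added example that is not part of the original thread or any poster's code. The class name `StudentAuthenticator` is hypothetical, and the code assumes the `students` table from the question with the `password` column widened to `VARCHAR(255)` and existing rows holding lowercase hex `md5()` output.

```php
<?php
declare(strict_types=1);

// Added example (hypothetical class name), not the asker's code. Assumes the
// `students` table from the question, with `password` widened to VARCHAR(255),
// and that legacy rows hold lowercase hex md5() output as the asker describes.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors

final class StudentAuthenticator
{
    private $conn;

    // Connection is injected instead of pulled in with `global $conn`.
    public function __construct(mysqli $conn) { $this->conn = $conn; }

    /** Returns ['regnumber' => ..., 'name' => ...] on success, null otherwise. */
    public function verify(string $regNum, string $password): ?array
    {
        // The `?` placeholder keeps $regNum out of the SQL text entirely.
        $stmt = $this->conn->prepare(
            'SELECT regnumber, name, password FROM students WHERE regnumber = ? LIMIT 1'
        );
        $stmt->bind_param('s', $regNum);
        $stmt->execute();
        $row = $stmt->get_result()->fetch_assoc();
        $stmt->close();
        if (!$row) {
            return null; // unknown registration number
        }

        // The password is compared in PHP, never inside the WHERE clause.
        $stored = (string) $row['password'];
        $ok = password_verify($password, $stored);
        $legacy = !$ok && strlen($stored) === 32 && hash_equals($stored, md5($password));
        if (!$ok && !$legacy) {
            return null;
        }
        // Upgrade legacy MD5 rows (or outdated cost settings) on successful login.
        if ($legacy || password_needs_rehash($stored, PASSWORD_DEFAULT)) {
            $new = password_hash($password, PASSWORD_DEFAULT);
            $upd = $this->conn->prepare('UPDATE students SET password = ? WHERE regnumber = ?');
            $upd->bind_param('ss', $new, $regNum);
            $upd->execute();
            $upd->close();
        }
        return ['regnumber' => $row['regnumber'], 'name' => $row['name']];
    }
}
```

In `process/login.php`, pass the posted `reg_num` and `password` fields to `verify()`; on a non-null result call `session_regenerate_id(true)`, set the session keys, send the `Location` header and `exit`.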

1 Answer

-2

You have validation on login.php, which is not loaded before the form is sent. And if you can, I would recommend using dibi, because this work with the database is not properly right and can cause some problems if you are going to use it in production: https://dibiphp.com/en/

Pantherax