0

I need a login script in PHP and wrote this (see script below), but the form is not sending the variables from the input fields to the same file through the URL (with GET or POST).

```php
<?php
session_start();
$admin=true;

function controle($uname, $pword, $admin){

    $datatable = "my_table";
    $servername = 'localhost';
    $username = 'admin';
    $password = '1234';
    $database = 'myDB';

    //Create connection
    $con = mysqli_connect($servername, $username, $password, $database);

    if ($con == false){
        die("STATUS: Error: ".mysqli_error_connect());
    }

    if ($admin == true){
        $sql = "SELECT * FROM ".$datatable;
    }
    $result = mysqli_query($con,$sql);
    $rows=mysqli_fetch_assoc($result);

    $sql2 = "SELECT COUNT(*) AS total FROM ".$datatable;
    $result = mysqli_query($con,$sql2);

    $row2 = $result->fetch_row();
    $total_records = $row2[0];

    if ($total_records > 0){

        $gebruikersnaam = $rows['username'];
        $wachtwoord = $rows['password'];
        if ($pword != $wachtwoord){
            return false;
        } else {
            return $gebruikersnaam;
        }
    } else {
        return false;
    }
}

// Check name and password
if (isset($_POST['verzonden'])){
    $username = $_POST['username'];
    $password = md5($_POST['wachtwoord']);
    $login_ok = controle($username, $password, $admin);
    if (login_ok != false){
        //correct
        $_SESSION['username'] = $username;
        $_SESSION['password'] = $password;
    }
}
if (controle($_SESSION['username'], $_SESSION['wachtwoord'], $admin) == false) {
    echo "<form method='post' action='".$_SERVER['PHP_SELF']."?";
    reset($_GET); // put the array pointer to 0 when starting
    // Send the variables again
    while($getvar = each($_GET)){
        $varName = $getvar['key'];
        $varValue = $getvar['value'];
        echo "$varName=$varValue&";
    }

    echo "'><br><br>";
    echo "Name: ";
    echo "<input type='text' name='username'>";
    echo "<br>";
    echo "Password: ";
    echo "<input type='text' name='wachtwoord'>";
    echo "<br>";
    echo "<input type='submit' value='log in' name='verzonden'>";
    echo "</form>";
    if ($admin == "true"){
        echo "<p>-- ADMIN status is vereist!";
    }
    exit;
}
?>
```

But it seems that the form is not sending anything. I was expecting something like:

authentication.php?username=MYNAME&wachtwoord=4321

The connection with my database is ok, I can read the variables from there. I have no idea why my form is not sending the variables. I got just "authentication.php?"

1 Answer

2

You are mixing up $_GET and $_POST. Your form is using $_POST but you are looking for $_GET variables.

I have changed your code so that it works properly. I have left some var_dump lines in if you would like to debug and see what is going on throughout the process.

I have set your database connection to be global so that you only connect once and you can access it again whenever you need to. I have changed your GET to POST. I have made it show when you are logged in or when you need to log in. I have built a log out section for you as well.

```php
<?php
session_start();
$admin=true;

$datatable = "my_table";
$servername = 'localhost';
$username = 'nick';
$password = 'nickd18';
$database = 'test';

// show session variables for debugging
var_dump($_SESSION);

// you may want to destroy session variables at some point when debugging (should be a log out but we can use this line for now)
if (isset($_GET['logout']) && $_GET['logout'] == '1') {
    session_destroy();
    $login = "http://".$_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF'];
    header('Location: '.$login);
    exit;
}


//Create connection
global $con;
$con = mysqli_connect($servername, $username, $password, $database);

if ($con == false){
    die("STATUS: Error: ".mysqli_connect_error());
}


function check_login($uname, $pword, $admin){
    global $con;
    // user input is interpolated into the SQL string as-is (no escaping or prepared statement)
    $sql = "SELECT * FROM `my_table` WHERE `username` = '$uname' AND `password` = '$pword' LIMIT 1";
    //var_dump($sql);
    $result = mysqli_query($con,$sql);
    //var_dump($result);
    $rows=mysqli_fetch_assoc($result);
    if ($rows) {
        /* successful login */
        return true;
    }  else {
        /* failed login */
        return false;
    }
}

// Check name and password
if (isset($_POST['verzonden'])){
    //var_dump($_POST);
    $username = $_POST['username'];
    $password = md5($_POST['wachtwoord']);
    $login_ok = check_login($username, $password, $admin);
    if ($login_ok != false){
        //correct
        $_SESSION['username'] = $username;
        $_SESSION['password'] = $password;
    }
}
if (empty($_SESSION['username'])) {
    echo "<h2>You are not logged in</h2>";
    echo "<form method='post' action='".$_SERVER['PHP_SELF']."?";

    echo "'><br><br>";
    echo "Name: ";
    echo "<input type='text' name='username'>";
    echo "<br>";
    echo "Password: ";
    echo "<input type='text' name='wachtwoord'>";
    echo "<br>";
    echo "<input type='submit' value='log in' name='verzonden'>";
    echo "</form>";
    if ($admin == "true"){
        echo "<p>-- ADMIN status is vereist!";
    }
    exit;
} else {
    echo "<h1>You are logged in as ".$_SESSION['username']."</h1>";
    echo "<p><a href='?logout=1'>Log out</a>";
}
?>
```
Nick Duncan
  • There's still a lot that needs to be done with this (sanitization, better db handling, etc) before it is ready to go live on a site but this is a good start. – Nick Duncan Aug 26 '18 at 08:09
  • Can you help me with that (sanitization, db handling,..)? No idea what you mean or what I have to do – Werbrouck Bram Aug 26 '18 at 09:01
  • See https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php for one. Avoid the use of `global` variables (pass them as an argument to the function instead). Usage of `$_SERVER['PHP_SELF']` is not recommended to send the form's action. – Qirel Aug 26 '18 at 09:32
  • I was planning to use a global variable on another page to see if you are logged in (something like if $admin == true), but if you say that’s not a great idea, how should I check on another page if you are logged in? – Werbrouck Bram Aug 26 '18 at 10:27
  • Qirel, I gave him a base to work off. The code works and he can move forward now. – Nick Duncan Aug 26 '18 at 11:05
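
Added example (not part of the original thread), following the points raised in the comments above: a prepared statement instead of string-built SQL, the connection passed as an argument rather than `global`, no `$_SERVER['PHP_SELF']` in the form, and a session check that other pages can reuse. It assumes `my_table`.`password` holds `password_hash()` output rather than an MD5 digest; `DB_USER`, `DB_PASSWORD` and `DB_NAME` are placeholders, and `is_logged_in()` is a hypothetical helper name.

```php
<?php
// Added example, not code from the thread. Assumes `my_table`.`password`
// stores password_hash() output; connection details are placeholders.
session_start();

// The connection is passed in as an argument instead of using `global`.
function check_login(mysqli $con, string $uname, string $pword): bool
{
    // Prepared statement: $uname is bound as data and never parsed as SQL.
    $stmt = $con->prepare('SELECT `password` FROM `my_table` WHERE `username` = ? LIMIT 1');
    $stmt->bind_param('s', $uname);
    $stmt->execute();
    $stmt->bind_result($hash);
    $found = $stmt->fetch();   // true when a row exists, null when none
    $stmt->close();
    // password_verify() replaces the md5() string comparison.
    return $found === true && password_verify($pword, (string) $hash);
}

// Any other page can call this instead of reading a global $admin flag.
function is_logged_in(): bool
{
    return !empty($_SESSION['username']);
}

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors
$con = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');

if (isset($_POST['verzonden'], $_POST['username'], $_POST['wachtwoord'])
    && is_string($_POST['username']) && is_string($_POST['wachtwoord'])
    && check_login($con, $_POST['username'], $_POST['wachtwoord'])) {
    session_regenerate_id(true);                 // new session ID after login
    $_SESSION['username'] = $_POST['username'];  // no password kept in the session
}

if (!is_logged_in()) {
    // No action attribute: the browser posts back to the current URL,
    // so PHP_SELF is never echoed into the page.
    echo "<form method='post'>";
    echo "Name: <input type='text' name='username'><br>";
    echo "Password: <input type='password' name='wachtwoord'><br>";
    echo "<input type='submit' value='log in' name='verzonden'></form>";
    exit;
}
// htmlspecialchars() stops a stored username from being rendered as HTML.
echo '<h1>You are logged in as '
    . htmlspecialchars($_SESSION['username'], ENT_QUOTES, 'UTF-8') . '</h1>';
```

Existing rows that hold MD5 digests will not verify against `password_verify()`; they need to be re-created with `password_hash($plaintext, PASSWORD_DEFAULT)` when the account is created or the password is reset.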