0

So I have this piece of code that I just followed some guide to create, 

<?php

session_start();

if (isset($_POST['submit'])) {

include 'db.conf.php';

$uid = mysqli_real_escape_string($conn, $_POST['uid']);
$pwd = mysqli_real_escape_string($conn, $_POST['pwd']);
$_SESSION['uid'] = $uid;

//Error handleri
//Check jesu inputi empty

if (empty($uid) || empty($pwd))
{
    header("Location: ../index.php?login=empty");
    exit();
}
else
{
    $sql = "SELECT * FROM users WHERE user_uid = '$uid' OR user_email = '$uid'";
    $result = mysqli_query($conn, $sql);
    $resultCheck = mysqli_num_rows($result);

    if ($resultCheck < 1)
    {
        header("Location: ../index.php?login=usernamenepostoji");
        exit();
    }
    else
    {
        if ($row = mysqli_fetch_assoc($result)) {
            //Dehashiranje
            $hashedPwdCheck = password_verify($pwd, $row['user_pwd']);
            if ($hashedPwdCheck == false) {
                header("Location: ../index.php?login=invalidpass");
                exit();
            }
            elseif ($hashedPwdCheck == true)
            {
                //Logiranje
                $_SESSION['u_id'] = $row['user_id'];
                $_SESSION['u_first'] = $row['user_first'];
                $_SESSION['u_last'] = $row['user_last'];
                $_SESSION['u_email'] = $row['user_email'];
                $_SESSION['u_uid'] = $row['user_uid'];
                header("Location: ../index.php?login=success");
                exit();
            }

        }
    }
}

}

else
{
    header("Location: ../index.php?login=error");
    exit();
}

?>

It's just simple error handling and logging in that works. I understand it and wanted to recreate it with a bit more oop. 

<?php 
session_start();

include 'db.conf.php';

class Login
{

public $username;
public $password;


function __construct()
{
    $this->username = $_POST['uid'];
    $this->password = $_POST['pwd'];
    $this->checkinputs();
}


function checkinputs()
{       
        if (empty($this->username) || empty($this->password)) 
        {
            header("Location: ../index.php?login=empty");
            exit();
        }
        else
        {   
            $username = $this->username;
            $sql = "SELECT * FROM users WHERE user_uid =".$username;
            $result = mysqli_query($conn, $sql);
            $resultCheck = mysqli_num_rows($result);

            if ($resultCheck < 1) 
            {
                header("Location: ../index.php?login=usernamenepostoji");
                exit();
            }
            else 
            {
            if ($row = mysqli_fetch_assoc($result)) {
                //Dehashiranje
                $hashedPwdCheck = password_verify($pwd, $row['user_pwd']);
                if ($hashedPwdCheck == false) {
                    header("Location: ../index.php?login=invalidpass");
                    exit();
                }
                elseif ($hashedPwdCheck == true) 
                {
                    //Logiranje
                    $_SESSION['u_id'] = $row['user_id'];
                    $_SESSION['u_first'] = $row['user_first'];
                    $_SESSION['u_last'] = $row['user_last'];
                    $_SESSION['u_email'] = $row['user_email'];
                    $_SESSION['u_uid'] = $row['user_uid'];
                    header("Location: ../index.php?login=success");
                    exit();
                }
            }
        }
    }
}
}


?>

This is what I got, it's literally the same code just using functions and other things to 'seperate' it into chunks. It doesn't work. I keep getting stuck on the if $resultCheck < 1 header which means that the username doesn't exist. Though I'm sure it does since nothing changed in the db. So it lead me to thinking its the $conn, it just doesn't connect to the database. I've dumped the $username variable in a file to check if it works, it does. I just have no idea how to proceed.

Domica
  • 25
  • 3

1 Answers1

1

$conn doesn't exist in method checkinputs().

Either make it global: 

function checkinputs()
{ 
    global $conn;
    ...
}

which I would not recommend (because using globals is disencouraged).

or pass it into Login::_construct() and set it to $this->conn (then use it as $this->conn: $result = mysqli_query($this->conn, $sql);):

function __construct($conn)
{
    $this->conn = $conn; // maybe also check if you have a valid connection!
    $this->username = $_POST['uid'];
    $this->password = $_POST['pwd'];
    $this->checkinputs();
}

function checkinputs()
{       
// no global now!
        ....    
        $result = mysqli_query($this->conn, $sql);
        ....
}

BUT: please switch to prepared stements. This code is vulnerable to sql injection!

related: Reference: What is variable scope, which variables are accessible from where and what are "undefined variable" errors?

Jeff
  • 6,895
  • 1
  • 15
  • 33
  • I thought it was global if you include it before the class. Though, after adding your code i stopped getting the header changed. After I click on submit it just takes me to ../login.conf.php which is the name of the file. It should write out a header like the code states. – Domica Sep 09 '18 at 19:16
  • To clarify, the form
    should run the backend file that logs you in. And as seen in the code, in every instance it should stay in index.php and just add the ?extension based on the error/success. After using the button it just takes me to login.conf.php and the site is empty.
     – Domica Sep 09 '18 at 19:22
  • to debug this I'd need to know all the other files. A few things you could check: 1st: make sure none of your files have output before the header gets set -> remove all `?>`. Do you you ever call `$something = new Login($conn);`? – Jeff Sep 09 '18 at 21:59