Log-in script is not working - please help

Question

Joshua Kidd 0 Junior Poster

13 Years Ago

Hello,
I have created a login page for my users. And it seems to not be working properly.

<?php
include "inc/header.php";
?>
<div class="ContentHold">
<?php
include "inc/globals.php";

if (isset($_POST['login']))
{
	$username = addslashes(strip_tags($_POST['username']));
	$password = addslashes(strip_tags($_POST['password']));
	
	if (!$username||!$password)
	{
	?>
    <div id="NotifyUI"> Please Enter a Username and Password. </div>
    <?
	}
	else
	{
		$login_1 = mysql_query("SELECT * FROM users WHERE username='$username'");
		while ($ban_row = mysql_fetch_assoc($login_1))
		$ban = $ban_row['ban'];
		if ($ban==1)
		{
		?>
        <div id="NotifyUI"> Sorry, you have been abusing functions on our server. You have been banned. </div>
        <?
		}
		else
		{
			$login = mysql_query("SELECT * FROM users WHERE username='$username'");
			if (mysql_num_rows($login)===0)
			{
			?>
			<div id="NotifyUI"> There is no Such user. </div>
			<?
			}
			else
			{
				
				while($login_row = mysql_fetch_assoc($login))
				{
					$password_db = $login_row['password'];
					$password = md5($password);
					
					if (!$password==$password_db)
					{
					?>
                    <div id="NotifyUI"> You have entered the incorrect password for this user. </div>
					<?	
					}
					else
					{
						$active = $login_row['active'];
						$email = $login_row['email'];
						
						if ($active==0)
						{
						?>
                        <div id="NotifyUI">You have not activated your account. Please do so by checking your email [<? echo $email; ?>]</div>
                        <?
						}
						else
						{
							session_register("username");
							$_SESSION['username']=$username;

							header("location: welcome.php");

						}
					}
				}
			}
		}
	}
}
else
{
	$username = $_SESSION['username'];
	
	if (isset($_SESSION['username']))
	{
	?>
    <div id='NotifyUI'><p>You are already logged in. You may now go to your profile page. <a href='index.php'</p></div>
    <?
	}
	else
	{
	?>
  <div id="logincontain">
    <p>
    <h1 style="margin-bottom:15px">Log into the site</h1>
    </p>
    <div id="loginspec">
    <form action='login.php' method='POST'>
      <div class="logincap">
        <p>
        <lable>Username</lable>
        </p>
        <p>&nbsp;</p>
        <input type="text" name="username" onclick="this.value='';" onfocus="this.select()" onblur="this.value=!this.value?'':this.value;" />
        <lablee>
        <p>&nbsp;</p>
        <p>Password (<a href="http://synthscope.com/">Forgot?</a>)</p>
        <p>&nbsp;</p>
        <p>
        </lable>
        <input type="password" name="password" onclick="this.value='';" onfocus="this.select()" onblur="this.value=!this.value?'':this.value;" />
        </p>
      </div>
      </p>
      <input type='submit' name='login' id='rightf' class='loginbtn' align='center' value='Log In' />
      </form>
    </div>
  </div>
   	<?
	}
}
?>
</div>
<?php
include "inc/footer.php";
?>

It will log you in. But then it just does nothing after the login. It's supposed to go to welcome.php, but it does not do that. Any Ideas?

Thanks in advance :)

php

4 Contributors
11 Replies
181 Views
5 Days Discussion Span
Latest Post 13 Years Ago Latest Post by Joshua Kidd

Matthew N. 0 Junior Poster in Training

13 Years Ago

Line 85 is missing closing a tag.
Are you getting any errors from PHP?

xuqi 0 Newbie Poster

13 Years Ago

Try javascript redirection.
echo 'window.location = "http://www.google.com/"';

And just a suggestion never disclose the message saying that either username wrong or password. Just say "Username/password wrong". This is good for security.

Thanks

diafol

13 Years Ago

I agree with above - you need to simplify the error/exception handling. Keep it simple. Do not give an user any info on the nature of the error - just tell them that the login with those details is incorrect.

A malicious user will not be able to 'fix' data and use a brute force attack on a single field (e.g. password).

If an user is banned, do they need to be reminded? I suspect that they should receive an email notifying them of their ban. That's it. If they have messed with your system, sod 'em. The details incorrect should suffice.

Use a better php validation - mysql_real_escape_string() is the current standard as I understand it.

I don't quite get the inline js. I'd advise against js redirect as users without js (admittedly few), will get lost in the process. A php header() is safer.

However, this is tricky if you mix up php and html, since header() will not work once there is any output (html).

I suggest doing all your validation and verification, redirecting etc in a php script held above the doctype declaration (DTD).

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

Joshua Kidd 0 Junior Poster · Answer 1 · 2011-10-05T03:01:19+00:00

Matthew N.
I fixed that. But still no change. Good catch.

xuqi
I tried that, but not worked.
So I used instead:

echo "<META HTTP-EQUIV='refresh' CONTENT='1'>";

It works for me, but not anyone else. Just refreshes back to the Form.

ardav
Thanks for all the useful tips.

"However, this is tricky if you mix up php and html, since header() will not work once there is any output (html)."
Whenever you say this, would it make sense that my Header file is not updating when the user logs in?

Because when the user logs in the header file should show a different menu, then when logged out.

Thanks Guys :)

Joshua Kidd 0 Junior Poster · Answer 2 · 2011-10-05T03:53:11+00:00

Nvermind that last question about the Header file :D I'm a bit tired. Did not understand it quite at first.

Sorry.

Matthew N. 0 Junior Poster in Training · Answer 3 · 2011-10-05T08:32:10+00:00

on the meta tag, in the content bit you haven't given it anywhere to redirect to.
use meta like this :

echo '<meta http-equiv="refresh" content="1;URL=mypage.php" />';

Matthew N. 0 Junior Poster in Training · Answer 4 · 2011-10-05T08:32:25+00:00

on the meta tag, in the content bit you haven't given it anywhere to redirect to.
use meta like this :

echo '<meta http-equiv="refresh" content="1;URL=mypage.php" />';

Joshua Kidd 0 Junior Poster · Answer 5 · 2011-10-05T10:20:47+00:00

I did that, but the session is not starting. I have this:

session_register("username");						$_SESSION['username']=$username;

But I am thinking I need something else like:

session_start();

Correct?

xuqi 0 Newbie Poster · Answer 6 · 2011-10-05T10:30:10+00:00

yes you have to start session in this case.

Matthew N. 0 Junior Poster in Training · Answer 7 · 2011-10-05T13:03:36+00:00

As xuqi said, you would need that, an also ontop of every page that checks if user logged in.
BTW: that is

session_start();

Joshua Kidd 0 Junior Poster · Answer 8 · 2011-10-09T01:52:01+00:00

Finally got it working after trial and error. thanks :)