Logging in to different user accounts but directed only to same accoount

Question

Giovanne 0 Newbie Poster

9 Years Ago

Hello Guy,

I have coded a successful log of accounts in localhost but when i uploaded this to webhost. These set of codes dont work anymore. Please help these are the codes.

Student_login_handler.php

include_once 'Connect.php';
    $flag = "";
    $learner_id = mysql_real_escape_string(htmlentities($_POST['learner_id']));
    $student_password =  mysql_real_escape_string(htmlentities($_POST['student_password']));
    $student_id = htmlentities($_GET['id'], ENT_QUOTES);
    $student_id = htmlentities($_GET['id'], ENT_QUOTES);
    $query = "SELECT student_id,last_login_date FROM student_information WHERE learner_id='$learner_id' and student_password='$student_password'";
    $result = mysqli_query($link_id, $query);

    if(mysqli_error() != null){
        die(mysqli_error());
    }
    if($date = mysqli_fetch_array($result))
    {
         $lastdate = $date['last_login_date'];
         $date2 = date("d-m-Y h:i A",strtotime($lastdate));
         $_SESSION['user_id'] = $date['student_id'];
         $_SESSION["lastlogin"] =$date2;
         $_SESSION["type"] = "Student";
        mysqli_query("UPDATE student_information SET last_login_date=now() where student_id='{$_SESSION['user_id']}'",$link_id);
         if(mysqli_error() != null){
            die(mysqli_error());
        }
         header("location:  Student_Home.php?id={$_SESSION['user_id']}");
         die();
    }
    else
    {
        $flag = "invalid";
        header("location:Student_login.php?flag=$flag");
        die();      
    } 
?>

Student_login.php

<form name="form2" method="post" action="Student_login_handler.php" onSubmit="return validate();">  
        <tr>
            <td colspan="4"><table width="30%"  border="1" align="center" cellpadding="3" cellspacing="0" bordercolor="#666666" bgcolor="#CCCCCC">
        <tr align="center" bgcolor="#999999">
            <td colspan="2" bgcolor="#99CC33" class="styleblock">Learner Login Here</td>
        </tr>
        <tr bgcolor="#E1E1E1" class="stylesmall">
            <td width="35%" align="left" class="stylesmall">Learner Id : </td>
            <td width="65%" align="left"><input name="learner_id" type="text" id="learner_id"  method="post"></td>
        </tr>
        <tr bgcolor="#E1E1E1" class="stylesmall">
           <td align="left" class="stylesmall">Password:</td>
           <td align="left"><input name="student_password" type="password" id="student_password" method="post"></td>
        </tr>
        <tr bgcolor="#E1E1E1">   
           <td colspan="2" align="center">&nbsp;
             <?php if(!empty($_GET['flag']) && $_GET['flag'] == "invalid") { ?>
             <span class="stylered">Invalid Learner Id or Password</span>
             <?php }?></td>
        </tr>
        <tr bgcolor="#E1E1E1">
           <td colspan="2" align="center">
                <p><input name="login" class="stylesmall" type="submit" id="login" value="Login"></p>

Note: This perfectly function on localhost but not in webhosts.

function: the user can log in to its user account
problem: different user log in directed to same account

Please anyone spare time for me

php

3 Contributors
4 Replies
199 Views
2 Weeks Discussion Span
Latest Post 9 Years Ago Latest Post by hanspeare_1

diafol

9 Years Ago

Sorry Giovanne, but I started reading this and there are quite a few problems with this outside the one that you're experiencing.

1) Using deprecated code (mysql) use mysqli or PDO
2) Not hashing passwords - you're storing plaintext - very bad.
3) Student_Home.php?id={$_SESSION['user_id']} Why do you need to pass the user_id in the url? It's already in the session - I hope you're not using this ($_GET['id']) to do any DB manipulation without checking the session user_id or you're open to very bad things.

I'm afraid I don't answer questions pertaining to mysql_* any more. Anybody else?

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

Giovanne 0 Newbie Poster · Answer 1 · 2015-03-06T13:13:44+00:00

Hello Diafol,

Thanks for the careful observation in numbr 1 and 2. That will be my next move to develop this system. I am still researching ideas for better security.
I am much concern on your observation number 3. Can you please give me suggestions to correct those.

diafol · Answer 2 · 2015-03-06T13:21:29+00:00

You don't need to pass any info already stored in a session in the url unless you need it for SEO or are using it as part of an API (e.g. RESTful requests) as far as I can see. So, seeing as you have session_start() in every page (right?), you can just pluck the user_id from $_SESSION['user_id'] every time - no need for $_GET['id']. But perhaps I've got your use case wrong.

hanspeare_1 0 Light Poster · Answer 3 · 2015-03-19T01:17:58+00:00

Whenever i delete the line
header("location: Student_Home.php?id={$_SESSION['user_id']}");
it shows lot of errors. SO your suggestion would modify the particular code to another new codes. BUt i dont really get what to do. :-(