Need help with a login form.

by man5
7 replies
I am starting a simple login and registration with php and mysql. I am stuck on this php code. Functions.php and connect.php pages are set up as well and they do connect to the database.

Login.php
HTML Code:
<html>
<head>
<title>Basic CMS - Admin Area Login</title>
</head>
<body>
<?php
session_start();
if(isset($_SESSION['user'])) {
    header('Location: index.php');
} else {    
?>
<form action="dologin.php" method="POST" >
<input type="text" name="username" >
<input type="password" name="password">
<input type="submit" value="Login">
<?php } ?>
</body>
</html>
dologin.php
PHP Code:
<?php
include ('../includes/functions.php');

if(isset($_POST['login'])) {
    if(isset($_POST['username'])) {
        if(isset($_POST['password'])) {
            $username = $_POST['username'];
            $query = mysql_query("SELECT * FROM users WHERE Username = '$username'") or die(mysql_error());
            $user = mysql_fetch_array($query);
            if ($_POST['password'] == $user['Password']) {
                echo "Login successful";
                $_SESSION['user'] = $user['Username'];
                header("Location: index.php");
            } else {
                echo "Please check your login details";
                include('login.php');
            }
        } else {
            echo "Please check your password";
            include('login.php');
        }
    } else {
        echo "Please check your username";
        include('login.php');
    }
} else {
    echo "Please check that you have filled out the login form";
    include('login.php');
}
?>
Can anyone identify what might be wrong in the php code above?
  • Andrew H
    What is the error showing?

    Perhaps it works and you are being transferred to a non-existent index.php?
    Signature
    "You shouldn't come here and set yourself up as the resident wizard of oz."
  • man5
    The error is basically the last else statement with the login form underneath. "Please check that you have filled out the login form".

    After I login, I should be redirected back to index.php but that does not happen. It stays on dologin.php page. So I am assuming the php code isn't connecting to the database to find the user.
  • Andrew H
    add

    Code:
    include ('../includes/connect.php');
    to your dologin.php page? or is that already taken care of in your functions.php file?
  • Andrew H
    Well actually, if you're saying the error you are seeing is "Please check that you have filled out the login form", that means that you are not posting the 'login' variable correctly.

    Code:
    if(isset($_POST['login'])) {
       //some code here
    } else {
       // this is being executed here - so the 'login' post variable is not set
    }
  • man5
    Connect.php is already included in Functions.php.

    Yes, there is something wrong with the login post variable. I am just not seeing what it is exactly.

    Also if you guys have a different code for the login, I can try that.
  • Andrew H
    Ah, I see the problem. This needs to be added to your login form (Login.php)

    Code:
    <input type="hidden" name="login" value="login">
    Also, there is no closing tag for your Form

    Code:
    </form>
    However, your login script is wide open to SQL injection because it is using user supplied variables directly in the sql query without escaping.

    Your homework:

    https://www.google.ca/search?q=what+...sm=93&ie=UTF-8
    • man5
      Originally Posted by Andrew H

      Ah, I see the problem. This needs to be added to your login form (Login.php)

      Code:
      <input type="hidden" name="login" value="login">
      Also, there is no closing tag for your Form

      Code:
      </form>
      However, your login script is wide open to SQL injection because it is using user supplied variables directly in the sql query with escaping.

      Your homework:

      https://www.google.ca/search?q=what+...sm=93&ie=UTF-8

      You are awesome bro! It works now.

      I understand it is open to SQL injection. This is my first crack at creating a CMS, so I would like to keep it simple as I am learning the process. Later on, I can add security protections that are up to date.


      Update: I forgot to mention one other thing that I was missing. I had to add "session_start();" in the dologin.php. So everything is good now.

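A hardened version of the user lookup in dologin.php, added here as an example and not code posted by anyone in the thread: it replaces the interpolated mysql_query() string (the mysql_* functions were removed in PHP 7) with a PDO prepared statement and keeps the session handling the thread ended up needing. The function name attempt_login, the password_hash() storage for the Password column, the DSN values and the SQLite demo table are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. Assumptions: PDO is available, and
// users.Password holds password_hash() output rather than the plain password.
declare(strict_types=1);

/** Returns the stored username on success, null on any failure. */
function attempt_login(PDO $db, string $username, string $password): ?string
{
    // The placeholder keeps $username out of the SQL text entirely, so a
    // quote in the input cannot change the shape of the query.
    $stmt = $db->prepare('SELECT Username, Password FROM users WHERE Username = :u');
    $stmt->execute([':u' => $username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);

    // Same answer for "no such user" and "wrong password".
    if ($user === false || !password_verify($password, $user['Password'])) {
        return null;
    }
    return $user['Username'];
}

// dologin.php would use it like this (DSN and credentials are placeholders):
//   session_start();                   // before any output, as the thread found
//   $db = new PDO('mysql:host=localhost;dbname=cms;charset=utf8mb4', 'user', 'pass',
//                 [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
//                  PDO::ATTR_EMULATE_PREPARES => false]);
//   $name = attempt_login($db, $_POST['username'] ?? '', $_POST['password'] ?? '');
//   if ($name !== null) {
//       session_regenerate_id(true);   // fresh session id once authenticated
//       $_SESSION['user'] = $name;
//       header('Location: index.php');
//       exit;                          // nothing after the redirect should run
//   }

// Offline demo on a constructed in-memory SQLite table (sample data, not real).
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (Username TEXT PRIMARY KEY, Password TEXT)');
$ins = $db->prepare('INSERT INTO users VALUES (?, ?)');
$ins->execute(["o'brien", password_hash('correct horse', PASSWORD_DEFAULT)]);

var_dump(attempt_login($db, "o'brien", 'correct horse')); // quote in the name is bound as data
var_dump(attempt_login($db, "o'brien", 'wrong'));         // wrong password
var_dump(attempt_login($db, 'nobody', 'correct horse'));  // unknown user
```

Run it with the php CLI (pdo_sqlite enabled) to see the three results; only the demo lines at the bottom depend on SQLite.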