
Login problem


nemanja28


I have a problem with a login, and there is not a single error in my log.

I'm tired of looking for a mistake.

Look at my code and tell me if you see anything bad.

 

Here is login.php:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Untitled Document</title>
</head>

<body>

<?php


		error_reporting(E_ALL | E_STRICT);
		ini_set("display_errors", 0);
		ini_set("log_errors", 1);
		ini_set("error_log", "logovi.log");


		session_start();
		if (isset($_POST['ime'])&&isset($_POST['pas']))
		{
				// without sql injection
			//$ime = $_POST['ime'];
			//$pasvord = $_POST['pas'];



			// for sql injection
			 $ime = mysql_real_escape_string($_POST['ime']);

			define('skrembl', '48762497&*%$#(%$1');
			$pasvord = md5(skrembl . $_POST['pas']);	




			include "konekcija.php";
			$sql="SELECT k.*, u.* FROM korisnik k JOIN uloga u ON k.UlogaID = u.UlogaID WHERE KorisnickoIme = '".$ime."' AND Lozinka = '".$pasvord."'";
			$q = mysql_query($sql);
			if (mysql_num_rows($q)==1)
			{
				$_SESSION['ime'] = $_POST['ime'];
				$red=mysql_fetch_array($q);			
					$_SESSION['korisnickoIme'] =$red["Ime"];  	
					$_SESSION['prezime'] =$red["Prezime"];  
					$_SESSION['telefon'] =$red["Telefon"];  
					$_SESSION['email'] =$red["Mail"];  


					if($red["NazivUloge"] == "Administrator")
						header('Location: admin.php');
					else
						header('Location: prva.php');

			} 
			else 
			{
				header('Location: MojNalog.php');
			}
		} 
		else 
		{
			// If the POST parameters were not passed
			echo "Nisu prosledeni parametri!";
		}
		mysql_close($db);

	?>

</body>
</html>

 

 

And here is my database connection, konekcija.php (I use this database for many other functions, and I think that the file works properly):

 

<?php
$mysql_server = "localhost";
$mysql_user = "root";
$mysql_password = "";
$mysql_db = "nekretnine";
if (!$db=mysql_connect($mysql_server, $mysql_user, $mysql_password)) {
die ("<p>Spajanje na mysql server je bilo neuspešno</p>");
}
if (!mysql_select_db($mysql_db, $db))
{
die ("<p>Greška pri odabiru baze</p>");
} else {
mysql_query("SET NAMES utf8");
mysql_query("SET CHARACTER SET utf8");
mysql_query("SET COLLATION_CONNECTION='utf8_unicode_ci'");
}
?>

 

And the code where the username and password are entered is in the file MojNalog.php:

<form method="post" action="login.php">
					              	<div class="contact_form">

				 <?php
                                                // Shown if the user succeeded in logging in
					if (isset($_SESSION['korisnickoIme']))
							{
								print "<div class=\"form_row\">

										<label class=\"contact\"><strong>Vasi Podaci</strong></label><p></p>
										<label class=\"contact\"><strong>Ime: </strong></label>
										<label class=\"contact\"><strong>".$_SESSION['korisnickoIme']."</strong></label>
										</div>

										<div class=\"form_row\">
										<label class=\"contact\"><strong>Prezime: </strong></label>
										<label class=\"contact\"><strong>".$_SESSION['prezime']."</strong></label>
										</div>

										<div class=\"form_row\">
										<label class=\"contact\"><strong>Korisnicko ime: </strong></label>
										<label class=\"contact\"><strong>".$_SESSION['ime']."</strong></label>
										</div>

										<div class=\"form_row\">
										<label class=\"contact\"><strong>Telefon: </strong></label>
										<label class=\"contact\"><strong>".$_SESSION['telefon']."</strong></label>
										</div>

										<div class=\"form_row\">
										<label class=\"contact\"><strong>Email: </strong></label>
										<label class=\"contact\"><strong>".$_SESSION['email']."</strong></label>
										</div>

										";



							}

					else
							{
                                                                             // LOGIN FORM
								print "<div class=\"form_row\">
									<label class=\"contact\"><strong>Unesite korisni&#269;ko ime:</strong></label>
									<input type=\"text\" class=\"contact_input\" name = \"ime\"/>
									</div>  

									<div class=\"form_row\">
									<label class=\"contact\"><strong>Unesite šifru:</strong></label>
									<input type=\"password\" class=\"contact_input\" name=\"pas\"/>
									</div>
									<div class=\"form_row\">
									<input type=\"submit\" class=\"contact\" value= \"Log In\"/>
									</div>   ";

							}
				?>      
                       
									</div>
									</form>

 

Please help, I don't see any mistake.

Link to comment
Share on other sites

Try limiting the Query to 1

 

ie: $sql="SELECT k.*, u.* FROM korisnik k JOIN uloga u ON k.UlogaID = u.UlogaID WHERE KorisnickoIme = '".$ime."' AND Lozinka = '".$pasvord."' LIMIT 1";

 

this is from your login.php

 

I don't think this will be a solution but it should prevent any unforeseen errors

Link to comment
Share on other sites

What exactly is not working? I noticed how you have your code which includes a header() in the body tags which will cause header problems lots of the time.

Also I would put name="submit" for the submit button and then put at top of file.

if(isset($_POST['submit']))
{
do the log in code...
}

Link to comment
Share on other sites

There are several errors in the login.php code

1. Sessions MUST start before you output any HTML code - your first several lines are outputting

2. You MUST connect to your db BEFORE you use mysql_real_escape_string

3. You cannot output ANYTHING before header redirect (see 1. above)

 

Link to comment
Share on other sites

OK, I agree with your statements, but:

1. The session starts before my output. What do you mean, that my output is before session start??

2. I commented out mysql_real_escape_string and tried without sql injection, and the login form doesn't work.

 

So I tried every one of your suggestions and the same problem still exists...  :-\

 

Link to comment
Share on other sites

What exactly is not working? I noticed how you have your code which includes a header() in the body tags which will cause header problems lots of the time.

Also I would put name="submit" for the submit button and then put at top of file.

if(isset($_POST['submit']))
{
do the log in code...
}

 

I try to log in but it doesn't do that

I already have the submit name and I don't need that code because I have ACTION on the form to do login.php

 

 

is login.php as shown above, the ENTIRE file?

 

I don't understand what you mean

 

 

Show us the new code

 

Here is the code


<?php
session_start();
?>



<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Untitled Document</title>
</head>

<body>

<?php


		error_reporting(E_ALL | E_STRICT);
		ini_set("display_errors", 0);
		ini_set("log_errors", 1);
		ini_set("error_log", "logovi.log");



		if (isset($_POST['ime'])&&isset($_POST['pas']))
		{
				// without sql injection
			$ime = $_POST['ime'];
			$pasvord = $_POST['pas'];



			// for sql injection
			// $ime = mysql_real_escape_string($_POST['ime']);

			// define('skrembl', '48762497&*%$#(%$1');
			// $pasvord = md5(skrembl . $_POST['pas']);	




			include "konekcija.php";
			$sql="SELECT k.*, u.* FROM korisnik k JOIN uloga u ON k.UlogaID = u.UlogaID WHERE KorisnickoIme = '".$ime."' AND Lozinka = '".$pasvord."'";
			$q = mysql_query($sql);
			if (mysql_num_rows($q)==1)
			{
				$_SESSION['ime'] = $_POST['ime'];
				$red=mysql_fetch_array($q);			
					$_SESSION['korisnickoIme'] =$red["Ime"];  	
					$_SESSION['prezime'] =$red["Prezime"];  
					$_SESSION['telefon'] =$red["Telefon"];  
					$_SESSION['email'] =$red["Mail"];  


					if($red["NazivUloge"] == "Administrator")
						header('Location: admin.php');
					else
						header('Location: prva.php');

			} 
			else 
			{
				header('Location: MojNalog.php');
			}
		} 
		else 
		{
			// If the POST parameters were not passed
			echo "Nisu prosledeni parametri!";
		}
		mysql_close($db);

	?>

</body>
</html>

 

 

 

 

Link to comment
Share on other sites

Compare this to your login.php -

<?php
session_start();
/* make sure form values have been submitted */
if (isset($_POST['username']) && isset($_POST['password'])){
/* validate and sanitize the form values */
/* if bad send back to form */
/* connect to database */
/* prepare query to see if username and password are in the table and if it is user or admin */
/* execute the query */
        $query = "SELECT NazivUloge, id FROM tablename WHERE username = '$username' AND password = '$password'";
/* if number rows !=1 redirect to form */
/* get the NazivUloge from your db result set */
/* store the appropriate values in their session variables */
/* redirect to appropriate page */
}else{
/* send back to form page */
}
?>

Clear?

Link to comment
Share on other sites

and change little bit for my site

If that is the case then look VERY closely at the differences

 

Side note: Did you rewrite your script to follow EXACTLY how my pseudo code showed?

 

I have been looking for 2 days for a mistake in the code, or a difference from my friend's code, and can find nothing :-/

Link to comment
Share on other sites

Maybe this will help...

<?php
session_start();
$error_message = "You must enter a valid username and password!";
/* make sure form values have been submitted */
if (isset($_POST['username']) && isset($_POST['password'])){
/* validate and sanitize the form values */
$username = trim($_POST['username']);
$password = trim($_POST['password']);
/* check that both username and password have some content */
if(strlen($username) < 1 OR strlen($password) < 1) { /* you can change lengths to your choice */
	$_SESSION['message'] = $error_message;
	header('Location: form.php');
	exit; /* stop here so the rest of the script does not run after the redirect */
}
/* check that both username and password only contain letters and numbers */
if($username != preg_replace("/[^a-zA-Z0-9]/", "", $username) OR $password != preg_replace("/[^a-zA-Z0-9]/", "", $password)) {
	$_SESSION['message'] = $error_message;
	header('Location: form.php');
	exit;
}
/* connect to database */
include('db.php');
/* prepare query to see if username and password are in the table and if it is user or admin */
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);
/* note you really should be hashing the password */
$query = "SELECT id, user_level FROM usertable WHERE username = '$username' AND password = '$password'";
/* execute the query */
$result = mysql_query($query)  or die(mysql_error());
/* if number rows !=1 redirect to form */
if(mysql_num_rows($result) !=1) {
	$_SESSION['message'] = $error_message;
	header('Location: form.php');
	exit;
}
/*	get the NazivUloge from your db result set (fetch once; a second fetch would return false) */
$row = mysql_fetch_array($result);
/* store the appropriate values in their session variables */
$_SESSION['user'] = $row['id'];
$_SESSION['level'] = $row['user_level'];
/* redirect to appropriate page */
if($row['user_level'] == 1) {
	header('Location: admin.php');
}else{
	header('Location: non_admin.php');
}
exit;
}else{
/* send back to form page */
	header('Location: form.php');
	exit;
}
?>

Link to comment
Share on other sites
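The comment in the code above that the password should really be hashed, together with its escaping of the username, is carried through below as an added example that is not code from any poster in this thread. It reuses the korisnik/uloga tables from the first post, but assumes PDO instead of the mysql_* functions, assumes Lozinka stores a password_hash() value rather than the salted md5, and uses constructed demo rows in an in-memory SQLite database; authenticate() and redirect_target() are hypothetical names.

```php
<?php
// Added example, not code from the thread. Table and column names follow the
// original post; storing a password_hash() value in Lozinka is an assumption.
declare(strict_types=1);

/** Returns the user's row on success, null on any failure. */
function authenticate(PDO $pdo, string $ime, string $pas): ?array
{
    // The placeholder keeps user input out of the SQL text entirely.
    $stmt = $pdo->prepare(
        'SELECT k.Ime, k.Lozinka, u.NazivUloge
           FROM korisnik k JOIN uloga u ON k.UlogaID = u.UlogaID
          WHERE k.KorisnickoIme = :ime'
    );
    $stmt->execute([':ime' => $ime]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // The hash is checked in PHP, never compared inside the WHERE clause.
    if ($row === false || !password_verify($pas, $row['Lozinka'])) {
        return null;
    }
    unset($row['Lozinka']);          // do not carry the hash into the session
    return $row;
}

/** Redirect target; the caller sends it with header() followed by exit. */
function redirect_target(?array $user): string
{
    if ($user === null) {
        return 'MojNalog.php';
    }
    return $user['NazivUloge'] === 'Administrator' ? 'admin.php' : 'prva.php';
}

// Constructed demo data in an in-memory SQLite database (needs pdo_sqlite).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE uloga (UlogaID INTEGER PRIMARY KEY, NazivUloge TEXT)');
$pdo->exec('CREATE TABLE korisnik (KorisnickoIme TEXT UNIQUE, Ime TEXT,
            Lozinka TEXT, UlogaID INTEGER)');
$pdo->exec("INSERT INTO uloga VALUES (1, 'Administrator'), (2, 'Korisnik')");
$ins = $pdo->prepare('INSERT INTO korisnik VALUES (?, ?, ?, ?)');
$ins->execute(['admin', 'Ana', password_hash('correct horse', PASSWORD_DEFAULT), 1]);
$ins->execute(['pera', 'Pera', password_hash('tajna123', PASSWORD_DEFAULT), 2]);

foreach ([['admin', 'correct horse'], ['pera', 'wrong'], ["o'neil", 'x']] as [$i, $p]) {
    echo str_pad($i, 14), ' -> ', redirect_target(authenticate($pdo, $i, $p)), PHP_EOL;
}
```

In a real login.php, session_start() and this logic run before any HTML is sent; on success call session_regenerate_id(true), then send header('Location: ...') with the returned target and exit.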

You may have got things fixed with all the help you've had but just based on your first post, login.php should be like this with all session updates and headers made before ANYTHING is sent to browser (as already pointed out).

<?php
session_start();	
include "konekcija.php";
error_reporting(E_ALL | E_STRICT);
ini_set("display_errors", 0);
ini_set("log_errors", 1);
ini_set("error_log", "logovi.log");
if (isset($_POST['ime'])&&isset($_POST['pas']))
{
	$ime = mysql_real_escape_string($_POST['ime']);
	define('skrembl', '48762497&*%$#(%$1');
	$pasvord = md5(skrembl . $_POST['pas']);
	$sql="SELECT k.*, u.* FROM korisnik k JOIN uloga u ON k.UlogaID = u.UlogaID WHERE KorisnickoIme = '".$ime."' AND Lozinka = '".$pasvord."'";
	$q = mysql_query($sql);
	if (mysql_num_rows($q)==1)
	{
		$_SESSION['ime'] = $_POST['ime'];
		$red=mysql_fetch_array($q);
		$_SESSION['korisnickoIme'] =$red["Ime"];
		$_SESSION['prezime'] =$red["Prezime"];
		$_SESSION['telefon'] =$red["Telefon"];
		$_SESSION['email'] =$red["Mail"];

		if($red["NazivUloge"] == "Administrator")
			header('Location: admin.php');
		else
			header('Location: prva.php');
	}
	else
	{
		header('Location: MojNalog.php');
	}
}
else
{
	// If the POST parameters were not passed
	echo "Nisu prosledeni parametri!";
}
?>

Link to comment
Share on other sites
