I've recently started resuming my "hobby" of web development and returned to PHP. I've managed to get ahead pretty far even though I still feel like my (previously non existent) skills are a bit rusty. I've looked at this code for quite a while and cannot figure out why this isn't working. This code used to work so I'm pretty sure I must have deleted something or I am not noticing something important.
Either way this is my current PHP code The result is that when I login, I stay on the same page and it basically seems like nothing happens. Except the page just refreshes:
function login($db){
if(!isset($_SESSION['user']) || !isset($_SESSION['user']['username'])){
echo "
<form method='post' class='logform'>
<input type='text' class='textlog' placeholder='Username' name='formLoginUser' id='formLoginUser' onkeypress='validateboth(event)' REQUIRED><br><br>
<input type='password' class='textlog' placeholder='Password' id='formLoginPassword' name='formLoginPassword' REQUIRED><br><br>
<div class='logcheck'>
<input type='submit' class='login_bot transparent' value='Login' name='formLoginSubmit' style='float:left;'>
<a class='login_bot transparent' href='index.php?page=createuser' style='float:left; margin-left:5px;'>Create account</a>
<a class='login_bot transparent' href='index.php?page=forgotpassword' style='float:left; margin-left:5px;'>Forgotten password</a>
</div>
</form>
";
if(isset($_POST['formLoginSubmit'])){
if(empty($_POST['formLoginUser'])){
$_SESSION['msg']['warning'][] = "Fill in!!";
if(empty($_POST['formLoginPassword'])){
$_SESSION['msg']['warning'][] = "Password missing!!";
}
if(empty($_SESSION['msg']['warning'])){
$username = $db->real_escape_string($_POST['formLoginUser']);
$password = encrypt(md5($_POST['formLoginPassword']));
$sql = "select * from users
where
username = '{$username}'
and
password = '{$password}'
";
$sqlQuery = $db->query($sql) or die($db->error);
$intQuery = $sqlQuery->num_rows;
if($intQuery == true){
$sqlFetch = $sqlQuery->fetch_object();
$_SESSION['user']['username'] = $sqlFetch->username;
$_SESSION['user']['id'] = $sqlFetch->user_id;
$_SESSION['user']['level'] = $sqlFetch->user_level;
header('location: index.php?page=home');
$_SESSION['msg']['warning'][] = "logged in";
}
}else{
header('location: index.php?page=home');
$_SESSION['msg']['warning'][] = "wrong details";
}
}
}
}
}
I know it's not a problem with the DB, I can successfully register an account and have it appear in the DB.
Edit: Yes, I am redirecting to the same page how ever - on that page I'm calling a function to display a message depending on whether the login was successful or not. The point is, I'm not logged in at all.
The function to call the login is:
<div id="login-content">
<?php login($db); ?>
</div>
change if($intQuery == true)
with if($intQuery >0)
because num_rows returns integer as name of the function defines it. also your query is vulnerable to sql injection and real_escape_string is not secure method for escaping injection. there is a good article here for preventing sql injection.
Tip: you can jump in an out of your php code with ?><?php
and type your desired html in between to prevent wired bugs and have a clear code.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.