
I am trying to create a simple login script in php. This is a learning exercise so I am trying to keep it as simple as possible. After playing around with it for an hour or two, I got it working - I was able to log in and I was greeted - but then it stopped. Now, every time I try to login, I don't get past my login page.

My admin page did not originally include a logout function. I added that later and tried logging out several times thinking that was the issue. However, I also cannot access my admin page directly, so that suggests to me that I am not logged in.

login_page.php

<p> Please login to access admin: </p>

<form action="verify.php" method="post">
    User Name:<br>
    <input type="text" name="username"><br><br>
    Password:<br>
    <input type="password" name="password"><br><br>
    <input type="submit" name="submit" value="Login">
</form>

verify.php

<?php
$host = 'localhost';
$username = 'user';
$pswd = 'pass';

$con = mysql_connect($host, $username, $pswd);
if (!$con){
    die('Could not connect: ' . mysql_error());
}
mysql_select_db("db", $con);

$usr = $_POST['username'];
$pas = $_POST['password'];
$sql = mysql_query("SELECT * FROM users_table
    WHERE username='$usr' AND
    password='$pas'
    LIMIT 1");
if(mysql_num_rows($sql) == 1){

    $row = mysql_fetch_array($sql);
    session_start();
    $_SESSION['username'] = $row['username'];
    $_SESSION['fname'] = $row['first_name'];
    $_SESSION['lname'] = $row['last_name'];
    $_SESSION['logged'] = TRUE;
    header("Location: viewRecords.php");
}else{
    header("Location: index.php");
    exit;
}
mysql_close($con);
?>

I added a link on my admin page which goes to logout.php - here I just kept adding commands hoping something would end the session and let me log in again.

<?php
session_start();
$_SESSION = array();
unset($_SESSION["logged"]); 
session_destroy();
header("Location: index.php");
?> 

Here's the top of my admin page:

<?php 
session_start(); 
if(!$_SESSION['logged']){ 
    header("Location: login_page.php"); 
    exit; 
} 
echo 'Welcome, '.$_SESSION['username']; 
?>

I am wondering if there is an error in my code (maybe something I introduced while editing) or if the issue has to do with sessions or any other suggestions. Any feedback would be appreciated. Thanks.

  • post the url here so we can all steal your database and drop tables after you upload this vulnerable code. www.bobby-tables.com – skrilled Dec 06 '13 at 19:15
  • Hey, give him a break. He said it was a learning exercise. We all have to start somewhere. – mseifert Dec 06 '13 at 19:23
  • Actually, it would help if you told me how it was vulnerable so I can avoid doing it again. I changed the username and password. Is it an issue of how I am constructing this? Or that it is not a robust enough defense? Like I said, this isn't designed to protect anything important. Just to see if I can figure out how to do a login. –  Dec 06 '13 at 19:36
  • Username and password (and any user input) should be sanitized before using in an sql statement. Take a look here: [here](http://stackoverflow.com/questions/129677/whats-the-best-method-for-sanitizing-user-input-with-php/130323#130323) – mseifert Dec 06 '13 at 20:41

2 Answers

session_start(); needs to be at the very top of your page. Where you currently have it in verify.php is incorrect.

<?php
    session_start(); 
– John Conde

Do you have error_reporting() set? Try error_reporting(E_ALL ^ E_STRICT) to make sure all errors are being displayed.

Since you are unsetting the variable, try checking if it is set:

if(!isset($_SESSION['logged']) || !$_SESSION['logged']){ ...
– mseifert
  • Before you check for `$_SESSION['logged']` add `var_dump($_SESSION)` to see what you've got. It will show you all the values in `$_SESSION` – mseifert Dec 06 '13 at 19:50
  • Will do. I think I am going to start from scratch and see if a fresh approach will work. Thanks for your help. –  Dec 06 '13 at 20:15
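The thread raises two separate problems: the comments under the question point out that the username and password are interpolated straight into the SQL string, and the second answer suggests testing the session flag with isset(). The verify.php below is an added example, not code from the asker or either answerer, that addresses both. It assumes PHP 7 or later, the pdo_mysql extension, the same host/db/user values as the question, and a users_table with a password_hash column holding password_hash() output instead of plaintext passwords.

```php
<?php
// Added example, not the asker's or answerers' code. Assumes PHP >= 7, the
// pdo_mysql extension, and that users_table has a password_hash column
// containing password_hash() output (bcrypt) instead of plaintext passwords.
session_start(); // before any output, as the first answer says

$pdo = new PDO('mysql:host=localhost;dbname=db;charset=utf8mb4', 'user', 'pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);

$usr = $_POST['username'] ?? '';
$pas = $_POST['password'] ?? '';

// The username travels as a bound parameter, separate from the SQL text, so
// quotes or keywords in the input cannot change the query. The password is
// not put in the query at all: fetch the stored hash and compare it in PHP.
$stmt = $pdo->prepare(
    'SELECT username, first_name, last_name, password_hash
       FROM users_table WHERE username = :u LIMIT 1'
);
$stmt->execute([':u' => $usr]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// password_verify() does a constant-time comparison against the bcrypt hash.
// Use the same redirect whether the user is unknown or the password is wrong,
// so the response does not reveal which usernames exist.
if ($row !== false && password_verify($pas, $row['password_hash'])) {
    session_regenerate_id(true); // fresh session id on login (anti-fixation)
    $_SESSION['username'] = $row['username'];
    $_SESSION['fname']    = $row['first_name'];
    $_SESSION['lname']    = $row['last_name'];
    $_SESSION['logged']   = true;
    header('Location: viewRecords.php');
    exit; // header() does not stop the script; exit so nothing else runs
}

header('Location: index.php');
exit;

// At the top of the admin page (a separate file), check the flag the way the
// second answer suggests; empty() is true both when the key is missing and
// when it is false:
//   session_start();
//   if (empty($_SESSION['logged'])) { header('Location: login_page.php'); exit; }
```

When creating accounts, store `password_hash($plain, PASSWORD_DEFAULT)` in the password_hash column so that password_verify() has something to compare against.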