I have a login page which works fine with my database, however it fails to direct to the homepage. I cannot access my homepage either from the URL as it directs me straight back to the login page.

Here is my login PHP:

    <?php
    //Start session
    session_start();

    //Include database connection details
    require_once('index.php');

    //Array to store validation errors
    $errmsg_arr = array();

    //Validation error flag
    $errflag = false;

    //Function to sanitize values received from the form. Prevents SQL injection
    function clean($str) {
        $str = @trim($str);
        if(get_magic_quotes_gpc()) {
            $str = stripslashes($str);
        }
        return mysql_real_escape_string($str);
    }

    //Sanitize the POST values
    $username = clean($_POST['username']);
    $password = clean($_POST['password']);

    //Input Validations
    if($username == '') {
        $errmsg_arr[] = 'Username missing';
        $errflag = true;
    }
    if($password == '') {
        $errmsg_arr[] = 'Password missing';
        $errflag = true;
    }

    //If there are input validations, redirect back to the login form
    if($errflag) {
        $_SESSION['ERRMSG_ARR'] = $errmsg_arr;
        session_write_close();
        header("location: index.php");
        exit();
    }

    //Create query
    $qry="SELECT * FROM USER WHERE Username='$username' AND Password='$password'";
    $result=mysql_query($qry);

    //Check whether the query was successful or not
    if($result) {
        if(mysql_num_rows($result) > 0) {
            //Login Successful
            session_regenerate_id();
            $member = mysql_fetch_assoc($result);
            $_SESSION['SESS_MEMBER_ID'] = $member['mem_id'];
            $_SESSION['SESS_FIRST_NAME'] = $member['username'];
            $_SESSION['SESS_LAST_NAME'] = $member['password'];
            session_write_close();
            header("location: welcome.php");
            exit();
        }else {
            //Login failed
            $errmsg_arr[] = 'user name and password not found';
            $errflag = true;
            if($errflag) {
                $_SESSION['ERRMSG_ARR'] = $errmsg_arr;
                session_write_close();
                header("location: index.php");
                exit();
            }
        }
    }else {
        die("Query failed");
    }
    ?>

Here is my homepage:

    session_start();
    //welcome.php
    $user = $_SESSION['username'];
    if(!isset($_SESSION['username']))
    {
        header("Location: index.php");
        exit();
    }
    else
    {
        echo "hi $username you are loged in //Welcome to our website <a href=\"logout.php\">Logout</a>";
    }

James
  • Consult the following links http://php.net/manual/en/function.mysql-error.php and http://php.net/manual/en/function.error-reporting.php and apply that to your code, then tell us what you get back. – Funk Forty Niner Feb 04 '16 at 14:32
  • You never bother setting `$_SESSION['username']`. You set three **OTHER** session vars, but not `username` - so it's never defined, and you just keep redirecting. – Marc B Feb 04 '16 at 14:34
  • Please don't use the `mysql_` database extension, it is deprecated (gone forever in PHP7). Especially if you are just learning PHP, spend your energies learning the `PDO` or `mysqli_` database extensions, [and here is some help to decide which to use](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php) – RiggsFolly Feb 04 '16 at 14:35
  • Never ever used `session_write_close();` and I am pretty sure you don't need to either – RiggsFolly Feb 04 '16 at 14:36
  • And I am pretty sure you don't need this `session_regenerate_id` either – RiggsFolly Feb 04 '16 at 14:38
  • Anyone would say a committee designed this and another committee wrote it. Nothing is quite joined up anywhere – RiggsFolly Feb 04 '16 at 14:40

1 Answer

You're checking if the session contains a key named `username`, but you're not setting that key anywhere in your login file, so this bit:

    if(!isset($_SESSION['username']))

always evaluates to true and sends you to index.php.

PS: Try to not squelch errors (the @ operator) - in most cases it's considered bad practice. There are a few exceptions but you'll figure them out later :)

kalatabe
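
The fix described in the answer and in the `PDO` comment, as an added example that is not the asker's or any answerer's code: the login side writes the same session key the welcome page checks, the query uses a prepared statement, and the name is escaped before output. It assumes the `Password` column stores a `password_hash()` value; the function names, the in-memory SQLite database and the `$session` array standing in for `$_SESSION` are constructed so the script runs from the CLI.

```php
<?php
// Added example, not the asker's code. Assumes Password holds a password_hash() value.
const SESSION_USER_KEY = 'username';   // the one key both pages agree on

function attempt_login(PDO $db, string $username, string $password, array &$session): bool
{
    // Prepared statement replaces mysql_real_escape_string() + string interpolation.
    $stmt = $db->prepare('SELECT mem_id, Username, Password FROM USER WHERE Username = ?');
    $stmt->execute([$username]);
    $member = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($member === false || !password_verify($password, $member['Password'])) {
        return false;
    }
    // Fresh session ID on privilege change (defends against session fixation).
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
    }
    $session['SESS_MEMBER_ID'] = $member['mem_id'];
    $session[SESSION_USER_KEY] = $member['Username'];  // the key welcome.php checks
    return true;
}

// welcome.php side: returns the HTML-escaped name, or null if the caller must redirect.
function logged_in_user(array $session): ?string
{
    if (!isset($session[SESSION_USER_KEY])) {
        return null;
    }
    return htmlspecialchars($session[SESSION_USER_KEY], ENT_QUOTES, 'UTF-8');
}

// Constructed demo data: in-memory SQLite stands in for the real database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE USER (mem_id INTEGER PRIMARY KEY, Username TEXT UNIQUE, Password TEXT)');
$db->prepare('INSERT INTO USER (Username, Password) VALUES (?, ?)')
   ->execute(['james', password_hash('correct horse', PASSWORD_DEFAULT)]);

$session = [];   // stands in for $_SESSION so the script runs from the CLI
var_dump(attempt_login($db, 'james', 'wrong', $session));          // failed login
var_dump(logged_in_user($session));                                // key not set, so redirect
var_dump(attempt_login($db, 'james', 'correct horse', $session));  // successful login
var_dump(logged_in_user($session));                                // welcome page check passes
```

In the real pages, pass `$_SESSION` after `session_start()` and send `header("Location: index.php")` followed by `exit()` when `logged_in_user()` returns null.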