
I'm trying to create a simple login page. I have a register page, and when the user signs up and then attempts to log in, it will navigate them to the homepage. However, when the user attempts to log in and their username and password are not in the database, I would like the script to navigate them to the sign-up page.

I'm having trouble with the else statement; can anyone help me with this issue?

This is the script...

function SignIn()
{
session_start();   //starting the session for user profile page
if(!empty($_POST['userName']))   
{
  $query = mysql_query("SELECT *  FROM users where userName = '$_POST[userName]' AND createPassword = '$_POST[createPassword]'") or die(mysql_error());
  $row = mysql_fetch_array($query) or die(mysql_error());
  if(!empty($row['userName']) AND !empty($row['createPassword']))
  {
    $_SESSION['userName'] = $row['createPassword'];
    echo "<script>window.location = 'index.php'</script>";

  }
  else
  {

    echo "<script>window.location = 'signUp.php'</script>";
  }
}
}
if(isset($_POST['submit']))
{
  SignIn();
}

?>

EDIT: Hi, thanks for your feedback. I have changed the query and edited the echo. Thanks for the security tips, but in this script security isn't an issue. I only need it to direct you to the index if you have signed up and to the register page if you haven't. I still can't get the page to redirect to the sign-up page if the login and password are incorrect.

If it's correct, it takes you to the index; however, if wrong, it presents the PHP page this script is on.

This is my current attempt:

function SignIn()
{
session_start();
if(!empty($_POST['userName']))
{
  $query = mysql_query("SELECT *  FROM users where userName = '{$_POST['userName']}' AND createPassword = '{$_POST['createPassword']}'") or die(mysql_error());
  $row = mysql_fetch_array($query) or die(mysql_error());

  if(!empty($row['userName']) AND !empty($row['createPassword']))
  {
    $_SESSION['userName'] = $row['createPassword'];
    header("Location:http://localhost/waves/index.php");
  }
  else if (!empty($row['userName']) AND !empty($row['createPassword']))
  {
    $_SESSION['userName'] != $row['createPassword'];
    header("Location:http://localhost/waves/signUp.php");

  }
}

}
if(isset($_POST['submit']))
{
  SignIn();
}

?>
alan smith
    What exactly goes wrong? Does it never reach the else statement, or does it simply not redirect? – Max Feb 16 '16 at 13:38
  • This is very vulnerable to SQL injection; you must not use security this way. Use prepared statements to start with. – Firewizz Feb 16 '16 at 13:42
  • @alan smith. You are using the same `if` condition twice. You only require one `if` condition, and the other will be `else`, not `else if`. – Mr. Engineer Feb 16 '16 at 16:11

3 Answers

3

1) Correct your query:

"SELECT *  FROM users where userName = '{$_POST['userName']}' AND createPassword = '{$_POST['createPassword']}'"

2) Why do you need JS for redirection? You can use header for it.

header("Location:http://localhost/signUp.php");

3) Don't use mysql_*. It is deprecated and removed from PHP 7. Use mysqli_* or PDO.

4) Your query is unsafe. Read this: How can I prevent SQL injection in PHP?

Mr. Engineer
2

Don't try to redirect that with Javascript output. Instead, you need to use a PHP header() redirect. With this function, you have to ensure that no "output" has been sent to the screen; this is very important. The header redirect will not work if you echo something to the browser before it is executed.

header('Location: http://www.yoursite.com/signUp.php');
exit;
jjwdesign
2

mysql_query is deprecated and will be removed soon. It's also not safe, so use PDO instead.

That said, this is how you use array keys in a string.

$sql = "SELECT *  FROM users where userName = '{$_POST['userName']}' AND createPassword = '{$_POST['createPassword']}'";

This is still not safe though and you should use prepared statements or at the very least use mysql_real_escape_string (also deprecated).

I wrestled a bear once.
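Putting the three answers together (PDO prepared statements, a header() redirect followed by exit, and a single if/else that sends unknown users to signUp.php), here is an added example of the login handler; it is not code from the question or from any of the answers. It assumes the users table keeps the page's columns userName and createPassword, and that signUp.php stores password_hash() output in createPassword instead of the plaintext password; the database credentials are placeholders.

```php
<?php
// Added example, not the asker's code. Assumes signUp.php stores
// password_hash($password, PASSWORD_DEFAULT) in users.createPassword.
session_start(); // must run before any output, just like header()

function connect(): PDO
{
    // Placeholder DSN and credentials; replace with your own.
    $pdo = new PDO('mysql:host=localhost;dbname=waves;charset=utf8mb4', 'dbuser', 'dbpass');
    // Throw on errors instead of returning false, so failures are never silently ignored.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Use real server-side prepared statements rather than client-side emulation.
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    return $pdo;
}

function redirect(string $url): void
{
    header('Location: ' . $url);
    exit; // stop here so nothing after the redirect is executed or sent to the browser
}

function signIn(PDO $pdo, string $userName, string $password): bool
{
    // The user-supplied value is bound as a parameter, never interpolated into
    // the SQL text, so it cannot change the structure of the query.
    $stmt = $pdo->prepare('SELECT userName, createPassword FROM users WHERE userName = ? LIMIT 1');
    $stmt->execute([$userName]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() checks the password against the stored hash in constant time.
    if ($row === false || !password_verify($password, $row['createPassword'])) {
        return false;
    }

    session_regenerate_id(true);              // fresh session id after login (session fixation defence)
    $_SESSION['userName'] = $row['userName']; // store the user name, never the password
    return true;
}

if (isset($_POST['submit'], $_POST['userName'], $_POST['createPassword'])) {
    if (signIn(connect(), $_POST['userName'], $_POST['createPassword'])) {
        redirect('http://localhost/waves/index.php');
    } else {
        redirect('http://localhost/waves/signUp.php'); // unknown user or wrong password
    }
}
```

A single if/else replaces the duplicated condition from the question, and because the redirect happens in the else branch with exit afterwards, a failed login never falls through to render the login page itself.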