
signin.php:

```php
<?php
include("config.php");

if (mysqli_connect_errno())
{
   echo "MySQLi Connection was not established: " . mysqli_connect_error();
}

if(isset($_POST['login']))
{
   $username = mysqli_real_escape_string($con,$_POST['username']);
   $password = mysqli_real_escape_string($con,$_POST['password']);

   $sel_user = "SELECT * FROM user WHERE username='$username' AND password='$password'";
   $run_user = mysqli_query($con, $sel_user);

   $check_user = mysqli_num_rows($run_user);

   if($check_user = 2)
   {
      $_SESSION['username']=$username;
      echo "<script>window.open('index.php','_self')</script>";
   }
   else
   {
      echo "<script>alert('Email or password is not correct, try again')</script>";
   }
}

?>
```

index.php:

```html
<ul class="nav navbar-nav navbar-right">
     <li><a href="mypage.html">My Page</a></li>
     <li><a href="signup.php">Sign up</a></li>
     <li><a href="signin.php">Sign in</a></li>
</ul>
```

So, there are three options in my index.php: My Page, Sign up, and Sign in. I want to change Sign in to Sign out when the user logs in and display my name on the left side of the My Page option. How can I modify my code? Please don't just say "You need ~~~". Please indicate exactly where to add it as well. Thank you.

Eric
  • `if($check_user = 2)` guess what that does. Edit: It "assigns", so it will always be true and equaling two. – Funk Forty Niner Apr 29 '16 at 16:16
  • You shouldn't expect people to actually fix your code. People will only tell you what you should try to get closer to your goal. – Celoain Apr 29 '16 at 16:20
  • possible duplicate of [The 3 different equals](http://stackoverflow.com/questions/2063480/the-3-different-equals) – Funk Forty Niner Apr 29 '16 at 16:21
  • Yes, I should change that to `if($check_user > 0)` – Eric Apr 29 '16 at 16:23
  • @Fred-ii- Hardly. It's not a good question, but the point of this question is dynamic HTML rather than a bug in the sign in script. – ArtOfCode Apr 29 '16 at 16:23
  • @ArtOfCode It's one of those days again today. *sigh* – Funk Forty Niner Apr 29 '16 at 16:24
  • [Little Bobby](http://bobby-tables.com/) says [your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Apr 29 '16 at 16:42
  • **Never store plain text passwords!** Please use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). Make sure that you [don't escape passwords](http://stackoverflow.com/q/36628418/1011527) or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Apr 29 '16 at 16:43
  • Oh, thank you. Should I use sha1? – Eric Apr 29 '16 at 16:49
  • No - you should use PHP's built-in password hashing functions. BCRYPT is the current default. – Jay Blanchard Apr 29 '16 at 17:06

1 Answer

In place of

```html
<li><a href="signin.php">Sign in</a></li>
```

you need

```php
<li>
    <?php
        if(isset($_SESSION['username'])) { ?>
            <a href="signout.php">Sign out</a>
    <?php
        } else { ?>
            <a href="signin.php">Sign in</a>
    <?php
        } ?>
</li>
```

BUT

You have massive security issues there. You're storing passwords in plain text in your database, by the looks of it. You need to fix this. Now.

ArtOfCode
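
The comments and the answer above call for prepared statements and PHP's built-in password hashing. The following is an added example, not code from the question or the answer, showing signin.php written that way. It assumes `config.php` defines `$con` as in the question and that the `password` column already holds `password_hash()` output; `check_login()` is a hypothetical helper name.

```php
<?php
// Added example: hardened signin.php. Assumes config.php defines $con (a mysqli
// connection) as in the question, and that user.password holds password_hash() output.
session_start();               // must run before any output so $_SESSION works
include("config.php");

// Hypothetical helper: fetch the stored hash with a prepared statement, then verify.
function check_login(mysqli $con, string $username, string $password): bool
{
    $stmt = $con->prepare("SELECT password FROM user WHERE username = ?");
    if ($stmt === false) {
        return false;          // statement could not be prepared: treat as failed login
    }
    $stmt->bind_param("s", $username);   // value travels separately from the SQL text
    $stmt->execute();
    $stmt->bind_result($hash);
    $found = $stmt->fetch();             // true when a row exists, null when none
    $stmt->close();

    // The raw password goes to password_verify() unescaped and unmodified.
    return $found === true && password_verify($password, $hash);
}

if (isset($_POST['login'])) {
    $username = $_POST['username'] ?? '';
    $password = $_POST['password'] ?? '';

    // Reject array-valued form fields before they reach the typed helper.
    if (is_string($username) && is_string($password)
        && check_login($con, $username, $password)) {
        session_regenerate_id(true);     // fresh session id after login
        $_SESSION['username'] = $username;
        header("Location: index.php");
        exit;
    }
    echo "<script>alert('Username or password is not correct, try again')</script>";
}

// At sign-up, store the hash instead of the password:
//   $hash = password_hash($_POST['password'], PASSWORD_DEFAULT);
// In index.php, call session_start() at the top and print the name escaped:
//   echo htmlspecialchars($_SESSION['username'], ENT_QUOTES, 'UTF-8');
```

Rows that still contain plain-text passwords will fail `password_verify()`, so those accounts need a password reset or a one-time re-hash before switching over.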