-2

I have a PHP login form but it's not working, what's wrong with my code? It used to work perfectly fine, maybe I changed something but didn't notice it.

```php
<?php
include 'functions.php';

if( !isset( $_SESSION ) )
{
    session_start();
}
if( isset( $_SESSION['ingelogd'] ) )
{
    redirect('index.php');
}

$msg='';
Database details
$conn = new mysqli( $dbhost, $dbuser, $dbpass, $dbname );
if ( $conn->connect_error ) die("Connection failed");

if( isset( $_POST['submit'] ) ) {

    $uname = $_POST['username'];
    $wwoord = $_POST['password'];
    $query = "SELECT * FROM `Klanten` WHERE `klant_username`='$uname' and `klant_wachtwoord`='$wwoord' limit 1";
    $result = $conn->query( $query );

    if( $result->num_rows==1 )
    {
        $_SESSION['ingelogd'] = true;
        $_SESSION['username'] = $result['klant_username'];
        redirect('index.php');
    }
    else
    {
        redirect('/?p=i');
    }
}
?>
```
lucafj2j282j
  • 1
    Not working means what? – Mihai May 25 '16 at 19:21
  • The login form doesn't login – lucafj2j282j May 25 '16 at 19:22
  • 2
    [Little Bobby](http://bobby-tables.com/) says [your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard May 25 '16 at 19:23
  • 3
    **Never store plain text passwords!** Please use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). Make sure that you [don't escape passwords](http://stackoverflow.com/q/36628418/1011527) or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard May 25 '16 at 19:23
  • So where is the code failing? Are the $_POST vars set correctly? Does your database query return what you think it does? Are your $_SESSION vars what you think they are? There are SO many places this could fail.... you need to help us help you – WillardSolutions May 25 '16 at 19:24
  • @JayBlanchard good to see you again, I recognize you from my last post. But I know that I need to hash my passwords. I should and am going to do it. But what is it that causes it to not login? – lucafj2j282j May 25 '16 at 19:25
  • First step, you need to tell us what the login form is returning...and what you're expecting. – frosty May 25 '16 at 19:25
  • It's not returning anything, it doesn't perform any action. – lucafj2j282j May 25 '16 at 19:27
  • `var_dump`, echos - html source, error checking are all your friends today, as would posting your html form too. – Funk Forty Niner May 25 '16 at 19:27
  • Have you checked your error logs? You're making an assumption the query is working. Add error checking, such as `or die(mysqli_error($conn))` to your queries. – Jay Blanchard May 25 '16 at 19:27
  • Echo the variable `$query`. See what its content is. – SD433 May 25 '16 at 19:28
  • I feel like `Database details` just hanging out in the middle should be causing a syntax error... right? Do you have `display_errors` on? – HPierce May 25 '16 at 19:43

1 Answer

0

You need to `session_start()` always, to start a new one or resume the existing one (http://php.net/manual/en/function.session-start.php):

Replace:

```php
if( !isset( $_SESSION ) ) {
    session_start();
}
```

With:

```php
session_start();
```
Felippe Duarte
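
The prepared-statement and password-hashing advice from the comments under the question, as an added example that is not code from the question or the answer. It uses PDO with an in-memory SQLite database as a stand-in so it runs without a MySQL server (mysqli's `prepare()` and `bind_param()` follow the same pattern); the table is a cut-down, constructed version of `Klanten`, and the account and function names are assumptions.

```php
<?php
// Added example: constructed schema and sample account, not the asker's database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE Klanten (
    klant_username   TEXT PRIMARY KEY,
    klant_wachtwoord TEXT NOT NULL
)');

// Registration side: store only the password_hash() output, never the password itself.
// The password is passed to password_hash() unmodified (no escaping or trimming).
function register(PDO $db, string $uname, string $password): void
{
    $stmt = $db->prepare(
        'INSERT INTO Klanten (klant_username, klant_wachtwoord) VALUES (?, ?)'
    );
    $stmt->execute([$uname, password_hash($password, PASSWORD_DEFAULT)]);
}

// Login side: select the row by username only, using a bound parameter,
// then compare the submitted password against the stored hash in PHP.
// Returns the stored username on success and null on any failure.
function check_login(PDO $db, string $uname, string $password): ?string
{
    $stmt = $db->prepare(
        'SELECT klant_username, klant_wachtwoord FROM Klanten WHERE klant_username = ? LIMIT 1'
    );
    $stmt->execute([$uname]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);   // false when no such user

    if ($row === false || !password_verify($password, $row['klant_wachtwoord'])) {
        return null;
    }
    return $row['klant_username'];
}

// Constructed sample account. The apostrophe is bound as data, so it cannot
// change the structure of the SQL statement.
register($db, "o'brien", 'correct horse battery staple');

var_dump(check_login($db, "o'brien", 'correct horse battery staple'));
var_dump(check_login($db, "o'brien", 'wrong password'));
var_dump(check_login($db, 'nobody', 'anything'));

// In the login page itself: call session_start() unconditionally, and when
// check_login() returns a username, call session_regenerate_id(true) before
// setting $_SESSION['ingelogd'] and $_SESSION['username'].
```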