-1

I've been following this guide (http://www.tutorialspoint.com/php/php_mysql_login.htm) to build a custom PHP & MySQL Login System, but I can't get mine to work.

The login can fail, it checks against the database, it authenticates the user is true or false, but it doesn't redirect the user once it is completed. It just takes them back to the login page, and displays no HTML, PHP or CSS elements.

I've attached both the core Login.php & Session.php

Login.php:

  include("databaseconfig.php");
  session_start();

  if($_SERVER["REQUEST_METHOD"] == "POST") {
  // username and password sent from form

  $myusername = mysqli_real_escape_string($db,$_POST['username']);
  $mypassword = mysqli_real_escape_string($db,$_POST['password']);

  $sql = "SELECT * FROM pacientes WHERE nombre = '$myusername' and apellidos = '$mypassword'";
  $result = mysqli_query($db,$sql);
  $row = mysqli_fetch_array($result,MYSQLI_ASSOC);
  $active = $row['active'];

  $count = mysqli_num_rows($result);

  // If result matched $myusername and $mypassword, table row must be 1 row

  if($count == 1)
  {
    session_register("myusername");
    $_SESSION['login_user'] = $myusername;

    header("location: http://www.google.com/");
  }
      else {
         $error = "Your Login Name or Password didn't work!";
      }
  }

Session.php

   include('databaseconfig.php');
   session_start();

   $user_check = $_SESSION['login_user'];

   $ses_sql = mysqli_query($db,"SELECT nombre FROM pacientes WHERE nombre = '$user_check' ");

   $row = mysqli_fetch_array($ses_sql,MYSQLI_ASSOC);

   $login_session = $row['nombre'];

   if(!isset($_SESSION['login_user'])){
   header('location: www.google.co.uk');
   }

I'm not sure why it's not redirecting to a new page. It won't even redirect to Google. As I said;

The connection to the database works. The code does check against the database. The code does not send the user to the next page.

The purpose of this system is that users will log in, and be able to see their own profile. But I can't get the system to redirect to any page at the moment.

I appreciate your support, and hope you can help.

  • Are you sure it goes within this `if($count == 1)`? – Alok Patel Jul 06 '16 at 08:36
  • Check logs, probably you have already output information before the `header` call. Also, this is a bad tutorial, you should use prepared statements. – Bart Friederichs Jul 06 '16 at 08:36
  • It doesn't matter from what part of the world you are: using non-english variable names in php or mysql is just wrong. – Peon Jul 06 '16 at 08:36
  • **Find another tutorial** `session_register()` is no longer a valid command ___Warning This function has been DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 5.4.0.___ Also upgrade your version of PHP to something released ___this century___! – RiggsFolly Jul 06 '16 at 08:37
  • Your script is at risk of [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Have a look at what happened to [Little Bobby Tables](http://bobby-tables.com/). Even [if you are escaping inputs, it's not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) Use [prepared statement and parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) – RiggsFolly Jul 06 '16 at 08:40
  • Also don't store __plain text__ password on your database! PHP provides [`password_hash()`](http://php.net/manual/en/function.password-hash.php) and [`password_verify()`](http://php.net/manual/en/function.password-verify.php), please use them, I might want to use your site one day. And here are some [good ideas about passwords](https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet). If you are using a PHP version prior to 5.5 [there is a compatibility pack available here](https://github.com/ircmaxell/password_compat) – RiggsFolly Jul 06 '16 at 08:42
  • Some sensible code indentation would be a good idea. It helps us read the code and more importantly it will help **you debug your code**. [Take a quick look at a coding standard](http://www.php-fig.org/psr/psr-2/) for your own benefit. You may be asked to amend this code in a few weeks/months and you will thank me in the end. – RiggsFolly Jul 06 '16 at 08:44
  • Thanks for the feedback. I'll find another tutorial with some examples which are more up-to-date and secure. – Alec Weekes Jul 06 '16 at 10:00
  • Do you have any recommendations on tutorials which showcase the best practices? Lots of sites still seem to use session_register(); – Alec Weekes Jul 06 '16 at 10:06

1 Answer

0

You should write this in your login.php

  include("databaseconfig.php");
  session_start();

  if ($_SERVER["REQUEST_METHOD"] == "POST") {
      // username and password sent from form
      $myusername = mysqli_real_escape_string($db, $_POST['username']);
      $mypassword = mysqli_real_escape_string($db, $_POST['password']);

      $sql = "SELECT * FROM pacientes WHERE nombre = '$myusername' and apellidos = '$mypassword'";
      $result = mysqli_query($db, $sql);
      $row = mysqli_fetch_array($result, MYSQLI_ASSOC);
      $active = $row['active'];

      $count = mysqli_num_rows($result);

      // If result matched $myusername and $mypassword, at least one row is returned
      if ($count > 0) {
          // session_register() was removed in PHP 5.4 and stops the script with a
          // fatal error there; assigning to $_SESSION is all that is needed
          $_SESSION['login_user'] = $row['nombre'];
          header('Location: http://www.google.com/');
          exit; // end the request so nothing else is sent after the redirect header
      } else {
          echo "Your Login Name or Password didn't work!";
      }
  }

Hopefully this will solve your problem.

Jahid Mahmud
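
As an added example (not part of the answer above or of the original question), this is a login.php that applies what the comments recommend: a prepared statement, `password_verify()`, `$_SESSION` instead of `session_register()`, and a redirect sent before any output and followed by `exit`. It assumes `databaseconfig.php` defines the mysqli connection `$db`; the `password_hash` column and the `profile.php` target are hypothetical names.

```php
<?php
// Added example, not code from the original page.
// Assumptions: databaseconfig.php defines the mysqli connection $db, and the
// `pacientes` table has a hypothetical `password_hash` column that was filled
// with password_hash($password, PASSWORD_DEFAULT) at registration time.
require "databaseconfig.php";
session_start();

/** Returns the stored user name on success, null on any failure. */
function attempt_login(mysqli $db, string $username, string $password): ?string
{
    // The ? placeholder keeps user input out of the SQL text entirely.
    $stmt = $db->prepare("SELECT nombre, password_hash FROM pacientes WHERE nombre = ?");
    if ($stmt === false) {
        error_log("login: prepare failed: " . $db->error);
        return null;
    }
    $stmt->bind_param("s", $username);
    $stmt->execute();
    $stmt->bind_result($nombre, $hash);
    $found = $stmt->fetch();   // true = row fetched, null = no row, false = error
    $stmt->close();

    // Compare against the stored hash; the table never holds plain-text passwords.
    if ($found !== true || !password_verify($password, (string) $hash)) {
        return null;
    }
    return $nombre;
}

$error = "";
if ($_SERVER["REQUEST_METHOD"] === "POST") {
    $username = (string) ($_POST["username"] ?? "");
    $password = (string) ($_POST["password"] ?? "");
    $user = attempt_login($db, $username, $password);
    if ($user !== null) {
        session_regenerate_id(true);        // fresh session id after login
        $_SESSION["login_user"] = $user;    // replaces the removed session_register()
        header("Location: profile.php");    // hypothetical target; sent before any output
        exit;                               // nothing may follow the redirect header
    }
    $error = "Your Login Name or Password didn't work!";
}
// The HTML login form is rendered below this point and may display $error.
```

While debugging a redirect that never happens, check the PHP error log first: a fatal error or a "headers already sent" warning both show up there.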