-3

I'm working on a PHP login based on a MySQL table. It's all working fine within Chrome, however in both Firefox and Edge, when I type a username and password I am just brought back to the login page (with correct OR incorrect credentials).

Here is my PHP code:

<?php
session_start();

// $con is assumed to be an existing PDO connection created elsewhere (not shown in the post).
if (isset($_POST['login'])) {

    $uname = $_POST['uname'];
    $pass  = $_POST['pass'];
    // Prepared statement: the username is bound as a parameter, not concatenated into the SQL.
    $sel_user = $con->prepare("SELECT id, username, pass, gid FROM employees WHERE gid!=4 AND username=?");
    $sel_user->execute([$uname]);
    $check_user = $sel_user->fetch();
    // fetch() returns false when no row matches; test for that instead of calling count() on it.
    if ($check_user !== false && password_verify($pass, $check_user['pass'])) {
        $_SESSION['username'] = $check_user['username'];

        header("Location: xadmin.php");
        exit;
    } else {
        echo "<script>alert('Email or password is not correct')</script>";
    }
}
?>

Here is the HTML form:

<form action="login.php" method="post">
    <table width="100%" border="0">
        <tbody>
            <tr>
                <td bgcolor="#3B3B3B" height="35" class="BodyTxtB" align="center">Administrator Login</td>
            </tr>
            <tr height="20"><td></td></tr>
            <tr>
                <td class="BodyTxtB" align="center">Username</td>
            </tr>
            <tr>
                <td class="BodyTxtB" align="center"><input type="text" class="BodyTxtBC" name="uname" required="required"/></td>
            </tr>
            <tr height="20"><td></td></tr>
            <tr>
                <td class="BodyTxtB" align="center">Password</td>
            </tr>
            <tr>
                <td class="BodyTxtB" align="center"><input type="password" class="BodyTxtBC" name="pass" required="required"/></td>
            </tr>
            <tr height="20"><td></td></tr>
            <tr height="35"><td align="center"><input type="image" src="images/btn_login.jpg" name="login" value="Login"/></td></tr>
            <tr height="20"><td></td></tr>
        </tbody>
    </table>
</form>

Here is the validation from xadmin.php:

<?php
session_start();

if (!isset($_SESSION['username'])) {
    header("Location: login.php?e=access_denied");
    exit();
}
?>

Does anyone know what could be causing the issue?

UPDATE: Although not relevant to the original issue or provided answers, I have updated this post to fix the issues of MySQL injection and password encryption.

  • 5
    Stop storing passwords in plain text! – John Conde Sep 30 '16 at 15:12
  • I am still in testing and not worried about plain text password. Please stay on topic in regards to the question – craisondigital Sep 30 '16 at 15:14
  • 3
    `session_start()` missing `;` for it. Voted to close as a typo. – Funk Forty Niner Sep 30 '16 at 15:15
  • 3
    @craisondigital Let's be honest, you were never going to go back and add it. You just didn't consider security enough when building this. Security is baked in from the beginning. It isn't here and probably was never going to be. – John Conde Sep 30 '16 at 15:16
  • @Fred -ii- the typo has been fixed. That is not what is causing the problem – craisondigital Sep 30 '16 at 15:19
  • @JohnConde you are 100% wrong. I am not here to argue with you. – craisondigital Sep 30 '16 at 15:19
  • Could you please add the authentication validation code in xadmin.php? – Melanef Sep 30 '16 at 15:19
  • 2
    Holy mother of ignorance. – Phiter Sep 30 '16 at 15:20
  • Check for errors then, you're not doing that. You also need to `exit;` on header. Plus, `` does not count as a POST array; use an `` and submit type. Edit: @CD001 which is what he/she wrote below. – Funk Forty Niner Sep 30 '16 at 15:20
  • Do FF/Edge pass through the `name` with `` - I'm pretty sure it just passes through some x/y co-ordinates... – CD001 Sep 30 '16 at 15:20
  • @Melanef I added the validation from xadmin.php – craisondigital Sep 30 '16 at 15:22
  • If you'd do any proper code indentation, you would have noticed a parse error. http://php.net/manual/en/function.error-reporting.php in turn, choking your script entirely. You've a misplaced brace. – Funk Forty Niner Sep 30 '16 at 15:24
  • Start it step by step: type a simple input and a simple validation page, then add anything else – Mo Shal Sep 30 '16 at 15:24
  • @CD001 you are correct!! And also changing type to "submit" has solved the issue. So is there a way to make the submit button an image? In any case, if you put this as an answer, I will mark it complete. Thank you so much!! – craisondigital Sep 30 '16 at 15:25
  • [which is what I wrote before that...](http://stackoverflow.com/questions/39794742/why-does-my-php-login-script-work-in-chrome-but-not-in-firefox-or-edge?noredirect=1#comment66882601_39794742) not retracting my vote to close. – Funk Forty Niner Sep 30 '16 at 15:26
  • @craisondigital change an input submit's appearance using CSS – Melanef Sep 30 '16 at 15:26
  • Sorry, @Fred -ii- I am bad at copying the code to stack overflow. It is indented correctly in my page. Changing the input type to "submit" has solved the issue. – craisondigital Sep 30 '16 at 15:27
  • which is what I first said. Anyway... he said, she said doesn't matter to me for an answer, it's just to set the record straight ;-) – Funk Forty Niner Sep 30 '16 at 15:28
  • @Fred-ii- what did you mean "you also need to exit; on header." Should it look like this? "header("Location: xadmin.php" ) exit;"? – craisondigital Sep 30 '16 at 15:34
  • **Never store plain text passwords!** Please use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). Make sure you ***[don't escape passwords](http://stackoverflow.com/q/36628418/1011527)*** or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Sep 30 '16 at 15:40
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! [Don't believe it?](http://stackoverflow.com/q/38297105/1011527) – Jay Blanchard Sep 30 '16 at 15:40
  • 1
    Thank you @Jay Blanchard I look forward to reading the docs you provided. – craisondigital Sep 30 '16 at 16:05

1 Answer

3

Firefox/Edge don't pass through the name of <input type="image" ... />

If you do a print_r($_POST) and submit the form with Firefox you'll get:

Array
(
    [login_x] => 0
    [login_y] => 0
)

Do the same thing with Chrome, however:

Array
(
    [login_x] => 8
    [login_y] => 8
    [login] => Login
)

... and there you have it.

You could pass through login as a hidden form field:

<input type="image" src="images/btn_login.jpg" />
<input type="hidden" name="login" value="Login" />
CD001
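The following is an added example, not code from the question or from CD001's answer: it reproduces the two POST shapes shown in the answer and runs a login handler that accepts either one. It assumes an in-memory SQLite table as a stand-in for the poster's MySQL `employees` table; the user, password and POST arrays are constructed for the demonstration.

```php
<?php
// Added example (not code from the question or the answer): simulates the two
// POST shapes the answer shows and runs a login handler that copes with both.
// The in-memory SQLite table is an assumed stand-in for the poster's MySQL
// "employees" table; the sample user and password are constructed here.

// Constructed POST arrays, shaped like the answer's print_r($_POST) output.
$postFirefox = ['uname' => 'alice', 'pass' => 'correct horse', 'login_x' => '0', 'login_y' => '0'];
$postChrome  = ['uname' => 'alice', 'pass' => 'correct horse', 'login_x' => '8', 'login_y' => '8', 'login' => 'Login'];

// An <input type="image" name="login"> arrives as "login" in Chrome but only as
// "login_x"/"login_y" in Firefox and Edge, so accept either form of the field.
function loginSubmitted(array $post): bool
{
    return isset($post['login']) || isset($post['login_x']);
}

// Prepared statement plus password_verify(); returns the username on success,
// null otherwise. fetch() returns false on no match, so test for that rather
// than calling count() on it.
function authenticate(PDO $con, string $uname, string $pass): ?string
{
    $stmt = $con->prepare('SELECT username, pass FROM employees WHERE gid != 4 AND username = ?');
    $stmt->execute([$uname]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($pass, $row['pass'])) {
        return null;
    }
    // In the real handler, call session_regenerate_id(true) here, before
    // storing the username, so a pre-login session id cannot be reused.
    return $row['username'];
}

$con = new PDO('sqlite::memory:');
$con->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$con->exec('CREATE TABLE employees (id INTEGER PRIMARY KEY, username TEXT, pass TEXT, gid INTEGER)');
$ins = $con->prepare('INSERT INTO employees (username, pass, gid) VALUES (?, ?, ?)');
$ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT), 1]);

foreach (['Firefox' => $postFirefox, 'Chrome' => $postChrome] as $browser => $post) {
    if (!loginSubmitted($post)) {   // the original isset($_POST['login']) test fails here for Firefox
        echo "$browser: submit not recognised\n";
        continue;
    }
    $user = authenticate($con, $post['uname'], $post['pass']);
    echo "$browser: " . ($user === null ? 'login failed' : "logged in as $user") . "\n";
}
```

Swapping `loginSubmitted($post)` for the original `isset($post['login'])` makes the Firefox array fall into the "submit not recognised" branch, which is the redirect-to-login behaviour the question describes.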