
This is the code that I currently have. This is redirecting to a page that tells the user that the login information is incorrect. Upon submission of the UN/PW, would it be better for it to stay on the login page with an error script, and if so how would I do that?

<?php
session_start();
include 'dbConnection.php';

$uid = $_POST['uid'];
$pwd = $_POST['pwd'];

$sql = "SELECT * FROM userdb WHERE uid='$uid' and pwd='$pwd'";
$result = mysqli_query($conn, $sql);
if (!$row = mysqli_fetch_assoc($result)) {
    echo "Your username or password is incorrect!";
    echo "Please try again!"."<br><br>";
    echo "<button type='reset'>RESET";
    if (isset($_POST['reset'])) {
        header("Location: login.php");
        echo "</button>";
    }
} else {
    $_SESSION['id'] = $row['id'];
}
  • probably because you're outputting before header, and/or `if (isset($_POST['reset'])) {...}` is never satisfied. – Funk Forty Niner Jan 17 '17 at 19:51
  • what do you mean? – Don Collier Jan 17 '17 at 19:52
  • what does http://php.net/manual/en/function.error-reporting.php throw back? – Funk Forty Niner Jan 17 '17 at 19:52
  • http://php.net/manual/en/function.header.php - Remember that header() must be called before any actual output is sent, either by normal HTML tags, blank lines in a file, or from PHP. – deefour Jan 17 '17 at 19:53
  • I'm new to this. Not even sure what that is or how to use it – Don Collier Jan 17 '17 at 19:54
  • so, in the echos, the reset button needs to come before the other echos? – Don Collier Jan 17 '17 at 19:55
  • no, it's either echo "or" header; can't use both. You can redirect with JS or meta tag though just not with the header. – Funk Forty Niner Jan 17 '17 at 19:55
  • ok, would the button need to be in the source code to redirect after echoing that the information is incorrect? – Don Collier Jan 17 '17 at 19:56
  • **Never store plain text passwords!** Please use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). Make sure you ***[don't escape passwords](http://stackoverflow.com/q/36628418/1011527)*** or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Jan 17 '17 at 19:57
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! [Don't believe it?](http://stackoverflow.com/q/38297105/1011527) – Jay Blanchard Jan 17 '17 at 19:57
  • Why is it that when I'm not understanding what someone is saying and trying to get confirmation everyone starts on SQL injection? It's on a test server and I'm not worried about that yet. I'm still trying to learn FUNCTIONAL coding in PHP. – Don Collier Jan 17 '17 at 20:00
  • What are you trying to achieve here Don? It's hard to follow. You're going to have to edit your question to explain exactly what you want to do here. That button reset... in its place; I just don't know what the question's about. Reset buttons belong in a form with a POST method. – Funk Forty Niner Jan 17 '17 at 20:01
  • I hate when people say *"I'm not that far along..."* or *"This site will not be public..."* or *"It's only for school, so security doesn't matter..."*. If teachers and professors are not talking about security from day one, they're doing it wrong. Challenge them. They're teaching sloppy and dangerous coding practices which students will have to unlearn later. I also hate it when folks say, *"I'll add security later..."* or *"Security isn't important now..."* or *"Ignore the security risk..."*. If you don't have time to do it right the first time, when will you find the time to add it later? – Jay Blanchard Jan 17 '17 at 20:05
  • I understand that, I am simply trying to get the code to do what I want it to do. If I knew all about how PHP worked and how to secure – Don Collier Jan 17 '17 at 20:06
  • secure it from day one I would code it accordingly. I don't, and have not gotten past just trying to get it to work. – Don Collier Jan 17 '17 at 20:07

1 Answer


Here is a bump in the right direction. $db below replaces your $conn included from dbConnect.php and returns an instance of the mysqli class.

<?php

session_start();

$db = new mysqli('db_host', 'db_user', 'db_password', 'db_name');

// The two values are bound as parameters, so whatever the user posts is treated
// as data and can never change the shape of the query.
$stmt = $db->prepare('SELECT * FROM userdb WHERE uid = ? and pwd = ?');

$stmt->bind_param('ss', $_POST['uid'], $_POST['pwd']);

$stmt->execute();

// mysqli_stmt has no fetch_assoc(); go through the result set (needs mysqlnd).
// Note: this still compares the stored password in clear text; see the
// password_hash()/password_verify() comments on the question for the fix.
$row = $stmt->get_result()->fetch_assoc();

// No row means the credentials did not match: send the user back with a flag.
if (!$row) {
    header('Location: login.php?error=1');
    exit;
}

$_SESSION['id'] = $row['id'];

header('Location: account.php');
exit; // nothing may be echoed before header(), and nothing should run after it

This assumes you have 3 pages:

  • login.php - displays your form and errors. Use the error=1 querystring on login.php to conditionally display an invalid credentials error.
  • doLogin.php - the login.php page posts here. This handles the login attempt.
  • account.php - the page you redirect to with a successful login.

Let doLogin.php be responsible for one thing: performing the login.

Let login.php be responsible for one thing: presenting the user with the state of their login attempt.

deefour
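The three-page flow the answer describes, combined with the hashing and injection points raised in the comments, as an added example that is not the answer's or the original poster's code. It assumes the `userdb` table has columns `id`, `uid` and `pwd`, that `pwd` holds the output of `password_hash()` (written at sign-up), and that the database credentials below are placeholders you replace; `account.php` is assumed to exist and only needs `session_start()` plus a check of `$_SESSION['id']`.

```php
<?php
// ---- doLogin.php ----
// Added example (not from the page). Assumes: table `userdb` with columns
// `id`, `uid`, `pwd` where `pwd` is a password_hash() string, and the
// placeholder credentials below. Standard PHP 5.5+/7 API only.
declare(strict_types=1);

session_start();

$db = new mysqli('db_host', 'db_user', 'db_password', 'db_name'); // placeholders
if ($db->connect_errno) {
    error_log('DB connect failed: ' . $db->connect_error); // log, never echo
    header('Location: login.php?error=1');
    exit;
}

$uid = isset($_POST['uid']) ? (string) $_POST['uid'] : '';
$pwd = isset($_POST['pwd']) ? (string) $_POST['pwd'] : '';

// Look the user up by username only; the password never goes into SQL.
// The bound parameter stays data no matter what characters it contains.
$stmt = $db->prepare('SELECT id, pwd FROM userdb WHERE uid = ? LIMIT 1');
$stmt->bind_param('s', $uid);
$stmt->execute();
$stmt->bind_result($id, $storedHash);
$found = (bool) $stmt->fetch();
$stmt->close();

// password_verify() does a constant-time compare against the stored hash.
// The raw password is passed in: no escaping, trimming or other "cleansing".
// Verifying against a throwaway hash when the user is unknown keeps both
// branches doing the same work, so timing does not reveal valid usernames.
$dummyHash = password_hash('placeholder-not-a-real-password', PASSWORD_DEFAULT);
$ok = password_verify($pwd, $found ? $storedHash : $dummyHash) && $found;

if (!$ok) {
    // One generic message whether the username or the password was wrong.
    header('Location: login.php?error=1');
    exit;
}

// New session id on privilege change, so a pre-set (fixated) id is not kept.
session_regenerate_id(true);
$_SESSION['id'] = $id;

// Transparently upgrade hashes made with an older cost or algorithm.
if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
    $newHash = password_hash($pwd, PASSWORD_DEFAULT);
    $up = $db->prepare('UPDATE userdb SET pwd = ? WHERE id = ?');
    $up->bind_param('si', $newHash, $id);
    $up->execute();
    $up->close();
}

header('Location: account.php');
exit; // nothing echoed before header(), nothing executed after it
```

```php
<?php
// ---- login.php ----
// Shows the form and, when doLogin.php redirected with ?error=1, a fixed
// message. Only the presence of the flag is read; no query-string text is
// ever reflected into the page, so there is nothing to inject here.
session_start();
$showError = isset($_GET['error']) && $_GET['error'] === '1';
?>
<!DOCTYPE html>
<html>
<body>
<?php if ($showError): ?>
  <p>Your username or password is incorrect. Please try again.</p>
<?php endif; ?>
<form method="post" action="doLogin.php">
  <input type="text" name="uid" autocomplete="username">
  <input type="password" name="pwd" autocomplete="current-password">
  <button type="submit">Log in</button>
  <button type="reset">Reset</button>
</form>
</body>
</html>
```

At sign-up the stored value must be written with `password_hash($pwd, PASSWORD_DEFAULT)` rather than the plain password, otherwise `password_verify()` in `doLogin.php` will always fail. The reset button from the question becomes an ordinary `type="reset"` control inside the form; it clears the fields client-side and never reaches PHP, which is why the original `isset($_POST['reset'])` branch could not fire.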