I'm struggling with the project I want to make. I need to do a multi-level login by address, so if a new user registers with their unique address, the MySQL database would update. Also, a few users (1-8 people) could register to the same address and could see the same information. I have set up the login and register forms successfully; they send the information to the database.

The thing is, the information (the HTML pages) which users will see after they register can't be static; it needs to be created with every new address registered.

I hope I stated my problem as clearly as possible.

My code:

Register.php

<?php
session_start();

// Already logged in: redirect and stop here, otherwise the rest of the
// script would still run for a logged-in visitor.
if (isset($_SESSION['usr_id'])) {
    header("Location: index.php");
    exit;
}

include_once 'Dbconnect.php';   // provides $con (mysqli connection)

//set validation error flag as false
$error = false;

//check if form is submitted
if (isset($_POST['signup'])) {
    $username  = mysqli_real_escape_string($con, $_POST['username']);
    $password  = mysqli_real_escape_string($con, $_POST['password']);
    $cpassword = mysqli_real_escape_string($con, $_POST['cpassword']);
    $city      = mysqli_real_escape_string($con, $_POST['city']);
    $street    = mysqli_real_escape_string($con, $_POST['street']);
    $number    = mysqli_real_escape_string($con, $_POST['number']);

    //name can contain only alpha characters and space
    if (!preg_match("/^[a-zA-Z ]+$/", $username)) {
        $error = true;
        $username_error = "Name must contain only alphabets and space";
    }
    if (strlen($password) < 6) {
        $error = true;
        $password_error = "Password must be minimum of 6 characters";
    }
    if ($password != $cpassword) {
        $error = true;
        $cpassword_error = "Password and Confirm Password doesn't match";
    }
    if (!$error) {
        // Query built by string concatenation with md5() hashing, as posted;
        // see the comments below for why this should be a prepared statement
        // with password_hash().
        if (mysqli_query($con, "INSERT INTO login(username,password,city,street,number) VALUES('" . $username . "', '" . md5($password) . "', '" . $city . "', '" . $street . "', '" . $number . "')")) {
            $successmsg = "Successfully Registered! <a href='login.php'>Click here to Login</a>";
        } else {
            $errormsg = "Error in registering...Please try again later!";
        }
    }
}
?>

Login.php

<?php
session_start();

// isset() already returns a boolean; comparing it against "" was a bug.
if (isset($_SESSION['usr_id'])) {
    header("Location: ../index.php");
    exit;
}
include_once 'Dbconnect.php';   // provides $con (mysqli connection)

//check if form is submitted
if (isset($_POST['login'])) {

    // The original read $_POST['email'] into $email but queried with an
    // undefined $username; the table has no email column, so the login
    // field is assumed to be named 'username' here to match the query.
    $username = mysqli_real_escape_string($con, $_POST['username']);
    $password = mysqli_real_escape_string($con, $_POST['password']);
    $result = mysqli_query($con, "SELECT * FROM login WHERE username = '" . $username . "' and password = '" . md5($password) . "'");

    if ($row = mysqli_fetch_array($result)) {
        $_SESSION['usr_id']   = $row['id'];
        $_SESSION['usr_name'] = $row['username'];   // the column is 'username', not 'name'
        header("Location: ../index1.php");
        exit;
    } else {
        $errormsg = "Incorrect Email or Password!!!";
    }
}
?>

EDITED:

<?php
// session_start() must run before any output, so it is moved to the top
// instead of being called inside the success branch.
session_start();
include "config.php";   // provides $db (PDO connection)

if (isset($_POST['username']) && isset($_POST['password'])) {

    $username = $_POST['username'];
    $password = md5($_POST['password']);   // md5() kept as posted; see the comments below

    // Prepared statement: user input never touches the SQL text.
    $stmt = $db->prepare("SELECT * FROM login WHERE username=? AND password=?");
    $stmt->bindParam(1, $username);
    $stmt->bindParam(2, $password);
    $stmt->execute();
    $row = $stmt->fetch();

    // fetch() returns false when no row matched; indexing into false
    // produced notices in the original. A matching row already satisfies
    // username and password, so no second comparison is needed.
    if ($row !== false) {
        $_SESSION['username'] = $row['username'];
        $_SESSION['id']       = $row['id'];
        $_SESSION['type']     = $row['type'];
        // The password hash is no longer copied into the session; nothing
        // needs it there and it would leak if the session store is read.
        ?>
<script>window.location='index.php'</script>
        <?php
    } else {
        ?>

<div class="alert alert-danger alert-dismissible" role="alert">
    <button type="button" class="close" data-dismiss="alert" aria-label="Close">
        <span aria-hidden="true">&times;</span></button>
    <strong>Woops! </strong>Password is incorrect
</div>
        <?php
    }
}
?>
  • ***You really shouldn't use [MD5 password hashes](http://security.stackexchange.com/questions/19906/is-md5-considered-insecure)*** and you really should use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. Make sure you [don't escape passwords](http://stackoverflow.com/q/36628418/1011527) or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Mar 14 '17 at 17:20
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! [Don't believe it?](http://stackoverflow.com/q/38297105/1011527) – Jay Blanchard Mar 14 '17 at 17:20
  • There are either too many possible answers, or good answers would be too long for this format. Please add details to narrow the answer set or to isolate an issue which can be answered in a few paragraphs. I would suggest you find a development forum (perhaps [Quora](http://www.quora.com/Computer-Programming)?) to work out generalities. Then, when/if you have specific coding issues, come back to Stack Overflow and we'll be glad to help. – Jay Blanchard Mar 14 '17 at 17:21
  • Alright, I'll check that in a bit. This project just takes too long and I want it to work, after that I will upgrade the code:) – Vygandas Lepšys Mar 14 '17 at 17:22
  • I hate when people say *"I'm not that far along..."* or *"This site will not be public..."* or *"It's only for school, so security doesn't matter..."*. If teachers and professors are not talking about security from day one, they're doing it wrong. Challenge them. They're teaching sloppy and dangerous coding practices which students will have to unlearn later. I also hate it when folks say, *"I'll add security later..."* or *"Security isn't important now..."* or *"Ignore the security risk..."*. If you don't have time to do it right the first time, when will you find the time to add it later? – Jay Blanchard Mar 14 '17 at 17:23
  • Allow users to use the [passwords / phrases](https://xkcd.com/936/) they desire. [Don't limit passwords.](http://jayblanchard.net/security_fail_passwords.html) – Jay Blanchard Mar 14 '17 at 17:23

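The comments above ask for prepared statements and `password_hash()`; the question itself asks how several users can share one address and see the same page without a new HTML file being generated per address. The following is an added example (not the asker's code and not an answer posted on this page) that puts both together: a separate `address` table with a uniqueness constraint, users linked to it by `address_id`, registration that reuses an existing address row and caps it at 8 users, login with `password_verify()`, and a per-address page rendered from the database at request time. It is assumed to run against an in-memory SQLite database so it is self-contained; the table names, the 8-user limit, and the sample users are all made up for the example. For MySQL, change the DSN and `AUTOINCREMENT` to `AUTO_INCREMENT`.

```php
<?php
// Added example, not code from the question. Assumption: in-memory SQLite via PDO
// so the file runs stand-alone; swap the DSN for "mysql:host=...;dbname=..." and
// AUTOINCREMENT for AUTO_INCREMENT to use MySQL. Hypothetical schema and sample data.
declare(strict_types=1);

const MAX_USERS_PER_ADDRESS = 8;   // the 1-8 people from the question

function connect(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // One row per physical address; the UNIQUE constraint is what lets several
    // users share the same row instead of each getting a private copy.
    $db->exec('CREATE TABLE address (
        id INTEGER PRIMARY KEY AUTOINCREMENT,
        city TEXT NOT NULL, street TEXT NOT NULL, number TEXT NOT NULL,
        UNIQUE (city, street, number))');
    $db->exec('CREATE TABLE login (
        id INTEGER PRIMARY KEY AUTOINCREMENT,
        username TEXT NOT NULL UNIQUE,
        password TEXT NOT NULL,
        address_id INTEGER NOT NULL REFERENCES address(id))');
    return $db;
}

// Find the address row or create it; everyone at the same address gets the same id.
function addressId(PDO $db, string $city, string $street, string $number): int {
    $sel = $db->prepare('SELECT id FROM address WHERE city = ? AND street = ? AND number = ?');
    $sel->execute([$city, $street, $number]);
    $id = $sel->fetchColumn();
    if ($id !== false) {
        return (int) $id;
    }
    $ins = $db->prepare('INSERT INTO address (city, street, number) VALUES (?, ?, ?)');
    $ins->execute([$city, $street, $number]);
    return (int) $db->lastInsertId();
}

function register(PDO $db, string $username, string $password,
                  string $city, string $street, string $number): int {
    if (strlen($password) < 6) {
        throw new InvalidArgumentException('Password must be at least 6 characters');
    }
    $db->beginTransaction();
    try {
        $aid = addressId($db, $city, $street, $number);
        $cnt = $db->prepare('SELECT COUNT(*) FROM login WHERE address_id = ?');
        $cnt->execute([$aid]);
        if ((int) $cnt->fetchColumn() >= MAX_USERS_PER_ADDRESS) {
            throw new RuntimeException('This address already has the maximum number of users');
        }
        // Hash the raw password: no escaping or trimming before password_hash().
        $hash = password_hash($password, PASSWORD_DEFAULT);
        $ins = $db->prepare('INSERT INTO login (username, password, address_id) VALUES (?, ?, ?)');
        $ins->execute([$username, $hash, $aid]);
        $userId = (int) $db->lastInsertId();
        $db->commit();
        return $userId;
    } catch (Throwable $e) {
        $db->rollBack();
        throw $e;
    }
}

// Returns the session payload on success, null on failure. Only the user id and
// address id belong in the session, never the password or its hash.
function login(PDO $db, string $username, string $password): ?array {
    $stmt = $db->prepare('SELECT id, password, address_id FROM login WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;   // same answer for unknown user and wrong password
    }
    return ['usr_id' => (int) $row['id'], 'address_id' => (int) $row['address_id']];
}

// The per-address page is rendered from the database on each request rather than
// written to disk as a new HTML file; everyone with the same address_id sees it.
function addressPage(PDO $db, int $addressId): string {
    $a = $db->prepare('SELECT city, street, number FROM address WHERE id = ?');
    $a->execute([$addressId]);
    $addr = $a->fetch(PDO::FETCH_ASSOC);
    $u = $db->prepare('SELECT username FROM login WHERE address_id = ? ORDER BY username');
    $u->execute([$addressId]);
    $names = $u->fetchAll(PDO::FETCH_COLUMN);
    $h = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    $items = '';
    foreach ($names as $n) {
        $items .= '<li>' . $h($n) . '</li>';
    }
    return '<h1>' . $h($addr['street']) . ' ' . $h($addr['number']) . ', '
         . $h($addr['city']) . '</h1><ul>' . $items . '</ul>';
}

// Sample run with constructed data: two users at the same address share one page.
$db = connect();
register($db, 'alice', 'correct horse', 'Vilnius', 'Gedimino pr.', '9');
register($db, 'bob', 'battery staple', 'Vilnius', 'Gedimino pr.', '9');
$session = login($db, 'alice', 'correct horse');
if ($session === null || login($db, 'alice', 'wrong password') !== null) {
    throw new RuntimeException('login check failed');
}
echo addressPage($db, $session['address_id']), "\n";
```

The points that matter for the question: the address is stored once and referenced by id, so "which information this user sees" is a lookup on `address_id` from the session, not a file per address; the password is hashed with `password_hash()` and checked with `password_verify()`, so the stored value is never compared as a string; and every query takes user input through placeholders. The `COUNT(*)` check runs inside the transaction but is not race-proof on MySQL without a row lock (`SELECT ... FOR UPDATE` on the address row), which is worth adding if concurrent registrations are expected.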