This is the login page code, which accepts a username and password. But the other pages also open directly by URL. I used session_start() as well. Please help me with modifications to the code.

<?php
if (isset($_POST["submit"])) {

    if (!empty($_POST['user']) && !empty($_POST['pass'])) {
        $user = $_POST['user'];
        $pass = $_POST['pass'];

        // mysqli_connect_error() replaces the original mysql_error(), which
        // belongs to the removed ext/mysql extension and would itself fail here.
        $con = mysqli_connect('localhost', 'root', '') or die(mysqli_connect_error());
        mysqli_select_db($con, 'user_registration') or die("cannot select DB");

        $query = mysqli_query($con, "SELECT * FROM login WHERE username='" . $user . "' AND password='" . $pass . "'");
        $numrows = mysqli_num_rows($query);
        if ($numrows != 0) {
            while ($row = mysqli_fetch_assoc($query)) {
                $dbusername = $row['username'];
                $dbpassword = $row['password'];
            }

            if ($user == $dbusername && $pass == $dbpassword) {
                // Must run before any output is sent, or the session cookie is never set.
                session_start();
                $_SESSION['sess_user'] = $user;

                /* Redirect browser */
                header("Location: index.php");
                exit; // stop the script; the page below the redirect must not be rendered
            }
        } else {
            echo "Invalid username or password!";
        }

    } else {
        echo "All fields are required!";
    }
}
?>
  • **Danger**: You are **vulnerable to [SQL injection attacks](http://bobby-tables.com/)** that you need to [defend](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) yourself from. – Quentin Jun 05 '17 at 12:51
  • **Danger**: You are using [an unsuitable hashing algorithm](http://php.net/manual/en/faq.passwords.php) (i.e. none at all) and need to [take better care](https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet) of your users' passwords. – Quentin Jun 05 '17 at 12:52
  • In a nutshell, for any page that requires a user to be logged in to view it, you need to include the require-session statement in every page that you want only logged-in users to view. – jimmy8ball Jun 05 '17 at 12:53
  • Thanks for your reply. Can you suggest some better tutorial to make the login code perfect? – Yuva Kishore Jun 05 '17 at 13:09

0 Answers
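The three points raised in the comments (protect every page with a session check, stop building SQL from user input, stop storing plaintext passwords), as an added example that is not the asker's code: a `require_login()` guard for the protected pages plus a login handler using a prepared statement and `password_verify()`. It assumes the same `login` table, with the `password` column holding `password_hash()` output, and that the guard is included as the first line of `index.php`.

```php
<?php
// Added example, not the asker's code. Assumes the `password` column of
// the `login` table stores password_hash() output instead of plaintext.
declare(strict_types=1);

// Guard: `require 'auth_check.php';` as the first line of every protected page.
function require_login(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['sess_user'])) {
        header('Location: login.php'); // not logged in: bounce to the form
        exit;                          // and stop rendering the page
    }
}

// Login: the username is bound as a parameter, never concatenated into SQL.
function attempt_login(mysqli $con, string $user, string $pass): bool
{
    $stmt = $con->prepare('SELECT password FROM login WHERE username = ?');
    $stmt->bind_param('s', $user);
    $stmt->execute();
    $stmt->bind_result($hash);
    $found = $stmt->fetch();
    $stmt->close();
    // Same failure path for an unknown user and for a wrong password.
    if (!$found || !password_verify($pass, $hash)) {
        return false;
    }
    session_regenerate_id(true); // fresh session id once authenticated
    $_SESSION['sess_user'] = $user;
    return true;
}

if (isset($_POST['submit'])) {
    session_start();
    $user = $_POST['user'] ?? '';
    $pass = $_POST['pass'] ?? '';
    if ($user === '' || $pass === '') {
        echo 'All fields are required!';
    } else {
        $con = new mysqli('localhost', 'root', '', 'user_registration');
        if (attempt_login($con, $user, $pass)) {
            header('Location: index.php');
            exit;
        }
        echo 'Invalid username or password!';
    }
}
```

On the registration side, insert `password_hash($pass, PASSWORD_DEFAULT)` rather than `$pass` so that `password_verify()` has a hash to check against.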