0

My page was working properly when it had a single page . Once I added the redirect to another page it seems the remember me checkbox no longer works. I am not sure if the exit command is affecting it once I remove the else and exit on both then it remembers. I am trying to make an admin user profile. Admin = 1 user = 0

I tried removing the exit; and the redirects.

But I really want to keep them 

<!DOCTYPE html>

  <head>
<!-- Bootstrap core CSS -->
    <link href="bootstrap.min.css" rel="stylesheet">
  </head>

<style>
.alert {
    text-align: center;
    padding: 12px;
    background-color: #f44336; /* Red */
    color: white;
    margin-bottom: 10px;  
}
</style>


<?php
session_start(); // Starting Session
$error=''; // Variable To Store Error Message

if (isset($_POST['submit'])) {
if (empty($_POST['username']) || empty($_POST['password'])) {
$error = "Username or Password is invalid";
}
else
{

// Define $username and $password
$username=$_POST['username'];
$password=$_POST['password'];

// Establishing Connection with Server by passing server_name, user_id and password as a parameter

$connection = mysql_connect("localhost", "root", "password");

// To protect MySQL injection for Security purpose

$username = stripslashes($username);
$password = stripslashes($password);
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);

// Selecting Database
$db = mysql_select_db("kike", $connection);
// SQL query to fetch information of registerd users and finds user match.

$query = mysql_query("select * from login where password='$password' AND username='$username'", $connection);
$rows = mysql_num_rows($query);

if ($rows == 1) {


$query = mysql_query("select * from login where password='$password' AND username='$username' AND admin = 1", $connection);
$master = mysql_num_rows($query);


     $_SESSION['login_user']=$username; // Initializing Session

        if($master == 1) { // some way of identifying an admin
            // admin

            header("location: wood/profile.php"); // Redirecting To Other Page
            exit;
        } else {
            // user
            header("location: user/profile.php");
            exit;
        }

$_SESSION["id"]= $user["id"];

            if(!empty($_POST["remember"])) {
                setcookie ("username",$_POST["username"],time()+ (10 * 365 * 24 * 60 * 60));
                setcookie ("password",$_POST["password"],time()+ (10 * 365 * 24 * 60 * 60));
            } else {
                if(isset($_COOKIE["username"])) {
                    setcookie ("username","");
                }
                if(isset($_COOKIE["password"])) {
                    setcookie ("password","");
                }
            }
                  } 

else {
$error = "Username or Password is invalid";

echo ' <div class="fixed-top">

<div class="alert alert-primary"  role="alert">
  Invalid username or password
</div> </div>' ;

}

mysql_close($connection); // Closing Connection
}
}
?>

</html>
Alfred Albizures
  • 1
  • 1
  • 2
    Please note that the `mysql_*` functions have been deprecated since v5.5 (Jun 2013) and removed since v7.0 (Dec 2015). Instead use [**mysqli**](https://secure.php.net/manual/en/book.mysqli.php) or [**PDO**](https://secure.php.net/manual/en/book.pdo.php). – Alex Howansky Feb 15 '19 at 19:56
  • 2
    Don't rely on the `real_escape_string()` functions to prevent SQL injection, [they alone are not sufficient](https://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string). You should use prepared statements with bound parameters, via either [**mysqli**](https://secure.php.net/manual/en/mysqli.prepare.php) or [**PDO**](https://secure.php.net/manual/en/pdo.prepared-statements.php). [**This post**](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) has some good examples. – Alex Howansky Feb 15 '19 at 19:56
  • 2
    **Never** store plain text passwords. Instead use [`password_hash()`](http://us3.php.net/manual/en/function.password-hash.php) and [`password_verify()`](http://us3.php.net/manual/en/function.password-verify.php). – Alex Howansky Feb 15 '19 at 19:56
  • `session_start();` will not work unless you declare it at the very top of your code. It must happen before any whitespace or DOM rendering. – tshimkus Feb 15 '19 at 19:57

1 Answers1

-1

I made a login page earlier ... hope it helps you ... here it is:

<?php
session_start();
$username = strtolower(htmlspecialchars($_POST['username']));
$usernameUW = ucfirst(htmlspecialchars($_POST['username']));
$password = $_POST['password'];
$path = $_SERVER['DOCUMENT_ROOT'] . "//regs/" . $username . ".txt";
$_SESSION['signInErrors'] = array();
if(!file_exists($path)){
    $fileOpen = fopen($path, "r");
    $file = fread($fileOpen, filesize($path));
    fclose($fileOpen);
    $hash = "$" . explode("$", $file)[1] . "$" . explode("$", $file)[2] . "$" . explode("$", $file)[3];
}
$_SESSION["signInErrors"] = array();
$errors = 0;
$testErrors = 0;
if (file_exists($path)) {
    $_SESSION["signInErrors"][$testErrors] = "";
    $testErrors += 1;
} else if(password_verify($password, $hash)) {
    $_SESSION["signInErrors"][$testErrors] = "";
    $testErrors += 1;
} else {
    $_SESSION["signInErrors"][$testErrors] = "Incorrect username or password!";
    $errors += 1;
    $testErrors += 1;
}
if($errors === 0) {
    if(isset($_SESSION["previousSite"])) {
        $_location = "Location: https://" . $_SERVER["HTTP_HOST"] . "/" . $_SESSION["previousSite"];
    } else {
        $_location = "Location: https://" . $_SERVER["HTTP_HOST"];
    }
    $_SESSION['username'] = $usernameUW;
    unset($_SESSION['signInErrors']);
    header($_location);
    exit();
} else {
    header("Location: https://" . $_SERVER["HTTP_HOST"] . "/signin");
    exit();
}
?>

I would use $_SESSION[] instead.

Jaime Argila
  • 408
  • 3
  • 13