
Quick Note : This thread was closed for being a duplicate question however the links I found were to do with 'Preventing MySQL Injection Attacks', which was not the answer I was looking for. If reposting this question goes against any guidelines, I don't mind taking this post down.

I've been working on an online booking website and the project works when I run it on WAMP. I decided to get 1 month of hosting on ecowebhosting.com and I've uploaded my project/files as well as changed my 'db.php' file to match the settings of phpMyAdmin (host, username, password, etc.); however, I am not able to sign in.

This is the login page for my website: https://gyazo.com/07f6bb065971b20ba07628d2a68cf1b0 You are able to register, and the user has been registered when I checked the database on phpMyAdmin; however, I am not able to log in, as this occurs when I log in with any account: https://gyazo.com/312725f461d4790a99b1b47e97a97066

I thought it was something to do with the 'dashboard.php' file, so I removed the 'include("auth_session.php")' to see if anything was wrong with the file, but it worked as normal. Here is a copy of the code for 'login.php':

<!DOCTYPE html>
<html lang="en">

<head>
    <meta charset="utf-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">

    <title>Modern Haircut Designs</title>

    <!-- Bootstrap css style sheet -->
    <link href="bootstrap/css/bootstrap.min.css" rel="stylesheet">
    <!-- For the separate stuff -->
    <link href="coursework_style.css" rel="stylesheet">
    <!-- Make sure to add this to the coursework style sheet so less files -->
    <link href="login_style.css" rel="stylesheet">
    <!-- To enable the javascript shenanigans -->
    <script src="//cdnjs.cloudflare.com/ajax/libs/jquery/3.2.1/jquery.min.js"></script>
    <script src="bootstrap/js/bootstrap.min.js"></script>

</head>

<body>

    <?php
        require('db.php');
        session_start();
        if (isset($_POST['username'])) {
            $username = stripslashes($_REQUEST['username']);
            $username = mysqli_real_escape_string($con, $username);
            $password = stripslashes($_REQUEST['password']);
            $password = mysqli_real_escape_string($con, $password);
            $query    = "SELECT * FROM `users` WHERE username='$username'
                        AND password='$password'";
            $result = mysqli_query($con, $query) or die(mysql_error());
            $rows = mysqli_num_rows($result);
            if ($rows == 1) {
                $_SESSION['username'] = $username;
                header("Location: dashboard.php");
                exit; // stop here so nothing after the redirect header is rendered
            } else {
                //Might be necessary to create an error page so the user knows?
                header("Location: login.php");
                exit;
            }
        } else{
    ?>

    <nav class="navbar navbar-fixed-top navbar-inverse">
        <div class="container">
            <div class="navbar-header">
                <button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#navbar-collapse">
                    <span class="sr-only">Toggle navigation</span>
                    <span class="icon-bar"></span>
                    <span class="icon-bar"></span>
                    <span class="icon-bar"></span>
                </button>
                <a class="navbar-brand" href="/index.php">Modern Haircut Designs</a>
            </div>

            <div class="collapse navbar-collapse" id="navbar-collapse">
                <ul class="nav navbar-nav navbar-right">
                    <li class="actif"><a href="/index.php">Home</a></li>
                    <li><a href="/index.php#services">Services</a></li>
                    <li><a href="/index.php#team">Our Team</a></li>
                    <li><a href="/index.php#reviews">Reviews</a></li>
                    <li><a href="/index.php#contact-us">Contact</a></li>
                    <li><a href="/login.php">Login</a></li>
                </ul>
            </div>
        </div>
    </nav>

    <section class="login-cover">
        <div class="wrapper fadeInDown">
            <div id="formContent">
                <div class="fadeIn first">
                    <img src="img/login_icon.jpg" id="icon" alt="MHC Logo" />
                </div>
                <form method="post" name="login">
                    <input type="text" id="login" class="fadeIn second" name="username" placeholder="Username" required>
                    <input type="password" id="password" class="fadeIn third" name="password" placeholder="Password" style="background-color: #f6f6f6;border: none;color: #0d0d0d;padding: 15px 32px;text-align: center;text-decoration: none;display: inline-block;font-size: 16px;margin: 5px;width: 85%;border: 2px solid #f6f6f6;transition: all 0.5s ease-in-out;border-radius: 5px 5px 5px 5px;" required>
                    <input type="submit" class="fadeIn fourth" value="Login" name="submit">
                </form>
                <div class="formFooter">
                    <a class="underlineHover" href="register.php" id="register">Register Here</a>
                    <a class="underlineHover" href="#" id="forgot_password">Forgot Password?</a>
                </div>
            </div>
        </div>
    </section>

    <?php
    }
    ?>

    <footer style="bottom: 0; width: 100%;">
        crafted with &hearts; in Bangladesh by ###
    </footer>

    <script src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.3/jquery.min.js"></script>
    <script src="bootstrap/js/bootstrap.min.js"></script>
</body>

</html>

As requested, here's a markup for the 'dashboard.php' file:

<?php
    //Reminder to include this for the booking part
    include("auth_session.php");
?>

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="utf-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">

    <title>Modern Haircut Designs</title>

    <!-- Bootstrap Stuff -->
    <link href="bootstrap/css/bootstrap.min.css" rel="stylesheet">
    <!-- Coursework style that's separate -->
    <link href="coursework_style.css" rel="stylesheet">

</head>
<body>

    <nav class="#">
        <div class="container">
            <div class="#">
                <button type="button" class="#">
                    <span class="sr-only">Toggle navigation</span>
                    <span class="icon-bar"></span>
                    <span class="icon-bar"></span>
                    <span class="icon-bar"></span>
                </button>
                <a class="#" href="#top">Modern Haircut Designs</a>
            </div>

            <div class="#" id="#">
                <ul class="#">
                    <li class="actif"><a href="#top">Home</a></li>
                    <li><a href="#services">Services</a></li>
                    <li><a href="#team">Our Team</a></li>
                    <?php 
                    if($_SESSION['username'] == 'admin'){
                        ?><li><a href="/bookings.php">Manage Appointments</a></li><?php
                    }else{
                        ?><li><a href="/user-bookings.php">View Appointments</a></li>
                        <li><a href="/calendar.php">Book Appointment</a></li>
                    <?php
                    }
                    ?>
                    <li><a href="/logout.php">Logout</a></li>
                </ul>
            </div>
        </div>
    </nav>

    <div class="cover" id="top">
        <div class="cover-text">
            <h1>Hey, <?php echo $_SESSION['username']; ?>!</h1>
            <p class="lead">Book an appointment now by clicking the button below</p>
            <a href="calendar.php" role="button" class="btn btn-danger btn-lg">Get started!</a>
        </div>
    </div>

    <section id="services">
        <h2>Here is a list of the services we provide</h2>
        <div class="container">
            <div class="row">
                #Text about the different types of haircuts
    </section>

    <section id="team">
        <div class="container">
           #Pictures and quotes of the different team members
        </div>
    </section>

    <section id="contact-us">
        <div class="container">
           #ContactInformation here
        </div>
    </section>

    <footer>
        crafted with &hearts; in Bangladesh by ###
    </footer>

    <!-- jQuery for javascript stuff-->
    <script src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.3/jquery.min.js"></script>
    <!-- Bootstrap javascript code / might remove tho -->
    <script src="bootstrap/js/bootstrap.min.js"></script>
</body>
</html>
Ryan
  • use **prepared statements with parameters** see https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php and never store passwords as clear text use hashed values https://www.php.net/manual/de/book.password.php – nbk Apr 08 '20 at 20:37
  • Please do not apply escape string on passwords – Rotimi Apr 08 '20 at 20:42
  • I'm only saving passwords as clear text for testing purposes. I use password_hash($password, PASSWORD_DEFAULT) and the password_verify(###) feature; however, I'm keeping it as clear text for testing purposes while I write up my coursework. @Akintunde-Rotimi I'll remove the escape string from the code, thank you. Dharman I'll take note of that and I'll make sure to read up about it and hopefully implement it in my code within a couple of days! – Ryan Apr 08 '20 at 20:49
  • Are you guys also able to know why the webpage leads to the following page when I try logging in with any user details? – Ryan Apr 08 '20 at 20:50
  • Might not be related, but you're mixing MySQL APIs in the line `$result = mysqli_query($con, $query) or die(mysql_error());`. Use `mysqli_error($con)` instead. – rickdenhaan Apr 08 '20 at 21:03
  • @rickdenhaan Thanks, I'll update my code for the following! – Ryan Apr 08 '20 at 21:05
  • `header()` won't work as you expect if you've already output HTML (or anything else, for that matter, even a random space somewhere). If `$_POST['username']` is set you will (try to) redirect the user no matter what, so you might as well move that entire block of code to the top of your file. – rickdenhaan Apr 08 '20 at 21:06
  • That's fixed the problem, Thank you! – Ryan Apr 08 '20 at 22:39

1 Answer


The solution, as pointed out by @rickdenhaan, was to move the block of php code containing the 'header(###)' section to the start of the file. Another solution I found was to use javascript to open the file.

Ryan
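The accepted fix (login handling moved above any HTML output) combined with the advice from the comments (prepared statements, hashed passwords, no escaping of the password field) looks like the following. This is an added example, not the asker's code: it assumes db.php still defines `$con` as a mysqli connection, that the `password` column of `users` holds `password_hash()` output, and the function name `attempt_login` and the `login_error` session key are choices made here, not names from the project.

```php
<?php
// Added example, not the asker's original login.php. Everything that may send a
// header() runs here, before the first byte of HTML, so the redirect is not lost.
// Assumption: db.php defines $con (mysqli); users.password stores password_hash() output.
declare(strict_types=1);

require 'db.php';
session_start();

/**
 * Check a username/password pair against the users table.
 * Returns true only when the user exists and the password matches the stored hash.
 */
function attempt_login(mysqli $con, string $username, string $password): bool
{
    // Prepared statement: the username is a bound parameter, never concatenated
    // into the SQL string, so neither field needs (or should get) escaping.
    $stmt = $con->prepare('SELECT password FROM `users` WHERE username = ? LIMIT 1');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($storedHash);
    $found = $stmt->fetch();
    $stmt->close();

    // password_verify() reads the salt and algorithm out of the stored hash and
    // compares in constant time; the clear-text password is never stored or queried.
    return $found === true
        && is_string($storedHash)
        && password_verify($password, $storedHash);
}

if (isset($_POST['username'], $_POST['password'])) {
    $username = (string) $_POST['username'];
    $password = (string) $_POST['password'];

    if (attempt_login($con, $username, $password)) {
        // Issue a fresh session id on login so a pre-login id cannot be reused.
        session_regenerate_id(true);
        $_SESSION['username'] = $username;
        header('Location: dashboard.php');
    } else {
        // Same response for unknown user and wrong password; the form can show this.
        $_SESSION['login_error'] = 'Invalid username or password.';
        header('Location: login.php');
    }
    // Without exit the rest of the file would still be rendered and sent.
    exit;
}
?>
<!DOCTYPE html>
<!-- the HTML <head>, navbar and login form from the question follow here, unchanged -->
```

The same rule applies to auth_session.php: if it redirects an unauthenticated visitor with `header('Location: login.php')`, that line must run before dashboard.php outputs anything and must be followed by `exit`, otherwise the protected page body is still sent to the browser.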