
Hello,
I have created a login page for my users, and it seems not to be working properly.

<?php
include "inc/header.php";
?>
<div class="ContentHold">
<?php
include "inc/globals.php";

if (isset($_POST['login']))
{
	$username = addslashes(strip_tags($_POST['username']));
	$password = addslashes(strip_tags($_POST['password']));
	
	if (!$username||!$password)
	{
	?>
    <div id="NotifyUI"> Please Enter a Username and Password. </div>
    <?
	}
	else
	{
		$login_1 = mysql_query("SELECT * FROM users WHERE username='$username'");
		while ($ban_row = mysql_fetch_assoc($login_1))
		$ban = $ban_row['ban'];
		if ($ban==1)
		{
		?>
        <div id="NotifyUI"> Sorry, you have been abusing functions on our server. You have been banned. </div>
        <?
		}
		else
		{
			$login = mysql_query("SELECT * FROM users WHERE username='$username'");
			if (mysql_num_rows($login)===0)
			{
			?>
			<div id="NotifyUI"> There is no Such user. </div>
			<?
			}
			else
			{
				
				while($login_row = mysql_fetch_assoc($login))
				{
					$password_db = $login_row['password'];
					$password = md5($password);
					
					if ($password !== $password_db) // compare the two md5 hashes; the original "!$password==..." negated the wrong operand
					{
					?>
                    <div id="NotifyUI"> You have entered the incorrect password for this user. </div>
					<?	
					}
					else
					{
						$active = $login_row['active'];
						$email = $login_row['email'];
						
						if ($active==0)
						{
						?>
                        <div id="NotifyUI">You have not activated your account. Please do so by checking your email [<? echo $email; ?>]</div>
                        <?
						}
						else
						{
							session_register("username");
							$_SESSION['username']=$username;

							header("location: welcome.php");

						}
					}
				}
			}
		}
	}
}
else
{
	if (isset($_SESSION['username']))
	{
		$username = $_SESSION['username'];
	?>
    <div id='NotifyUI'><p>You are already logged in. You may now go to your <a href='index.php'>profile page</a>.</p></div>
    <?
	}
	else
	{
	?>
  <div id="logincontain">
    <h1 style="margin-bottom:15px">Log into the site</h1>
    <div id="loginspec">
    <form action='login.php' method='POST'>
      <div class="logincap">
        <p><label for="username">Username</label></p>
        <p>&nbsp;</p>
        <input type="text" id="username" name="username" onclick="this.value='';" onfocus="this.select()" onblur="this.value=!this.value?'':this.value;" />
        <p>&nbsp;</p>
        <p><label for="password">Password</label> (<a href="http://synthscope.com/">Forgot?</a>)</p>
        <p>&nbsp;</p>
        <input type="password" id="password" name="password" onclick="this.value='';" onfocus="this.select()" onblur="this.value=!this.value?'':this.value;" />
      </div>
      <input type='submit' name='login' id='rightf' class='loginbtn' align='center' value='Log In' />
      </form>
    </div>
  </div>
   	<?
	}
}
?>
</div>
<?php
include "inc/footer.php";
?>

It will log you in, but then it just does nothing after the login. It's supposed to go to welcome.php, but it does not do that. Any ideas?

Thanks in advance :)

4 Contributors, 11 Replies, 12 Views, 6 Years Discussion Span. Last Post by Joshua Kidd

Try javascript redirection.
echo '<script>window.location = "http://www.google.com/";</script>';

And just a suggestion: never disclose a message saying whether it was the username or the password that was wrong. Just say "Username/password wrong". This is good for security.

Thanks


I agree with above - you need to simplify the error/exception handling. Keep it simple. Do not give a user any info on the nature of the error - just tell them that the login with those details is incorrect.

A malicious user will not be able to 'fix' data and use a brute force attack on a single field (e.g. password).

If a user is banned, do they need to be reminded? I suspect that they should receive an email notifying them of their ban. That's it. If they have messed with your system, sod 'em. "Details incorrect" should suffice.

Use a better php validation - mysql_real_escape_string() is the current standard as I understand it.

I don't quite get the inline js. I'd advise against js redirect as users without js (admittedly few), will get lost in the process. A php header() is safer.

However, this is tricky if you mix up php and html, since header() will not work once there is any output (html).

I suggest doing all your validation and verification, redirecting etc in a php script held above the doctype declaration (DTD).
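Here is login.php laid out the way the reply above describes, written as an added example rather than code from the thread: every piece of PHP (session start, validation, the database lookup, the redirect) runs before a single byte of HTML is sent, so header() still works, and all failures collapse into the one generic message the first reply recommends. It assumes inc/globals.php creates a PDO connection in $pdo (a stand-in for the mysql_* calls in the original), that the users table has the columns the original code reads (username, password, ban, active), and that the stored hashes were produced by password_hash() instead of md5(). Banned and inactive accounts get the same generic message here; if you want to keep the activation reminder, show it only after the password has verified.

```php
<?php
// Added example, not the original poster's code. Assumes inc/globals.php creates
// a PDO connection in $pdo and that users.password holds password_hash() output.
session_start();                                   // before any use of $_SESSION
require_once __DIR__ . '/inc/globals.php';

// Already logged in: go straight to the welcome page, no form needed.
if (isset($_SESSION['username'])) {
    header('Location: welcome.php');
    exit;
}

$error = null;

if (isset($_POST['login'])) {
    $username = trim((string) ($_POST['username'] ?? ''));
    $password = (string) ($_POST['password'] ?? '');

    // One message for every failure (empty field, unknown user, wrong password,
    // banned or inactive account), so the response does not reveal which it was.
    $error = 'Incorrect username or password.';

    if ($username !== '' && $password !== '') {
        // The username travels as a bound parameter, never spliced into the SQL.
        $stmt = $pdo->prepare(
            'SELECT password, ban, active FROM users WHERE username = ? LIMIT 1'
        );
        $stmt->execute([$username]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);

        $ok = $row !== false
            && password_verify($password, $row['password'])
            && (int) $row['ban'] === 0
            && (int) $row['active'] === 1;

        if ($ok) {
            session_regenerate_id(true);               // fresh id once authenticated
            $_SESSION['username'] = $username;
            header('Location: welcome.php');           // valid: nothing sent yet
            exit;                                      // never fall through to HTML
        }
    }
}

// Output starts only here, after every possible redirect has happened.
include 'inc/header.php';
?>
<div class="ContentHold">
<?php if ($error !== null): ?>
  <div id="NotifyUI"><?php echo htmlspecialchars($error, ENT_QUOTES, 'UTF-8'); ?></div>
<?php endif; ?>
  <form action="login.php" method="POST">
    <p><label for="username">Username</label>
       <input type="text" id="username" name="username" autocomplete="username" /></p>
    <p><label for="password">Password</label>
       <input type="password" id="password" name="password" autocomplete="current-password" /></p>
    <input type="submit" name="login" value="Log In" />
  </form>
</div>
<?php include 'inc/footer.php'; ?>
```

The `exit` after each `header('Location: ...')` matters as much as the ordering: without it PHP keeps running and renders the form underneath the redirect, which is exactly the "does nothing after login" symptom when the header is then discarded.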


Matthew N.
I fixed that. But still no change. Good catch.

xuqi
I tried that, but it did not work.
So I used instead:

echo "<META HTTP-EQUIV='refresh' CONTENT='1'>";

It works for me, but not anyone else. Just refreshes back to the Form.

ardav
Thanks for all the useful tips.

"However, this is tricky if you mix up php and html, since header() will not work once there is any output (html)."
When you say this, would it make sense that my header file is not updating when the user logs in?

Because when the user logs in, the header file should show a different menu than when logged out.

Thanks Guys :)


Never mind that last question about the header file :D I'm a bit tired. Did not quite understand it at first.

Sorry.


On the meta tag, in the content part you haven't given it anywhere to redirect to.
Use meta like this:

echo '<meta http-equiv="refresh" content="1;URL=mypage.php" />';

I did that, but the session is not starting. I have this:

session_register("username");
$_SESSION['username']=$username;

But I am thinking I need something else like:

session_start();

Correct?


As xuqi said, you would need that, and also on top of every page that checks if the user is logged in.
BTW: that is

session_start();

Edited by Matthew N.: It had ñ instead of n
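To show what "on top of every page that checks if the user is logged in" looks like in practice, here is a small include file written as an added example (not from the thread). The file name inc/auth.php and the function names are assumptions; the session key $_SESSION['username'] is the one the original code uses.

```php
<?php
// Added example, not from the thread: inc/auth.php. Include it as the very first
// thing in every page that needs a logged-in user (welcome.php, profile, ...) and
// before any HTML, since it may redirect with header().

function require_login(): string
{
    // The session does not exist for this request until session_start() runs;
    // without it $_SESSION is empty and every page looks logged out.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['username'])) {
        header('Location: login.php');
        exit;
    }
    return $_SESSION['username'];
}

function logout(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $_SESSION = [];
    // Also expire the session cookie so the old id is not presented again.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    header('Location: login.php');
    exit;
}

// At the top of welcome.php, before the opening <html> tag:
//   require_once __DIR__ . '/inc/auth.php';
//   $username = require_login();
```

Calling session_start() only in the login script is not enough: each request is independent, so a page that never calls it sees an empty $_SESSION even though the browser is sending the session cookie.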
