
I am new to PHP and I am trying to develop a simple login system: when the details are correct it echoes a success message and redirects to a secure page, and when the details are wrong it echoes an error message and reloads the login form.

I have been trying for a while now and cannot figure it out, even though I have some functionality in that it directs to the correct page.

My database in phpMyAdmin is correctly configured. Also, any help on sessions would be greatly appreciated.

PHP CODE:

<?php 

$servername = "localhost";
$username = "root";
$password = "cornwall";

$con=mysqli_connect('localhost','root','cornwall','ibill');
// This code creates a connection to the MySQL database in PHPMyAdmin named 'ibill':

$username =  $_POST['username'];
$password =  $_POST['password'];
//These are the different PHP variables that store my posted data.

$login="SELECT * FROM users WHERE username='$username' AND password='$password'";
$result=mysqli_query($con, $login);
$count=mysqli_num_rows($result);
//This is the query that will be sent to the MySQL server.

if($count==1)
{
  header('Location: http://localhost/projects/ibill_v3/html/main.html#home');
  exit();
}
//This checks the 'user_details' database for correct user registration details and if successful, directs to home page.
else {
   header('Location: http://localhost/projects/ibill_v3/html/loginform.html');
   echo "Wrong details";
  exit();
}
//If login details are incorrect

/** Error reporting */
error_reporting(E_ALL);
ini_set('display_errors', 1);
ini_set('display_startup_errors', 1);
?>

HTML CODE:

<!DOCTYPE html>
<html lang="en">

<head>
  <meta name="viewport" content="width=device-width, initial-scale=1; minimum-scale=1;">
  <meta http-equiv="X-UA-Compatible" content="IE=edge">
  <link rel="stylesheet" href="http://code.jquery.com/mobile/1.4.5/jquery.mobile-1.4.5.min.css">
  <link href="/projects/ibill_v3/css/mainstyles.css" rel="StyleSheet"/>
  <link href="/projects/ibill_v3/css/loginform.css" rel="StyleSheet"/>
  <script src="http://code.jquery.com/jquery-1.11.3.min.js"></script>
  <script src="http://code.jquery.com/mobile/1.4.5/jquery.mobile-1.4.5.min.js"></script>
  <script src="script.js"></script>
  <script type='text/javascript' src="http://ajax.aspnetcdn.com/ajax/jquery.validate/1.11.1/jquery.validate.min.js"></script>
  <script type='text/javascript'>
            $(document).on('pageinit', function(){
                $('.loginform').validate({ // initialize the plugin
                    // rules & options
                });
            });  
  </script>
</head>

<body>
<!--********************************LOGIN FORM PAGE**********************************************-->
<!--****************************************************************************************-->

<!--********************************HEADER**********************************************-->
<div data-role="page" id="loginform">
  <div data-role="header" data-id="foo1" data-position="fixed">
    <h1>Register</h1>
  </div>
<!--********************************HEADER**********************************************-->

<!--********************************MAIN**********************************************-->
  <div data-role="main" class="ui-content">
    <img class="mainlogo" src="/projects/ibill_v3/img/ibill logo.png" alt="iBill Logo" width="250" height="190">
    <h2>Sign in</h2>
    <section class="loginform">
      <form data-ajax="false" method="POST" action="loginform.php" > 
        <ul>
          <li>
            <label for="username">Username</label>
            <input type="text" name="username" id="username" class="required" minlength="5" placeholder="enter username (min-5 characters)">
          </li>
          <li>
            <label for="password">Password</label>
            <input type="password" name="password" placeholder="enter password"  minlength="6">
          </li>

          <div id="loginformbutton">
            <button class='active' type='submit' value='submit'>Sign in</button>
          </div>
            <p>Don't have an account? Sign up!</p>
          <div id="registerbutton">
            <a href="/projects/ibill_v3/html/register.html" data-role="button">Register</a>
          </div>
        </ul>
      </form>
    </section>

  </div>
<!--********************************MAIN**********************************************-->

<!--********************************FOOTER**********************************************-->
  <div data-role="footer">
    <footer class="footer">
        <p>awilliams&copy;</p>
    </footer>
  </div>
</div>
<!--********************************END OF LOGIN FORM PAGE**********************************************-->
<!--****************************************************************************************-->
</body>
</html>

Comments

  • WARNING: When using mysqli you should be using parameterized queries and bind_param to add user data to your query. DO NOT use string interpolation or concatenation to accomplish this because you have created a severe SQL injection bug. NEVER put $_POST or $_GET data directly into a query. Commented Apr 21, 2016 at 0:50
  • WARNING: Writing your own access control layer is not easy and there are many opportunities to get it severely wrong. Please, do not write your own authentication system when any modern development framework like Laravel comes with a robust authentication system built-in. At the absolute least follow recommended security best practices and never store passwords as plain-text. Commented Apr 21, 2016 at 0:50
  • @PedroLobito That tutorial has plain-text passwords and doesn't use prepared statements. It's a stellar example of what not to do. This is a solved problem in any framework. Just use whatever they provide. No need to re-invent the wheel and do it badly. Commented Apr 21, 2016 at 1:41
  • Please consider the case where: $_POST['username'] = "administrator", $_POST['password'] = "0' OR 1=1 -- " Commented Apr 21, 2016 at 11:39
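The hardening the comments above ask for, written out as an added example (this is not code from the question or from any answer). It keeps the asker's connection details and `users` table, but assumes a column named `password_hash` holding values produced by `password_hash()`; the original schema stores a plain-text `password` column, so that column name is an assumption. The comment at the top traces the comment's `0' OR 1=1 -- ` input through the original string-built query to show why it works.

```php
<?php
// Added example, not code from the question or the answers. Assumes a
// `users` table with columns `id`, `username` and `password_hash`
// (the hash column is an assumption; the original stores plain-text `password`).
declare(strict_types=1);

// Why the original query is injectable: with
//   $_POST['username'] = "administrator", $_POST['password'] = "0' OR 1=1 -- "
// the string-built query becomes
//   SELECT * FROM users WHERE username='administrator' AND password='0' OR 1=1 -- '
// The attacker's quote ends the literal early, OR 1=1 is evaluated as SQL and
// "-- " comments out the trailing quote. A prepared statement sends the SQL
// text and the values separately, so a quote inside a value cannot change
// the statement.

function connectDb(): mysqli
{
    // Throw on SQL errors instead of returning false, so a failed query can
    // never silently become mysqli_num_rows(false) and a wrong branch.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    $con = new mysqli('localhost', 'root', 'cornwall', 'ibill');
    $con->set_charset('utf8mb4');
    return $con;
}

// Registration side: store a hash, never the password itself.
function storeUser(mysqli $con, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $con->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->bind_param('ss', $username, $hash);
    $stmt->execute();
    $stmt->close();
}

// Login side: returns the user's id on success, null on failure. Only the
// username goes to SQL (bound, not interpolated); the password is checked in
// PHP against the stored hash.
function authenticate(mysqli $con, string $username, string $password): ?int
{
    $stmt = $con->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    if ($row === null) {
        // Unknown user: still pay for one hash check so response time does
        // not reveal which usernames exist.
        password_verify($password, password_hash('placeholder', PASSWORD_DEFAULT));
        return null;
    }
    if (!password_verify($password, $row['password_hash'])) {
        return null;
    }
    return (int) $row['id'];
}

// Handler in the shape of the asker's script. One generic failure message:
// do not tell the client whether the username or the password was wrong.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $username = (string) ($_POST['username'] ?? '');
    $password = (string) ($_POST['password'] ?? '');

    if (authenticate(connectDb(), $username, $password) !== null) {
        header('Location: http://localhost/projects/ibill_v3/html/main.html#home');
    } else {
        header('Location: http://localhost/projects/ibill_v3/html/loginform.html');
    }
    exit();
}
```

`$count == 1` in the original is not a defense either: an input such as `administrator' -- ` in the username field returns exactly one row without knowing the password. The prepared statement removes the whole class of problem rather than patching one input.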

3 Answers

Answer 1 (score 1)
...
else 
{
    header('Location:    http://localhost/projects/ibill_v3/html/loginform.html');
   echo "Wrong details";
   exit();
}

The above is going to redirect before your echo statement is reached, so nothing will be displayed.

Secondly, the following line:
<form data-ajax="false" method="POST" action="loginform.php" > will not send any data back to your file containing the form if you're using echo statements. It is going to redirect to the loginform.php and will stay there if you do not explicitly redirect back the page with your form.

Instead, use:
<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?> as your form's action. And then include your loginform.php somewhere before the form in your HTML.
This is going to send data back to the form's file and replaces special characters to HTML entities (for security), it also allows you to use echo's or variables to return messages to the user.

loginform.php will need to check if specific inputs are posted:

if($_SERVER['REQUEST_METHOD'] == 'POST')
{
    if($_POST['username'] && $_POST['password'])
    {
        //do work
    }
} 

Here is a basic php form tutorial to start you off: php tutorial
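The self-posting form this answer describes, as an added example (not the answer's own code). It assumes `connectDb()` and `authenticate(mysqli, string, string): ?int` are defined in an included file named `login_lib.php`; that file name is an assumption. The point of `htmlspecialchars($_SERVER['PHP_SELF'])` is that `PHP_SELF` can contain attacker-chosen path info (a request for `/loginform.php/"><script>...` lands in it verbatim), so it must be escaped before it goes into an attribute, and the same rule applies to the posted username when it is echoed back.

```php
<?php
// Added example, not the answer's code: loginform.php as one self-posting
// file. Assumes connectDb() and authenticate() come from login_lib.php
// (an assumed file name).
declare(strict_types=1);
require_once __DIR__ . '/login_lib.php';

// Escape every dynamic value that is echoed into HTML.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$error = null;
$username = '';

// Runs only when the form was submitted; a plain GET just renders the form.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $username = trim((string) ($_POST['username'] ?? ''));
    $password = (string) ($_POST['password'] ?? '');

    if ($username === '' || $password === '') {
        $error = 'Please enter a username and a password.';
    } elseif (authenticate(connectDb(), $username, $password) !== null) {
        // No output has been sent yet, so header() still works here.
        header('Location: http://localhost/projects/ibill_v3/html/main.html#home');
        exit();
    } else {
        $error = 'Wrong details';
    }
}
// Reached only on GET or on a failed POST, so $error can be shown inline
// without any redirect.
?>
<!DOCTYPE html>
<html lang="en">
<head><meta charset="utf-8"><title>Sign in</title></head>
<body>
  <h2>Sign in</h2>
  <?php if ($error !== null): ?>
    <p class="error"><?= e($error) ?></p>
  <?php endif; ?>
  <form method="POST" action="<?= e($_SERVER['PHP_SELF']) ?>" data-ajax="false">
    <label for="username">Username</label>
    <input type="text" name="username" id="username" required minlength="5"
           value="<?= e($username) ?>">
    <label for="password">Password</label>
    <input type="password" name="password" id="password" required minlength="6">
    <button type="submit">Sign in</button>
  </form>
</body>
</html>
```

A fixed `action="/projects/ibill_v3/html/loginform.php"` (or an empty `action`) avoids reading `PHP_SELF` at all; if you do use it, escape it as above.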



Answer 2 (score 0)

I think it's because you're redirecting to the same page with no POST. I didn't look through all the code; that is just my first stab at it.


Answer 3 (score 0)

This will not appear on loginform.html:

echo "Wrong details";

Use something like:

$_SESSION['errorMessage'] = "Wrong details";
header('Location: http://localhost/projects/ibill_v3/html/loginform.html');
exit();

And then on loginform.html, add this code to display the error message:

if(isset( $_SESSION['errorMessage'])) echo $_SESSION['errorMessage'];

Comments

Thanks, just tried it but to no avail. I put the last snippet of code inside the form tag in the html file and enclosed it in php tags? Is this wrong?
The last snippet should be enclosed in php tags.
Are you using PHP sessions? Be sure to include session_start(); inside PHP tags at the very beginning of both pages: the one where the session variable is being set, and the one where the session variable is being displayed.
still no joy...:( :(
Are you getting an error message or seeing anything strange? Could be that php isn't working with the loginform.html page.
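The session-based flow this answer and its comments describe, written out as an added example (not the answer's own code): the POST handler stores a read-once message and redirects, the form page prints and clears it, and the home page refuses anyone without a session. It assumes `connectDb()` and `authenticate(mysqli, string, string): ?int` from an included file named `login_lib.php` (an assumed name), and it assumes the form and home pages are served as `.php` files: a `.html` file is normally handed to the browser untouched, which is the likely reason the snippet placed in `loginform.html` showed nothing. The array form of `session_set_cookie_params()` needs PHP 7.3 or later.

```php
<?php
// Added example, not the answer's code. Assumes connectDb() and
// authenticate() from login_lib.php (an assumed file name), and that the
// form and home pages run as PHP.
declare(strict_types=1);
require_once __DIR__ . '/login_lib.php';

// Every page starts its session the same way, before any output: the
// Set-Cookie header cannot be sent once the body has begun.
function startSession(): void
{
    session_set_cookie_params([
        'httponly' => true,                                   // no document.cookie access
        'samesite' => 'Lax',                                  // not sent on cross-site POSTs
        'secure'   => ($_SERVER['HTTPS'] ?? 'off') !== 'off', // HTTPS only when available
    ]);
    session_start();
}

// Read-once ("flash") message: returned and cleared in one step so it is not
// shown again on the next page load.
function takeFlash(string $key): ?string
{
    $msg = $_SESSION[$key] ?? null;
    unset($_SESSION[$key]);
    return $msg === null ? null : (string) $msg;
}

// Gate for protected pages: redirect anyone who is not logged in.
function requireLogin(string $loginUrl): int
{
    if (!isset($_SESSION['user_id'])) {
        header('Location: ' . $loginUrl);
        exit();
    }
    return (int) $_SESSION['user_id'];
}

// ---- login.php (the form's action) calls this ----
function handleLogin(): void
{
    startSession();
    $username = (string) ($_POST['username'] ?? '');
    $password = (string) ($_POST['password'] ?? '');
    $userId = authenticate(connectDb(), $username, $password);

    if ($userId === null) {
        $_SESSION['errorMessage'] = 'Wrong details';
        header('Location: /projects/ibill_v3/html/loginform.php');
        exit();  // anything echoed after a Location header is never shown
    }
    session_regenerate_id(true);  // new id on login: defeats session fixation
    $_SESSION['user_id'] = $userId;
    header('Location: /projects/ibill_v3/html/main.php#home');
    exit();
}

// ---- loginform.php calls this at the very top, before any HTML ----
function renderLoginError(): void
{
    startSession();
    $error = takeFlash('errorMessage');
    if ($error !== null) {
        echo '<p class="error">' . htmlspecialchars($error, ENT_QUOTES, 'UTF-8') . '</p>';
    }
}

// ---- main.php calls this at the very top ----
function renderHomeHeader(): void
{
    startSession();
    $userId = requireLogin('/projects/ibill_v3/html/loginform.php');
    echo '<p>Signed in as user #' . $userId . '</p>';
}
```

Each of the three pages includes this file and calls its own function as the first thing it does; the form page also needs `action="login.php"` (an assumed path) instead of the original `loginform.php`. Without the `requireLogin()` check, `main.html` is reachable by typing its URL regardless of whether the login succeeded.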