1

I hate to be confusing, but I'm not sure at this point if the problem lies within the PHP Login not working, or if the redirecting isn't working. I'll post what I have so far in both the Login.php and the target page I'm trying to redirect to.

Login.php:

<?php if(isset($_POST["Login"])){ 
if(!empty($_POST['user']) && !empty($_POST['pass'])) {
$user=$_POST['user'];
$pass=$_POST['pass'];

$con=mysql_connect('localhost','root','') or die(mysql_error());
mysql_select_db('users') or die("cannot select DB");

$query=mysql_query("SELECT * FROM userdata WHERE user='".$user."' AND pass='".$pass."'");
$numrows=mysql_num_rows($query);
if($numrows!=0)
{
while($row=mysql_fetch_assoc($query))
{
$dbusername=$row['user'];
$dbpassword=$row['pass'];
}

if($user == $dbusername && $pass == $dbpassword)
{
session_start();
$_SESSION['sess_user']=$user;

/* Redirect browser */
header("Location: ./Programs/Content/Home.php");
}
} else {
echo "Invalid username or password!";
} } else {
echo "All fields are required!"; }}?> }

Then there's just some CSS and basic HTML stuff, but here's the form itself:

<div class="login">
 <form action="" method=POST>
    <center>
    <p><input id="user" name="user" type="text" placeholder="Username"></p>
    <p><input id="pass" name="pass" type="password" placeholder="Password"></p>
    <input type="submit" value="Login">
    </center>
</form> </div>

And here's the header code for Home.php:

<?php 
session_start();
if(!isset($_SESSION["sess_user"])){
header("location:../../Login.php");
} else {
?>

then there's the page contents, and at the end there's: 

<?php } ?>
MissSylvia
  • 19
  • 2
  • is **($user == $dbusername && $pass == $dbpassword)** really true? – B001ᛦ Oct 20 '16 at 11:27
  • _Stop_ using `mysql*` right now. – Hatted Rooster Oct 20 '16 at 11:29
  • How would I check to see if it is? Sorry, I'm kind of new to PHP and MYSQL.. – MissSylvia Oct 20 '16 at 11:29
  • 1
    Some sensible code indentation would be a good idea. It helps us read the code and more importantly it will help **you debug your code** [Take a quick look at a coding standard](http://www.php-fig.org/psr/psr-2/) for your own benefit. You may be asked to amend this code in a few weeks/months and you will thank me in the end. – RiggsFolly Oct 20 '16 at 11:30
  • @MissSylvia By adding some output, like .. `echo`. – Hatted Rooster Oct 20 '16 at 11:31
  • Your script is at risk of [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) Have a look at what happened to [Little Bobby Tables](http://bobby-tables.com/) Even [if you are escaping inputs, its not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) Use [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) – RiggsFolly Oct 20 '16 at 11:31
  • 1
    You are also using PLAIN TEXT passwords. ___Bad Girl___ – RiggsFolly Oct 20 '16 at 11:32
  • forgot to add name to submit button. I have mentioned it in the answer. – Danyal Sandeelo Oct 20 '16 at 11:32
  • @RiggsFolly easy, everyone learns in time. Perhaps some pointers to a secure account system would be the best thing to do here. – Hatted Rooster Oct 20 '16 at 11:33
  • @GillBates cool, I am just pointing out all the things I can see that OP needs to look at – RiggsFolly Oct 20 '16 at 11:34
  • @RiggsFolly Plus, girl might be inappropriate here. OP could be an [an apache](https://nl.wikipedia.org/wiki/AH-64_Apache) :) – Hatted Rooster Oct 20 '16 at 11:35

2 Answers2

2

You forgot to add a name attribute to the submit button so if(isset($_POST["Login"])) will be false all the time.

change 

<input type="submit" value="Login">

to 

<input  name="Login" type="submit" value="Login">
RiggsFolly
  • 93,638
  • 21
  • 103
  • 149
Danyal Sandeelo
  • 12,196
  • 10
  • 47
  • 78
1

Your issue is that your input element doesn't have a name associated with it. as Danyal already said. But there's much more you should worry about with this code.

This is not Code Review so I'll only point out the obvious problems/errors you have. (although posting on code review certainly wouldn't hurt)

First off, get a decent IDE to code your PHP in, this will give you auto indentation, this increases readability by a ton as you'll be able to see where scope begins and ends much more easily:

<?php
if (isset($_POST["Login"])) {
    if (!empty($_POST['user']) && !empty($_POST['pass'])) {
        $user = $_POST['user'];
        $pass = $_POST['pass'];

        $con = mysql_connect('localhost', 'root', '') or die(mysql_error());
        mysql_select_db('users') or die("cannot select DB");

        $query   = mysql_query("SELECT * FROM userdata WHERE user='" . $user . "' AND pass='" . $pass . "'");
        $numrows = mysql_num_rows($query);
        if ($numrows != 0) {
            while ($row = mysql_fetch_assoc($query)) {
                $dbusername = $row['user'];
                $dbpassword = $row['pass'];
            }

            if ($user == $dbusername && $pass == $dbpassword) {
                session_start();
                $_SESSION['sess_user'] = $user;

                /* Redirect browser */
                header("Location: ./Programs/Content/Home.php");
            }
        } else {
            echo "Invalid username or password!";
        }
    } else {
        echo "All fields are required!";
    }
}
?>

Now for the problems:

  • Don't ever use mysql_* again, these functions have been deprecated for a long time and were even removed in PHP 7, instead, use MySQLi or PDO.
  • Don't blindly insert user-entered data into your query : "SELECT * FROM userdata WHERE user='".$user."' AND pass='".$pass."'". This leaves you vulnerable to SQL injection, use Prepared statements instead.

  • Don't ever save your passwords in plain-text but rather use something like password_hash and save the result of that in the database. Then when you need to check if a user correctly entered their password just use the function again on the $_POST value and check it against the value in the database.

  • You're probably also vulnerable to Session Hijacking but that's a later concern.

Community
  • 1
  • 1
Hatted Rooster
  • 35,759
  • 6
  • 62
  • 122