1

Here is the thing: I've created a login form that checks if the user is an admin or a member and then redirects them to the correct page. It is working well.

The problem starts when the user enters an incorrect user and pass: the login page enters some sort of loop.

What did I do wrong?

Thank you for the help.

login.php:

<?php
session_start(); // Starting Session
$error=''; // Variable To Store Error Message
if (isset($_POST['submit'])) {
if (empty($_POST['username']) || empty($_POST['password'])) {
$error = "חלק מהנתונים שסופקו, שגויים.";
}
else
{
// Define $username and $password
$username=$_POST['username'];
$password=$_POST['password'];
// Establishing Connection with Server by passing server_name, user_id and password as a parameter
include "config.php";
// To protect MySQL injection for Security purpose
$username = stripslashes($username);
$password = stripslashes($password);
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);
// Selecting Database
$tbl_name="users";
//$db = mysql_select_db($tbl_name, $conn);
// SQL query to fetch information of registered users and find a user match.
$query = mysql_query("select * from $tbl_name where userpassword='$password' AND username='$username'", $conn);
$rows = mysql_num_rows($query);
$dbdata = mysql_fetch_array($query) or die(mysql_error());

if ($rows == 1) {
$flag = $dbdata['admin'];
if ($flag == 1) {
$_SESSION['login_user']=$username; // Initializing Session
header("location: index.php"); // Redirecting To Other Page
} elseif($flag == 0){
$_SESSION['login_user']=$username; // Initializing Session
header("location: user.php"); // Redirecting To Other Page
} else{
session_destroy();
header("location: errorlog.php");
}}
mysql_close($conn); // Closing Connection
}}
?>
<!DOCTYPE html>
<html dir="rtl" lang="he">
<head>
<title>המסלקה| כניסת סוכנים</title>
<link href="../css/adminstyle.css" rel="stylesheet" type="text/css">
<link href="login.css" rel="stylesheet" type="text/css">
</head>
<body>
<div id="main">
<h1>ברוכים הבאים</h1>
<div id="login">
<h2>מלא טופס זה על מנת להיכנס</h2>
<form action="" method="post">
<label>שם משתמש :</label>
<input id="name" name="username" placeholder="באותיות ומספרים" type="text">
<label>סיסמה :</label>
<input id="password" name="password" placeholder="**********" type="password">
<input name="submit" type="submit" value=" התחבר ">
<span><?php echo $error; ?></span>
</form>
</div>
</div>
</body>
</html>
2
  • What problem starts? We need a better description of your issue. Commented Feb 24, 2015 at 14:17
  • Run it in browser developer view (Firefox else Chrome) look at the network panel and what does the browser see/do? Commented Feb 24, 2015 at 14:20

3 Answers

1

Try using exit after header functions because after redirect without exit, script will continue with execution:

<?php
session_start(); // Starting Session
$error=''; // Variable To Store Error Message
if (isset($_POST['submit'])) {
if (empty($_POST['username']) || empty($_POST['password'])) {
$error = "חלק מהנתונים שסופקו, שגויים.";
}
else
{
// Define $username and $password
$username=$_POST['username'];
$password=$_POST['password'];
// Establishing Connection with Server by passing server_name, user_id and password as a parameter
include "config.php";
// To protect MySQL injection for Security purpose
$username = stripslashes($username);
$password = stripslashes($password);
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);
// Selecting Database
$tbl_name="users";
//$db = mysql_select_db($tbl_name, $conn);
// SQL query to fetch information of registered users and find a user match.
$query = mysql_query("select * from $tbl_name where userpassword='$password' AND username='$username'", $conn);
$rows = mysql_num_rows($query);
$dbdata = mysql_fetch_array($query) or die(mysql_error());

if ($rows == 1) {
$flag = $dbdata['admin'];
if ($flag == 1) {
$_SESSION['login_user']=$username; // Initializing Session
header("location: index.php");exit; // Redirecting To Other Page
} elseif($flag == 0){
$_SESSION['login_user']=$username; // Initializing Session
header("location: user.php");exit; // Redirecting To Other Page
} else{
session_destroy();
header("location: errorlog.php");exit;
}}
mysql_close($conn); // Closing Connection
}}
?>

Also make sure you have error reporting enabled in your script:

<?php
// Turn off error reporting
error_reporting(0);

// Report runtime errors
error_reporting(E_ERROR | E_WARNING | E_PARSE);

// Report all errors
error_reporting(E_ALL);

// Same as error_reporting(E_ALL);
ini_set("error_reporting", E_ALL);

// Report all errors except E_NOTICE
error_reporting(E_ALL & ~E_NOTICE);
?>

0

Where you have an incorrect username/password,

if ($rows == 1) {

will be false. You have caught an incorrect flag but there is no else on this if statement.

If you are expecting it to destroy the session and head to the error page, add

session_destroy();
header("location: errorlog.php");

into an else for that group. Otherwise, write to the $error variable, such as:

$error='username or password not recognised';


0

Your error check for checking if the user does not exist is wrong. The mysql_num_rows($query) returns FALSE if a user does not exist. Either add an extra else statement after your if (row == 1), or check if $rows === false and redirect accordingly.

So adding this before your if should suffice. (insert before the if(row==1))

if($rows === false){
    session_destroy();
    header("location: errorlog.php");
}
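
The points raised in the answers above (stop after `header()`, give the failed-login case its own branch) combined in one place, as an added example that is not part of the original thread or any of its answers. It assumes PDO in place of the `mysql_*` API (removed in PHP 7.0), an in-memory SQLite database with constructed users standing in for `config.php`, and a `userpassword` column that holds a `password_hash()` value rather than plaintext; `login_target()` and `handle_login()` are hypothetical names.

```php
<?php
// Added example. Assumptions: PDO replaces mysql_*, userpassword stores a
// password_hash() value, and login_target()/handle_login() are hypothetical names.

/** Returns the page to redirect to, or null when the credentials do not match. */
function login_target(PDO $db, string $username, string $password): ?string
{
    // Bound parameter: the value never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT admin, userpassword FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC); // false when there is no such user

    // Unknown user and wrong password share one branch and one message.
    if ($row === false || !password_verify($password, $row['userpassword'])) {
        return null;
    }
    return ((int) $row['admin'] === 1) ? 'index.php' : 'user.php';
}

/** Page-level flow for login.php; returns the error text to show in the form. */
function handle_login(PDO $db, array $post): string
{
    $user = (string) ($post['username'] ?? '');
    $pass = (string) ($post['password'] ?? '');
    $target = login_target($db, $user, $pass);
    if ($target === null) {
        return 'Username or password not recognised.'; // re-render the form, no redirect
    }
    session_regenerate_id(true);   // fresh session id once the user is authenticated
    $_SESSION['login_user'] = $user;
    header('Location: ' . $target);
    exit;                          // nothing after the redirect may run
}

// Constructed demo data: in-memory SQLite stands in for the connection from config.php.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, userpassword TEXT, admin INTEGER)');
$ins = $db->prepare('INSERT INTO users VALUES (?, ?, ?)');
$ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT), 1]);
$ins->execute(["o'brien", password_hash('battery staple', PASSWORD_DEFAULT), 0]);

var_dump(login_target($db, 'alice', 'correct horse'));     // admin account
var_dump(login_target($db, "o'brien", 'battery staple'));  // member, quote in the name
var_dump(login_target($db, "o'brien", 'wrong password'));  // wrong password
var_dump(login_target($db, 'nobody', 'anything'));         // unknown user
```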
