-1

here is the login for login.php:

<?php
     session_start();
     $username = $_POST['username'];
     $password = $_POST['password'];  
     include 'includes/connect.php';

     $username = mysqli_real_escape_string( $con, $username );
     $query = "SELECT password, salt FROM member WHERE username = '$username';";

     $result = mysqli_query( $con, $query );

    if ( mysqli_num_rows( $result ) == 0 ) { // User not found. So, redirect to login_form again.
       header('Location: login.html');
    }

    $userData = mysqli_fetch_array($result, MYSQL_ASSOC);
    $hash = hash('sha256', $userData['salt'] . hash('sha256', $password) );

    if ( $hash != $userData['password'] ) {
       header('Location: login.html');
    } else { // Redirect to home page after successful login.
       $_SESSION['username'] = $userData['username'];
       header('Location: stats.php');
    }
?>

and here is the script for stats.php

<?php 
   session_start();
   if ( !isset( $_SESSION['username'] ) ) {
       header("Location:register.html");
   }
?>

I'm trying to make this page only accessible if your logged in however anyone can access stats.php.

Tepken Vannkorn
  • 9,648
  • 14
  • 61
  • 86
Rodrigo Lessa
  • 69
  • 3
  • 11
  • try dumping $_SESSION with `print_r($_SESSION);` and see if the session is actually set – SoWhat Sep 12 '13 at 07:11
  • possible duplicate of [php session login issue](http://stackoverflow.com/questions/18757248/php-session-login-issue) – Bora Sep 12 '13 at 07:11
  • If you clear cookies for the site and try again does it let you in? – Scott Helme Sep 12 '13 at 07:14
  • **By building SQL statements with outside variables, you are leaving yourself wide open to SQL injection attacks.** Also, any input data with single quotes in it, like a name of "O'Malley", will blow up your SQL query. Please learn about using parametrized queries, preferably with the PDO module, to protect your web app. http://bobby-tables.com/php has examples to get you started, and [this question](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) has many examples in detail. – Andy Lester Sep 12 '13 at 22:42
  • If I enter a username of `' OR 1=1 OR username='`, then I will always get logged in. – Andy Lester Sep 12 '13 at 22:42

1 Answers1

0

In your register page, add:

<?php 
   session_start();
   if ( isset( $_SESSION['username'] ) ) {
       header("Location:stats.php");
   }
?>
Tepken Vannkorn
  • 9,648
  • 14
  • 61
  • 86