1

for some reason when I click login it dose not work gives me a error, its the button click event related to the form. ive got a url. When click login you are meant to be able to login but it dose not work. im quite new to using this level of php so any help would be wonderful/

http://stuweb.cms.gre.ac.uk/~ob219/logsystem/

password is password and user beep

Code for index

<?php
session_start();

$errorMessage = '';
if (!empty($_POST['user_name']) && !empty($_POST['user_password']){
    include 'library/connect.php';

    $user_name = $_POST['user_name'];
    $user_password = $_POST['user_password'];

    $sql = "SELECT user_id FROM Login WHERE user_name = '$user_name' AND user_password = '$user_password'";

    $result = mysql_query($sql) or die('Query failed. ' . mysql_error());
    $row = mysql_fetch_array($result);

    if (mysql_num_rows($result) == 1) {
    $_SESSION['user_logged_in'] = true;
    $_SESSION['id'] = "$row[user_id]";
    header("Location: user.php");
    }
        else {
            $errorMessage = 'Sorry, wrong username / password';
            }
                include 'library/close.php';
}
?>
<html>
<head>
<title>login</title>
</head>
<body>
<?php
if ($errorMessage != '') {
?>
<p align="center"><strong><font color="998000"><?php echo $errorMessage; ?></font></strong></p>
<?php
}
?>

<p align="center"><b>Passwords and user names stored in database with personalised message</b></p>
<form name="formLogin" action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">


<table width="400" border="1" align="center" cellpadding="2" cellspacing="2">
<tr>
    <td width="150">User name</td>
    <td><input name="user_name" type="text" id="user_name"></td>
</tr>
<tr>
    <td width="150">Password</td>
    <td><input name="user_password" type="password" id="user_password"></td>
</tr>
<tr>
    <td width="150"></td>
    <td><input name="btnLogin" type="submit" id="btnLogin" value="Login"></td>
</tr>
</table>
</form>
</body>
</html>
Beep
  • 2,737
  • 7
  • 36
  • 85
  • The `mysql_*` functions are **no longer maintained** and shouldn't be used in any new codebase. It is being phased out in favor of newer APIs. Instead you should use [**prepared statements**](https://www.youtube.com/watch?v=nLinqtCfhKY) with either [PDO](http://php.net/pdo) or [MySQLi](http://php.net/mysqli). Also, storing unhashed password is a **really bad idea**. Try [this new API](http://uk3.php.net/manual/en/ref.password.php) for that. – tereško Dec 06 '13 at 17:29
  • 1
    Not only are the mysql_* functions deprecated, but watch out for [Bobby Tables](http://bobby-tables.com/) too. – Matthew Johnson Dec 06 '13 at 17:37
  • well .. the video kinda explain it too. – tereško Dec 06 '13 at 17:44
  • 1
    By the way, I think you (may) have a `byte order mark` issue => `` welcome beep – Funk Forty Niner Dec 06 '13 at 18:49
  • @ Fred -ii- yeah.. I am any idea how to fix? – Beep Dec 06 '13 at 18:52
  • 1
    Yes, you'll need to save it as UTF-8 without `BOM`. You can download a [free copy of Notepad++](http://notepad-plus-plus.org/) to achieve this, if you don't have an editor already. – Funk Forty Niner Dec 06 '13 at 19:05

7 Answers7

3

The string you are posting to is literally:

<?php echo $_SERVER['PHP_SELF']; ?>

If you just want to post to the same page, you can just leave out the action element from the form. (Is it a good practice to use an empty URL for a HTML form's action attribute? (action=""))

Community
  • 1
  • 1
Advocation
  • 578
  • 3
  • 14
2

Your PHP isn't being processed. It's just being printed inline with the HTML. Since you have open and close php statements, my guess is that you may have this file saved as index.html and don't have Apache set to parse HTML as PHP.

View your page source to confirm.

Try saving your file as index.php. You may also need to add this to a .htaccess file in the same folder:

DirectoryIndex index.php
Will
  • 2,343
  • 1
  • 14
  • 14
2

Few corrections:

  • Firstly as @Advocation said leave out the action element empty if you want to post in the same page.

  • Your missing brackets in if statement.

Change this:

if (!empty($_POST['user_name']) && !empty($_POST['user_password']){

To:

if ((!empty($_POST['user_name']) && !empty($_POST['user_password'])){
Joke_Sense10
  • 5,341
  • 2
  • 18
  • 22
2

After further searching into what is going on, I figured it out!

You are using

http://stuweb.cms.gre.ac.uk/~ob219/logsystem/index.html

you need to change your file to (.php)

http://stuweb.cms.gre.ac.uk/~ob219/logsystem/index.php

Also yes you do have apache installed! See here

Arian Faurtosh
  • 17,987
  • 21
  • 77
  • 115
  • 1
    Great @Arian, almost there few more bugs to sort out now. thank you always a simple problem. – Beep Dec 06 '13 at 17:45
2

Use php isset() function to check whether the variables are set or not and use htmlspecialchars($_SERVER["PHP_SELF"]) to prevent $_SERVER["PHP_SELF"] exploitation.

Besides to prevent sql injection, you should use PDO or Mysqli and you can use session_id() function and can bind IP address to prevent session hijacking.

$ip = getenv ( "REMOTE_ADDR" );
Hasib Mahmud
  • 806
  • 1
  • 10
  • 29
1

Like quasivivo said, none of your php is being processed by your server, I posted a picture to show you what is going on. Are you sure you have apache installed? and not ASP?

As you can see, all your script isn't processed by your server! This is a major problem, make sure you don't have any passwords variables, because anyone can see them. like for example:

$db_password = 'ilovelamp';

Everything is in here

Arian Faurtosh
  • 17,987
  • 21
  • 77
  • 115
1

It is working in my server correction the lines if (!empty($_POST['user_name']) && !empty($_POST['user_password'])) You have forgotten to close if condition ")"

Asraful Haque
  • 1,109
  • 7
  • 17
  • its working fine now, thank you for your input I will have a look at mi if statement and close. – Beep Dec 06 '13 at 19:22