0

I have a login, register page. The register page is working fine, but I have a problem with my login page. When I log in succesfully it is supposed to redirect me to a page called member.php but instead just stays on the same page and goes no where. Here is my code for the login.php page where I think the problem may be occuring:

<?php
if(isset($_POST["submit"])){

if(!empty($_POST['user']) && !empty($_POST['pass'])) {
    $user=$_POST['user'];
    $pass=$_POST['pass'];

    $con=mysql_connect('127.0.0.1:8889','root','root') or die(mysql_error());
    mysql_select_db('user_registration') or die("cannot select DB");

    $query=mysql_query("SELECT * FROM login WHERE username='".$user."' AND password='".$pass."'");
    $numrows=mysql_num_rows($query);
    if($numrows!=0)
    {
    while($row=mysql_fetch_assoc($query))
    {
    $dbusername=$row['username'];
    $dbpassword=$row['password'];
    }

    if($user == $dbusername && $pass == $dbpassword)
    {
    session_start();
    $_SESSION['sess_user']=$user;

    header("Location: member.php");
    }
    } else {
    echo "Invalid username or password!";
    }

} else {
    echo "All fields are required!";
}
}
?>

<form action="" method="POST">
Username: <input type="text" name="user"><br />
Password: <input type="password" name="pass"><br /> 
<input type="submit" value="Login" name="submit" />
</form>
JasperDaDolphin
  • 172
  • 1
  • 9
  • What is the address in the URL after you submit? – John Robertson Jul 22 '14 at 08:16
  • It doesn't send me anywhere. – JasperDaDolphin Jul 22 '14 at 08:18
  • The mysql family of functions is deprecated and support thereof will disappear. Please look into [PDO](http://www.php.net/manual/en/book.pdo.php) or [Mysqli](http://php.net/manual/en/book.mysqli.php). – ljacqu Jul 22 '14 at 08:18
  • Let me try to see the URL. – John Robertson Jul 22 '14 at 08:19
  • What kind of debugging have you done. I would replace `header(...)` with `echo 'Success';` and see if that works... – Mark Miller Jul 22 '14 at 08:20
  • try to echo `message` on successful login and what you get? – Sadikhasan Jul 22 '14 at 08:20
  • Additionally to the comment of @MarkM, set `error_reporting(E_ALL)` at the top of your file during development to see all errors. – ljacqu Jul 22 '14 at 08:20
  • Yes echo 'Success'; worked but i after replaced it again with header and if didn't work – JasperDaDolphin Jul 22 '14 at 08:25
  • 1. Add `exit` after `header` just in case. 2. All of this `if($user == $dbusername && $pass == $dbpassword)` is useless and give you nothing. 3. Completely open to SQL injection - use at least `mysql_real_escape` or better move to PDO extension. 4. `` should have `/>` at the end to make correct HTML. 5. Add limit to select and no loop, like `"SELECT * FROM user_registration WHERE username='".mysql_real_escape($user)."' AND password='".mysql_real_escape($pass)."' LIMIT 1"` – DarkSide Jul 22 '14 at 08:29
  • 1
    if echo 'Success' works, is possible that member.php redirect to login.php? – user3786597 Jul 22 '14 at 08:32

2 Answers2

2

I refractored your code a bit. You do some checking that you don't have to. First you fetch MySQL-results based on login-info and then you compare it again. You don't need to do that.

This code should work. If it does not, I am pretty sure you are logging in with wrong creditials or there is something wrong with your database structure.

<?php
if (isset($_POST['submit'])) {
    if (!empty($_POST['user']) && !empty($_POST['pass'])) {
        $con = mysql_connect('127.0.0.1:8889','root','root') or die(mysql_error());
        mysql_select_db('user_registration') or die('Could not select database');

        $login = 'SELECT * FROM login WHERE username = \'' . $user . '\' AND password = \'' . $pass . '\' LIMIT 1';
        $loginq = mysql_fetch_assoc(mysql_query($login));

        if (isset($loginq['username'])) {
            session_start();
            $_SESSION['sess_user'] = $loginq['username'];
            header('Location: member.php');
        }
        else {
            echo 'Invalid username or password!';
        }

    }
    else {
        echo 'All fields are required!';
    }
}
?>
OptimusCrime
  • 14,662
  • 13
  • 58
  • 96
  • please add `mysql_real_escape` - this never should be forgotten !!! AND `exit;` after `header()` is good routine too. I have seen some strange cases when header don't break code execution in past. – DarkSide Jul 22 '14 at 08:31
0

Try adding the page you are POSTing to in the HTML form, like so:

<form action="login.php" method="post">

Also, look into PDO as this is vulnerable to SQL Injection.

Coffeee
  • 143
  • 1
  • 2
  • 13
  • You could also look at ['PHP POSTing to itself'](http://stackoverflow.com/questions/5826784/how-do-i-make-a-php-form-that-submits-to-self) – Coffeee Jul 22 '14 at 08:23