1

This is my login page:

This is the form, form action="" is set to none (may be the problem?)

<form action="" method="POST">
Username: <input type="text" name="user">
Password: <input type="password" name="pass">
<input type="submit" value="Login" name="submit" />
</form>

$query=mysql_query("SELECT * FROM login WHERE username='".$user."' AND password='".$pass."'");
$numrows=mysql_num_rows($query);
if($numrows!=0)
{
    while($row=mysql_fetch_assoc($query))
    {
        $dbusername=$row['username'];
        $dbpassword=$row['password'];
    }

    if($user == $dbusername && $pass == $dbpassword)
    {
        session_start();
        $_SESSION['sess_user']=$user;

        /* Redirect browser */
        header("Location: member.php");
    }
} else {
    echo "Invalid username or password!";
}

second page

<?php 
session_start();
if(!isset($_SESSION["sess_user"])){
header("location:login.php");
} else {

Whenever I click the 'log in' button, the form comes back instead of the page redirecting me. Help please,

thanks in advance

3 Answers

0

Why don't you try it like this:

<?php
session_start();
$query = mysql_query("SELECT * FROM login WHERE username='" . $user . "' AND password='" . $pass . "'");
$numrows = mysql_num_rows($query);
if ($numrows > 0) {
    while ($row = mysql_fetch_assoc($query)) {
        $dbusername = $row['username'];
        $dbpassword = $row['password'];
    }
    $_SESSION['sess_user'] = $user;
    header("Location: http://peopleinvestment.ro/filip/member.php");
    exit; // Stop the script so nothing else is sent after the redirect header
} else {
    echo "Invalid username or password!";
}

It is also smarter and shorter, because you are checking 2 times if the username and the password match.

0

I actually found another way around:

basically:

echo "<script>
top.location='admin.php';
</script>";

-1

I think the header() raises a LOT of errors. So instead what I use is this:

<meta http-equiv='refresh' content="0; url=yoururlhere">

Leave it as is, and it will redirect you to a new page :) Works the same as header. This should fix your problems.

EDIT

Ok, here are some updates that will help make it more secure, and it should fix your problem! :) First let's begin with the database connection file:

<?php
$db_username = ""; //Input your database username here
$db_password = ""; //Input your database password here
$db_host = ""; //Input your database host here
$db_name = ""; //Input your database name here

$options = array(PDO::MYSQL_ATTR_INIT_COMMAND => 'SET NAMES utf8');

try {
    $connection = new PDO("mysql:host={$db_host};dbname={$db_name};charset=utf8", $db_username, $db_password, $options);
    $connection->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
}

catch(PDOException $ex) {
    echo "Can not connect to database.";
}

header('Content-Type: text/html; charset=utf-8');
?>

The above will connect to your database for you! :) Ok, next let's work with the PHP (Please put this at the top of your , before your inputs):

<?php

//Grabs the database connection
require("path to database connection file");

$user = $_POST["user"];
$pass = $_POST["pass"];

$query="SELECT * FROM login WHERE username=:username AND password=:password";

$params->execute(array(':username' => $user,
                       ':password' => $pass));

try{
    $stmt = $connection->prepare($query);
    $result = $stmt->execute($params);
}

catch(PDOException $ex){
    echo ("Failed to run query: " . $ex->getMessage());
}

$fetch = $stmt->fetch();

if($fetch) {
    while($row=mysql_fetch_assoc($query)){
        $usernamefetch=$fetch['username'];
        $passwordfetch=$fetch['password'];
    }

    if($user == $usernamefetch && $pass == $passwordfetch)
        session_start();
        $_SESSION['sess_user']=$user;
?>
        <meta http-equiv='refresh' content="0; url=page_to_redirect_to"
<?php
    {

    else {
        echo "Invalid username or password!";
    }
}
else {
    echo "Invalid username or password!";
}

?>

And that is the code, and it should work perfectly! :) The only thing you should make sure to change is the meta tag on where to redirect to. Then of course your simple HTML:

<form action="" method="POST">
    Username: <input type="text" name="user">
    Password: <input type="password" name="pass">
    <input type="submit" value="Login" name="submit" />
</form>

Please test out this code, I think it will work much better now! :) Not to mention it will be much more secure.

EDIT

Finally, I got this to work 100%!!! :) Ok now use this:

<?php
$db_username = "peoplein"; //Input your database username here
$db_password = "xxxxxxx"; //Input your database password here
$db_host = "localhost"; //Input your database host here
$db_name = "xxxxxxxx"; //Input your database name here

$options = array(PDO::MYSQL_ATTR_INIT_COMMAND => 'SET NAMES utf8');

try {
    $connection = new PDO("mysql:host={$db_host};dbname={$db_name};charset=utf8", $db_username, $db_password, $options);
    $connection->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
}

catch(PDOException $ex) {
    echo "Cannot connect to database.";
    exit; // Stop here: $connection is not usable below
}

// Start the session before any output is sent, otherwise the session cookie cannot be set
session_start();

header('Content-Type: text/html; charset=utf-8');
?>

<!doctype html>
<html>
<head>
<title>Login</title>
</head>
<body>

<?php

    if (isset($_POST["user"])) {
        $user = $_POST["user"];
    }
    else {
        $user = "";
    }
    if (isset($_POST["pass"])) {
        $pass = $_POST["pass"];
    }
    else {
        $pass = "";
    }

    $query="SELECT * FROM login WHERE username=:username";

    $params=(array(':username' => $user));

    try{
        $stmt = $connection->prepare($query);
        $result = $stmt->execute($params);
    }

    catch(PDOException $ex){
        echo ("Failed to run query: " . $ex->getMessage());
    }

    $fetch = $stmt->fetch();
    // fetch() returns false when the username does not exist
    $passwordfetch = $fetch ? $fetch['password'] : '';

    if (password_verify($pass, $passwordfetch)) {
            $_SESSION['sess_user']=$user;
?>
            <meta http-equiv='refresh' content="0; url=http://peopleinvestment.ro/filip/admin.php">
<?php
    }
    else {
        echo "Invalid Information";
    }

?>

<center>
<h3>Login</h3>
<form action="" method="POST">
    Username: <input type="text" name="user">
    Password: <input type="password" name="pass">
    <input type="submit" value="Login" name="submit" />
</form>
</center>

</body>
</html>

DO NOT CHANGE ANYTHING but the db_password and db_name. Now next thing that you should change. First off if someone ever got in your database your passwords are NOT secure because they are not "hashed". Now you can hash these passwords by doing this right before submitting them into the database:

password_hash($pass, PASSWORD_DEFAULT);

So basically right before the user is about to register it will automatically password_hash, and then input it into the database. Now that MUST be done or else the code above will NOT work. Yet if you choose not to password_hash (bad idea), then you could just use this code: http://pastebin.com/SJisBwnB. That should fix your problems, if any errors are still being raised or if you have any questions please just make another comment! :) This worked perfectly for me.

michael jones
  • 710
  • 1
  • 8
  • 17
  • if I put that in the html side, it will just refresh the page an infinite amount of times – Badina Filip Feb 26 '15 at 22:47
  • yes, but I don't get the chance to submit, it refreshes just before. Is there a way for it to do that only if the user and pass check out? – Badina Filip Feb 26 '15 at 22:54
  • I edited everything, and it still won't redirect me to that page. I don't get why I am being redirected, I added a few ";" and some other stuff to that code and it still won't work ... – Badina Filip Feb 26 '15 at 23:40
  • http://pastebin.com/27de9Asw This is it, if I fall asleep, I'll check back tomorrow, been up for quite a while on this damn code.. – Badina Filip Feb 26 '15 at 23:45
  • This is the page I am trying to get redirected to by the way: http://pastebin.com/y5agcBbe – Badina Filip Feb 26 '15 at 23:50
  • I get server error, at some point you forgot to close the meta ">" and some other small stuff but, yeah, it didn't work :( – Badina Filip Feb 26 '15 at 23:55
  • Hi, what part is not working? Is it raising any errors? If no errors then it is something with something else, because this code works perfectly for me. By the way, are you "password_hashing" your information? If you are, please post the code you are using for that; if you are not, are you using the second set of code I posted (in the pastebin)? – michael jones Feb 27 '15 at 21:59
  • BTW Please post the full code you are using. And if there are any errors please post the full message. Thank You! – michael jones Feb 27 '15 at 22:03
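
As an added example (not code from the question or from any of the answers), here is the login flow discussed in this thread with the credential check done before any HTML is sent, so that header() can still redirect. The attempt_login() helper, the in-memory SQLite database standing in for the MySQL login table, and the sample account are assumptions made so the file runs on its own.

```php
<?php
// Added example, not code from the thread. attempt_login(), the in-memory
// SQLite table and the sample account are constructed for illustration.
function attempt_login(PDO $db, string $user, string $pass): bool
{
    // Bound parameter: the username is data, never part of the SQL text.
    $stmt = $db->prepare('SELECT password FROM login WHERE username = :u');
    $stmt->execute([':u' => $user]);
    $hash = $stmt->fetchColumn();          // false when no such user

    // Unknown user: still verify against a throwaway hash so both paths
    // do the same amount of work.
    static $dummy = null;
    $dummy ??= password_hash('placeholder', PASSWORD_DEFAULT);

    $ok = password_verify($pass, is_string($hash) ? $hash : $dummy);
    return $ok && is_string($hash);
}

// Constructed demo data standing in for the MySQL `login` table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE login (username TEXT PRIMARY KEY, password TEXT)');
$db->prepare('INSERT INTO login VALUES (?, ?)')
   ->execute(["o'brien", password_hash('correct horse', PASSWORD_DEFAULT)]);

// Handle the POST before any HTML is sent, so header() can still be used.
$error = '';
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $user = is_string($_POST['user'] ?? null) ? $_POST['user'] : '';
    $pass = is_string($_POST['pass'] ?? null) ? $_POST['pass'] : '';
    if (attempt_login($db, $user, $pass)) {
        session_start();
        session_regenerate_id(true);   // fresh session ID after login
        $_SESSION['sess_user'] = $user;
        header('Location: member.php');
        exit;                          // nothing below runs on success
    }
    $error = 'Invalid username or password!';
}
?>
<!doctype html>
<title>Login</title>
<p><?= htmlspecialchars($error) ?></p>
<form action="" method="POST">
    Username: <input type="text" name="user">
    Password: <input type="password" name="pass">
    <input type="submit" value="Login" name="submit">
</form>
```

Served with PHP's built-in web server (`php -S`), a correct login answers with a redirect to member.php and no page body, while a wrong one re-renders the form with the error message.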