-1

Here is the full code:

```php
<?php
session_start();
session_regenerate_id(true);
require_once('connect.php');
require_once "lib.php";
require_once "utils.php";

$EmailAddress = mysqli_real_escape_string($link,htmlentities($_POST['EmailAddress']));
$Password = mysqli_real_escape_string($link,htmlentities($_POST['Password']));
$Fname = mysqli_real_escape_string($link,htmlentities($_POST['Fname']));

function login($result,$EmailAddress,$Password)
{
    if($result)
    {
        if(mysqli_num_rows($result) == 1)
        {
                $email_exists = true;
                $pass_exists = true;
            if($pass_exists = true && $email_exists = true)
            {
                $_SESSION['active']=true;
                $_SESSION['EmailAddress']=$EmailAddress;
                //$_SESSION['Password']=$Password;
                header("Location: myIndex.php");
                exit();
            }
        }
        else
            echo "<div id='error'><h4>Error: Incorrect Password or Email</h4></div>";
    }
}

function redirect_if_active()
{
    header("Location: myIndex.php");
    exit();
}

if(isset($_SESSION['active']) && $_SESSION['active'] ===true)
{
    redirect_if_active();
}

// only processes login information if the submit button has been clicked
if (isset($_POST['submit'])) {

    $sql="SELECT * FROM users WHERE EmailAddress ='$_POST[EmailAddress]' AND
        Password ='$_POST[Password]'";
    $result = mysqli_query($link,$sql);
    login($result,$EmailAddress,$Password);
}

if(isset($_POST['signup'])){
    header("Location: register.php");
    exit();
}

?>
```

My guess is that the error is where the $sql = SELECT * FROM users WHERE is, but I'm not entirely sure. I'll input the Email and the password, but it continues to return me to the login page. I'm not sure why it's doing that, but it needs to go to the Profile page once the user has logged in.

KwBionic
  • 2
    [You need to prevent SQL Injection!](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Jay Blanchard Mar 16 '15 at 17:56
  • this looks fishy: `WHERE EmailAddress ='$_POST[EmailAddress]'` Store `$_POST['EmailAddress']` in a variable first then use it in your query – Michael Doye Mar 16 '15 at 17:56
  • 1
    Add error reporting to the top of your file(s) right after your opening ` – Jay Blanchard Mar 16 '15 at 17:57
  • Your problem is that you are doing an assignment instead of comparing the values if($pass_exists **=** true; – Amit Verma Mar 16 '15 at 18:00
  • So I added the error_reporting(E_ALL); ini_set('display_errors', 1); tag and I have Undefined index for EmailAddress, Password, for line 9, 10 , 11, 49, and 50. I also know the $sql = SELECT syntax is wrong, but I do not know what is wrong. – KwBionic Mar 16 '15 at 18:19

2 Answers

1
```php
<?php
session_start(); // required before $_SESSION can be read or written
$link = "somethingrelatedtoyourdb";
// isset() guards avoid "Undefined index" notices on the first page load
$EmailAddress = isset($_POST['EmailAddress']) ? $_POST['EmailAddress'] : '';
$Password = isset($_POST['Password']) ? $_POST['Password'] : '';
//$Fname = $_POST['Fname'];  THIS IS NEVER POSTED
echo "<pre>";
print_r($_POST);
echo "</pre>";



function login($result,$EmailAddress,$Password)
{
    if($result)
    {
        if(($result) == true)//TRUE AGAIN
        {
             //THIS MAKES NO SENSE
            //    $email_exists = true;
            //    $pass_exists = true;
            //if($pass_exists = true && $email_exists = true)
           // {
                // assignment (=), not comparison (==), so the session is actually set
                $_SESSION['active'] = true;
                $_SESSION['EmailAddress'] = $EmailAddress;
                //$_SESSION['Password']=$Password;
                header("Location: myIndex.php");
                exit();
          //  }
        }
        else
            echo "<div id='error'><h4>Error: Incorrect Password or Email</h4></div>";
    }
}

function redirect_if_active()
{
    header("Location: myIndex.php");
    exit();
}

if(isset($_SESSION['active']) && $_SESSION['active'] ===true)
{
    redirect_if_active();
}

// only processes login information if the submit button has been clicked
if (isset($_POST['submit'])) {

    $sql="SELECT * FROM users WHERE EmailAddress ='$EmailAddress' AND
        Password ='$Password'";
    print_r($sql);
   // $result = mysqli_query($link,$sql); Ill make this true for a moment
    $result = true;
    login($result,$EmailAddress,$Password);
}

if(isset($_POST['signup'])){
    header("Location: register.php");
    exit();
}

?>
<html>
<head></head>
<body>
<div id='form'>
<form action='example.php' method='POST'>
<div id='email'>Email:</div>
<div id='email2'>
<input name='EmailAddress' type='email'/>
<br>
</div> Password: <input name='Password' type='password'/>
<br>
<input class="submit" name='submit' type='submit' value='Login'/>
<input class="submit2" name='signup' type='submit' value='SignUp!'/> </form>
</div>
</body></html>
```
0

You have quite a few issues that I see right off the bat.

  1. In your SQL query this `$_POST[Password]` should be `$_POST['Password']`. Same thing with the email address. This might fix your query; however, please note that passing in raw post data to MySQL is a big security problem. You are already setting these post params as escaped variables. You could use those, but you should look at prepared statements to keep yourself safe.
  2. This block has an error, and also doesn't make sense:

```php
$email_exists = true;
$pass_exists = true;
if($pass_exists = true && $email_exists = true)
```

It should be

```php
if($pass_exists == true && $email_exists == true)
```

Or better yet

```php
if($pass_exists && $email_exists)
```

However, since you are explicitly setting both of these vars to true right before checking if they are true, this will always be true.

Jacob
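The prepared-statement approach recommended in the answer above, as an added example that is not code from the question or either answer. It assumes PDO with an in-memory SQLite database standing in for the page's MySQL `$link` so that it runs without a server (with mysqli the same shape uses `mysqli_prepare()` and `mysqli_stmt_bind_param()`); the `PasswordHash` column and the `make_demo_db()` and `verify_login()` names are hypothetical.

```php
<?php
// Added example. Assumptions: PDO + in-memory SQLite replaces the MySQL link;
// PasswordHash, make_demo_db() and verify_login() are hypothetical names.

function make_demo_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (EmailAddress TEXT PRIMARY KEY, PasswordHash TEXT NOT NULL)');
    // Constructed sample account; only the hash is stored, never the plaintext.
    $ins = $pdo->prepare('INSERT INTO users (EmailAddress, PasswordHash) VALUES (?, ?)');
    $ins->execute(['alice@example.com', password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $pdo;
}

// Returns true only when the e-mail exists and the password matches its hash.
function verify_login(PDO $pdo, string $email, string $password): bool
{
    // The placeholder keeps $email as data; it is never parsed as SQL.
    $stmt = $pdo->prepare('SELECT PasswordHash FROM users WHERE EmailAddress = ?');
    $stmt->execute([$email]);
    $hash = $stmt->fetchColumn();   // false when no row matches
    if ($hash === false) {
        return false;
    }
    // The password is compared against the stored hash, not inside the query.
    return password_verify($password, $hash);
}

$pdo = make_demo_db();

// Constructed inputs: a valid login, a wrong password, and values carrying
// quote characters that would change the meaning of a concatenated query.
$cases = [
    ['alice@example.com', 'correct horse'],
    ['alice@example.com', 'wrong'],
    ["alice@example.com' OR '1'='1", "x' OR '1'='1"],
];
foreach ($cases as [$email, $password]) {
    $ok = verify_login($pdo, $email, $password);
    printf("%-32s => %s\n", $email, $ok ? 'login ok' : 'rejected');
}
```

In the login page itself, set `$_SESSION['active']` only after `verify_login()` returns true, and call `session_regenerate_id(true)` at that point rather than on every request.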