PHP Moderator Login page not working

Question

I have created a HTML login page, it has a user login form and a moderator login form, the user login is working fine, it connects to the database, retrieves the email and password then redirects the user back to the home page, I'm using basically the same code for the moderator login but it wont work.

Here are screenshots of my database http://i59.tinypic.com/91fcpj.png This is after the user logs in, it redirects to index.php http://i61.tinypic.com/21ahjt.png This is after the admin tries to login, it's meant to redirect to adminData.php but it doesn't http://i58.tinypic.com/23m1r8p.png

Login.html Code

<!DOCTYPE html>

<html>

<head>

<title>Sign In</title>

<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<link rel="stylesheet" type="text/css" href="css/style.css"/>

</head>
<body>
<div id="container">

<header>

<a href="index.html"><img src="images/Header.jpg" alt="logo" /></a>
<a href="login.html"><img src="images/login.jpg" alt="login" /></a>
<a href="https://www.facebook.com/ArcticMonkeys"><img src="images/Facebook.jpg" alt="FB" /></a>
<a href="https://twitter.com/arcticmonkeys"><img src="images/Twitter.jpg"     alt="Twitter" /></a>

</header>

<div class="menu">
<div align="center">
<ul class="list">
    <li class="item"><a href="index.html">Home</a>
    <li class="item"><a href="gallery.html">Gallery</a>
    <li class="item"><a href="videos.html">Videos</a>
    <li class="item"><a href="discography.html">Discography</a>
    <li class="item"><a href="register.php"#">Register</a>

     <li class="item"><a href="#">About</a>
        <ul class="list">
            <li><a href="alex.html">Alex Turner</a></li>
            <li class="list">
                <a href="matt.html">Matt Helders</a>
                <ul class="list">
                    <a href="jamie.html">Jamie Cook</a>
                    <ul class="list">
                        <a href="nick.html">Nick O'Malley</a>
                        <ul class="list">
                            <a href="andy.html">Andy Nicholson</a>
                            <ul class="list">
                        </ul>
            </li>


</div>
</div>


<div align="center"><BR><BR><BR><BR>
<body id="body-color"> 

<div id="Sign-In"> 




</head>

<form action="login.php" method="post">

<table width="500" align="center">

<tr align="center">

<td colspan="3"><h2>User Login</h2></td>

</tr>

<tr>

<td align="right"><b>Email</b></td>

<td><input type="text" name="email" required="required"/></td>

</tr>

<tr>

<td align="right"><b>Password:</b></td>

<td><input type="password" name="pass" required="required"></td>

</tr>

<tr align="center">

<td colspan="3">

<input type="submit" name="login" value="Login"/>


</td>

</tr>

</table>

</form>

<br><br>

<form action="moderatorLogin.php" method="post">

<table width="500" align="center">

<tr align="center">

<td colspan="3"><h2>Moderator Login</h2></td>

</tr>

<tr>

<td align="right"><b>Email</b></td>

<td><input type="text" name="email" required="required"/></td>

</tr>

<tr>

<td align="right"><b>Password:</b></td>

<td><input type="password" name="pass" required="required"></td>

</tr>

<tr align="center">

<td colspan="3">

<input type="submit" name="Admin" value="Login"/>


</td>

</tr>

</table>
</form>






<H3>If you do not have an account please register <a href="register.html">HERE</a><br>otherwise access is restricted to member pages<h3>

</div> 

</body> 

</html>

moderatorLogin.php Code

<?php session_start();
// establishing the MySQLi connection



$con = mysqli_connect("localhost","root","","admin");

if (mysqli_connect_errno())

{

echo "MySQLi Connection was not established: " . mysqli_connect_error();

}

// checking the user

if(isset($_POST['login'])){

$email = mysqli_real_escape_string($con,$_POST['email']);

$pass = mysqli_real_escape_string($con,$_POST['pass']);

$sel_user = ("select * from moderators where email='$email' AND password='$pass'");
$sel_user = ("select * from moderators where email='$email' AND password='$pass'");

$run_user = mysqli_query($con, $sel_user);

$check_user = mysqli_num_rows($run_user);

if($check_user>0){

$_SESSION['email']=$email;

echo "<script>window.open('adminData.php','_self')</script>";

}

else {

echo "<script>alert('Email or password is not correct, try again!')</script>
            <script>window.open('register.php','_self')</script>";

}



}

?>

Note: this website will not be hosted online, i will be looking to make it more complex in the future in terms of security and what not, but for now i just want to get what i have working before i start learning about security etc...

Any help at all is greatly appreciated.

Ryan.

So what is the problem exactly? Did you look at the source of the HTML? Did you look at PHP errors log? — rlanvin, Aug 21 '15 at 09:26
@rlanvin when i enter the admin email and password and try login i am directed to a blank page, it should go to moderatorLogin.php determine if the email and pass are correct, if they are it should redirect to adminData.php, if not it should pop up and error message. i am not receiving any errors that's one of the problems, also i have the exact same php code working for another form just not this one. — Ryan, Aug 21 '15 at 09:32

score 1 · Accepted Answer · edited May 23 '17 at 12:00

1

Seems like your are having a problem with Redirecting.

Try

// similar behavior as an HTTP redirect
   window.location.replace("http://stackoverflow.com");

// similar behavior as clicking on a link
    window.location.href = "http://stackoverflow.com";

window.location.replace(...) will best simulate an HTTP redirect.

It is better than using window.location.href =, because replace() does not put the originating page in the session history, meaning the user won't get stuck in a never-ending back-button fiasco. If you want to simulate someone clicking on a link, use location.href. If you want to simulate an HTTP redirect, use location.replace

I cannot take credit for this answer. You could check out the original SO post here

edited May 23 '17 at 12:00

Community

1
1

answered Aug 21 '15 at 09:38

Niket Pathak

6,323
1
39
51

thanks for your reply but after altering my code it still seems to be getting stuck, completely lost here as the code is working fine for another login form i have. – Ryan Aug 21 '15 at 09:54
@Ryan Did you ensure that `if($check_user>0){ $_SESSION['email']=$email; echo ""; }` part of your code actually gets executed or not? Comment out the JS redirect and try to print something random there so you can pin-point your actual issue. – Niket Pathak Aug 21 '15 at 11:18
It's not getting that far, the error seems to be before that, even after commenting the script and trying to print something random it just leads to a blank moderatorLogin.php page – Ryan Aug 21 '15 at 12:11
Oh you made a mistake here in Login.html -> `` its supposed to be `` It doesn't get that far because your `$_POST["login"]` is empty – Niket Pathak Aug 21 '15 at 12:35
That's it, working perfectly now thank you very much for taking the time to help me! – Ryan Aug 21 '15 at 12:57

score 0 · Answer 2 · edited Jun 20 '20 at 09:12

This is not an answer, just my 2 cents.

If anyone wonders why, there's no real reason, just seeing a structure that can be improved without too much effort and seeing plain text passwords in a database.

However I did notice how you save your users into the DB. You have two different groups here, one group are regular users in the users table in the info db and the other are moderators in the moderator table within the admin db.

Most CMSses like wordpress, joomla, typo3 etc.. they use one database. You already have two containing only information about users which leads me to think that you're overcategorizing.

I am no database expert at all but instead of using two seperate databases for two different tables with the same (maybe slightly different) data.

What I would do in this situation is create a column in the users table within the info db named user_type.

Then in my application I'd set some constants (define('ADMIN', 1) and define('USER', 0)) etc...

In your new user_type column the type would also be a number, e.g.

----------------------------------------------------
|  name  |    email    |   password    | user_type |
----------------------------------------------------
| John   | john@gm...  | sha1(pass)    | 0         |
| Lisa   | lisa@gm...  | sha1(pass)    | 1         |
----------------------------------------------------

Now you can fetch your users and admins using the same table. You also have a distinction within the user array when fetching it with mysql so you'll always know if a user is admin or not, this looks something like:

$_SESSION['user'] = [
    'name' => 'John',
    'email' => 'john@gmail.com',
    'password' => 'sha1',
    'user_type', 0
];

Now when you want to check if a user is admin, anywhere in your code: (as long as you have set this $_SESSION['user'])

if ($_SESSION['user']['user_type'] == ADMIN) { //remember the define? :D
    //do cool admin stuff
} else {
    //do regular user stuff
}

Another minor thing I noticed is that you use no hashing technique whatsoever in your database. Passwords are stored as plain text.

You might actually still have to do this but it would be sane to implement this while implementing the user system otherwise you might forget or be to lazy to do this in the future (no offense intended, just how some devs are ;)).

PHP has a few builtin functions that deal with storing a password in a way that it is one-way encrypted.

This means that there isn't a method to decrypt the password so it's safe. However this also makes it more complex to compare the password.

A typical method to use would be PHP's SHA1 function. You'd just do sha1($_POST['password']) and get a 40 character long string of hexadecimal characters (0-9a-f)

Your password should look like something below:

a89f88e9d9ce9d8f9e98d09c90e9f5431a21b12a

When you try to compare any password in plain text against that hash above, it'd return false - which is normal. The strings are completely different.

However, when you encrypt the same string again it will produce the same output.

So it's just an extra step really but if someone decides to steal your database they won't steal all of your users passwords either.

Your current password check routine looks like this at the moment:

User registers -> save info

Validate login -> (user->password == input->password)

Now what you do looks like this:

User registers -> sha1 password -> save info

Validate login -> (user->password == sha1(input->password))

Now I could go on about this a long time but that would be an absolute minimum necessity and responsibility towards your users, if you don't protect their password for them there is a good chance that someone breaks into your DB and steals that password.

If you think that does no harm you have to realise that most users are simple and use one password for everything since remembering multiple would be more difficult.

This leads to the same password login for many (also secure) services which a hacker can then exploit to the fullest because he got a password basically for free.

PHP Moderator Login page not working

2 Answers2

This is not an answer, just my 2 cents.