2

I have developed a website in php in which I have a login form that checks user's authentication using user name and password. The pages to be accessible only by authenticated users checks session variables either true or false. These variables are set to true if username and password of user are true and I have set that during login check and so users can't access webpages by directly writing page name in URL. php login authentication is working on localhost but when i hosted to the server authentication is not working. Please help me to solve this problem 

<!DOCTYPE html>
<html>
<head>
    <title>Admin</title>
    <link rel="icon" href="../images/logo.png">
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width,initial-scale=1.0">

    <!-- CSS STYLES -->
    <link rel="stylesheet" type="text/css" href="css/bootstrap.min.css">
    <link rel="stylesheet" type="text/css" href="css/font-awesome.min.css">
    <link rel="stylesheet" type="text/css" href="css/login.css">

    <!-- JS SCRIPT -->

    <script type="text/javascript" src="js/respond.js"></script>
    <script type="text/javascript" src="js/jquery.js"></script>
</head>
<body>


<div class="login-page">
    <div class="login-section">
    <div class="login-heading">
        <img src="../images/logo.png">
        <h2>Department Of Business Administration</h2>
        <div class="border"><div class="line"></div></div>
        <div class="border1"><div class="line"></div></div>
        <h5>Please, <span class="text2"></span></h5>
    </div>
    <?php 
            session_start();
            include '../inc/db.php';
            if (isset($_POST['submit'])) {
                $username = mysqli_real_escape_string($conn,$_POST['username']);
                $password = mysqli_real_escape_string($conn,md5($_POST['password']));
                $_SESSION['login'] = false;

                $query = "SELECT * FROM admin_user WHERE username='$username' AND password='$password' ";
                $rslt = mysqli_query($conn,$query);
                if (mysqli_num_rows($rslt)>0) {
                    $_SESSION['login'] = true;
                    $_SESSION['username'] = $username;
                    header('location:index.php');
                }else{
                    echo  "<div class='alert alert-danger inputmsg-txt'>Username or Password does not matched</div>";
                }
            }
        ?>
    <form  method="POST" class="form-horizontal" action="">
      <div class="form-group">
        <label for="Username" class="col-sm-2 control-label">Username</label>
        <div class="col-sm-10">
          <input type="text" class="form-control" name="username" id="Username" placeholder="Username">
        </div>
      </div>
      <div class="form-group">
        <label for="Password" class="col-sm-2 control-label">Password</label>
        <div class="col-sm-10">
          <input type="password" class="form-control" name="password" id="Password" placeholder="Password">
        </div>
      </div>
      <div class="form-group">
        <div class="col-sm-offset-2 col-sm-10">
          <button type="submit" name="submit" class="btn btn-success">Sign in</button>
          <a href="" class="btn btn-info">Forgot Password</a>
        </div>
      </div>
    </form>
</div>
</div>
<script type="text/javascript" src="js/bootstrap.min.js"></script>
<script type="text/javascript" src="js/typed.min.js"></script>
<script type="text/javascript" src="js/main.js"></script>
</body>
</html>
MAHBUBUR RAHMAN
  • 31
  • 5
  • Not an answer but a security warning. You have two major security holes in your code. 1) You need to stop using md5 hashing and use a real hashing algorithm that hasn't been shown to be breakable and 2) you need to use parameterizes queries to avoid sql injection attacks (https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). – Sam M Dec 30 '17 at 04:27
  • What is the problem? Does the session has been started or not? Check the query does the query return true or false. – Mr Hery Dec 30 '17 at 04:31

2 Answers2

0

Try this

I tested this code and working on the localhost and server both.

Don't use MD5 for a password.

I will suggest you use the Password verify and password hash

http://php.net/manual/en/function.password-verify.php

http://php.net/manual/en/function.password-hash.php

if (isset($_POST['submit'])) {
    $username = $conn->real_escape_string($_POST['username']);
    $password = $conn->real_escape_string(md5($_POST['password']));

    $_SESSION['login'] = false;
    $query = "SELECT * FROM admin_user WHERE username='$username' AND password='$password' ";
    $rslt = mysqli_query($conn,$query);
    $check_user = mysqli_num_rows($rslt);
    if($check_user>0){
    echo "<script>window.open('index.php','_self')</script>";
    }else{

    echo  "<div class='alert alert-danger inputmsg-txt'>Username or Password does not matched</div>";
       }
        $conn->close();
     }
Naren Verma
  • 2,205
  • 5
  • 38
  • 95
0

please use php artisan tinker, for input password

Aldi JAV
  • 15
  • 2