
I'm trying to do a website where you need to login to get access to a page. Everything works fine but I want to prevent direct access.

loginserver.php :

<?php
$error = ''; // Variable to store the error message
if(isset($_POST['submit'])){
    if(empty($_POST['user']) || empty($_POST['pass'])){
        $error = "Username or Password is Invalid";
    }
    else
    {
        //Define $user and $pass
        $user=$_POST['user'];
        $pass=$_POST['pass'];
        //Establishing connection with the server by passing server_name, user_id and pass as parameters
        $conn = mysqli_connect("localhost", "root", "");
        //Selecting Database
        $db = mysqli_select_db($conn, "test");
        //SQL query to fetch the information of the registered user and find a user match.
        //Note: $user and $pass are interpolated directly into the query (see the comments below).
        $query = mysqli_query($conn, "SELECT * FROM userpass WHERE pass='$pass' AND user='$user'");

        $rows = mysqli_num_rows($query);
        if($rows == 1){
            header("Location: welcome.php"); // Redirecting to other page
            exit; // stop executing after the redirect header is sent
        }
        else
        {
            $error = "Username or Password is Invalid";
        }
        mysqli_close($conn); // Closing connection
    }
}

?>

Welcome.php

<!doctype html>
<html>
<head>
<meta charset="UTF-8">
</head>
<body>
<h1>Welcome</h1>
</body>
</html>
Spoody
Alarewyn

  • **Your code is vulnerable to SQL injection and will be hacked** even if [you are escaping inputs!](https://stackoverflow.com/a/5741264/2595450) Use [Prepared Statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) instead. Check: [How can I prevent SQL injection in PHP](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Spoody May 16 '18 at 17:58
  • **Please do not store plain text passwords** nor hash it with weak algorithms, use the [password functions](http://php.net/manual/en/faq.passwords.php) provided by PHP. Check: [How do you use bcrypt for hashing passwords in PHP](https://stackoverflow.com/questions/4795385/how-do-you-use-bcrypt-for-hashing-passwords-in-php) – Spoody May 16 '18 at 17:59
  • read about [php sessions](http://php.net/manual/en/intro.session.php) – Jeff May 16 '18 at 18:01
  • you set up a login page and it WORKS!, but what do you mean by prevent direct access? – xanadev May 16 '18 at 18:02
  • then include a simple file (in all others) that checks for a valid login (in session) and redirects to login.php if not logged in – Jeff May 16 '18 at 18:02
  • **WARNING**: Writing your own access control layer is not easy and there are many opportunities to get it severely wrong. Please, do not write your own authentication system when any modern [development framework](http://codegeekz.com/best-php-frameworks-for-developers/) like [Laravel](http://laravel.com/) comes with a robust [authentication system](https://laravel.com/docs/master/authentication) built-in. At the absolute least follow [recommended security best practices](http://www.phptherightway.com/#security) and **never store passwords as plain-text** or a weak hash like **SHA1 or MD5**. – tadman May 16 '18 at 19:08

1 Answer

In loginserver.php page you have to start session at top of page.

<?php
session_start();
include('conn.php');

//  rest of code...

$row = mysqli_fetch_array($query); // mysqli_, matching the mysqli_query() call above
if($rows == 1){
    $_SESSION['uname'] = $row['user'];
    header("Location: welcome.php"); // Redirecting to other page
    exit; // stop executing after the redirect
}
?>

After that, in the welcome.php page, check whether the session variable set by the login page is present or not.

<?php
session_start();
include('conn.php');

if(!isset($_SESSION['uname'])){
    header("Location: loginserver.php");
    exit; // without exit, the rest of welcome.php is still sent to the client
}
?>

I hope it works for you.

Mohit Kumar
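Putting the answer's session guard together with the points raised in the comments, here is an added example (not the asker's or the answerer's code): a guard include for protected pages plus a login handler that uses a prepared statement and password_verify(). It assumes conn.php sets $conn to a mysqli connection and that the pass column of userpass holds password_hash() output rather than plain text, both assumptions for this example.

```php
<?php
// auth_guard.php (added example): include at the top of every protected page,
// e.g. welcome.php. Only the session is needed here, not the DB connection.
session_start();
if (!isset($_SESSION['uname'])) {
    header('Location: loginserver.php');
    exit; // without exit the protected page body is still sent to the client
}
?>
<?php
// loginserver.php (added example). Assumes conn.php defines $conn (mysqli) and
// that userpass.pass stores password_hash() output, not a plain-text password.
session_start();
require 'conn.php';

$error = '';
if (isset($_POST['submit'])) {
    $user = $_POST['user'] ?? '';
    $pass = $_POST['pass'] ?? '';
    if ($user === '' || $pass === '') {
        $error = 'Username or Password is Invalid';
    } else {
        // Prepared statement: the username is bound as a parameter, never
        // concatenated into the SQL string, so quotes in it cannot alter the query.
        $stmt = $conn->prepare('SELECT pass FROM userpass WHERE user = ?');
        $stmt->bind_param('s', $user);
        $stmt->execute();
        $stmt->bind_result($hash);
        $found = $stmt->fetch();
        $stmt->close();

        // password_verify() checks the submitted password against the stored
        // bcrypt hash; the plain-text password is never stored or compared in SQL.
        if ($found && password_verify($pass, $hash)) {
            session_regenerate_id(true); // fresh session id at login (session fixation)
            $_SESSION['uname'] = $user;
            header('Location: welcome.php');
            exit;
        }
        // Same message whether the user is unknown or the password is wrong,
        // so the response does not reveal which usernames exist.
        $error = 'Username or Password is Invalid';
    }
}
```

Rows are inserted with `password_hash($plain, PASSWORD_DEFAULT)` so that the stored value is the hash this handler verifies against.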