
Admin Login Form Doesn't Redirect

Posted: Sun Feb 06, 2011 2:53 pm
by alexistheanswer
Hey guys,

I'm kind of a n00b with PHP and I'm trying to practice by building a mock e-comm site, but I'm having a problem with my admin login form. When the information is submitted the form just clears and doesn't redirect me to the index.php file I have set up. That is, I don't get any error messages, the information disappears and I remain on the login page. My knowledge of PHP isn't where I'd like it to be yet, so I'm here for help! I'll post the code for both the admin login page and the index.php file.

ADMIN LOGIN PAGE
|
|
V

Code:

<?php
session_start();
if (isset($_SESSION["username"])) {
    header("location: index.php");
    exit();
}

?>
<?php

if (isset($_POST["username"]) && isset($_POST["password"])) {

    $username = $_POST["username"]; // NOTE: no filtering is applied here yet, although the intent is to keep only letters and numbers
    $password = $_POST["password"]; // NOTE: same here; the raw submitted value is used in the query below

    include "../storescripts/connect_to_mysql.php";
    $sql = mysql_query("SELECT id FROM admin WHERE username='$username' AND password='$password' LIMIT 1");

    $existCount = mysql_num_rows($sql); // count the row nums
    if ($existCount == 1) { // evaluate the count
        while ($row = mysql_fetch_array($sql)) {
            $id = $row["id"];
        }
        $_SESSION["id"] = $id;
        $_SESSION["username"] = $username;
        $_SESSION["password"] = $password;
        header("location: index.php");
        exit();
    } else {
        echo 'That information is incorrect, try again <a href="index.php">Click Here</a>';
        exit();
    }
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
      <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
      <title>Store Admin Area</title>
        <link rel="stylesheet" type="text/css" href="../css/main_style.css" />
   </head>

   <body>
           <div id="wrapper">
                  <div id="text"><br />
                     <div align="left" style="margin-left:100px; margin-top:100px;">
                        <h2>Please Login To Manage The Store</h2>
                        <br /><br />
                        <form id="form1" name="form1" method="post" action="admin_login.php">
                        <strong>Username</strong>
                           <input name="username" type="text" id="username" size="40" />
                        <br /><br />
                        <strong>Password</strong>
                           <input name="password" type="password" id="password" size="40" />
                        <br />
                        <br />
                           <input type="submit" name="button" id="button" value="Login" />
                        </form>
                     </div>
           </div><!--closes wrapper-->
   </body>
</html>

INDEX.PHP FILE
|
|
V

Code:

<?php
session_start();
if (!isset($_SESSION["username"])) {
    header("location: admin_login.php");
    exit();
}

$usernameID = preg_replace('#[^0-9]#i', '', $_SESSION["id"]);
$username = preg_replace('#[^A-Za-z0-9]#i', '', $_SESSION["username"]);
$password = preg_replace('#[^A-Za-z0-9]#i', '', $_SESSION["password"]);

include "../storescripts/connect_to_mysql.php";
$sql = mysql_query("SELECT * FROM admin WHERE id='$usernameID' AND username='$username' AND password='$password' LIMIT 1"); // query the person

$existCount = mysql_num_rows($sql); // count the row nums
if ($existCount == 0) { // evaluate the count
    echo "Your login session data is not on record in the database.";
     exit();
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
      <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
      <title>Store Admin Area</title>
        <link rel="stylesheet" type="text/css" href="../css/main_style.css" />
   </head>

   <body>
          <div id="wrapper">
                  <div id="text"><br />
                     <div align="left" style="margin-left:100px; margin-top:100px;">
                        <h2>Hello store manager, what would you like to do today?</h2>
                        <p><a href="inventory_list.php">Manage Inventory</a><br />
                        <a href="#">Manage Blah Blah </a></p>
                     </div>
                     <br />
                  <br />
                  <br />
                </div><!--closes wrapper-->
   </body>
</html>
Any help and suggestions are greatly appreciated! Thanks!

Re: Admin Login Form Doesn't Redirect

Posted: Sun Feb 06, 2011 5:58 pm
by Peter Kelly
Couple of things: you should use indenting, it helps loads to find stuff, and make sure you use PHP tags when posting on these forums!!!

Well, if the admin form doesn't redirect, maybe we should try some debugging. Now there are lots of ways to debug and each person will have their own way, but my method is to echo numbers after certain lines so we can see where it actually gets up to. Try using this version: I have just printed out the $_SESSION array and the $_POST at the top of the page and then echoed out numbers. Just check you have all the numbers you need echoing correctly to check where the code gets up to.

Code:

<?php

session_start();
echo "<pre>";
print_r($_SESSION);
print_r($_POST);
echo "</pre>";
echo "1";
if (isset($_SESSION["username"]))
{
	header("location: index.php");
	exit();
}

?>
<?php

if (isset($_POST["username"]) && isset($_POST["password"]))
{
	echo "2";
	$username = $_POST["username"]; // filter everything but numbers and letters
	$password = $_POST["password"]; // filter everything but numbers and letters

	include "../storescripts/connect_to_mysql.php";
	$sql = mysql_query("SELECT id FROM admin WHERE username='$username' AND password='$password' LIMIT 1");
	$existCount = mysql_num_rows($sql); // count the row nums
	echo "3";
	if ($existCount == 1)
	{ // evaluate the count
		echo "4";
		while ($row = mysql_fetch_array($sql))
		{
			echo "5";
			$id = $row["id"];
		}
		$_SESSION["id"] = $id;
		$_SESSION["username"] = $username;
		$_SESSION["password"] = $password;
		header("location: index.php");
		exit();
	}
	else
	{
		echo "6";
		echo 'That information is incorrect, try again <a href="index.php">Click Here</a>';
		exit();
	}
}

?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Store Admin Area</title>
<link rel="stylesheet" type="text/css" href="../css/main_style.css" />
</head>

<body>
<div id="wrapper">
<div id="text">

<div align="left" style="margin-left:100px; margin-top:100px;">
<h2>Please Login To Manage The Store</h2>



<form id="form1" name="form1" method="post" action="admin_login.php">
<strong>Username</strong>
<input name="username" type="text" id="username" size="40" />



<strong>Password</strong>
<input name="password" type="password" id="password" size="40" />




<input type="submit" name="button" id="button" value="Login" />
</form>
</div>
</div><!--closes wrapper-->
</body>
</html>
That is the admin_login.php page. Try it and paste back any responses it gives back at the top of the page.

Re: Admin Login Form Doesn't Redirect

Posted: Sun Feb 06, 2011 11:49 pm
by alexistheanswer
Ah, interesting. So just to reiterate, by adding an echo statement with an arbitrary number, we can determine where the code begins to break? Thanks for the tip!

Ok so this is what came out.

Array
(
)
Array
(
[PHPSESSID] => 639ef7fbecfc214810797e3905a0bf28
[username] => me1mast
[password] => *******
[button] => Login
)

12345

Re: Admin Login Form Doesn't Redirect

Posted: Mon Feb 07, 2011 2:09 am
by Peter Kelly
Well, it shows that the code is getting the row from the SQL table and has found the correct user, so it should set the sessions and redirect. I would recommend trying to add the numbers and printing out the sessions etc. on the index page as well.

But just a bit of a worry I've found in your code is you are:
* Not encrypting passwords and setting your password in plain text in SESSIONS :O - This is extremely dangerous, as even the simplest hacker can view sessions and cookies sent via the server. One way I would suggest doing your login is not by checking the username and password every time, but when they log in it stores the PHPSESS_ID in a table along with the associated user id and IP address of whoever has logged in with it, as the $_SESSION['PHPSESS_ID'] is unique every time someone accesses your website.
* Not using mysql_real_escape_string. Not using it allows, yet again, even simple hackers to inject SQL into your queries. This is how it should look.

Code:

$sql = mysql_query("SELECT id FROM admin WHERE username='" . mysql_real_escape_string($username) . "' AND password='" . mysql_real_escape_string($password) . "' LIMIT 1");
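Peter's two points above (no plain-text passwords in the database or the session, and no SQL built by string concatenation) as one worked login page. This is an added example, not code from the thread or from the poster's site. It assumes PHP 7 or later, a PDO connection with placeholder DSN and credentials, and an `admin` table with columns `id`, `username` and `password_hash`, where `password_hash` was filled with `password_hash($plain, PASSWORD_DEFAULT)` rather than the plain-text `password` column the thread uses. The session holds only the admin's id, and the session id is regenerated at login, so there is no password to recover from session data; index.php is shown after it as a second file.

```php
<?php
// admin_login.php: added example, not the thread's code. Assumes PHP 7+, a
// placeholder PDO connection, and an `admin` table (id, username, password_hash)
// whose password_hash column holds output of password_hash($plain, PASSWORD_DEFAULT).
session_start();

function store_db(): PDO
{
    // Placeholder DSN and credentials; the real values live in the site's config.
    return new PDO('mysql:host=localhost;dbname=store;charset=utf8mb4', 'dbuser', 'dbpass', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

// Already logged in: straight to the admin index.
if (isset($_SESSION['admin_id'])) {
    header('Location: index.php');
    exit();
}

$error = '';
if (isset($_POST['username'], $_POST['password'])) {
    $username = (string) $_POST['username'];
    $password = (string) $_POST['password'];

    // The username is bound as a parameter, never pasted into the SQL string.
    $stmt = store_db()->prepare('SELECT id, password_hash FROM admin WHERE username = :u LIMIT 1');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() checks the submitted password against the stored hash;
    // the plain-text password is never written to the database or the session.
    if ($row !== false && password_verify($password, $row['password_hash'])) {
        session_regenerate_id(true);              // fresh session id once the user is privileged
        $_SESSION['admin_id'] = (int) $row['id']; // the only value the session needs to hold
        header('Location: index.php');
        exit();
    }
    $error = 'That information is incorrect, try again.'; // same text for unknown user or wrong password
}
?>
<!DOCTYPE html>
<html>
<head><meta charset="utf-8"><title>Store Admin Area</title></head>
<body>
<h2>Please Login To Manage The Store</h2>
<?php if ($error !== ''): ?><p><?= htmlspecialchars($error, ENT_QUOTES, 'UTF-8') ?></p><?php endif; ?>
<form method="post" action="admin_login.php">
  <label>Username <input name="username" type="text" size="40"></label><br>
  <label>Password <input name="password" type="password" size="40"></label><br>
  <input type="submit" value="Login">
</form>
</body>
</html>
<?php
// index.php guard (a second file; it includes the same store_db() helper).
// Only the id is read back from the session, and it is re-checked against the
// admin table with another prepared statement before the page renders.
session_start();
if (!isset($_SESSION['admin_id'])) {
    header('Location: admin_login.php');
    exit();
}
$check = store_db()->prepare('SELECT 1 FROM admin WHERE id = :id LIMIT 1');
$check->execute([':id' => $_SESSION['admin_id']]);
if ($check->fetchColumn() === false) {
    // The id no longer maps to an admin row: drop the session and start over.
    session_unset();
    session_destroy();
    header('Location: admin_login.php');
    exit();
}
?>
```

Two design choices worth noting: the failure message is the same whether the username is unknown or the password is wrong, so the login page does not reveal which admin usernames exist, and `session_regenerate_id(true)` discards whatever session id the browser arrived with, so an id obtained before login is worthless afterwards.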

Re: Admin Login Form Doesn't Redirect

Posted: Mon Feb 07, 2011 1:14 pm
by alexistheanswer
Hey Peter,

Thanks for the info! Ok I added the real_escape_string, and will add the PHPSESS_ID as soon as I get this to work. Would I place the $_SESSIONS info in the same place as in the admin login file; in the evaluate count statement? I echoed out a few numbers in the index.php file and the only number that gets posted is 1, so I guess the code doesn't run past this point? I'm not too sure on how to correct this though. I'll post it below so you can have a look.

<?php
session_start();
echo "1";
if (!isset($_SESSION["username"])) {
    header("location: admin_login.php");
    exit();
}
// Be sure to check that this manager SESSION value is in fact in the database
echo "2";
$usernameID = preg_replace('#[^0-9]#i', '', $_SESSION["id"]); // filter everything but numbers
$username = preg_replace('#[^A-Za-z0-9]#i', '', $_SESSION["username"]); // filter everything but numbers and letters
$password = preg_replace('#[^A-Za-z0-9]#i', '', $_SESSION["password"]); // filter everything but numbers and letters
// Run mySQL query to be sure that this person is an admin and that their password session var equals the database information
// Connect to the MySQL database
include "../storescripts/connect_to_mysql.php";
$sql = mysql_query("SELECT id FROM admin WHERE username='" . mysql_real_escape_string($username) . "' AND password='" . mysql_real_escape_string($password) . "' LIMIT 1"); // query the person
// ------- MAKE SURE PERSON EXISTS IN DATABASE ---------
$existCount = mysql_num_rows($sql); // count the row nums
if ($existCount == 0) { // no matching row: the session data is not in the database
    echo "Your login session data is not on record in the database.";
    exit();
}
?>

Re: Admin Login Form Doesn't Redirect

Posted: Mon Feb 07, 2011 1:35 pm
by Peter Kelly
before the echo "1"; put the following

Code:

echo "<pre>";
print_r($_SESSION);
echo "</pre>";
See what that outputs

Re: Admin Login Form Doesn't Redirect

Posted: Mon Feb 07, 2011 3:30 pm
by alexistheanswer
This is what I get.

Array
(
)

1

Re: Admin Login Form Doesn't Redirect

Posted: Mon Feb 07, 2011 3:35 pm
by Peter Kelly
Is that after you've logged in? If it is, then it means your sessions aren't being set. Either way I'm a little stuck. :/ sorry

Re: Admin Login Form Doesn't Redirect

Posted: Mon Feb 07, 2011 4:37 pm
by alexistheanswer
Yes, I receive this message after I've logged in. No problem Peter, still very helpful.

Can you guys explain/give me an example of how I'd go about setting $_SESSION a different way or to another variable? I'm getting frustrated and I can't seem to clear my thoughts :S
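A small diagnostic page for the symptom in the last few posts: the `$_SESSION` dump on index.php is empty straight after a login that should have filled it. This is an added example, not code from the thread; it assumes PHP 7 or later and that the file is dropped into the same admin directory and loaded twice in a row. One detail in the poster's own `$_POST` dump is worth reading alongside it: the `PHPSESSID` entry there is what PHP's `session.use_trans_sid` rewriting adds to forms when the request did not carry a session cookie, and a `header("location: ...")` redirect is not rewritten, so if the browser never sends the cookie back, index.php starts a fresh, empty session. The checks below report whether the cookie came back, whether output was sent before `session_start()`, whether the cookie path covers this directory, and whether the session save path is writable, which are the usual reasons for session data not surviving a redirect.

```php
<?php
// session_check.php: added diagnostic example, not from the thread.
// Load it twice in a row; "visits" must read 2 on the second load if
// session data is persisting between requests.

$problems = [];

// 1. Anything echoed (or any whitespace outside <?php ?>) before session_start()
//    means the Set-Cookie header for the session cannot be sent.
if (headers_sent($file, $line)) {
    $problems[] = "output already sent at $file:$line before session_start()";
}

session_start();

// 2. Session files must go to a directory the web server user can write to.
$savePath = session_save_path();
if ($savePath === '') {
    $savePath = sys_get_temp_dir();
}
if (!is_dir($savePath) || !is_writable($savePath)) {
    $problems[] = "session save path '$savePath' is not a writable directory";
}

// 3. Did the browser send the session cookie back on this request?
//    On the very first visit it cannot have; on the second it must.
$cookieSeen = isset($_COOKIE[session_name()]);
if (!$cookieSeen && isset($_GET[session_name()])) {
    $problems[] = "session id arrived in the URL, not in a cookie: trans_sid is carrying it";
}

// 4. Cookie scope: a cookie path that does not cover this directory is never sent back.
$cookie    = session_get_cookie_params();
$scriptDir = rtrim(dirname($_SERVER['SCRIPT_NAME']), '/') . '/';
if ($cookie['path'] !== '/' && strpos($scriptDir, rtrim($cookie['path'], '/') . '/') !== 0) {
    $problems[] = "cookie path '{$cookie['path']}' does not cover '$scriptDir'";
}

// 5. Persist a counter so the second visit proves data survives between requests.
$_SESSION['visits'] = ($_SESSION['visits'] ?? 0) + 1;

header('Content-Type: text/plain; charset=utf-8');
echo "session id      : " . session_id() . "\n";
echo "visits          : " . $_SESSION['visits'] . "\n";
echo "cookie received : " . ($cookieSeen ? 'yes' : 'no') . "\n";
echo "use_cookies     : " . ini_get('session.use_cookies') . "\n";
echo "use_trans_sid   : " . ini_get('session.use_trans_sid') . "\n";
echo "save path       : $savePath\n";
foreach ($problems as $p) {
    echo "problem         : $p\n";
}
```

Read the second load, not the first: on the first request no cookie can have been sent back yet, so "cookie received: no" is expected there. If the second load still shows "no" with "visits: 1", the browser is not returning the cookie, and the cookie path and domain are the first things to compare against the address used to reach the admin pages. Once the cookie is confirmed to round-trip, leaving `session.use_only_cookies` on means the session id is never carried in forms or URLs at all.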