PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.
 
Loading
It is currently Tue Oct 24, 2017 2:51 am

All times are UTC - 5 hours




Post new topic Reply to topic  [ 5 posts ] 
Author Message
PostPosted: Fri Oct 06, 2017 7:28 pm 
Offline
Forum Contributor

Joined: Wed Jan 18, 2017 4:43 pm
Posts: 171
Hi,

I need help in the login.php to why it logs in every Tom & Harry. I am showing you my original code below.
I need help fixing this. My questions are in the comments of the code. I need help in adding the cookie feature so any user can be auto logged-in when they check the "Remember Me" check box in the login page.
From your code and their comments, I aswell as other newbies would learn from them.

login.php
Code:
<?php

/*
ERROR HANDLING
*/
declare(strict_types=1);
ini_set('display_errors', '1');
ini_set('display_startup_errors', '1');
error_reporting(E_ALL);
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

include 'config.php';

// check if user is already logged in
if (is_logged() === true)
{
   //Redirect user to homepage page after 5 seconds.
   header("refresh:2;url=home.php");
   exit; //
}


if (isset($_POST["login_username_or_email"]) && isset($_POST["login_password"]))
   {
      $username_or_email = trim($_POST["login_username_or_email"]);
      $password = $_POST["login_password"];      
         
      //Select Username or Email to check against Mysql DB if they are already registered or not.
            
        if(strpos("$username_or_email", "@"))
      {
         $email = $username_or_email;
                  
         $query = "SELECT ids, usernames, passwords, emails, accounts_activations_statuses FROM users WHERE emails = ?";
         $stmt = mysqli_stmt_init($conn);
         $stmt = mysqli_prepare($conn, $query);         
         mysqli_stmt_bind_param($stmt, 's', $email);
         mysqli_stmt_execute($stmt);
          //$result = mysqli_stmt_get_result($stmt); //Which line to use ? This line or the next ?
         $result = mysqli_stmt_bind_result($stmt, $db_id, $db_username, $db_password, $db_email, $db_account_activation_status); // Which line to use ? This line or the one above ?
      }
      else
      {
         $username = $username_or_email;
                  
         $query = "SELECT ids, usernames, passwords, emails, accounts_activations_statuses FROM users WHERE usernames = ?";
         $stmt = mysqli_stmt_init($conn);
         $stmt = mysqli_prepare($conn, $query);
         mysqli_stmt_bind_param($stmt, 's', $username);
         mysqli_stmt_execute($stmt);
         //$result = mysqli_stmt_get_result($stmt); //Which line to use ? This line or the next ?
         $result = mysqli_stmt_bind_result($stmt, $db_id, $db_username, $db_password, $db_email, $db_account_activation_status); // Which line to use ? This line or the one above ?
      }          
      
      //Which of the following 3 to use and why that one over the other 2 ?
      $row = mysqli_stmt_fetch($stmt); //Which line to use ? This line or 2 of the next 2 ?
      //$row = mysqli_fetch_array($query, MYSQLI_ASSOC); //Which line to use ? This line or the one above this lone or the one below this line ?
      //$row = mysqli_fetch_array($result, MYSQLI_ASSOC);
      
      mysqli_stmt_close($stmt);
      
      printf("%s (%s)\n",$row["usernames"],$row["passwords"]);
      
      if ($result == false)
      {
         echo "No result!"; // For debugging purpose!
         exit();
      }
      elseif ($row['accounts_activations_statuses'] == '0')
      {
         {
            echo "You have not activated your account yet! Check your email for instructions on how to activate it.
            Check your spam folder if you don't find an email from us.";
            exit();
         }
      }
      else
      {
         if (password_verify($password, $db_password))      
         {
            echo "IF triggered for password_verify! password_verify ok"; // For debugging purpose!
         
         $_SESSION["user"] = $db_username;
         header("location:home.php?user=$db_username");            
      }
      else
      {
         echo "Incorrect User Credentials !';<br>";
         exit();
      }
   }

   
?>

<!DOCTYPE html>
<html>
<head>
<title><?php $site_name?> Member Login Page</title>
  <meta charset="utf-8">
</head>
<body>
<form method="post" action="">
   <h3><?= $site_name ?> Member Login Form</h3>
   <fieldset>
      <label for="login_name">Username/Email:</label>
      <input type="text" name="login_username_or_email" id="login_name" value="">
      <br>
      <label for="login_pass">Password:</label>
      <input type="password" name="login_password" id="login_pass" value="">
   </fieldset>
   <div class="submitsAndHiddens">
      <label for="login_remember">Remember Login Details:</label>
      <input type="checkbox" name="login_remember" />
      <br>
      <button type="submit">Login</button>
      <br>
      <a href="login_password_reset.php">Forgot your Password ? Reset it here!</a>
      <br>
      <a href="register.php">Register here!</a>
   </div>
</form>

</body>
</html>



registration.php (working)

Code:
<?php

/*
ERROR HANDLING
*/
declare(strict_types=1);
ini_set('display_errors', '1');
ini_set('display_startup_errors', '1');
error_reporting(E_ALL);
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

include 'config.php';

//Step 1: Before registering User account, check if User is already registered or not.

//Check if User is already logged-in or not.
if (is_logged() === true) {
   die("You are already logged-in! No need to register again!");
}

if ($_SERVER['REQUEST_METHOD'] == "POST")
{
//Step 2: Check User Submitted Details.
   
   //Check if user made all the required inputs or not.
   if (isset($_POST["username"]) &&
      isset($_POST["password"]) &&
      isset($_POST["password_confirmation"]) &&
      isset($_POST["email"]) &&
      isset($_POST["email_confirmation"]) &&
      isset($_POST["first_name"]) &&
      isset($_POST["surname"]) &&
      isset($_POST["gender"])) {
         
//Step  3: Check User details for matches against database. If no matches then validate inputs and register User account.
         
      //Create variables based on user inputs.
      $username    = trim($_POST["username"]);
      $password    = $_POST["password"];
      $password_confirmation = $_POST["password_confirmation"];
      $email       = trim($_POST["email"]);
        $email_confirmation = trim($_POST["email_confirmation"]);
        $first_name   = trim($_POST["first_name"]);
        $surname    = trim($_POST["surname"]);
      $gender    = $_POST["gender"];   
         $account_activation_code = sha1( (string) mt_rand(5, 30)); //Type Casted the INT to STRING on the 1st parameter of sha1 as it needs to be a STRING.
      $account_activation_link = "http://www.".$site_domain."/".$social_network_name."/activate_account.php?email=".$_POST['email']."&account_activation_code=".$account_activation_code."";
      $account_activation_status = 0; // 1 = active; 0 = not active.
        $hashed_password = password_hash($password, PASSWORD_DEFAULT); //Encrypt the password.
       
      //Select Username and Email to check against Mysql DB if they are already registered or not.
      $stmt = mysqli_prepare($conn, "SELECT usernames, emails FROM users WHERE usernames = ? OR emails = ?");
      mysqli_stmt_bind_param($stmt, 'ss', $username, $email);
      mysqli_stmt_execute($stmt);
      $result = mysqli_stmt_get_result($stmt);      
      $row = mysqli_fetch_array($result, MYSQLI_ASSOC);
       
      // Check if inputted Username is already registered or not.
      if ($row['usernames'] == $username) {
         $_SESSION['error'] = "That username is already registered.";
         exit();
      // Check if inputted Username is between the required 8 to 30 characters long or not.
      } elseif (strlen($username) < 8 || strlen($username) > 30) {
         $_SESSION['error'] = "Username must be between 8 to 30 characters long!";
         exit();
      // Check if both inputted Emails match or not.
      } elseif ($email != $email_confirmation) {
         $_SESSION['error'] = "Emails don't match!";
         exit();
      // Check if inputed Email is valid or not.
      } elseif (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
         $_SESSION['error'] = "Invalid email! Insert your real Email in order for us to email you your account activation details.";
         exit();
      // Check if inputted Email is already registered or not.
      } elseif ($row['emails'] == $email) {
         $_SESSION['error'] = "That email is already registered.";
         exit();
      // Check if both inputted Passwords match or not.
      } elseif ($password != $password_confirmation) {
         $_SESSION['error'] = "Passwords don't match.";
         exit();
      // Check if Password is between 8 to 30 characters long or not.
      } elseif (strlen($password) < 8 || strlen($password) > 30) {
         $_SESSION['error'] = "Password must be between 6 to 30 characters long!";
         exit();
      }
      else
      {
         //Insert the user's inputs into Mysql database using php's sql injection prevention method "Prepared Statements".
         $stmt = mysqli_prepare($conn, "INSERT INTO users(usernames, passwords, emails, first_names, surnames, genders, accounts_activations_codes, accounts_activations_statuses) VALUES (?, ?, ?, ?, ?, ?, ?, ?)");
         mysqli_stmt_bind_param($stmt, 'sssssssi', $username, $hashed_password, $email, $first_name, $surname, $gender, $account_activation_code, $account_activation_status);
         mysqli_stmt_execute($stmt);
         echo "INSERTING";

         //Check if user's registration data was successfully submitted or not.
         if (!$stmt)
         {
            $_SESSION['error'] = "Sorry! Our system is currently experiencing a problem registering your account! You may try registering some other time.";
            exit();
         }
         else
         {
            //Email the account activation link for user to click it to confirm their email and activate their new account.
            $to = $email;
            $subject = "Your ".$site_name." account activation details!";
            $body  = nl2br("
            ===============================\r\n
            ".$site_name." \r\n
            ===============================\r\n
            From: ".$site_admin_email."\r\n
            To: ".$email."\r\n
            Subject: Yours ".$subject." \r\n
            Message: ".$first_name." ".$surname."\r\n You need to click on this following <a href=".$account_activation_link.">link</a> to activate your account. \r\n");
            $headers = "From: " . $site_admin_email . "\r\n";
         
             if (!mail($to,$subject,$body,$headers))
            {
               $_SESSION['error'] = "Sorry! We have failed to email you your account activation details. Please contact the website administrator!";
               exit();
            }
            else
            {
               echo "<h3 style='text-align:center'>Thank you for your registration!
Check your email for details on how to activate your account which you just registered.</h3>";
               exit();
            }
         }
       }
   }
}

?>

<!DOCTYPE html>
<html>
   <head>
      <title><?php $social_network_name ?> Signup Page</title>
   </head>
<body>
<div class ="container">

<?php
// Error Messages.
if (isset($_SESSION['error']) && !empty($_SESSION['error'])) {
   echo '<p style="color:red;">'.$_SESSION['error'].'</p>';
}
?>

<?php
//Session Messages.
if (isset($_SESSION['message']) && !empty($_SESSION['message'])) {
   echo '<p style="color:red;">'.$_SESSION['error'].'</p>';
}
?>

<?php
//Clear Registration Session.
function clear_registration_session()
   {
      //Clear the User Form inputs, Session Messages and Session Errors so they can no longer be used.
      unset($_SESSION['message']);
      unset($_SESSION['error']);
      unset($_POST);
      exit();
   }
?>

<form method="post" action="">
   <center><h2>Signup Form</h2></center>
   <div class="form-group">
      <center><label>Username:</label>
      <input type="text" placeholder="Enter a unique Username" name="username" required [A-Za-z0-9] value="<?php if(isset($_POST['username'])) { echo htmlentities($_POST['username']); }?>"></center>
   </div>
   <div class="form-group">
      <center><label>Password:</label>
      <input type="password" placeholder="Enter a new Password" name="password" required [A-Za-z0-9]></center>
   </div>
   <div class="form-group">
      <center><label>Repeat Password:</label>
      <input type="password" placeholder="Repeat a new Password" name="password_confirmation" required [A-Za-z0-9]></center>
   </div>
      <div class="form-group">
      <center><label>Email:</label>
      <input type="email" placeholder="Enter your Email" name="email" required [A-Za-z0-9] value="<?php if(isset($_POST['email'])) { echo htmlentities($_POST['email']); }?>"></center>
   </div>
   <div class="form-group">
      <center><label>Repeat Email:</label>
      <input type="email" placeholder="Repeat your Email" name="email_confirmation" required [A-Za-z0-9] value="<?php if(isset($_POST['email_confirmation'])) { echo htmlentities($_POST['email_confirmation']); }?>"></center>
   </div>
   <div class="form-group">
      <center><label>First Name:</label>
      <input type="text" placeholder="Enter your First Name" name="first_name" required [A-Za-z] value="<?php if(isset($_POST['first_name'])) { echo htmlentities($_POST['first_name']); }?>"></center>
   </div>
   <div class="form-group">
      <center><label>Surname:</label>
      <input type="text" placeholder="Enter your Surname" name="surname" required [A-Za-z] value="<?php if(isset($_POST['surname'])) { echo htmlentities($_POST['surname']); }?>"></center>
   </div>
   <div class="form-group">
      <center><label>Gender:</label>
      <input type="radio" name="gender" value="male" <?php if(isset($_POST['gender'])) { echo 'checked'; }?> required>Male<input type="radio" name="gender" value="female" <?php if(isset($_POST['gender'])) { echo 'checked'; }?> required>Female</center>
   </div>
   <center><button type="submit" class="btn btn-default" name="submit">Register!</button></center>
   <center><font color="red" size="3"><b>Already have an account ?</b><br><a href="login.php">Login here!</a></font></center>
</form>
</div>
</body>
</html>


account_activation.php (working)
Code:
<?php

/*
ERROR HANDLING
*/
declare(strict_types=1);
ini_set('display_errors', '1');
ini_set('display_startup_errors', '1');
error_reporting(E_ALL);
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

include 'config.php';

if (!isset($_GET["email"], $_GET["account_activation_code"]) === true)
{
    $_SESSION['error'] = "Invalid Email Address! Invalid Account Activation Link! This email is not registered! Try registering an account if you do not already have one! <a href=\"register.php\">Register here!</a>";
    exit();
}
else
{   
   $email = htmlspecialchars($_GET['email']);
   $account_activation_code = htmlspecialchars($_GET['account_activation_code']);

   $stmt_one = mysqli_stmt_init($conn);   
   if (mysqli_stmt_prepare($stmt_one, "SELECT usernames, accounts_activations FROM users WHERE emails = ? AND accounts_activations_codes = ?"))
   {
      mysqli_stmt_bind_param($stmt_one, 'si', $email,  $account_activation_code);
      mysqli_stmt_execute($stmt_one);
      mysqli_stmt_bind_result($stmt_one, $username, $account_activation_state);
      mysqli_stmt_fetch($stmt_one);
      mysqli_stmt_close($stmt_one);
       
      if ($account_activation_state != 0)
      {   
         echo "Since your account is already activated, why are you trying to activate it again ? Do not do that again and just login from <a href=\"login.php\">this webpage</a> next time! Make a note of that webpage, ok ?";
         exit;
      }
      else
      {
         $account_activation_state = 1;
            
         $stmt_two = mysqli_stmt_init($conn);
         if(mysqli_stmt_prepare($stmt_two, "UPDATE users SET accounts_activations = ? WHERE usernames = ?"))
         {
            mysqli_stmt_bind_param($stmt_two, 'is', $account_activation_state, $username);
            mysqli_stmt_execute($stmt_two);   
            mysqli_stmt_fetch($stmt_two);
            mysqli_stmt_close($stmt_two);
         
            echo "Account Activation State: $account_activation_state";?><br>
            <?php
            echo "Username: $username";         
      
            echo "<h3 style='text-align:center'>Thank you for your confirming your email and activating your account.
You may now try logging into your account.</h3>";
            $_SESSION["user"] = $username;
         }
         else
         {
            echo 'Failure: Something is wrong. Unable to activate your account! Contact Site Admin.';
            echo 'Failure: Mysqli_stmt_prepare($stmt_two)';
            exit;
         }
      }   
   }
   else
   {
      echo 'Failure: This account activation link is invalid or has expired. Try <a href="register.php">registering</a> for an account now.';
      echo 'Failure: Mysqli_stmt_prepare($stmt_one)';
      exit;
   }         
}

?>


logout.php (working)

Code:
<?php
       session_start();
       session_destroy();
       echo "You have successfully logged-out!";
?><br>
<?php
       echo "<a href='login.php'>Re-Login.</a>";
?><br>


Top
 Profile  
 
PostPosted: Fri Oct 06, 2017 8:17 pm 
Offline
Forum Contributor

Joined: Fri Sep 05, 2008 3:34 pm
Posts: 487
Location: Victoria, BC
You might find and different idea faster and more in tune with your needs

JavaScript can deal with the client and cookies and PHP can handle the database

then use HTTP POST and HTTP GET is really simple to log in and carry on.

home page click logon, send the cookie to logon.php who then checks the hash with the database, returns home page or error.php

use a flow chart, makes your logic clearer

_________________
Hardcore Games Legendary is the Only Way to Play!
Vegan Advocate 16 lbs grain to make only 1 lb meat, water for 6 months of showers and 34.1 lbs carbon dioxide
My sites are made with WordPress, which is a content management system, Joomla and Drupal are some alternatives


Top
 Profile  
 
PostPosted: Sat Oct 07, 2017 6:07 pm 
Offline
Forum Contributor

Joined: Wed Jan 18, 2017 4:43 pm
Posts: 171
Vegan wrote:
You might find and different idea faster and more in tune with your needs

JavaScript can deal with the client and cookies and PHP can handle the database

then use HTTP POST and HTTP GET is really simple to log in and carry on.

home page click logon, send the cookie to logon.php who then checks the hash with the database, returns home page or error.php

use a flow chart, makes your logic clearer


Thanks!
My login.php actually works (the non PREP STMT or non-hacking prevention version). But as soon as I added the PREP STMT and hash I encounter problems now.


Top
 Profile  
 
PostPosted: Sat Oct 07, 2017 6:10 pm 
Offline
Forum Contributor

Joined: Wed Jan 18, 2017 4:43 pm
Posts: 171
Does anyone have any clue why the login.php logs anyone in ?
My login.php actually works (the non PREP STMT or non-hacking prevention version). But as soon as I added the PREP STMT and hash I encounter problems now.


Top
 Profile  
 
PostPosted: Sat Oct 07, 2017 7:11 pm 
Offline
Forum Contributor

Joined: Wed Jan 18, 2017 4:43 pm
Posts: 171
I sorted the login.php problem.
Opening another thread and continuing the project there. This thread can now be closed.


Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 5 posts ] 

All times are UTC - 5 hours


Who is online

Users browsing this forum: No registered users and 15 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Jump to:  
Powered by phpBB® Forum Software © phpBB Group