Why Login Page Logs Everyone In?
Posted: Fri Oct 06, 2017 7:28 pm
Hi,
I need help in the login.php to why it logs in every Tom & Harry. I am showing you my original code below.
I need help fixing this. My questions are in the comments of the code. I need help in adding the cookie feature so any user can be auto logged-in when they check the "Remember Me" check box in the login page.
From your code and its comments, I as well as other newbies would learn from them.
login.php
registration.php (working)
account_activation.php (working)
logout.php (working)
login.php
<?php
/*
ERROR HANDLING
*/
declare(strict_types=1);
ini_set('display_errors', '1');
ini_set('display_startup_errors', '1');
error_reporting(E_ALL);
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
include 'config.php';

// check if user is already logged in
if (is_logged() === true)
{
    //Redirect user to homepage after 2 seconds.
    header("refresh:2;url=home.php");
    exit;
}

if (isset($_POST["login_username_or_email"]) && isset($_POST["login_password"]))
{
    $username_or_email = trim($_POST["login_username_or_email"]);
    $password = $_POST["login_password"];

    //Select Username or Email to check against Mysql DB if they are already registered or not.
    if (strpos($username_or_email, "@"))
    {
        $email = $username_or_email;
        $query = "SELECT ids, usernames, passwords, emails, accounts_activations_statuses FROM users WHERE emails = ?";
        $stmt = mysqli_stmt_init($conn);
        $stmt = mysqli_prepare($conn, $query);
        mysqli_stmt_bind_param($stmt, 's', $email);
        mysqli_stmt_execute($stmt);
        //$result = mysqli_stmt_get_result($stmt); //Which line to use ? This line or the next ?
        $result = mysqli_stmt_bind_result($stmt, $db_id, $db_username, $db_password, $db_email, $db_account_activation_status); // Which line to use ? This line or the one above ?
    }
    else
    {
        $username = $username_or_email;
        $query = "SELECT ids, usernames, passwords, emails, accounts_activations_statuses FROM users WHERE usernames = ?";
        $stmt = mysqli_stmt_init($conn);
        $stmt = mysqli_prepare($conn, $query);
        mysqli_stmt_bind_param($stmt, 's', $username);
        mysqli_stmt_execute($stmt);
        //$result = mysqli_stmt_get_result($stmt); //Which line to use ? This line or the next ?
        $result = mysqli_stmt_bind_result($stmt, $db_id, $db_username, $db_password, $db_email, $db_account_activation_status); // Which line to use ? This line or the one above ?
    }

    //Which of the following 3 to use and why that one over the other 2 ?
    $row = mysqli_stmt_fetch($stmt); //Which line to use ? This line or one of the next 2 ?
    //$row = mysqli_fetch_array($query, MYSQLI_ASSOC); //Which line to use ? This line or the one above this line or the one below this line ?
    //$row = mysqli_fetch_array($result, MYSQLI_ASSOC);
    mysqli_stmt_close($stmt);
    printf("%s (%s)\n", $row["usernames"], $row["passwords"]);

    if ($result == false)
    {
        echo "No result!"; // For debugging purpose!
        exit();
    }
    elseif ($row['accounts_activations_statuses'] == '0')
    {
        echo "You have not activated your account yet! Check your email for instructions on how to activate it.
        Check your spam folder if you don't find an email from us.";
        exit();
    }
    else
    {
        if (password_verify($password, $db_password))
        {
            echo "IF triggered for password_verify! password_verify ok"; // For debugging purpose!
            $_SESSION["user"] = $db_username;
            header("location:home.php?user=$db_username");
        }
        else
        {
            echo "Incorrect User Credentials!<br>";
            exit();
        }
    }
}
?>
<!DOCTYPE html>
<html>
<head>
    <title><?= $site_name ?> Member Login Page</title>
    <meta charset="utf-8">
</head>
<body>
    <form method="post" action="">
        <h3><?= $site_name ?> Member Login Form</h3>
        <fieldset>
            <label for="login_name">Username/Email:</label>
            <input type="text" name="login_username_or_email" id="login_name" value="">
            <br>
            <label for="login_pass">Password:</label>
            <input type="password" name="login_password" id="login_pass" value="">
        </fieldset>
        <div class="submitsAndHiddens">
            <label for="login_remember">Remember Login Details:</label>
            <input type="checkbox" name="login_remember" id="login_remember" />
            <br>
            <button type="submit">Login</button>
            <br>
            <a href="login_password_reset.php">Forgot your Password ? Reset it here!</a>
            <br>
            <a href="register.php">Register here!</a>
        </div>
    </form>
</body>
</html>
registration.php (working)
<?php
/*
ERROR HANDLING
*/
declare(strict_types=1);
ini_set('display_errors', '1');
ini_set('display_startup_errors', '1');
error_reporting(E_ALL);
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
include 'config.php';

//Step 1: Before registering User account, check if User is already registered or not.
//Check if User is already logged-in or not.
if (is_logged() === true) {
    die("You are already logged-in! No need to register again!");
}

if ($_SERVER['REQUEST_METHOD'] == "POST")
{
    //Step 2: Check User Submitted Details.
    //Check if user made all the required inputs or not.
    if (isset($_POST["username"]) &&
        isset($_POST["password"]) &&
        isset($_POST["password_confirmation"]) &&
        isset($_POST["email"]) &&
        isset($_POST["email_confirmation"]) &&
        isset($_POST["first_name"]) &&
        isset($_POST["surname"]) &&
        isset($_POST["gender"])) {
        //Step 3: Check User details for matches against database. If no matches then validate inputs and register User account.
        //Create variables based on user inputs.
        $username = trim($_POST["username"]);
        $password = $_POST["password"];
        $password_confirmation = $_POST["password_confirmation"];
        $email = trim($_POST["email"]);
        $email_confirmation = trim($_POST["email_confirmation"]);
        $first_name = trim($_POST["first_name"]);
        $surname = trim($_POST["surname"]);
        $gender = $_POST["gender"];
        //40 hex characters from a cryptographic RNG. The earlier sha1((string) mt_rand(5, 30)) had only 26 possible values, so an activation link could be guessed.
        $account_activation_code = bin2hex(random_bytes(20));
        //urlencode() so that characters such as "+" in the email address survive the trip through the URL.
        $account_activation_link = "http://www.".$site_domain."/".$social_network_name."/activate_account.php?email=".urlencode($email)."&account_activation_code=".$account_activation_code;
        $account_activation_status = 0; // 1 = active; 0 = not active.
        $hashed_password = password_hash($password, PASSWORD_DEFAULT); //Hash the password (one-way; it is never stored or recovered in clear).

        //Select Username and Email to check against Mysql DB if they are already registered or not.
        $stmt = mysqli_prepare($conn, "SELECT usernames, emails FROM users WHERE usernames = ? OR emails = ?");
        mysqli_stmt_bind_param($stmt, 'ss', $username, $email);
        mysqli_stmt_execute($stmt);
        $result = mysqli_stmt_get_result($stmt);
        $row = mysqli_fetch_array($result, MYSQLI_ASSOC); // null when nothing matched

        // Check if inputted Username is already registered or not.
        if ($row && $row['usernames'] == $username) {
            $_SESSION['error'] = "That username is already registered.";
            exit();
        // Check if inputted Username is between the required 8 to 30 characters long or not.
        } elseif (strlen($username) < 8 || strlen($username) > 30) {
            $_SESSION['error'] = "Username must be between 8 to 30 characters long!";
            exit();
        // Check if both inputted Emails match or not.
        } elseif ($email != $email_confirmation) {
            $_SESSION['error'] = "Emails don't match!";
            exit();
        // Check if inputted Email is valid or not.
        } elseif (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
            $_SESSION['error'] = "Invalid email! Insert your real Email in order for us to email you your account activation details.";
            exit();
        // Check if inputted Email is already registered or not.
        } elseif ($row && $row['emails'] == $email) {
            $_SESSION['error'] = "That email is already registered.";
            exit();
        // Check if both inputted Passwords match or not.
        } elseif ($password != $password_confirmation) {
            $_SESSION['error'] = "Passwords don't match.";
            exit();
        // Check if Password is between 8 to 30 characters long or not.
        } elseif (strlen($password) < 8 || strlen($password) > 30) {
            $_SESSION['error'] = "Password must be between 8 to 30 characters long!";
            exit();
        }
        else
        {
            //Insert the user's inputs into Mysql database using php's sql injection prevention method "Prepared Statements".
            $stmt = mysqli_prepare($conn, "INSERT INTO users(usernames, passwords, emails, first_names, surnames, genders, accounts_activations_codes, accounts_activations_statuses) VALUES (?, ?, ?, ?, ?, ?, ?, ?)");
            mysqli_stmt_bind_param($stmt, 'sssssssi', $username, $hashed_password, $email, $first_name, $surname, $gender, $account_activation_code, $account_activation_status);
            mysqli_stmt_execute($stmt);
            echo "INSERTING";

            //Check if user's registration data was successfully submitted or not.
            if (!$stmt)
            {
                $_SESSION['error'] = "Sorry! Our system is currently experiencing a problem registering your account! You may try registering some other time.";
                exit();
            }
            else
            {
                //Email the account activation link for user to click it to confirm their email and activate their new account.
                $to = $email;
                $subject = "Your ".$site_name." account activation details!";
                $body = nl2br("
===============================\r\n
".$site_name." \r\n
===============================\r\n
From: ".$site_admin_email."\r\n
To: ".$email."\r\n
Subject: Yours ".$subject." \r\n
Message: ".$first_name." ".$surname."\r\n You need to click on this following <a href=".$account_activation_link.">link</a> to activate your account. \r\n");
                $headers = "From: " . $site_admin_email . "\r\n";

                if (!mail($to, $subject, $body, $headers))
                {
                    $_SESSION['error'] = "Sorry! We have failed to email you your account activation details. Please contact the website administrator!";
                    exit();
                }
                else
                {
                    echo "<h3 style='text-align:center'>Thank you for your registration!<br /> Check your email for details on how to activate your account which you just registered.</h3>";
                    exit();
                }
            }
        }
    }
}
?>
<!DOCTYPE html>
<html>
<head>
    <title><?= $social_network_name ?> Signup Page</title>
</head>
<body>
    <div class="container">
        <?php
        // Error Messages.
        if (isset($_SESSION['error']) && !empty($_SESSION['error'])) {
            echo '<p style="color:red;">'.$_SESSION['error'].'</p>';
        }
        ?>
        <?php
        //Session Messages.
        if (isset($_SESSION['message']) && !empty($_SESSION['message'])) {
            echo '<p style="color:red;">'.$_SESSION['message'].'</p>';
        }
        ?>
        <?php
        //Clear Registration Session.
        function clear_registration_session()
        {
            //Clear the User Form inputs, Session Messages and Session Errors so they can no longer be used.
            unset($_SESSION['message']);
            unset($_SESSION['error']);
            unset($_POST);
            exit();
        }
        ?>
        <form method="post" action="">
            <center><h2>Signup Form</h2></center>
            <div class="form-group">
                <center><label>Username:</label>
                <input type="text" placeholder="Enter a unique Username" name="username" required pattern="[A-Za-z0-9]+" value="<?php if(isset($_POST['username'])) { echo htmlentities($_POST['username']); }?>"></center>
            </div>
            <div class="form-group">
                <center><label>Password:</label>
                <input type="password" placeholder="Enter a new Password" name="password" required></center>
            </div>
            <div class="form-group">
                <center><label>Repeat Password:</label>
                <input type="password" placeholder="Repeat a new Password" name="password_confirmation" required></center>
            </div>
            <div class="form-group">
                <center><label>Email:</label>
                <input type="email" placeholder="Enter your Email" name="email" required value="<?php if(isset($_POST['email'])) { echo htmlentities($_POST['email']); }?>"></center>
            </div>
            <div class="form-group">
                <center><label>Repeat Email:</label>
                <input type="email" placeholder="Repeat your Email" name="email_confirmation" required value="<?php if(isset($_POST['email_confirmation'])) { echo htmlentities($_POST['email_confirmation']); }?>"></center>
            </div>
            <div class="form-group">
                <center><label>First Name:</label>
                <input type="text" placeholder="Enter your First Name" name="first_name" required pattern="[A-Za-z]+" value="<?php if(isset($_POST['first_name'])) { echo htmlentities($_POST['first_name']); }?>"></center>
            </div>
            <div class="form-group">
                <center><label>Surname:</label>
                <input type="text" placeholder="Enter your Surname" name="surname" required pattern="[A-Za-z]+" value="<?php if(isset($_POST['surname'])) { echo htmlentities($_POST['surname']); }?>"></center>
            </div>
            <div class="form-group">
                <center><label>Gender:</label>
                <input type="radio" name="gender" value="male" <?php if(isset($_POST['gender']) && $_POST['gender'] == 'male') { echo 'checked'; }?> required>Male<input type="radio" name="gender" value="female" <?php if(isset($_POST['gender']) && $_POST['gender'] == 'female') { echo 'checked'; }?> required>Female</center>
            </div>
            <center><button type="submit" class="btn btn-default" name="submit">Register!</button></center>
            <center><font color="red" size="3"><b>Already have an account ?</b><br><a href="login.php">Login here!</a></font></center>
        </form>
    </div>
</body>
</html>
account_activation.php (working)
<?php
/*
ERROR HANDLING
*/
declare(strict_types=1);
ini_set('display_errors', '1');
ini_set('display_startup_errors', '1');
error_reporting(E_ALL);
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
include 'config.php';

if (!isset($_GET["email"], $_GET["account_activation_code"]))
{
    $_SESSION['error'] = "Invalid Email Address! Invalid Account Activation Link! This email is not registered! Try registering an account if you do not already have one! <a href=\"register.php\">Register here!</a>";
    exit();
}
else
{
    $email = htmlspecialchars($_GET['email']);
    $account_activation_code = htmlspecialchars($_GET['account_activation_code']);
    $stmt_one = mysqli_stmt_init($conn);
    if (mysqli_stmt_prepare($stmt_one, "SELECT usernames, accounts_activations FROM users WHERE emails = ? AND accounts_activations_codes = ?"))
    {
        //Both parameters are strings. Binding the hex activation code with 'i' casts it to an integer, so the comparison no longer checks the real code.
        mysqli_stmt_bind_param($stmt_one, 'ss', $email, $account_activation_code);
        mysqli_stmt_execute($stmt_one);
        mysqli_stmt_bind_result($stmt_one, $username, $account_activation_state);
        $found = mysqli_stmt_fetch($stmt_one); // true only when a row matched both email and code
        mysqli_stmt_close($stmt_one);

        if ($found !== true)
        {
            echo 'Failure: This account activation link is invalid or has expired. Try <a href="register.php">registering</a> for an account now.';
            exit;
        }
        elseif ($account_activation_state != 0)
        {
            echo "Since your account is already activated, why are you trying to activate it again ? Do not do that again and just login from <a href=\"login.php\">this webpage</a> next time! Make a note of that webpage, ok ?";
            exit;
        }
        else
        {
            $account_activation_state = 1;
            $stmt_two = mysqli_stmt_init($conn);
            if (mysqli_stmt_prepare($stmt_two, "UPDATE users SET accounts_activations = ? WHERE usernames = ?"))
            {
                mysqli_stmt_bind_param($stmt_two, 'is', $account_activation_state, $username);
                mysqli_stmt_execute($stmt_two); // an UPDATE returns no result set, so there is nothing to fetch
                mysqli_stmt_close($stmt_two);
                echo "Account Activation State: $account_activation_state<br>";
                echo "Username: $username";
                echo "<h3 style='text-align:center'>Thank you for confirming your email and activating your account.<br /> You may now try logging into your account.</h3>";
                $_SESSION["user"] = $username;
            }
            else
            {
                echo 'Failure: Something is wrong. Unable to activate your account! Contact Site Admin.';
                echo 'Failure: Mysqli_stmt_prepare($stmt_two)';
                exit;
            }
        }
    }
    else
    {
        echo 'Failure: This account activation link is invalid or has expired. Try <a href="register.php">registering</a> for an account now.';
        echo 'Failure: Mysqli_stmt_prepare($stmt_one)';
        exit;
    }
}
?>
logout.php (working)
<?php
session_start();
session_destroy();
echo "You have successfully logged-out!<br>";
echo "<a href='login.php'>Re-Login.</a><br>";
?>
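The login flow and the "Remember Me" cookie asked about above, as an added example that is not the poster's code nor a reply from the thread. It assumes config.php provides $conn (a mysqli connection) and has called session_start(), uses the users table columns from the post, and assumes a hypothetical table auth_tokens(user_id, selector, validator_hash, expires); the function names are mine.

```php
<?php
declare(strict_types=1);
// Added example, not the poster's code. Assumes config.php provides $conn (mysqli) and has
// called session_start(), the users table from the post, and a hypothetical table
// auth_tokens(user_id INT, selector CHAR(24), validator_hash CHAR(64), expires INT).

function find_user(mysqli $conn, string $login): ?array
{
    // One query serves both username and email, so no branching on "@" is needed.
    $stmt = mysqli_prepare($conn, "SELECT ids, usernames, passwords, accounts_activations_statuses FROM users WHERE usernames = ? OR emails = ? LIMIT 1");
    mysqli_stmt_bind_param($stmt, 'ss', $login, $login);
    mysqli_stmt_execute($stmt);
    $row = mysqli_fetch_assoc(mysqli_stmt_get_result($stmt)); // null/false when no row matched
    mysqli_stmt_close($stmt);
    return $row ?: null;
}

function attempt_login(mysqli $conn, string $login, string $password, bool $remember): string
{
    $user = find_user($conn, $login);
    // Verify against a throwaway hash for unknown users so response time does not reveal which names exist.
    $hash = $user['passwords'] ?? password_hash('throwaway', PASSWORD_DEFAULT);
    if ($user === null || !password_verify($password, $hash)) {
        return 'Incorrect user credentials!';   // same message for unknown user and wrong password
    }
    if ((int) $user['accounts_activations_statuses'] !== 1) {
        return 'Account not activated yet. Check your email for the activation link.';
    }
    session_regenerate_id(true);                 // fresh session id once the privilege level changes
    $_SESSION['user_id'] = (int) $user['ids'];
    if ($remember) {
        issue_remember_me_cookie($conn, (int) $user['ids']);
    }
    return 'ok';
}

function issue_remember_me_cookie(mysqli $conn, int $user_id): void
{
    $selector  = bin2hex(random_bytes(12));      // public part: finds the token row
    $validator = bin2hex(random_bytes(32));      // secret part: only its hash is stored server-side
    $expires   = time() + 30 * 86400;
    $hash = hash('sha256', $validator);
    $stmt = mysqli_prepare($conn, "INSERT INTO auth_tokens (user_id, selector, validator_hash, expires) VALUES (?, ?, ?, ?)");
    mysqli_stmt_bind_param($stmt, 'issi', $user_id, $selector, $hash, $expires);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);
    setcookie('remember_me', $selector . ':' . $validator, [   // options array needs PHP 7.3+
        'expires' => $expires, 'path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Strict',
    ]);
}
```

On a later visit the auto-login step splits the cookie on ':', loads the row by selector, compares hash('sha256', $validator) with validator_hash using hash_equals(), checks expires, and then sets the session exactly as attempt_login() does. Because only the hash of the validator is stored, a copy of the database alone is not enough to forge a valid cookie.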