My login in PHP doesn't work properly
I'm trying a login page in PHP. I have no errors, but it says "username missing" and "password missing" even if they aren't. Here's the code, what am I doing wrong?
connection.php
```php
<?php
$mysql_hostname = "localhost";
$mysql_user = "root";
$mysql_password = "";
$mysql_database = "simple_login";
$prefix = "";
$bd = mysqli_connect($mysql_hostname, $mysql_user, $mysql_password, $mysql_database)
    or die("Could not connect to database");
?>
```
login_exec.php
```php
<?php
// Start session
session_start();
// Include database connection details
require_once('connection.php');
// Array to store validation errors
$errmsg_arr = array();
// Validation error flag
$errflag = false;

// Function to sanitize values received from the form. Prevents SQL injection
function clean($bd, $str) {
    $str = @trim($str);
    if (get_magic_quotes_gpc()) {
        $str = stripslashes($str);
    }
    return mysqli_real_escape_string($bd, $str);
}

// Sanitize POST values
// Note: clean() is declared with two parameters but called with one here;
// this mismatch is what the answer below is about.
$username = clean($_POST['username']);
$password = clean($_POST['password']);

// Input validations
if ($username == '') {
    $errmsg_arr[] = 'username missing';
    $errflag = true;
}
if ($password == '') {
    $errmsg_arr[] = 'password missing';
    $errflag = true;
}

// If there are input validation errors, redirect to the login form
if ($errflag) {
    $_SESSION['errmsg_arr'] = $errmsg_arr;
    session_write_close();
    header("Location: index.php");
    exit();
}

// Create query
$qry = "SELECT * FROM member WHERE username='$username' AND password='$password'";
$result = mysqli_query($bd, $qry);

// Check whether the query was successful or not
if ($result) {
    if (mysqli_num_rows($result) > 0) {
        // Login successful
        session_regenerate_id();
        $member = mysqli_fetch_assoc($result);
        $_SESSION['sess_member_id'] = $member['mem_id'];
        $_SESSION['sess_first_name'] = $member['username'];
        $_SESSION['sess_last_name'] = $member['password'];
        session_write_close();
        header("Location: home.php");
        exit();
    } else {
        // Login failed
        $errmsg_arr[] = 'user name or password not found';
        $errflag = true;
        if ($errflag) {
            $_SESSION['errmsg_arr'] = $errmsg_arr;
            session_write_close();
            header("Location: index.php");
            exit();
        }
    }
} else {
    die("Query failed");
}
?>
```
home.php
```php
<?php //require_once('auth.php'); ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Untitled Document</title>
<style type="text/css">
<!--
.style1 {
    font-size: 36px;
    font-weight: bold;
}
-->
</style>
</head>
<body>
<p align="center" class="style1">Login </p>
<p align="center">This page is home, you can put stuff here......</p>
<p align="center"><a href="index.php">Logout</a></p>
</body>
</html>
```
and index.php
```php
<?php
// Start session
session_start();
// Unset the variables stored in session
unset($_SESSION['sess_member_id']);
unset($_SESSION['sess_first_name']);
unset($_SESSION['sess_last_name']);
?>
<html>
<body>
<form name="loginform" action="login_exec.php" method="post">
<table width="309" border="0" align="center" cellpadding="2" cellspacing="5">
<tr>
<td colspan="2">
<!-- The code below is used to display the messages of input validation -->
<?php
if (isset($_SESSION['errmsg_arr']) && is_array($_SESSION['errmsg_arr']) && count($_SESSION['errmsg_arr']) > 0) {
    echo '<ul class="err">';
    foreach ($_SESSION['errmsg_arr'] as $msg) {
        echo '<li>', $msg, '</li>';
    }
    echo '</ul>';
    unset($_SESSION['errmsg_arr']);
}
?>
</td>
</tr>
<tr>
<td width="116"><div align="right">Username</div></td>
<td width="177"><input name="username" type="text" /></td>
</tr>
<tr>
<td><div align="right">Password</div></td>
<td><input name="password" type="text" /></td>
</tr>
<tr>
<td><div align="right"></div></td>
<td><input name="" type="submit" value="Login" /></td>
</tr>
</table>
</form>
</body>
</html>
```
Here's the bug:

```php
function clean($str) {
    $str = @trim($str);
    if (get_magic_quotes_gpc()) {
        $str = stripslashes($str);
    }
    return mysqli_real_escape_string($str); # <-- bug!
}
```
mysqli_real_escape_string expects 2 parameters. Since your code is written in procedural style, you have to pass:
- the mysqli link/resource
- the string to escape

So your function must be extended this way:
```php
function clean($bd, $str) { // new
    $str = @trim($str);
    if (get_magic_quotes_gpc()) {
        $str = stripslashes($str);
    }
    return mysqli_real_escape_string($bd, $str); // new
}
```
In your case mysqli_real_escape_string returns null, false or an empty string, which causes the error messages.
Edit:

You're also missing a param on mysqli_query. You have to pass the link as the first param, otherwise the function doesn't know on which connection it should be executed.

Also you should check these topics to make your login more secure:
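The following login_exec.php is an added example, not the asker's code or the answerer's. It applies the answer's point (procedural mysqli calls need the connection link) and goes a step further than escaping: a prepared statement keeps user input out of the SQL text entirely, and the password is checked with password_verify() against a stored hash instead of being compared in the query. It assumes the same connection.php (providing `$bd`) and a `member` table with columns `mem_id`, `username` and an assumed `password_hash` column holding a password_hash() digest rather than a plaintext password.

```php
<?php
// Hardened login_exec.php (added example; assumes connection.php defines $bd
// and that table `member` has columns mem_id, username, password_hash).
session_start();
require_once('connection.php');

// Report mysqli failures as exceptions so a broken query is not silently
// treated as "user not found".
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function redirect_with_errors(array $errors)
{
    $_SESSION['errmsg_arr'] = $errors;
    session_write_close();
    header('Location: index.php');
    exit();
}

// Read the form fields. Trim the username, but do not escape anything:
// the prepared statement below passes values separately from the SQL text.
$username = isset($_POST['username']) ? trim($_POST['username']) : '';
$password = isset($_POST['password']) ? $_POST['password'] : '';

$errors = array();
if ($username === '') {
    $errors[] = 'username missing';
}
if ($password === '') {
    $errors[] = 'password missing';
}
if (count($errors) > 0) {
    redirect_with_errors($errors);
}

// Look the user up by username only; the password is verified in PHP, so the
// database never needs to store or compare a plaintext password.
$stmt = mysqli_prepare(
    $bd,
    'SELECT mem_id, username, password_hash FROM member WHERE username = ? LIMIT 1'
);
mysqli_stmt_bind_param($stmt, 's', $username);
mysqli_stmt_execute($stmt);
mysqli_stmt_bind_result($stmt, $mem_id, $db_username, $password_hash);
$found = mysqli_stmt_fetch($stmt);
mysqli_stmt_close($stmt);

// password_verify() handles the salt embedded in the hash and compares in
// constant time.
if ($found && password_verify($password, $password_hash)) {
    session_regenerate_id(true); // new session id on login, against fixation
    $_SESSION['sess_member_id'] = $mem_id;
    $_SESSION['sess_first_name'] = $db_username;
    // The password (or its hash) is deliberately never copied into the session.
    session_write_close();
    header('Location: home.php');
    exit();
}

// One message for both "no such user" and "wrong password", so the form does
// not reveal which usernames exist.
redirect_with_errors(array('user name or password not found'));
```

When a member is created, store `password_hash($plaintext, PASSWORD_DEFAULT)` in the assumed `password_hash` column; the existing plaintext `password` column in the question's schema cannot be used with this code. Two small changes to index.php go with it: give the password field `type="password"` so it is not echoed on screen, and keep the error list as it is, since the messages above never include user-supplied text.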