Hello, I scripted a login script for a small website, which is just for a few people.
My problem is, that if you try to login and enter an username, which doesn't exist, you get redirected to the ''login_2.php', which looks empty
If you enter the correct username and correct password, you get redirected to the 'login.php' or you stay on this page.
the only thing, which works correctly is, if you enter a correct username and a wrong password.
I hope, you can help me.
Here are my code files:
So, I have the login.php
<!doctype html>
<html>
<head>
<meta charset="utf-8">
<title>TGSA - CP - LOGIN</title>
<link href="/design.css" rel="stylesheet" type="text/css"> //The design.css is empty at the moment
</head>
<body>
<?php
include 'functions.php';
include 'db_connect.php';
sec_session_start();
if(login_check($mysqli) == true)
{
echo "Du bist bereits angemeldet, du wirst nun zur Mainpage weitergeleitet"; //This is german, but it doesn't matter
header('LOCATION: ./main.php');
}
else
{
if(isset($_GET['error']))
{
if($_GET['error'] == 3) //These textes are all german too, but haven't something to do with my problem.
{
echo 'Fehler beim Login!<br />
Du hast ein falsches Passwort eingegeben.<br />';
}
elseif($_GET['error'] == 2)
{
echo 'Fehler beim Login!<br />
Der eingegebene Benutzername existiert in der Datenbank nicht.<br />';
}
elseif($_GET['error'] == 1)
{
echo 'Fehler beim Login!<br />
Die Datenbankabfrage war nicht erfolgreich.<br />';
}
elseif($_GET['error'] == 4)
{
echo 'Fehler beim Login!<br />
Du hast nicht beide Felder ausgefüllt.<br />';
}
}
?>
<form action="login_2.php" method="post" name="Login"> //This is my Login-form
Benutzername: <input type="text" name="username" /> <br />
Passwort: <input type="password" name="password" /><br />
<input type="button" value="Login" onClick="form.submit()" />
</form>
<?php
}
?>
</body>
</html>
Ok, and here is my login_2.php, which should be called, when somebody clicks on "Login".
<!doctype html>
<html>
<head>
<meta charset="utf-8">
<title>TGSA - CP - LOGIN-2</title>
</head>
<body>
<?php
include 'functions.php';
include 'db_connect.php';
If(isset($_POST['password'], $_POST['username']))
{
$username = $_POST['username'];
$password = hash("md5", $_POST['password']);
$_POST['password'] = "";
if(login($username, $password, $mysql) == 1)
header('LOCATION: ./main.php');
elseif(login($username, $password, $mysql) == -1)
header('LOCATION: ./login.php?error=1');
elseif(login($username, $password, $mysql) == -2)
header('LOCATION: ./login.php?error=2');
elseif(login($username, $password, $mysql) == -3)
header('LOCATION: ./login.php?error=3');
}
else
header('LOCATION: ./login.php?error=4');
?>
</body>
</html>
The functions.php and the db_connect.php
<!doctype html>
<html>
<head>
<meta charset="utf-8">
<title>TGSA - CP - FUNKTIONEN</title>
</head>
<body>
<?php
function sec_session_start() // This is of a tutorial and should be more secure, than the normal php session
{
$session_name = 'TGSA_CP_Session_ID';
$secure = false;
$httponly = true;
ini_set('session.use_only_cookies', 1);
$cookieParams = session_get_cookie_params();
session_set_cookie_params($cookieParams["lifetime"], $cookieParams["path"], $cookieParams["domain"], $secure, $httponly);
session_name($session_name);
session_start();
session_regenerate_id(true);
}
function login($username, $password, $mysql)
{
$query = "SELECT `UserID`, `Password` FROM `ControlPanel` WHERE `Username` = '" . $username . "' LIMIT 1";
$result = mysql_query($query);
if(!$result)
return -2;
if($row = mysql_fetch_array($result))
{
$Password_DB = $row['Password'];
$UserID = $row['UserID'];
if($Password_DB == $password) //This part is copied of a tutorial, but nearly all of the rest is self written
{
$user_browser = $_SERVER['HTTP_USER_AGENT'];
$user_id = preg_replace("/[^0-9]+/", "", $UserID);
$_SESSION['user_id'] = $user_id;
$username = preg_replace("/[^a-zA-Z0-9_\-]+/", "", $username);
$_SESSION['username'] = $username;
$_SESSION['login_string'] = hash('sha512', $password.$user_browser);
return 1;
}
else
return -3;
}
}
function login_check($mysql) //the basic idea of this function is from a tutorial, but it's rewritten.
{
if(isset($_SESSION['user_id'], $_SESSION['username'], $_SESSION['login_string']))
{
$user_id = $_SESSION['user_id'];
$username = $_SESSION['username'];
$login_string = $_SESSION['login_string'];
$user_browser = $_SERVER['HTTP_USER_AGENT'];
$query = "SELECT `Password` FROM `ControlPanel` WHERE `UserID` = '" . mysql_real_escape_string($user_id) . "' LIMIT 1";
$result = mysql_query($query);
if(!$result)
{
echo "Fehler beider Datenbankabfrage! <br />
" . mysql_errno() . ": " . mysql_error(). " <br / >";
return false; //Benutzer existiert nicht
}
if($row = mysql_fetch_array($result))
{
$password = $row['Password'];
$login_check = hash("sha512", $password.$user_browser);
if($login_check == $login_string)
return true;
else
return false;
}
else
return false;
}
else
return false;
}
?>
</body>
</html>
!doctype html>
<html>
<head>
<meta charset="utf-8">
<title>TGSA - CP - DB Config</title>
</head>
<body>
<?php
define("HOST", "**.**.***.***");
define("USER", "*****");
define("PASSWORD", "*****");
define("DATABASE", "*****");
$mysql = mysql_connect(HOST, USER, PASSWORD);
if(!$mysql)
{
echo "Fehler beim versuch mit der Datennbank zu verbinden! <br /> //german text
" . mysql_errno($mysql) . ": " . mysql_error($mysql). " <br / >";
}
$select_db = mysql_select_db(DATABASE, $mysql);
if(!$select_db)
{
echo "Fehler beim versuch die Datenbank auszuwählen! <br /> // german text
" . mysql_errno() . ": " . mysql_error(). " <br / >";
}
?>
</body>
</html>
And here is the main.php, which should be called, if you are successfully logged in.
<!doctype html>
<html>
<head>
<meta charset="utf-8">
<title>TGSA - CP - MAINPAGE</title>
<link href="/design.css" rel="stylesheet" type="text/css">
</head>
<body>
<?php
include 'functions.php';
include 'db_connect.php';
sec_session_start();
if(login_check($mysql) == true)
{
echo "Du bist eingeloggt!" ;
}
else
header('LOCATION: ./login.php');
?>
</body>
</html>
So, i use mysql instead of mysqli because the owner of the database said, that mysqli don't work with his database and i should use the normal mysql,
And I know, that the passwords are saved insecure and I could use sha512 with a random salt... but my partner don't want to use it.
If you haven't understood something, because my English is too bad, just say something and I'll try to explain what I've meant.