Login Form Trouble

[Xtremer360]

I'm not sure where the issue really lies after the form submits it DOES perform the error messages if there is one, however if the username and password are atleast filled in and the user clicks Log In it doesn't do anything after that. 

 

login.php

<?php

/**
* @author Jeff Davidson
* @copyright 2010
*/

if (isset($_POST['submitted'])) {
    
    require_once ('inc/login_functions.php');
    require_once ('inc/dbconfig.php');
    list ($check, $data) = check_login($dbc, $_POST['username'], $_POST['password']);
    
    if ($check) { // OK!
    
    // Set the session data:.
    session_start();
    $_SESSION['id'] = $data['id'];
    $_SESSION['firstname'] = $data['firstname'];
    
    // Redirect:
    $url = absolute_url ('loggedin.php');
    header("Location: $url");
    exit();
    
    }else {
    // Unsuccessful!
    $errors = $data;
    }
    
    mysqli_close($dbc);
    
} // End of the main submit conditional.

include ('inc/login_page.php')

?>

 

login_functions.php

<?php

/**
* @author Jeff Davidson
* @copyright 2010
*/

// This page defines two functions used by the login/logout process.

/* This function determines and returns an absolute URL.
* It takes one argument: the page that concludes the URL.
* The argument defaults to index.php.

*/

function absolute_url($page = 'index.php') {
    // Start defining the URL...
    // URL is http://plus the host name plus the current directory:
    $url = 'http://' . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']);
    
    // Remove any trailing slashing:
    $url = rtrim($url, '/\\');
    
    // Add the page
    $url .= '/' . $page;
    
    // Return the URL:
    return $url;
    
} // End of absolute_url() function.


/* This function validates the form data (the username and password).
* If both are present, teh database is queried.
* The function requires a database connection.
* The function returns an array of information, including:
* - a TRUE/FALSE variable indicating success
* - an array of either errors or the database result
*/

function check_login($dbc, $username = '', $password = '') {
    $errors = array(); // Initialize error array.
    
    // Validate the username
    if (empty($username)) {
        $errors[] = 'You forgot to enter your username.';
    } else {
        $u = mysqli_real_escape_string($dbc, trim($username));
    }
    
    // Validate the password:
    if (empty($password)) {
        $errors[] = 'You forgot to enter your password.';
    } else {
        $p = mysqli_real_escape_string($dbc, trim($password));
    }
    
    if (empty($errors)) { // If everythings OK.
        
        // Retrieve the firstname and lastname for the username/password combination:
        $q = "SELECT id, firstname FROM users WHERE username='$u' AND password=SHA('$p')";
        $r = @mysqli_query($dbc, $q); // Run teh query.
        
        // Check the result:
        if (mysqli_num_rows($r) == 1) {
            
            // Fetch the record:
            $row = mysqli_fetch_array($r, MYSQLI_ASSOC);
            
            // Return true and the record:
            return array(true, $row);
            
        }else { // Not a match!
        $errrors[] = 'The username and password entered do not match those on file.';
        }
    } // End of empty ($errrors) IF.
    
    // Return false and the errors:
    return array(false, $errors);
    
} //End of check_login() function.

?>

 

login_page.php

<?php

/**
* @author Jeff Davidson
* @copyright 2010
*/

// This page prints any errors associated with logging in and creates the login, including the form.

// Prints any error messages, if they exists:
if (!empty($errors)) {
    echo '<h1>Error!</h1>
    <p class="error">The following error(s) occured:<br />';
    foreach ($errors as $msg) {
        echo " - $msg<br />\n";
    }
    echo '</p><p>Please try again.</p>';
}

// Display the form:
?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="description" content="Caracole" />
<title>Titanium</title>
<link HREF="favicon.ico" type="image/x-icon" rel="icon" />
<link HREF="favicon.ico" type="image/x-icon" rel="shortcut icon" />
<link rel="stylesheet" type="text/css" href="css/tripoli.simple.css" media="screen, projection, print" />
<link rel="stylesheet" type="text/css" href="css/base.css" media="screen, projection, print" />
<link rel="stylesheet" type="text/css" href="css/layout.css" media="screen, projection, print" />
<link rel="stylesheet" type="text/css" href="css/style.css" media="screen, projection, print" />
<link rel="stylesheet" type="text/css" href="css/theme.css" media="screen, projection, print" />
<link rel="stylesheet" type="text/css" href="css/icons.css" media="screen, projection, print" />
<script type="text/javascript" SRC="http://ajax.googleapis.com/ajax/libs/jquery/1.3.2/jquery.min.js"></script>
<script type="text/javascript">
//<![CDATA[
document.write('<link rel="stylesheet" type="text/css" href="css/js/js.css" media="screen, projection, print" />');
//]]>

$(document).ready(function(){

$(".close").click(function(){
	$(this).parents(".message").hide("puff");
});

});	


</script>
<!--[if IE]>
	<link rel="stylesheet" type="text/css" href="css/ie/ie.css" media="screen, projection, print" />
<![endif]-->
 <!--[if lt IE 7]>
<script src="js/DD_belatedPNG_0.0.7a-min.js" type="text/javascript"></script>
<script>

	DD_belatedPNG.fix(' #header, h1, h1 a, .close, .field,.paginate .current, .icon, .required-icon');

</script>
  <link rel="stylesheet" href="css/ie/ie6.css" type="text/css" media="screen, projection"/>
<![endif]-->
</head>
<body>
<!-- Content -->
<div id="login" class="content">	
	<div class="roundedBorders login-box">
		<!-- Title -->
		<div id="title" class="b2">
			<h2>Log In</h2>
			<!-- TitleActions -->
			<div id="titleActions">
				<div class="actionBlock">
				<a href="#">Forgot your password ?</a>
				</div>
			</div>
			<!-- /TitleActions -->
		</div>
		<!-- Title -->

		<!-- Inner Content -->
		<div id="innerContent">
			<form action="login.php" method="post">
				<div class="field">
					<label for="username">Username</label>
					<input type="text" class="text" id="username" name="username" />
				</div>
				<div class="field">
					<label for="password">Password</label>
					<input type="password" class="text" id="password" name="password"/>
				</div>
				<div class="clearfix login-submit">
					<span class="fleft">
						<input type="checkbox" name="remember-me" id="remember-me" />
						<label for="remember-me">Remember me</label>
					</span>
					<span class="fright">
						<button class="button" type="submit" name="submit"><strong>Log In</strong></button>
					</span>
				</div>
                    <input type="hidden" value="TRUE" name="submitted" />
			</form>
		</div>
		<!-- /Inner Content -->
		<div class="bBottom"><div></div></div>
	</div>
</div>

</body>
</html>

 

loggedin.php

<?php

/**
* @author Jeff Davidson
* @copyright 2010
*/

// The user is redirected here from login.php.

session_start(); // Star the session.

// If no session value is present, redirect the user:
if (!isset($_SESSION['id'])) {
    require_once('inc/login_functions.php');
    $url = absolute_url();
    header("Location: $url");
    exit();
}

$page_title = 'Logged In!';

// Print a customized message:
echo "<h1>Logged In!</h1>
<p>You are now logged in, {$_SESSION['firstname']}!</p>
<p><a href=\"logout.php\">Logout</a></p>";


?>

 

I thought I'd come back in and insert the file manager I have setup here.

 

root/loggedin.php

root/login.php

 

root/inc/login_page.php

root/inc/login_functions.php

 

[PFMaBiSmAd]

There's a typo in the $errors array name in following line that would prevent the code from reporting anything when the username/password does not match the database -

 

$errrors[] = 'The username and password entered do not match those on file.';

[Xtremer360]

That helps, however, I went in and corrected my mistake and now its saying that error message that the username and password don't match on file but it is the correct username and password.

[Xtremer360]

I'm wondering if it has to do with the password field in the database itself.  I have it has char(40) and when I went in and did a manual insert into my DB when I got to the password field I put in what I wanted my password to be and then I selected the SHA1 function. Is that what is complicating things for my login form?

[PFMaBiSmAd]

The fact that you have an @ on the mysqli_query() statement to suppress php errors from it, is a pretty good indication that the query is/was failing due to an error of some type. Why do you have that @ in your code?

 

but it is the correct username and password.

 

^^^ You might think that, but your code and the database disagrees. You would need to troubleshoot why your query is not matching one row in your database table.

[Xtremer360]

The fact that you have an @ on the mysqli_query() statement to suppress php errors from it, is a pretty good indication that the query is/was failing due to an error of some type. Why do you have that @ in your code?

 

but it is the correct username and password.

 

^^^ You might think that, but your code and the database disagrees. You would need to troubleshoot why your query is not matching one row in your database table.

 

That's just what I was reading out of the book I've been studying and learning up on. Should I not be doing that? Is what I reposted a second the possible problem ?

[Xtremer360]

I was just following what was in the book.

[Pikachu2000]

Have you echoed the SHA1 hashed password in the script, and compared it manually to what's in the database?

[PFMaBiSmAd]

So, you got this code from some book. Sadly, the code does not even have any logic to check if the query worked or not and it is in fact doing something (the @) that would prevent a php error with the query from being reported/displayed/logged.

 

You should remove any @'s that are in the code in front of statements. There's simply no reason for any code to have @'s in it. On a development system, display_errors should be ON because you want to know if there are any php errors occurring in the code so that you can find and fix them. On a live server, display_errors should be OFF and log_errors should be ON so that any php errors that might occur don't get displayed but they do get logged so that you can find and fix them. On both a development system and a live server, error_reporting should be at least E_ALL (using -1 is ever better since every php error category will be included) so that all the normal php detected errors will be displayed/logged.

 

Sorry to get side tracked on errors and error_reporting/display_errors/log_errors, but at this point you don't even know if the query executed or not. You may in fact have the correct data in your database, but if the query is failing due to some error, there is no result object in $r for mysqli_num_rows to even test and your code will never match that data in the database.

 

Short answer: When learning php or developing and debugging php code, you should have error_reporting set to E_ALL (or even better -1) and display_errors set to ON so that php will help you by reporting and displaying all the errors it finds.

[Xtremer360]

Wow that little @ symbol was what was preventing it from working correctly. After the login form submission it correctly goes to the loggedin.php file however why its not redirecting me to the admin panel which I have inside of /root folder called index.php file.

[Xtremer360]

Hmm that's odd a second ago it was going to the loggedin.php page and now its going to the index page but I don't remember doing anything oh well however in the url its done "root//index.php and don't know where the extra came from.

[Xtremer360]

Never mind I fixed it. Thank you for you two that helped me.