Php Website Logging In Code

[Nebin]

Hi Guys. Really Stuck here. I am making a website, its basicall an online shop of sorts. I am making a login page for our customers and an admin page for us lot to upload new products to sql etc. Whats its meant to do is accept the username and pw then allow me to access the adminpage. Although its just saying that user doesnt exist all the time. I dont know why becuase the details are correct. :-\

 

admin_login page is the code below.

 

<?php

session_start();

if(isset($_SESSION["manager"])){

header("location:index.php");

exit();

}

 

?>

<?php

if(isset($_POST["username"])&&isset($_POST["password"])){

 

$manager = preg_replace('#[A-Za-z0-9]#i','',$_POST["username"]);

$password = preg_replace('#[^A-Za-z0-9]#i','',$_POST["password"]);

 

include"../storescripts/connect_to_mysql.php";

$sql = mysql_query("SELECT id FROM admin WHERE username='$manager' AND password='$password' LIMIT 1");

 

$existCount = mysql_num_rows($sql);

if($existCount == 1){

while($row = mysql_fetch_array($sql)){

$id = $row["id"];

}

$_SESSION["id"] = $id;

$_SESSION["manager"] = $manager;

$_SESSION["password"] = $password;

header("location: index.php");

exit();

}else{

echo 'That Information Is Incorrect. Try again <a href="index.php">Click Here</a>';

exit();

}

}

 

 

?>

 

 

and now the index.php which is what the admin see when they log in successfully.

 

<?php

session_start();

if(isset($_SESSION["manager"])){

header("location: admin_login.php");

exit();

}

//Be Sure To Check That This Manager Session Value Is Infact In The DataBase

$managerID = preg_replace('#[^0-9#i','',$_SESSION["id"]);

$manager = preg_replace('#[^A-Za-z0-9]#i','',$_SESSION["manager"]);

$password = preg_replace('#[^A-Za-z0-9]#i','',$_SESSION["password"]);

 

include "../strorescripts/connect_to_mysql.php";

$sql = mysql_query("SELECT * FROM admin WHERE id='$managerID' AND username='$manager' AND password='$password' LIMIT 1");

 

$existCount = mysql_num_rows($sql);

if($existCount == 0){

header("location:../index.php");

exit();

}

 

?>

[requinix]

Take a look:

preg_replace('#[A-Za-z0-9]#i','',$_POST["username"])

[fugix]

1. are you connecting to your db

 

2. have you tried echoing the number of rows to make sure you are grabbing any.

 

3. have you tried to debug your query yet. eg

$sql = mysql_query("SELECT id FROM admin WHERE username='$manager' AND password='$password' LIMIT 1") or die(mysql_error());

 

[wo66]

You have different paths on you include file..

 

include "../storescripts/connect_to_mysql.php";

 

include "../strorescripts/connect_to_mysql.php";

__________^ Remove the r !!

[White_Lily]

It also looks like your going to need to process the form through AJAX / JSON if you intend to have 3 fields per form slide, you may also want to consider client-side validation so that the user's page doesn't have to refresh all the time just to bring up any errors.

[MDCode]

Noooo don't use any Adam Khoury (whatever) scripts (you're using one now). He stores passwords in his tutorials unhashed and unsalted and just tells you to go learn how. He's never heard of XSS, CSRF, and 2nd Order SQL Injection either. I would suggest either learning how to secure it first, build one from scratch, or follow another tutorial.