nemanja28 Posted February 24, 2012

I have a problem with a login, and there is no error in my log. I'm tired of looking for the mistake. Look at my code and tell me if you see anything bad. Here is login.php:

```php
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Untitled Document</title>
</head>
<body>
<?php
error_reporting(E_ALL | E_STRICT);
ini_set("display_errors", 0);
ini_set("log_errors", 1);
ini_set("error_log", "logovi.log");
session_start();
if (isset($_POST['ime'])&&isset($_POST['pas'])) {
    // without sql injection
    //$ime = $_POST['ime'];
    //$pasvord = $_POST['pas'];
    // for sql injection
    $ime = mysql_real_escape_string($_POST['ime']);
    define('skrembl', '48762497&*%$#(%$1');
    $pasvord = md5(skrembl . $_POST['pas']);
    include "konekcija.php";
    $sql="SELECT k.*, u.* FROM korisnik k JOIN uloga u ON k.UlogaID = u.UlogaID WHERE KorisnickoIme = '".$ime."' AND Lozinka = '".$pasvord."'";
    $q = mysql_query($sql);
    if (mysql_num_rows($q)==1) {
        $_SESSION['ime'] = $_POST['ime'];
        $red=mysql_fetch_array($q);
        $_SESSION['korisnickoIme'] =$red["Ime"];
        $_SESSION['prezime'] =$red["Prezime"];
        $_SESSION['telefon'] =$red["Telefon"];
        $_SESSION['email'] =$red["Mail"];
        if($red["NazivUloge"] == "Administrator")
            header('Location: admin.php');
        else
            header('Location: prva.php');
    } else {
        header('Location: MojNalog.php');
    }
} else {
    // If the POST parameters were not passed
    echo "Nisu prosledeni parametri!";
}
mysql_close($db);
?>
</body>
</html>
```

And here is my database connection, konekcija.php (I use this database for many other functions, and I think the file works properly):

```php
<?php
$mysql_server = "localhost";
$mysql_user = "root";
$mysql_password = "";
$mysql_db = "nekretnine";
if (!$db=mysql_connect($mysql_server, $mysql_user, $mysql_password)) {
    die ("<p>Spajanje na mysql server je bilo neuspešno</p>");
}
if (!mysql_select_db($mysql_db, $db)) {
    die ("<p>Greška pri odabiru baze</p>");
} else {
    mysql_query("SET NAMES utf8");
    mysql_query("SET CHARACTER SET utf8");
    mysql_query("SET COLLATION_CONNECTION='utf8_unicode_ci'");
}
?>
```

And the code with the username and password input is in the file MojNalog.php:

```php
<form method="post" action="login.php">
<div class="contact_form">
<?php
// View if user succeeded in logging in
if (isset($_SESSION['korisnickoIme'])) {
    print "<div class=\"form_row\">
        <label class=\"contact\"><strong>Vasi Podaci</strong></label><p></p>
        <label class=\"contact\"><strong>Ime: </strong></label>
        <label class=\"contact\"><strong>".$_SESSION['korisnickoIme']."</strong></label>
    </div>
    <div class=\"form_row\">
        <label class=\"contact\"><strong>Prezime: </strong></label>
        <label class=\"contact\"><strong>".$_SESSION['prezime']."</strong></label>
    </div>
    <div class=\"form_row\">
        <label class=\"contact\"><strong>Korisnicko ime: </strong></label>
        <label class=\"contact\"><strong>".$_SESSION['ime']."</strong></label>
    </div>
    <div class=\"form_row\">
        <label class=\"contact\"><strong>Telefon: </strong></label>
        <label class=\"contact\"><strong>".$_SESSION['telefon']."</strong></label>
    </div>
    <div class=\"form_row\">
        <label class=\"contact\"><strong>Email: </strong></label>
        <label class=\"contact\"><strong>".$_SESSION['email']."</strong></label>
    </div>
    ";
} else {
    // LOGIN FORM
    print "<div class=\"form_row\">
        <label class=\"contact\"><strong>Unesite korisničko ime:</strong></label>
        <input type=\"text\" class=\"contact_input\" name = \"ime\"/>
    </div>
    <div class=\"form_row\">
        <label class=\"contact\"><strong>Unesite šifru:</strong></label>
        <input type=\"password\" class=\"contact_input\" name=\"pas\"/>
    </div>
    <div class=\"form_row\">
        <input type=\"submit\" class=\"contact\" value= \"Log In\"/>
    </div>
    ";
}
?>
</div>
</form>
```

Please help, I don't see any mistake.

DarkMantis Posted February 24, 2012

Try limiting the query to 1, i.e.:

```php
$sql="SELECT k.*, u.* FROM korisnik k JOIN uloga u ON k.UlogaID = u.UlogaID WHERE KorisnickoIme = '".$ime."' AND Lozinka = '".$pasvord."' LIMIT 1";
```

This is from your login.php. I don't think this will be a solution but it should prevent any unforeseen errors.

nemanja28 (Author) Posted February 24, 2012

That doesn't resolve my problem....

litebearer Posted February 24, 2012

Perhaps it is due to you starting sessions after you have output HTML.

"When you start a session, it must be at the very beginning of your code, before any HTML or text is sent." http://www.tizag.com/phpT/phpsessions.php

nemanja28 (Author) Posted February 24, 2012

Same thing, the login form again doesn't work...

PS. I forgot to write that session start exists in the file MojProfil.php at the beginning of the page, before the HTML code.

litebearer Posted February 24, 2012

Is login.php as shown above, the ENTIRE file?

Bryce910 Posted February 24, 2012

What exactly is not working? I noticed how you have your code which includes a header() in the body tags, which will cause header problems lots of the time.

Also I would put name="submit" for the submit button and then put this at the top of the file:

```php
if(isset($_POST['submit'])) {
    // do the log in code...
}
```

litebearer Posted February 24, 2012

There are several errors in the login.php code:

1. Sessions MUST start before you output any HTML code - your first several lines are outputting
2. You MUST connect to your db BEFORE you use mysql_real_escape_string
3. You cannot output ANYTHING before header redirect (see 1. above)

nemanja28 (Author) Posted February 24, 2012

OK, I agree with your statements, but:

1. The session starts before my output. What do you mean by my output being before session start??
2. I commented out mysql_real_escape_string and tried without sql injection, and the login form doesn't work.

So I tried every suggestion of yours and the same problem still exists... :-\

litebearer Posted February 24, 2012

Show us the new code

nemanja28 (Author) Posted February 24, 2012

> What exactly is not working? I noticed how you have your code which includes a header() in the body tags which will cause header problems lots of the time. Also I would put name="submit" for the submit button and then put at top of file. if(isset($_POST['submit'])) { do the log in code... }

I try to log in but it didn't do that. I already have the submit name and I don't need that code because I have ACTION on the form to do login.php.

> is login.php as shown above, the ENTIRE file?

I don't understand what you mean.

> Show us the new code

Here is the code:

```php
<?php session_start(); ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Untitled Document</title>
</head>
<body>
<?php
error_reporting(E_ALL | E_STRICT);
ini_set("display_errors", 0);
ini_set("log_errors", 1);
ini_set("error_log", "logovi.log");
if (isset($_POST['ime'])&&isset($_POST['pas'])) {
    // without sql injection
    $ime = $_POST['ime'];
    $pasvord = $_POST['pas'];
    // for sql injection
    // $ime = mysql_real_escape_string($_POST['ime']);
    // define('skrembl', '48762497&*%$#(%$1');
    // $pasvord = md5(skrembl . $_POST['pas']);
    include "konekcija.php";
    $sql="SELECT k.*, u.* FROM korisnik k JOIN uloga u ON k.UlogaID = u.UlogaID WHERE KorisnickoIme = '".$ime."' AND Lozinka = '".$pasvord."'";
    $q = mysql_query($sql);
    if (mysql_num_rows($q)==1) {
        $_SESSION['ime'] = $_POST['ime'];
        $red=mysql_fetch_array($q);
        $_SESSION['korisnickoIme'] =$red["Ime"];
        $_SESSION['prezime'] =$red["Prezime"];
        $_SESSION['telefon'] =$red["Telefon"];
        $_SESSION['email'] =$red["Mail"];
        if($red["NazivUloge"] == "Administrator")
            header('Location: admin.php');
        else
            header('Location: prva.php');
    } else {
        header('Location: MojNalog.php');
    }
} else {
    // If the POST parameters were not passed
    echo "Nisu prosledeni parametri!";
}
mysql_close($db);
?>
</body>
</html>
```

litebearer Posted February 24, 2012

Compare this to your login.php -

```php
<?php
session_start();
/* make sure form values have been submitted */
if (isset($_POST['username']) && isset($_POST['password'])){
    /* validate and sanitize the form values */
    /* if bad send back to form */
    /* connect to database */
    /* prepare query to see if username and password are in the table and if it is user or admin */
    /* execute the query */
    /* query = select NazivUloge, id from tablename where username = '$username' AND password = '$password' */
    /* if number rows !=1 redirect to form */
    /* get the NazivUloge from your db result set */
    /* store the appropriate values in their session variables */
    /* redirect to appropriate page */
}else{
    /* send back to form page */
}
?>
```

Clear?

nemanja28 (Author) Posted February 24, 2012

I have everything but I can figure out where is the bug

PS. I used code from my friend and changed it a little bit for my site. On his site the code is working properly, on my site it isn't working...

litebearer Posted February 24, 2012

> and change little bit for my site

If that is the case then look VERY closely at the differences.

Side note: Did you rewrite your script to follow EXACTLY how my pseudo code showed?

jotorres1 Posted February 24, 2012

Take a look at this article, and try to understand about headers in PHP: "Header Errors in PHP".

Your PHP script should be above any output.

nemanja28 (Author) Posted February 24, 2012

> and change little bit for my site
>
> If that is the case then look VERY closely at the differences Side note: Did you rewrite your script to follow EXACTLY how my psuedo code showed?

I have been looking for 2 days for a mistake in the code, or a difference compared to my friend's code, and can find nothing :-/

nemanja28 (Author) Posted February 24, 2012

litebearer, do you have some time to look at the whole site and try to find what the problem is in this login file? I will send you the whole site if you want...

litebearer Posted February 24, 2012

Maybe this will help...

```php
<?php
session_start();
$error_message = "You must enter a valid username and password!";

/* make sure form values have been submitted */
if (isset($_POST['username']) && isset($_POST['password'])){
    /* validate and sanitize the form values */
    $username = trim($_POST['username']);
    $password = trim($_POST['password']);

    /* check that both username and password have some content */
    if(strlen($username) < 1 OR strlen($password) < 1) { /* you can change lengths to your choice */
        $_SESSION['message'] = $error_message;
        header('Location: form.php');
        exit; /* stop here so the rest of the script does not run after the redirect */
    }

    /* check that both username and password only contain letters and numbers */
    if($username != preg_replace("/[^a-zA-Z0-9]/", "", $username) OR $password != preg_replace("/[^a-zA-Z0-9]/", "", $password)) {
        $_SESSION['message'] = $error_message;
        header('Location: form.php');
        exit;
    }

    /* connect to database */
    include('db.php');

    /* prepare query to see if username and password are in the table and if it is user or admin */
    $username = mysql_real_escape_string($username);
    $password = mysql_real_escape_string($password);
    /* note you really should be hashing the password */
    $query = "SELECT id, user_level FROM usertable WHERE username = '$username' AND password = '$password'";

    /* execute the query */
    $result = mysql_query($query) or die(mysql_error());

    /* if number rows !=1 redirect to form */
    if(mysql_num_rows($result) !=1) {
        $_SESSION['message'] = $error_message;
        header('Location: form.php');
        exit;
    }

    /* get the NazivUloge from your db result set (fetch once; a second fetch would return false) */
    $row = mysql_fetch_array($result);

    /* store the appropriate values in their session variables */
    $_SESSION['user'] = $row['id'];
    $_SESSION['level'] = $row['user_level'];

    /* redirect to appropriate page */
    if($row['user_level'] == 1) {
        header('Location: admin.php');
    }else{
        header('Location: non_admin.php');
    }
}else{
    /* send back to form page */
    header('Location: form.php');
}
?>
```

nemanja28 (Author) Posted February 24, 2012

I tried to implement your code, but the same problem again and again...

litebearer Posted February 24, 2012

Show us the most recent version of what you have tried

Drummin Posted February 24, 2012

You may have got things fixed with all the help you've had, but just based on your first post, login.php should be like this, with all session updates and headers made before ANYTHING is sent to the browser (as already pointed out).

```php
<?php
session_start();
include "konekcija.php";
error_reporting(E_ALL | E_STRICT);
ini_set("display_errors", 0);
ini_set("log_errors", 1);
ini_set("error_log", "logovi.log");
if (isset($_POST['ime'])&&isset($_POST['pas'])) {
    $ime = mysql_real_escape_string($_POST['ime']);
    define('skrembl', '48762497&*%$#(%$1');
    $pasvord = md5(skrembl . $_POST['pas']);
    $sql="SELECT k.*, u.* FROM korisnik k JOIN uloga u ON k.UlogaID = u.UlogaID WHERE KorisnickoIme = '".$ime."' AND Lozinka = '".$pasvord."'";
    $q = mysql_query($sql);
    if (mysql_num_rows($q)==1) {
        $_SESSION['ime'] = $_POST['ime'];
        $red=mysql_fetch_array($q);
        $_SESSION['korisnickoIme'] =$red["Ime"];
        $_SESSION['prezime'] =$red["Prezime"];
        $_SESSION['telefon'] =$red["Telefon"];
        $_SESSION['email'] =$red["Mail"];
        if($red["NazivUloge"] == "Administrator")
            header('Location: admin.php');
        else
            header('Location: prva.php');
    } else {
        header('Location: MojNalog.php');
    }
} else {
    // If the POST parameters were not passed
    echo "Nisu prosledeni parametri!";
}
?>
```

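A hardened variant of the login.php discussed in this thread, added here as an example and not posted by any participant: it keeps the thread's table, column and page names, but binds the username as a query parameter and checks the password with password_verify(). It assumes PHP 5.5+ with PDO, that korisnik.Lozinka stores password_hash() output rather than the salted md5 shown above, and that the listed column names are unambiguous across the two tables; redirect() is a hypothetical helper.

```php
<?php
// Added example, not code from the thread. Assumption: korisnik.Lozinka holds
// password_hash() output instead of the thread's md5(salt . password).
session_start();                      // before any output, so headers can still be sent

function redirect($page)              // hypothetical helper
{
    header('Location: ' . $page);
    exit;                             // nothing after a redirect may run
}

if (!isset($_POST['ime'], $_POST['pas'])
    || !is_string($_POST['ime']) || !is_string($_POST['pas'])) {
    redirect('MojNalog.php');
}

// Connection values mirror konekcija.php from the thread.
$pdo = new PDO('mysql:host=localhost;dbname=nekretnine;charset=utf8', 'root', '', [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false,
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);

// Bound parameter: the username never becomes part of the SQL text.
$stmt = $pdo->prepare(
    'SELECT KorisnickoIme, Lozinka, Ime, Prezime, Telefon, Mail, NazivUloge
       FROM korisnik k JOIN uloga u ON k.UlogaID = u.UlogaID
      WHERE KorisnickoIme = :ime LIMIT 1'
);
$stmt->execute([':ime' => $_POST['ime']]);
$red = $stmt->fetch();

// Verify the password in PHP against the stored hash, not in the WHERE clause.
if ($red === false || !password_verify($_POST['pas'], $red['Lozinka'])) {
    redirect('MojNalog.php');
}

session_regenerate_id(true);          // fresh session ID after login
$_SESSION['ime']           = $red['KorisnickoIme'];
$_SESSION['korisnickoIme'] = $red['Ime'];
$_SESSION['prezime']       = $red['Prezime'];
$_SESSION['telefon']       = $red['Telefon'];
$_SESSION['email']         = $red['Mail'];

redirect($red['NazivUloge'] === 'Administrator' ? 'admin.php' : 'prva.php');
```

MojNalog.php prints these session values straight into HTML; wrapping each one in htmlspecialchars() there keeps stored profile data from being interpreted as markup.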