Jump to content

LoginScript doesn't work properly

Niklas954

By Niklas954
in PHP Coding Help

 Share

Recommended Posts

Niklas954 Newbie

Niklas954

Posted
Posted

Hello, I scripted a login script for a small website, which is just for a few people.

 

My problem is, that if you try to login and enter an username, which doesn't exist, you get redirected to the ''login_2.php', which looks empty

If you enter the correct username and correct password, you get redirected to the 'login.php' or you stay on this page.

the only thing, which works correctly is, if you enter a correct username and a wrong password.

I hope, you can help me.

 

Here are my code files:

 

So, I have the login.php

<!doctype html>
<html>
<head>
<meta charset="utf-8">
<title>TGSA - CP - LOGIN</title>
<link href="/design.css" rel="stylesheet" type="text/css"> //The design.css is empty at the moment
</head>

<body>
<?php
include 'functions.php';
include 'db_connect.php';
sec_session_start();
if(login_check($mysqli) == true)
{
	echo "Du bist bereits angemeldet, du wirst nun zur Mainpage weitergeleitet"; //This is german, but it doesn't matter
	header('LOCATION: ./main.php');
}
else
{
	if(isset($_GET['error']))
	{ 
		if($_GET['error'] == 3) //These textes are all german too, but haven't something to do with my problem.
		{
			echo 'Fehler beim Login!<br />
				Du hast ein falsches Passwort eingegeben.<br />';
		}
		elseif($_GET['error'] == 2)
		{
			echo 'Fehler beim Login!<br />
				Der eingegebene Benutzername existiert in der Datenbank nicht.<br />';
		}
		elseif($_GET['error'] == 1)
		{
			echo 'Fehler beim Login!<br />
				Die Datenbankabfrage war nicht erfolgreich.<br />';
		}
		elseif($_GET['error'] == 4)
		{
			echo 'Fehler beim Login!<br />
				Du hast nicht beide Felder ausgefüllt.<br />';
		}
	}
	?>
    <form action="login_2.php" method="post" name="Login"> //This is my Login-form
    Benutzername: <input type="text" name="username" /> <br />
    Passwort: <input type="password" name="password" /><br />
    <input type="button" value="Login" onClick="form.submit()" />
    </form>
<?php	
}
?>
</body>
</html>

Ok, and here is my login_2.php, which should be called, when somebody clicks on "Login".

<!doctype html>
<html>
<head>
<meta charset="utf-8">
<title>TGSA - CP - LOGIN-2</title>
</head>

<body>
<?php
include 'functions.php';
include 'db_connect.php';
If(isset($_POST['password'], $_POST['username']))
{
	$username = $_POST['username'];
	$password = hash("md5", $_POST['password']);
	$_POST['password'] = "";
	if(login($username, $password, $mysql) == 1)
		header('LOCATION: ./main.php');
	elseif(login($username, $password, $mysql) == -1)
		header('LOCATION: ./login.php?error=1');
	elseif(login($username, $password, $mysql) == -2)
		header('LOCATION: ./login.php?error=2');
	elseif(login($username, $password, $mysql) == -3)
		header('LOCATION: ./login.php?error=3');
}
else
	header('LOCATION: ./login.php?error=4');
?>
</body>
</html>

The functions.php and the db_connect.php

<!doctype html>
<html>
<head>
<meta charset="utf-8">
<title>TGSA - CP - FUNKTIONEN</title>
</head>

<body>
<?php
function sec_session_start() // This is of a tutorial and should be more secure, than the normal php session
{
	$session_name = 'TGSA_CP_Session_ID'; 
	$secure = false; 
	$httponly = true; 
	ini_set('session.use_only_cookies', 1); 
	$cookieParams = session_get_cookie_params(); 
	session_set_cookie_params($cookieParams["lifetime"], $cookieParams["path"], $cookieParams["domain"], $secure, $httponly); 
	session_name($session_name); 
	session_start(); 
	session_regenerate_id(true); 
}
function login($username, $password, $mysql)
{
	$query = "SELECT `UserID`, `Password` FROM `ControlPanel` WHERE `Username` = '" . $username . "' LIMIT 1";
	$result = mysql_query($query);
	if(!$result)
		return -2; 
	if($row = mysql_fetch_array($result))
	{
		$Password_DB = $row['Password'];
		$UserID = $row['UserID'];
		if($Password_DB == $password) //This part is copied of a tutorial, but nearly all of the rest is self written
		{
			$user_browser = $_SERVER['HTTP_USER_AGENT']; 
			$user_id = preg_replace("/[^0-9]+/", "", $UserID); 
			$_SESSION['user_id'] = $user_id; 
			$username = preg_replace("/[^a-zA-Z0-9_\-]+/", "", $username); 
			$_SESSION['username'] = $username;
			$_SESSION['login_string'] = hash('sha512', $password.$user_browser);
			return 1;
		}
		else
			return -3; 
	}	
}
function login_check($mysql) //the basic idea of this function is from a tutorial, but it's rewritten.
{
	
	if(isset($_SESSION['user_id'], $_SESSION['username'], $_SESSION['login_string']))
	{
		$user_id = $_SESSION['user_id'];
		$username = $_SESSION['username'];
		$login_string = $_SESSION['login_string'];
		$user_browser = $_SERVER['HTTP_USER_AGENT'];
		$query = "SELECT `Password` FROM `ControlPanel` WHERE `UserID` = '" . mysql_real_escape_string($user_id) . "' LIMIT 1";
		$result = mysql_query($query);
		if(!$result)
		{
			echo "Fehler beider Datenbankabfrage! <br />
				" . mysql_errno() . ": " . mysql_error(). " <br / >";
			return false; //Benutzer existiert nicht
		}
		if($row = mysql_fetch_array($result))
		{
			$password = $row['Password'];
			$login_check = hash("sha512", $password.$user_browser);
			if($login_check == $login_string)
				return true;
			else
				return false;
		}
		else
			return false; 
	}
	else
		return false;
}
?>
</body>
</html>

!doctype html>
<html>
<head>
<meta charset="utf-8">
<title>TGSA - CP - DB Config</title>
</head>

<body>
<?php 
define("HOST", "**.**.***.***"); 
define("USER", "*****");
define("PASSWORD", "*****"); 
define("DATABASE", "*****");
$mysql = mysql_connect(HOST, USER, PASSWORD);
if(!$mysql)
{
	echo "Fehler beim versuch mit der Datennbank zu verbinden! <br /> //german text
		" . mysql_errno($mysql) . ": " . mysql_error($mysql). " <br / >";
}
$select_db = mysql_select_db(DATABASE, $mysql);
if(!$select_db)
{
	echo "Fehler beim versuch die Datenbank auszuwählen! <br /> // german text
		" . mysql_errno() . ": " . mysql_error(). " <br / >";
}
?>
</body>
</html>

And here is the main.php, which should be called, if you are successfully logged in.

<!doctype html>
<html>
<head>
<meta charset="utf-8">
<title>TGSA - CP - MAINPAGE</title>
<link href="/design.css" rel="stylesheet" type="text/css">
</head>
<body>
<?php
include 'functions.php';
include 'db_connect.php';
sec_session_start();
if(login_check($mysql) == true)
{
	echo "Du bist eingeloggt!" ;
}
else
	header('LOCATION: ./login.php');
?>
</body>
</html>

So, i use mysql instead of mysqli because the owner of the database said, that mysqli don't work with his database and i should use the normal mysql,

And I know, that the passwords are saved insecure and I could use sha512 with a random salt... but my partner don't want to use it.

 

If you haven't understood something, because my English is too bad, just say something and I'll try to explain what I've meant.

Link to comment
Share on other sites
Csharp Newbie

Csharp

Posted
Posted

The point is that you are probably getting an headers already sent error. Try putting the PHP code always above the HTML and tell us if it worked better.

And remember that header location does not end the execution, you need to do something like this die(header('location: x')); //Yeah, that's not really clean but does the job.

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.