
Can't log in with unique id


Shadow_Walker


Hello PHP freaks,

 

My codes don't allow me to log in to Student Home with unique id. It says "Invalid Login or Password"

this is my form

<tr bgcolor="#E1E1E1" class="stylesmall">
              <td width="35%" align="left" class="style7 style1">Learner Id : </td>
                <td width="65%" align="left"><input name="learner_id" type="text" id="learner_id" action="Student_Home.php" method="post"></td>
              </tr>
            <tr bgcolor="#E1E1E1" class="stylesmall">
              <td align="left" class="style7 style1">Password:</td>
                <td align="left"><input name="student_password" type="password" id="student_password"></td>

and this is my handler.

<?php
	session_start();
	include 'Connect.php';
	$flag = "";
	$learner_id = $_POST['learner_id'];
	$student_id = $_POST['student_id'];
	$student_password = $_POST['student_password'];
	$query = "select last_login_date from student_information where student_id='$student_id' and student_password='$student_password'";
	$result = mysql_query($query,$link_id);
	if(mysql_error() != null){
		die(mysql_error());
	}
	if($date = mysql_fetch_array($result))
	{
        $lastdate = $date['last_login_date'];
	$date2 = date("d-m-Y h:i A",strtotime($lastdate));
	$_SESSION["student_id"] = $_POST["student_id"];
        $_SESSION["lastlogin"] =$date2;
	$_SESSION["type"] = "Student";
	mysql_query("UPDATE student_information SET last_login_date=now() where student_id='$student_id'",$link_id);
	if(mysql_error() != null){
	die(mysql_error());
	}
	header("location:  Student_Home.php?id={$student_id}");
		 die();
	}
	else
	{
		$flag = "invalid";
		header("location:Student_login.php?flag=$flag");
		die();		
	} 	
?>

Please help me PHP friends to correct my codes.

Link to comment
Share on other sites

Several things going on, but the one that's probably tripping you up is that you're not hashing your password before comparing it to the one in the database. I'm assuming (hoping, really) that the stored passwords are all hashed and not just plain-text. Ignoring the deprecated mysql_ functions, the invitation to SQL injection, and undeclared variables, this is probably why you're not logging in correctly even with legit credentials.

Link to comment
Share on other sites

Actually I am concerned about the input since I don't see a form tag nor a submit button. So just how do you even know that your data is arriving at your php point? I also agree with everything the Maxdd says.

 

Nor do I see any input for 'student_id'.

Nor do I see anywhere that your message could be produced.

Nor do I understand why you do a 'die' followed by an attempt to re-direct to yourself if the date update fails (which won't work).

Edited by ginerjm
Link to comment
Share on other sites

Hello Advance Members maxdd and ginerjm,

Sorry, I forgot to give you the submit button. Actually it's a table inside the form.

<td colspan="2" align="center"> 
			 	<?php if(!empty($_GET['flag']) && $_GET['flag'] == "invalid") { ?>
                <span class="stylered style1">Invalid Learner Id or Password</span>
				<?php }?>				</td>
            </tr>
            <tr bgcolor="#E1E1E1">
              <td colspan="2" align="center"><p>
                <input name="login" class="style10" type="submit" id="login" value="Login">
              </p>

Please suggest me to modify something inside my codes.

Link to comment
Share on other sites

Can you give us a more complete view of your code? Pieces are hard to follow.

 

Also - you really should consider separating your php logic from your presentation code. Create vars in your php code and then output your html with the vars included rather than turn on php mode to do something (that should have already been done) and turn off php mode.

Link to comment
Share on other sites

Hello ginerjm and Php Freaks!!

 

Apology for that tidbits of codes. I manage to debug my codes and as of now using the learner id and password, they can now log-in to Student_Home.php. 

But another PROBLEM arises: even though every learner can log in now and is directed to Student_Home.php, the browser address goes like this

 

http://localhost/a/Student_Home.php?id=

 

It clearly shows that although they can log in, the field that does not provide their information because the unique id is not being called. I expect it must be like

 

http://localhost/a/Student_Home.php?id=51                       (51 is an example of unique id number per student)

 

Here is my Student_login.php codes

<body onLoad="javascript:document.form1.student_id.focus()">
<form name="form1" method="post" action="Student_login_handler.php" onSubmit="return validate();">
  <table width="100%" height="100%" >
    <tr>
      <td height="15%"><?php include 'Header.php';?></td>
    </tr>
    <tr>
      <td width="100%" height="80%" align="center" valign="baseline"><table width="90%" >
        <tr>
          <td width="8%"><a href="index.php" class="stylelink style2 style3" style="text-decoration:none; font-family: Verdana, Arial, Helvetica, sans-serif;">Home</a></td>
          <td width="35%" align="center"><span class="style3"></span></td>
          <td width="27%"><span class="style3"></span></td>
          <td width="30%" align="right"> </td>
        </tr>
        
        <tr>
          <td><span class="style3"></span></td>
          <td><span class="style3"></span></td>
          <td><span class="style3"></span></td>
          <td><span class="style3"></span></td>
        </tr>
        
          <?php if(!empty($_GET['flag']) && $_GET['flag'] == "success") { ?>  
		  <tr>
		       <td colspan="4" align="center" class="stylegreen style1 style2 style3">Congratulations! You Are successfully registered. You can use your Learner Id and Password to login to your account.</td>
		  </tr>
		  <?php 
		  }
		  else if(!empty($_GET['flag']) && $_GET['flag'] == "exists") { ?>
		  <tr>
		       <td colspan="4" align="center" class="stylered style1 style2 style3">This Learner Id( <?=$_GET['learner_id']?>) already exists. Please, try again with another Learner Id</td>
		  </tr>
		  <?php 
		  	}else if(!empty($_GET['flag']) && $_GET['flag'] == "error") {
		  ?>
         	<tr>
		       <td colspan="4" align="center" class="stylered style1 style2 style3">Error while inserting data. Please, try again.</td>
		  </tr>
		  <?php
		  	}
		  ?>
        <tr>
          <td> </td>
          <td> </td>
          <td> </td>
          <td> </td>
        </tr>
        <tr>
          <td> </td>
          <td> </td>
        </tr>
        <tr>
          <td colspan="4"><table width="30%"  border="1" align="center" cellpadding="3" cellspacing="0" bordercolor="#CCCCCC" bgcolor="#CCCCCC">
            <tr align="center" bgcolor="#999999">
              <td colspan="2" bgcolor="#99CC33" class="stylebig style1">Learners Login Here</td>
                </tr>
            <tr bgcolor="#E1E1E1" class="stylesmall">
              <td width="35%" align="left" class="style7 style1">Learner Id : </td>
                <td width="65%" align="left"><input name="learner_id" type="text" id="learner_id" action="Student_Home.php" method="post"></td>
              </tr>
            <tr bgcolor="#E1E1E1" class="stylesmall">
              <td align="left" class="style7 style1">Password:</td>
                <td align="left"><input name="student_password" type="password" id="student_password"></td>
              </tr>
            <tr bgcolor="#E1E1E1">	
              <td colspan="2" align="center"> 
			 	<?php if(!empty($_GET['flag']) && $_GET['flag'] == "invalid") { ?>
                <span class="stylered style1">Invalid Learner Id or Password</span>
				<?php }?>				</td>
            </tr>
            <tr bgcolor="#E1E1E1">
              <td colspan="2" align="center"><p>
                <input name="login" class="style10" type="submit" id="login" value="Login">
              </p>
                <p><span class="style1">New Student?</span> Register <a href="Student_Registration.php">Here</a></p></td>
                </tr>
          </table></td>
          </tr>
      </table></td>
    </tr>
    <tr>
      <td height="5%" align="center"><?php include 'Footer.php';?></td>
    </tr>
  </table>
</form>
</body>
</html>

and here is my Student_login_handler codes

<?php
	session_start();
	include 'Connect.php';
	$flag = "";
	$learner_id = $_POST['learner_id'];
	$student_password = $_POST['student_password'];
	$student_id = htmlentities($_REQUEST['id'], ENT_QUOTES);
	$query = "select last_login_date from student_information where learner_id='$learner_id' and student_password='$student_password'"; 
	$result = mysql_query($query,$link_id);
	if(mysql_error() != null){
		die(mysql_error());
	}
	if($date = mysql_fetch_array($result))
	{
		 $lastdate = $date['last_login_date'];
		 $date2 = date("d-m-Y h:i A",strtotime($lastdate));
		 $_SESSION["student_id"] = $_POST["student_id"];
		 $_SESSION["lastlogin"] =$date2;
		 $_SESSION["type"] = "Student";
		 
		 mysql_query("UPDATE student_information SET last_login_date=now() where student_id='$GET[id]'",$link_id);
         if(mysql_error() != null){
			die(mysql_error());
		}
		 header("location:  Student_Home.php?id={$student_id}"); 
	}
	else
	{
		$flag = "invalid";
		header("location:Student_login.php?flag=$flag");
		die();		
	} 	
?>

Please take note of the header location in the Student_login_handler.php. I am expecting that the browser will post the unique student_id.

 

Please advise gentlemen.

Link to comment
Share on other sites

I'm going to start saying my next in all caps because it needs to be driven home for every php coder.

 

TURN ON PHP ERROR CHECKING!

 

error_reporting(E_ALL | E_NOTICE);

ini_set('display_errors', '1');

 

WHEN YOU ARE DEVELOPING YOU NEED THIS!

 

That said: What is $GET???

Link to comment
Share on other sites

OK. First off, do what ginerjm suggests. Always turn on error reporting on your development server. Now, fun times.

 

You're assigning $student_id the value from $_REQUEST['id'], using $_GET['id'] in the query, assigning $_SESSION['student_id'] the value from $_POST['student_id'], and using $student_id in the redirect header. It also seems that the database contains a learner_id field, which you compare to $_POST['learner_id']. The sheer volume of inconsistent data sources, names, and data transfer methods makes debugging a nightmare.

 

I would recommend selecting the student id from the student_information when you select last_login_date. The id should be an auto-incremented primary key for the table, so you'll know it's an integer and safe for CRUD operations. Compare that to either $_GET['id'] or $_POST['id'] (I'd recommend you choose a transfer method and stick with it - as you can see, it's easy to get confused if you don't know where the data is coming from) to make sure you're dealing with the right student, then you can a) assign the database-retrieved value to $_SESSION['student_id'], b) use the database-retrieved value to update the student_information table, and c) append the database-retrieved value to the location header.

 

All of that aside, print out the value of $student_id before and after the htmlentities() call and see what the value actually is. From the documentation:

If the input string contains an invalid code unit sequence within the given encoding an empty string will be returned, unless either the ENT_IGNORE or ENT_SUBSTITUTE flags are set. 
Link to comment
Share on other sites

Dear Sir,

 

I have been silent for weeks in understanding your suggestions. Since I'm still new in PHP, I find it hard translating your suggestions into codes, though I'm really doing my best to work for it.

 

 

I would recommend selecting the student id from the student_information when you select last_login_date. The id should be an auto-incremented primary key for the table, so you'll know it's an integer and safe for CRUD operations. 

I tried this recommendation. Though it works, I think it would be hard for the students to log in using their assigned auto-incremented number as their student_id. And so I wanted for them to log in using their desired learner_id but still using their student_id (their assigned auto-incremented number) to call their information in Student_Home page.

I think you have given me suggestions for this one, or I may have not understood it translating it to codes. If you may, as my mentor, kindly give me suggestions by modifying codes (I think I would understand it faster than the other way around).

Link to comment
Share on other sites

you won't know who someone is until they successfully login. ALL your code trying to use the student_id (auto-increment value from the database table) doesn't have a value until the login is successful and at that time you should be getting the value from the row you have retrieved from the sql query.

 

the only things you should be doing for/with the student_id are -

 

1) upon a successful login, retrieve that student_id from the row from the database table.

 

2) store this in a session variable to identify who the current logged in visitor is.

 

3) if you want to redirect to a page that requires the student_id on the end of the url to determine what to display on that page, use the student_id you have just retrieved from the database query.

 

you should have no other code, either in your login form (there's none anyway) or your login form processing logic that references the student_id.

Link to comment
Share on other sites

I don't think that providing you with a working code would help you more than if you try yourself to make it work. It's like learning to make a house. How will you learn, if somebody gives you a complete house or guide you to make one yourself?

 

That being said, you might want to understand the difference between $_POST, $_REQUEST, $_GET and $_SESSION. Like maxxd said, your code is really confusing. It seems that you're setting variables here and there in different places from different sources.

 

Why do you need the student id? Where does it come from? Why do you use $_REQUEST? Why can't you use $_POST most of the time?

 

Here are some pointers based on your code here:

$learner_id = $_POST['learner_id'];
$student_password = $_POST['student_password'];
$student_id = htmlentities($_REQUEST['id'], ENT_QUOTES);

$_POST["something"] variables are coming from submitted input fields submitted with form using the POST method.

 

<form method='POST'>

 

See the 'method=POST'? It means that the input fields in this form will be submitted using the POST method. So, those input fields will be visible with the $_POST variable.

 

So, if you have an input field like this : <input type="text" name='something'>

 

You'll be able to find the value using $_POST['something'] . The value entered in the field will be available in the variable $_POST using its NAME attribute. In this case, the input field has the name 'something'.

Now, the variable $_GET is different. It's reading its values from the URL. For example, if you had this URL:

http://www.mysite.com/test?something=hello&another_thing=bye

 

You see the text in bold? It's called the query string. This is a way to pass parameters too. The method GET shouldn't be used with forms, except for certain situation. A login form should use the POST method, like you did. 

 

Anyway, so if I wanted to get the value from the URL for the parameter 'another_thing' I would use $_GET['another_thing']. The value would then be 'bye'.

 

If you use $_REQUEST[''], it will look into $_POST, $_GET and $_COOKIES. Now, $_REQUEST shouldn't even exist, in my opinion. It's confusing if a variable can come from different places... The question to ask yourself would be: Why are you using $_REQUEST? In your case, it seems like a 'patch' that you used after you found out that it worked, somehow. Am I right?

 

And here's another trick. Break it down. Break your code in logical parts, and ask help for each of those parts, one by one. What are you trying to achieve? Would it be something like this:

 

- User enters his information

- Get user information

- Check if information OK with database

- If information is OK, redirect user using its information

- If information is not OK, display error message

 

I think that you only need 2 variables coming from the $_POST variable. The student number he uses to log in and the password.

Those 2 variables will then be used in a SQL query to retrieve the user's information (like its student_ID)

Then, when you have its information, if the login is successful, redirect using the student_ID that you just found with the SQL query.

 

Try to do this first. Then, when it works, add the code that will display error messages...

Link to comment
Share on other sites

Hello PHP Freaks,

 

@mogosselin, that is a good tutorial I received from you. So then I debugged my codes and here is the

 

Student_login.php

<td width="35%" align="left" class="style7 style1">Learner Id : </td>
           <td width="65%" align="left"><input name="learner_id" type="text" id="learner_id" action="Student_Home.php" method="post"></td>
        </tr>
        <tr bgcolor="#E1E1E1" class="stylesmall">
           <td align="left" class="style7 style1">Password:</td>
           <td align="left"><input name="student_password" type="password" id="student_password"></td>
        </tr>
        <tr bgcolor="#E1E1E1">	
           <td colspan="2" align="center"> 
		     <?php if(!empty($_GET['flag']) && $_GET['flag'] == "invalid") { ?>
             <span class="stylered style1">Invalid Learner Id or Password</span>
			 <?php }?></td>

and this is now the Student_login_handler.php

<?php
	session_start();
	include 'Connect.php';
	$flag = "";
	$learner_id = $_POST['learner_id'];
	$student_password =  $_POST['student_password'];
	$query = "select last_login_date from student_information where learner_id='$learner_id' and student_password='$student_password'";
	$result = mysql_query($query,$link_id);
	if(mysql_error() != null){
		die(mysql_error());
	}
	if($date = mysql_fetch_array($result))
	{
		 $lastdate = $date['last_login_date'];
		 $date2 = date("d-m-Y h:i A",strtotime($lastdate));
		 $_SESSION["user_id"] = $_POST["student_id"];
		 $_SESSION["lastlogin"] =$date2;
		 $_SESSION["type"] = "Student";
		 mysql_query("UPDATE student_information SET last_login_date=now() where student_id='$GET[id]'",$link_id);
		 if(mysql_error() != null){
			die(mysql_error());
		}
		 header("location:  Student_Home.php?id={$student_id}"); 
		 die();
	}
	else
	{
		$flag = "invalid";
		header("location:Student_login.php?flag=$flag");
		die();		
	} 
?>

I made it simple this time. When I click the log in button it directs me to

 

http://localhost/a/Student_Home.php?id=

 

but still I lost the student unique id. I expect it to be

http://localhost/a/Student_Home.php?id=51    (51 as the student_id "auto increment value")

Sometimes I suspected that the bugs are coming from Student_Home.php. Could it be possible, gentlemen?

Link to comment
Share on other sites

On line 19 you use $GET. Do you mean to use $_GET? Also, put the variable to be evaluated in double quotes inside curly braces {$_GET[id]} (like you do on line 23 where it is not needed because that is not an array element).

 

On line 23 you use $student_id but I don't see where you set that variable.

Link to comment
Share on other sites

Hi Freak Dr.

 

-----------------I suppose this is what you meant on line 19

 

mysql_query("UPDATE student_information SET last_login_date=now() where student_id='{$_GET[id]}'",$link_id);

 

 

 ---------------and I recoded line 23

 

header("location:  Student_Home.php?id=$student_id"); 

 

 

----------------I set variable $student_id on line 7 with this

 

$student_id = htmlentities($_GET['id'], ENT_QUOTES);

 

But still everything went the same; it directed me to http://localhost/a/S...nt_Home.php?id=

and the unique id of student is still not in the URL.

Maybe I got it wrong in setting the variable $student_id. Please help me out here.

Link to comment
Share on other sites

perhaps you missed this important information -

 

you won't know who someone is until they successfully login. ALL your code trying to use the student_id (auto-increment value from the database table) doesn't have a value until the login is successful and at that time you should be getting the value from the row you have retrieved from the sql query.

 

the only things you should be doing for/with the student_id are -

 

1) upon a successful login, retrieve that student_id from the row from the database table.

 

2) store this in a session variable to identify who the current logged in visitor is.

 

3) if you want to redirect to a page that requires the student_id on the end of the url to determine what to display on that page, use the student_id you have just retrieved from the database query.

 

you should have no other code, either in your login form (there's none anyway) or your login form processing logic that references the student_id.

Link to comment
Share on other sites

perhaps you missed this important information -

I think the OP is doing the 2 of the 3 things you point out, just in an unorthodox manner. He retrieves the ID on line 7 and stores it on line 16. He just calls the ID 3 different things - learner_id, user_id, and student_id which makes it confusing.

 

So, now all the OP needs to do is capitalize the first letter of location in the header on line 23, remove the part of the URL after the .php (no ?id=...) and get the id from $_SESSION in Student_Home.php. It would be a bonus if the naming of the id was the same everywhere.

Link to comment
Share on other sites

I think the OP is doing the 2 of the 3 things you point out, just in an unorthodox manner. He retrieves the ID on line 7 and stores it on line 16. He just calls the ID 3 different things - learner_id, user_id, and student_id which makes it confusing.

Actually, that's not what's going on. The only value returned on line 7 is the last_login_date - student_id is pulled from _POST  on line 16. The problem is this assumes that the submitting form (the log in form) already knows the student_id. Which it quite literally can't.

 

The solution to this specific problem is to add student_id to the list of fields returned from the query on line 7, then assign that value to $_SESSION['student_id']. The security issues and outdated mysql_ functions are other matters entirely.

Link to comment
Share on other sites
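The three steps listed in the replies above (read student_id from the matched row, store it in the session, use that value for the redirect), together with the hashing and SQL injection points raised in the first reply, as an added example that is not code from any post in this thread. It assumes a PDO connection in place of Connect.php and the mysql_ functions, placeholder database credentials, a student_password column that holds password_hash() output, and two hypothetical helpers, find_student() and fail_login().

```php
<?php
// Student_login_handler.php (added example, not the thread author's code).
// Assumptions: PDO instead of mysql_*, placeholder DSN and credentials,
// student_password stores password_hash() output, not plain text.
declare(strict_types=1);
session_start();

// Hypothetical helper: fetch the row for one learner_id, or null.
function find_student(PDO $pdo, string $learnerId): ?array
{
    // The placeholder keeps user input out of the SQL text.
    $stmt = $pdo->prepare(
        'SELECT student_id, student_password, last_login_date
           FROM student_information
          WHERE learner_id = :learner_id'
    );
    $stmt->execute([':learner_id' => $learnerId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hypothetical helper: same response for unknown id and wrong password.
function fail_login(): void
{
    header('Location: Student_login.php?flag=invalid');
    exit;
}

$pdo = new PDO(
    'mysql:host=localhost;dbname=EXAMPLE_DB;charset=utf8mb4', // placeholder
    'EXAMPLE_USER',                                           // placeholder
    'EXAMPLE_PASSWORD',                                       // placeholder
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
     PDO::ATTR_EMULATE_PREPARES => false]
);

// The login form sends exactly these two fields; student_id is not among them.
$learnerId = $_POST['learner_id'] ?? '';
$password  = $_POST['student_password'] ?? '';
if (!is_string($learnerId) || !is_string($password)
    || $learnerId === '' || $password === '') {
    fail_login();
}

$student = find_student($pdo, $learnerId);
if ($student === null
    || !password_verify($password, $student['student_password'])) {
    fail_login();
}

// 1) student_id comes from the row that matched, never from the request.
$studentId = (int) $student['student_id'];

// 2) New session id on login, then remember who is logged in.
session_regenerate_id(true);
$_SESSION['student_id'] = $studentId;
$_SESSION['type']       = 'Student';
$_SESSION['lastlogin']  = $student['last_login_date'] === null
    ? ''
    : date('d-m-Y h:i A', strtotime($student['last_login_date']));

$update = $pdo->prepare(
    'UPDATE student_information SET last_login_date = NOW()
      WHERE student_id = :student_id'
);
$update->execute([':student_id' => $studentId]);

// 3) Redirect using the database value.
header('Location: Student_Home.php?id=' . $studentId);
exit;
```

Student_Home.php should decide whose record to show from $_SESSION['student_id'] and reject a request whose ?id= differs from it, since the URL value can be edited by any logged-in student.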

Actually, looking at it again the problem goes a little deeper. If I assume (which I did) that learner_id, student_id, and id are all the same thing and he changed the name to be consistent then it doesn't matter that line 7 doesn't return the id because it only returns a result if the WHERE clause is true (if the id and password pair match). So, he wouldn't need to retrieve it -- he already has it and has validated it because he's matched the user supplied id with the password. However, when he sets it on line 16 he uses student_id which could be different and when he updates the date he's using _GET with yet another name for the id. If the form is using the POST method _GET is going to be empty. To make the script work, you need to name the id one thing and use that name everywhere and you need to use either GET or POST, trying to use both is just going to result in a mess.

 

I agree that the code is very messy and would advise starting over.

Link to comment
Share on other sites
