ianhaney Posted December 30, 2015 (edited)

Hi

I have built a sign up form which works perfect and a login form that works perfect, but if I try to add the id number into the url using php, it makes the login form load the same page and not redirect to the profile page. Below is the code I have on the login form processing page:

```php
<?php
ob_start();
session_start();

$username = $_POST['username'];
$password = $_POST['password'];

$_SESSION['username'] = $username;

$conn = mysqli_connect('localhost', '********', '*******', '*******');

$id=$_GET['id'];

$username = mysqli_real_escape_string($conn, $username);
$query = "SELECT password, salt FROM recruiters WHERE username = '$username' AND id=$id;";

$result = mysqli_query($conn, $query);

if(mysqli_num_rows($result) == 0) // User not found. So, redirect to login_form again.
{
    header('Location: recruiter-login.php');
}

$userData = mysqli_fetch_array($result, MYSQL_ASSOC);
$hash = hash('sha256', $userData['salt'] . hash('sha256', $password) );

if($hash != $userData['password']) // Incorrect password. So, redirect to login_form again.
{
    header('Location: recruiter-login.php');
}else{ // Redirect to home page after successful login.
    header('Location: recruiter-profile.php?id=$id');
}
?>
```

I put error reporting in and it is not displaying any errors, so that is one good thing.

If I take out AND id=$id from the sql query, the login works and logs me in.

Hope someone can help.

Thank you in advance

Ian

Edited December 30, 2015 by Barand: remove credentials
ianhaney Posted December 30, 2015 (Author)

Think I found out the issue, just unsure how to solve it.

It is thinking the password is entered incorrectly so is loading the login page again. Below is the code causing the issue:

```php
if($hash != $userData['password']) // Incorrect password. So, redirect to login_form again.
{
    header('Location: recruiter-login.php');
}else{ // Redirect to home page after successful login.
    header('Location: recruiter-profile.php?id=$id');
}
```

I found out because I changed the line

```php
header('Location: recruiter-login.php');
```

to

```php
header('Location: index.php');
```

The lines above that check the password part are below:

```php
$userData = mysqli_fetch_array($result, MYSQL_ASSOC);
$hash = hash('sha256', $userData['salt'] . hash('sha256', $password) );
```

I know the password is correct as I wrote it down just after typing it in the signup form.
Muddy_Funster Posted December 30, 2015

You have some bad practices going on here; in fact, that could be one of the most bizarre login procedures I have ever seen. I also hope that those DB credentials are fake or run on a purely local test server.

What is the ID and where are you getting it from?
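An added example, not part of the thread and not any poster's code: one way to write the login handler from the first post with a prepared statement, `password_verify()`, and an `exit` after every redirect. It assumes the `recruiters.password` column holds a `password_hash()` value instead of the salted SHA-256 scheme, and the `redirect()` helper, the `DB_*` environment variables and the `recruiter_id` session key are hypothetical names.

```php
<?php
// Added example: hardened variant of the login handler posted above.
// Assumptions (not from the thread): recruiters.password stores a
// password_hash() value; DB credentials come from environment variables.
session_start();

// Hypothetical helper: header() alone does not stop the script, so
// without exit the code after a "failed login" redirect keeps running.
function redirect(string $url): void
{
    header('Location: ' . $url);
    exit;
}

$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';
if (!is_string($username) || !is_string($password) || $username === '' || $password === '') {
    redirect('recruiter-login.php');
}

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$conn = new mysqli('localhost', (string) getenv('DB_USER'),
                   (string) getenv('DB_PASS'), (string) getenv('DB_NAME'));

// The id is read from the matching row rather than from $_GET, so no
// client-supplied value is ever concatenated into the SQL text.
$stmt = $conn->prepare('SELECT id, password FROM recruiters WHERE username = ?');
$stmt->bind_param('s', $username);
$stmt->execute();
$stmt->bind_result($id, $storedHash);
$found = $stmt->fetch(); // true on a row, null when there is none
$stmt->close();

if (!$found || !password_verify($password, $storedHash)) {
    redirect('recruiter-login.php');
}

// Record the identity only after the password check has passed, and
// rotate the session id so a pre-login session id is not reused.
session_regenerate_id(true);
$_SESSION['recruiter_id'] = (int) $id;
$_SESSION['username'] = $username;

// Concatenation is needed here: '$id' inside single quotes is sent literally.
// The profile page should authorize on $_SESSION['recruiter_id'], not the URL id.
redirect('recruiter-profile.php?id=' . (int) $id);
```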
sn00pers Posted December 30, 2015

At some point the hash in the DB had to be created from a password and perhaps the method was slightly different? Why not print both hashes to confirm they don't match?
Muddy_Funster Posted December 30, 2015

> At some point the hash in the DB had to be created from a password and perhaps the method was slightly different? Why not print both hashes to confirm they don't match?

It's probably more simple than that. One of the issues with the script is that the OP has used the reserved word "password" for the title of a column in the database. This means that the SELECT query isn't going to return what they think it is. To be honest though, that's only one of several serious issues here and can be fixed by wrapping the column name in backticks.
Barand Posted December 30, 2015

"password" is a keyword but is not reserved

http://dev.mysql.com/doc/refman/5.5/en/keywords.html
ianhaney Posted December 30, 2015 (Author)

Hi

Sorry, I have sussed this now but need to remove or edit my original post as it contains my db info. I forgot to remove the info before posting. Can the admin or moderator edit it for me please? Sorry.
Barand Posted December 30, 2015

I've already done the edit.