Hi

 

I have built a sign up form which works perfectly and a login form that works perfectly, but if I try to add the id number into the URL using PHP, it makes the login form load the same page and not redirect to the profile page. Below is the code I have on the login form processing page:

 



<?php

ob_start();
session_start();

$username = $_POST['username'];
$password = $_POST['password'];

$_SESSION['username'] = $username;

$conn = mysqli_connect('localhost', '********', '*******', '*******');

$id=$_GET['id'];

$username = mysqli_real_escape_string($conn, $username);
$query = "SELECT password, salt
FROM recruiters
WHERE username = '$username' AND id=$id;";

$result = mysqli_query($conn, $query);

if(mysqli_num_rows($result) == 0) // User not found. So, redirect to login_form again.
{
header('Location: recruiter-login.php');
}

$userData = mysqli_fetch_array($result, MYSQL_ASSOC);
$hash = hash('sha256', $userData['salt'] . hash('sha256', $password) );

if($hash != $userData['password']) // Incorrect password. So, redirect to login_form again.
{
header('Location: recruiter-login.php');
}else{ // Redirect to home page after successful login.
header('Location: recruiter-profile.php?id=$id');

}
?>


I put error reporting in and it is not displaying any errors, so that is one good thing.

 

If I take out AND id=$id from the sql query, the login works and logs me in

 

Hope someone can help

 

Thank you in advance

 

Ian

Edited by Barand
remove credentials

Think I found out the issue, just unsure how to solve it.

 

It is thinking the password is entered incorrectly, so it is loading the login page again. Below is the code causing the issue:

if($hash != $userData['password']) // Incorrect password. So, redirect to login_form again.
{
    header('Location: recruiter-login.php');
}else{ // Redirect to home page after successful login.
	header('Location: recruiter-profile.php?id=$id');
	
}

I found out because I changed the line header('Location: recruiter-login.php'); to header('Location: index.php');

 

The lines above that check the password are below:

$userData = mysqli_fetch_array($result, MYSQL_ASSOC);
$hash = hash('sha256', $userData['salt'] . hash('sha256', $password) );

I know the password is correct, as I wrote it down just after typing it in the signup form.

You have some bad practices going on here, in fact that could be one of the most bizarre login procedures I have ever seen.  I also hope that those DB credentials are fake or run on a purely local test server.

 

What is the ID and where are you getting it from?

At some point the hash in the DB had to be created from a password and perhaps the method was slightly different? Why not print both hashes to confirm they don't match?

 

It's probably more simple than that.  One of the issues with the script is that the OP has used the reserved word "password" for the title of a column in the database.  This means that the SELECT query isn't going to return what they think it is. To be honest though, that's only one of several serious issues here and can be fixed by wrapping the column name in backticks.
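
Added example, not code from any poster in this thread: one way to restructure the login check so that the id is read from the matched row instead of the URL, the query is parameterized, and the password is checked with PHP's password_hash()/password_verify(). The password_hash column, the function names and the in-memory SQLite demo data are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Look up by username only; the id comes from the matched row, never from $_GET.
function authenticate(PDO $db, string $username, string $password): ?int
{
    // Bound parameter: the username is sent as data, not spliced into the SQL text.
    $stmt = $db->prepare('SELECT id, password_hash FROM recruiters WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a dummy hash when the user is unknown so both paths do the same work.
    static $dummy = null;
    $dummy ??= password_hash('placeholder', PASSWORD_DEFAULT);
    $ok = password_verify($password, $row['password_hash'] ?? $dummy);

    return ($row && $ok) ? (int) $row['id'] : null;
}

// Returns the redirect target. In the real page the caller sends
// header("Location: $target") and then calls exit so nothing else runs.
function loginRedirect(PDO $db, array $post): string
{
    $id = authenticate($db, (string) ($post['username'] ?? ''), (string) ($post['password'] ?? ''));
    if ($id === null) {
        return 'recruiter-login.php';
    }
    // In the real page: session_regenerate_id(true); $_SESSION['recruiter_id'] = $id;
    return 'recruiter-profile.php?id=' . $id;
}

// Constructed demo data in an in-memory SQLite database (assumes pdo_sqlite is enabled).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE recruiters (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
$ins = $db->prepare('INSERT INTO recruiters (username, password_hash) VALUES (?, ?)');
$ins->execute(['ian', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Correct password, wrong password, unknown user.
echo loginRedirect($db, ['username' => 'ian', 'password' => 'correct horse']), PHP_EOL;
echo loginRedirect($db, ['username' => 'ian', 'password' => 'wrong']), PHP_EOL;
echo loginRedirect($db, ['username' => 'nobody', 'password' => 'x']), PHP_EOL;
```

The profile page should still read the recruiter id from the session rather than trusting the id in the URL.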
