
Header Vanishes if I remove LIMIT 1


Moorcam
Solved by benanamen


Hi folks,

 

This issue has had me baffled for days.

I have a query string which works fine. The idea is to display the name of the logged-in user, using SESSION. However, if I use the query string without LIMIT 1 on the end, the header area vanishes. If I put it back in, it appears again.

Also, I have 2 users registered for testing. But no matter what account I log in with, it still shows the same name.

 

Here is the area of code that is playing up, including the HTML area where the name of the logged in user is displayed.

<?php
include 'templates/header.php';

$result = mysqli_query($mysqli, "SELECT * FROM admin_users LIMIT 1");

if ($row = mysqli_fetch_array($result)) {
    include 'templates/navbar.php';
    $_SESSION['fname'] = $row['fname'];
?>
    <div class="dcm-content-wrapper">
        <div class="dcm-content">
            <h1><i class="fa fa-home"></i> Dashboard</h1>
            <p>Hello <?php echo $_SESSION['fname']; ?> You are logged in as Admin!</p>
<?php
}
?>

Please note that session_start() is in the header.php file.

Any help is greatly appreciated.

 


How do you expect to log in a particular user without a WHERE condition? Of course you are going to keep getting the same user.

Hi.

Thanks for the reply.

I have even tried putting

WHERE id = $_SESSION['id'];

and that also makes the HTML vanish.

Also note, login is working fine. The OP shows the code from the start of index.php after login.

Edited by DanEthical

No.  What you have is nothing close to login code. I will let someone else take it from here.

As I said, the above code is not the login. This is the Index after login is completed.

 

Here is the login code:

<?php
// Coach Manager
// Version 0.0.0.1
// Author Dan O'Riordan
session_start();
if (isset($_SESSION['id'])) {
    header("Location: index.php");
}
include_once 'includes/config.php';
include_once 'includes/db_connect.php';

// check if form is submitted
if (isset($_POST['login'])) {

    $email = mysqli_real_escape_string($mysqli, $_POST['email']);
    $password = mysqli_real_escape_string($mysqli, $_POST['password']);
    $psalt = 'eghriwugfro78974togfg0487tr';
    $password = hash('sha256', $password);
    $result = mysqli_query($mysqli, "SELECT * FROM admin_users WHERE email = '" . $email . "' and password = '" . $password . "'");

    if ($row = mysqli_fetch_array($result)) {
        $_SESSION['id'] = $row['id'];
        $_SESSION['fname'] = $row['fname'];
        header("Location: index.php");
    } else {
        $errormsg = "Incorrect Email or Password Combination!";
    }
}
?>
<!DOCTYPE html>
<html>
<head>
  <meta charset="UTF-8">
  <title>Tour Manager | Login</title>

  <!-- FONTAWESOME STYLES-->
  <link rel="stylesheet" href="assets/font-awesome/css/font-awesome.min.css" />
  <link rel='stylesheet prefetch' href='http://netdna.bootstrapcdn.com/bootstrap/3.0.2/css/bootstrap.min.css'>
  <link href="css/styles.css" rel="stylesheet">
</head>

<body>
<div id="loginModal" class="modal show" tabindex="-1" role="dialog" aria-hidden="true">
  <div class="modal-dialog">
    <div class="modal-content">
      <div class="modal-header">
        <h1 class="text-center">Tour Manager</h1>
      </div>
      <div class="modal-body">
        <form class="form-signin" role="form" action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post" name="loginform">
          <div class="form-group">
            <input type="text" name="email" required class="form-control input-lg" placeholder="Email">
          </div>

          <div class="form-group">
            <input type="password" name="password" required class="form-control input-lg" placeholder="Password">
          </div>

          <div class="form-group">
            <button class="btn btn-primary btn-lg btn-block" name="login">Sign In</button>
            <span class="text-danger"><strong><?php if (isset($errormsg)) { echo $errormsg; } ?></strong></span>
          </div>
        </form>
      </div>
      <div class="modal-footer">
        <div class="col-md-12">
          Powered by <a href="http://www.danethical.com" target="_blank">Tour Manager</a>
        </div>
      </div>
    </div>
  </div>
</div>
<!-- script references -->
<script src="//ajax.googleapis.com/ajax/libs/jquery/2.0.2/jquery.min.js"></script>
<script src="js/bootstrap.min.js"></script>
</body>
</html>
<?php
exit();
?>

Cheers


Solution

Ok, now we are getting somewhere. Let's start from the beginning.

 

You shouldn't be using sha256. You need to use password_hash.

 

Line 13 should be if ($_SERVER['REQUEST_METHOD'] == 'POST'). Depending on the name of a button being submitted for your script to work can be problematic in certain instances.

 

Do not SELECT *. Specify the exact columns you want.

 

$_SERVER['PHP_SELF'] is vulnerable to an XSS attack. Just leave the action out to submit to the same page.

 

You need to kill the script at the header redirect.

die(header("Location: index.php")); 

 

You need to use prepared statements.

 

On the index page, there is no need for another query. You have already set the fname session on login. Just use it now.

 

index.php 

<?php
session_start();
?>
<p>Hello <?= $_SESSION['fname'] ?> You are logged in as Admin!</p>

I highly recommend you use PDO https://phpdelusions.net/pdo

Edited by benanamen
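Pulling the points in that answer together, here is an added example of what the login and index logic look like once rewritten that way. It is not code from the thread or from Tour Manager. It assumes PHP with the pdo_sqlite extension and uses an in-memory SQLite table named admin_users so it runs stand-alone; the function names connect, createUser, authenticate, handleLoginRequest and greeting, and the test user dan@example.com, are my own.

```php
<?php
// Added example, not the thread's code: login/index logic using PDO prepared
// statements and password_hash()/password_verify(). Runs stand-alone with
// `php login_demo.php`; for the real application only connect() changes.
declare(strict_types=1);

function connect(): PDO
{
    // Assumption: in-memory SQLite so the demo needs no database server. Against MySQL
    // the DSN would be e.g. 'mysql:host=localhost;dbname=coach;charset=utf8mb4'.
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->setAttribute(PDO::ATTR_DEFAULT_FETCH_MODE, PDO::FETCH_ASSOC);
    $pdo->exec('CREATE TABLE admin_users (
        id INTEGER PRIMARY KEY,
        email TEXT NOT NULL UNIQUE,
        fname TEXT NOT NULL,
        password TEXT NOT NULL)');
    return $pdo;
}

// Registration helper: store a salted, slow hash, never hash('sha256', $password).
function createUser(PDO $pdo, string $email, string $fname, string $password): void
{
    $stmt = $pdo->prepare('INSERT INTO admin_users (email, fname, password) VALUES (:email, :fname, :hash)');
    $stmt->execute([
        ':email' => $email,
        ':fname' => $fname,
        ':hash'  => password_hash($password, PASSWORD_DEFAULT),
    ]);
}

// Login check: the email is bound as a parameter, so quotes in it are data, not SQL;
// only the columns needed are selected; the comparison is done by password_verify(),
// not by the database. Returns id and fname on success, null for unknown email or
// wrong password alike (same answer for both, so emails cannot be enumerated).
function authenticate(PDO $pdo, string $email, string $password): ?array
{
    $stmt = $pdo->prepare('SELECT id, fname, password FROM admin_users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch();
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    // Transparently upgrade the stored hash if PASSWORD_DEFAULT has moved on.
    if (password_needs_rehash($row['password'], PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE admin_users SET password = :hash WHERE id = :id');
        $upd->execute([':hash' => password_hash($password, PASSWORD_DEFAULT), ':id' => $row['id']]);
    }
    return ['id' => $row['id'], 'fname' => $row['fname']];
}

// Top of login.php (after session_start()): test the request method rather than a
// button name, regenerate the session id on login, and exit right after the redirect.
// Returns an error message to render, or null when there is nothing to report.
function handleLoginRequest(PDO $pdo): ?string
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        return null;                       // plain GET: just render the form
    }
    $user = authenticate($pdo, (string) ($_POST['email'] ?? ''), (string) ($_POST['password'] ?? ''));
    if ($user === null) {
        return 'Incorrect Email or Password Combination!';
    }
    session_regenerate_id(true);           // defeats session fixation
    $_SESSION['id']    = $user['id'];
    $_SESSION['fname'] = $user['fname'];
    header('Location: index.php');
    exit;                                  // nothing after the redirect may run
}

// Top of index.php (after session_start()): no second query is needed, the session
// already holds fname; require a session and escape anything echoed into HTML.
function greeting(): string
{
    if (!isset($_SESSION['id'])) {
        header('Location: login.php');
        exit;
    }
    return 'Hello ' . htmlspecialchars((string) $_SESSION['fname'], ENT_QUOTES, 'UTF-8')
         . ' You are logged in as Admin!';
}

if (PHP_SAPI === 'cli') {
    $pdo = connect();
    createUser($pdo, 'dan@example.com', 'Dan', 'correct horse battery staple');  // constructed test user

    $ok  = authenticate($pdo, 'dan@example.com', 'correct horse battery staple');
    $bad = authenticate($pdo, 'dan@example.com', 'wrong password');
    // SQL metacharacters in the email are bound as data and simply match no row.
    $meta = authenticate($pdo, "' OR '1'='1", 'anything');

    printf("right password:       %s\n", $ok === null ? 'rejected' : 'accepted as ' . $ok['fname']);
    printf("wrong password:       %s\n", $bad === null ? 'rejected' : 'accepted');
    printf("email with SQL quotes: %s\n", $meta === null ? 'rejected' : 'accepted');
}
```

Run it with `php login_demo.php`; the CLI block exercises the authentication helper without touching the session or sending headers. On MySQL, also set PDO::ATTR_EMULATE_PREPARES to false so the server, not the driver, binds the parameters.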

Hi benanamen,

 

Thank you so much. I really appreciate you taking the time to help.

The issue of the HTML vanishing has been resolved, as has the correct name being displayed, thanks to your instructions.

 

Regarding PDO and password_hash, I will be changing over to these when I get home later.

 

Thanks so much again. You are a legend. :)

 

Cheers,

Danno
