Ahmedhm007 Posted November 24, 2017

Hi good guy! I'm facing some problems setting up a pre-made website! I really need it for business use so far. The problem is I don't have that much knowledge of PHP and MySQL etc.! I'm using 000webhost, and when I put the files together and link the website to MySQL I always get errors at the login page, when I'm sure there's just a very tiny problem that can be fixed by you very quickly! Can anyone help me please? Just 10 min of your time and I'll appreciate it! Anyway, here's the problem I get on login:

Warning: mysqli_fetch_array() expects parameter 1 to be mysqli_result, boolean given in /storage/ssd1/425/3721425/public_html/login.php on line 22

I just attached the login and config files! If you can fix it just by taking a look at these files, let me know! If not, please tell me so that we can message each other. BIIIIIIIIIIIIG THANKS

login.php config.php

requinix Posted November 24, 2017

The query you did just before failed. Find out why. If you're not sure, try posting it.

FYI attachments are annoying. Putting the code directly in your post, with [code] tags, is easier for everyone.

Ahmedhm007 Posted November 24, 2017

Thanks! I tried to fix it; the problem was that the MySQL table and structure names were different! I have almost fixed everything, and now I'm getting the error "password or username wrong" when it's not! Here's my login.php code and MySQL query data:

https://image.ibb.co/kbbZv6/2017_11_24_102202.png

```php
<?php
session_start();
error_reporting(E_ALL);
ini_set('display_errors', 1);
include_once('module/config.php');

if(isset($_SESSION['id'])){
    header("location: index.php");
}

if(isset($_POST['login'])){
    $identification = $_POST['username'];
    $identification = mysqli_real_escape_string($link, $identification);
    $password = $_POST['password'];
    $password = mysqli_real_escape_string($link, $password);
    if($identification == "" || $password == "") {
        echo "Error Username / Password Wrong !";
    }else {
        $sql ="SELECT * FROM usrr WHERE usrname='$identification' LIMIT 1";
        $query = mysqli_query($link, $sql);
        if (!$query ) {
            die(mysqli_error($link));
        }
        $row = mysqli_fetch_array($query);
        $id= $row['uid'];
        $db_pss =$row['usrpass'];
        if (password_verify($password, $db_pss)){
            $_SESSION['id'] = $id;
            $_SESSION['name'] = $row['name'];
            header("location: index.php");
        }else{
            echo "Error Username / Password Wrong !";
        }
    }
}
?>
<form method="post">
    <label>username : </label>
    <input type="text" name="username"><br/>
    <label>password : </label>
    <input type="password" name="password"><br/>
    <input type="submit" name="login" value="login">
</form>
```

Edited November 24, 2017 by Ahmedhm007

requinix Posted November 24, 2017

1. mysqli_real_escape_string() is only for when you are going to put a value into a query. The password is not going into a query. Therefore do not use mysqli_real_escape_string() with the password.
2. What is the code you used to store the usrpass value? Did you use password_hash() properly with it?
3. Doing a redirect with header() will not stop your script. It will keep on running quite happily. If you don't want that (and you don't) then exit; right after.

Ahmedhm007 Posted November 24, 2017

I'm sorry for being so dumb, but as I said I'm using a premade website and I don't have that much knowledge of PHP etc., which means I'm not the builder and I don't know who built it. But you can tell me which file I can copy the code from and post it here so you can check what's wrong, and I'll be very thankful!!

Here are the main directory files:

Here are the Module folder files:

Edited November 24, 2017 by Ahmedhm007

requinix Posted November 25, 2017

How would I know what file to look at? Find the code that puts the password into the database and post it.

Ahmedhm007 Posted November 25, 2017

I do it manually; I don't have a register or add-user panel for that purpose! I use MySQL to add users. Do I need an admin cpanel for that? No way of adding manually? If so, can you recommend me any good Bootstrap admin cpanel?

Edited November 25, 2017 by Ahmedhm007

requinix Posted November 25, 2017

Okay, well, that's not going to work. The code requires the passwords be stored in a safe and secure format, but you won't be able to do that yourself.

What changes did you make to this "pre-made website" stuff? Because if you received as-is then you bought only part of a website. Unless there are important files in that "plnadmm" directory you've forgotten about. Like something that lets you add users.

Ahmedhm007 Posted November 25, 2017

Yes, there's an admin cpanel, I just found out! But even when I use it to add users it won't log in... I believe the website is complete because I've seen people using it with the same files. Is there a way I can change the login and user code, or is the website useless if I don't find out what the hell is wrong with this user login problem?

Edited November 25, 2017 by Ahmedhm007

Ahmedhm007 Posted November 25, 2017

I just checked out the website without user login. I removed this code from the index to check if the website is broken or something:

```php
if (!isset($_SESSION['id'])){
    header("location: login.php");
}
```

But it's not; all the pages work, it still lacks the user database login, then everything will be all right! Anything you can help me with? I'm really thankful that you keep replying to my stupid posts when no one did on other websites... Thank you very much.

requinix Posted November 25, 2017

Okay, so now that you've found the place where you add users, what is the code used to store the usrpass value?

Ahmedhm007 Posted November 25, 2017

This is the code related to the password from the create_user.php file:

```html
<div class="form-group">
    <label for="password" class="cols-sm-2 control-label">Password</label>
    <div class="cols-sm-10">
        <div class="input-group">
            <span class="input-group-addon"><i class="fa fa-lock fa-lg" aria-hidden="true"></i></span>
            <input type="text" class="form-control" name="password" id="password" placeholder="Enter your Password"/>
        </div>
```

and maybe this is related too:

```php
session_start();
include('../connection.php');
$connection = new createConnection(); //created a new object
$connection_ref = $connection->connectToDatabase(); // $connection->selectDatabase(); //selecting db
$fullname = $_POST['name'];
$username = $_POST['username'];
$password = $_POST['password'];
$solde = $_POST['Solde'];
$izzr = 0;
$tmp = mt_rand(1,9);
do {
    $tmp .= mt_rand(0, 9);
} while(++$izzr < 6);
$str="INSERT INTO usrr VALUES('$tmp','$username','$password','$fullname', '$solde')";
$re_result = mysqli_query ($connection_ref, $str); //run the query
//echo "inserted successfully";
echo "<script>
var r = confirm('ADDED NEW ENTRY SUCCESSFULLY!Do You Want To Add One More?');
if (r == true) {
    window.location.assign('adduser.php');
} else {
    window.location.assign('../edit/users.php');
}
</script>";
?>
```

Edited November 25, 2017 by Ahmedhm007

requinix Posted November 25, 2017

Okay well that's completely and utterly wrong and explains why logins don't work. It also speaks volumes to the author of the code, and not in a good way.

Know that you've paid money for bad quality and insecure code. Personally I recommend you write it off as a lesson learned and find something else. I hope it wasn't too expensive.

If not then you can put a bandaid on this gaping wound of an application by changing

```php
$password = password_hash($_POST['password'], PASSWORD_DEFAULT);
```

All the existing user passwords won't work so either you delete them all and start over or write some code to fix what's been stored, which is (un)fortunately possible.

There is a lot more work that probably needs to be done, though, however this is a paid application so we can't just go through and fix things for you. In fact I should take down those attachments...

ajoo Posted November 25, 2017

Hi requinix,

I wonder what the $tmp is for? Wouldn't he need to make changes to the code that takes care of the login as well once he uses the password_hash()?

Thanks.

requinix Posted November 25, 2017

> I wonder what the $tmp is for ?

I think it might be a user ID.

> Wouldn't he need to make changes to the code that takes care of the login as well once he uses the password_hash() ?

That's the weird thing: the code for the login is apparently already using password_verify...

Ahmedhm007 Posted November 25, 2017

I just found out there's a file "vendor.php" that includes this code:

```php
<?php
$options = [
    'cost' => 11,
    'salt' => mcrypt_create_iv(22, MCRYPT_DEV_URANDOM),
];
echo password_hash("pln123", PASSWORD_BCRYPT, $options);
?>
```

requinix Posted November 26, 2017

That's a reasonable demonstration for how passwords should be generated, however it should not create its own salts. So

```php
$options = [
    'cost' => 11
];
echo password_hash("pln123", PASSWORD_BCRYPT, $options);
```

Try incorporating that into the user registration bit.

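The pieces discussed in this thread fit together as follows, in an added example that is not code from the thread or from the purchased site: hash at registration with the cost-11 options and no custom salt, rehash rows that were stored as plain text, and hand the raw password to password_verify() at login. It assumes PDO with an in-memory SQLite database as a stand-in for the site's MySQL connection so that it runs on its own; the function names, the sample users and the reduced `usrr` column list (`uid`, `usrname`, `usrpass`, `name`) are assumptions, and the prepared statements replace the string-built queries in the posted code.

```php
<?php
// Added example, not the site's code. In-memory SQLite via PDO stands in for MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE usrr (uid INTEGER PRIMARY KEY, usrname TEXT UNIQUE, usrpass TEXT, name TEXT)');

const HASH_OPTIONS = ['cost' => 11]; // no 'salt' key: password_hash() generates the salt

function create_user(PDO $db, string $username, string $password, string $name): void {
    // Placeholders keep form input out of the SQL text; only the hash is stored.
    $stmt = $db->prepare('INSERT INTO usrr (usrname, usrpass, name) VALUES (?, ?, ?)');
    $stmt->execute([$username, password_hash($password, PASSWORD_BCRYPT, HASH_OPTIONS), $name]);
}

function migrate_plaintext(PDO $db): int {
    // Rows written by the old add-user script hold the raw password.
    // password_get_info() gives a falsy 'algo' for any value that is not a recognised hash.
    $update = $db->prepare('UPDATE usrr SET usrpass = ? WHERE uid = ?');
    $fixed = 0;
    foreach ($db->query('SELECT uid, usrpass FROM usrr')->fetchAll(PDO::FETCH_ASSOC) as $row) {
        if (!password_get_info($row['usrpass'])['algo']) {
            $update->execute([password_hash($row['usrpass'], PASSWORD_BCRYPT, HASH_OPTIONS), $row['uid']]);
            $fixed++;
        }
    }
    return $fixed;
}

function check_login(PDO $db, string $username, string $password): ?array {
    $stmt = $db->prepare('SELECT uid, usrpass, name FROM usrr WHERE usrname = ? LIMIT 1');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // The password is passed to password_verify() exactly as typed, with no escaping.
    if ($row === false || !password_verify($password, $row['usrpass'])) {
        return null;
    }
    // A web caller would set $_SESSION from this, send the redirect header, then exit.
    return ['id' => $row['uid'], 'name' => $row['name']];
}

// Constructed sample data: one legacy plain-text row and one properly created user.
$db->exec("INSERT INTO usrr (usrname, usrpass, name) VALUES ('legacy', 'old-plain-pw', 'Legacy User')");
create_user($db, 'alice', 'correct horse', 'Alice');

var_dump(check_login($db, 'legacy', 'old-plain-pw')); // plain-text row, before migration
var_dump(migrate_plaintext($db));                     // number of rows rehashed
var_dump(check_login($db, 'legacy', 'old-plain-pw')); // same credentials after migration
var_dump(check_login($db, 'alice', 'wrong'));         // wrong password
```
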