-5

My login page seems to redirect me to index.php with any login field inputs. This is unexpected as it's supposed to perform checks. Also, if the login fields are left blank, it redirects to a blank page. This also should not be so as I have set up a condition to deal with this result. See

logininc.php

    <?php

require_once("assets/configs/db_config.php");
$user=$_POST['user']; 
$password=$_POST['password'];

if(isset($_POST['submit'])){

//To ensure that none of the fields are blank when submitting the form if
if($user != NULL || $password != NULL)

// if(isset($_POST['user']) && isset($_POST['password'])) old code
    {
        $user = stripslashes($user);
        $password = stripslashes($password);
        $user = mysqli_real_escape_string($user);
        $password = mysqli_real_escape_string($password);

        $sql="SELECT * FROM $test_db WHERE user='$user' and password='$password'";
        $result=mysqli_query($sql);

        $row=mysqli_fetch_array($result);

        if($row['user'] == $user && $row['password'] == $password)
        {
            session_start();
            $_SESSION['user'] = $user;
            $_SESSION['password'] = $password;
            $_SESSION['loggedin'] = "true";
            header("location:index.php");
        }
        else
        {
            echo ('<div id="error">Computer says no.</div>');

        }
            echo ('<div id="error">Enter something!</div>');

}


}

login.php

 <form id="login-form" method="post" action="logininc.php"> <fieldset> 
  <legend>Login </legend> 
  <p>Please enter your username and password to access the administrator's panel</p>

   <label for="user"> <input type="text" name="user" placeholder="Type your username here" id="user" /></label> 
   <label for="password"> <input type="password" name="password" placeholder="Type your password here" id="password" /></label>
   <label for="submit"> <input type="submit" class="btn btn-primary"name="submit" id="submit" value="Login" /> </label> </fieldset> </form>

Please advise.

John Smith
  • 9
  • 4

5 Answers5

0

Unlike the mysql_ extension, mysqli extension requires you pass the connection object to all the functions when used in a procedural style.

pass your connection resource assuming $con to the first parameter. 

mysqli_query($con, $sql);

also in your mysqli_real_escape_string($con, $string);

DevZer0
  • 13,433
  • 7
  • 27
  • 51
0

Change your code with this and let see..

$sql="SELECT count(*) FROM test_db WHERE user='$user' and password='$password'";
$result=mysqli_query($con,$sql);

$row=mysqli_fetch_array($result,MYSQLI_NUM);

if($row[0]==1)
{
    session_start();
    $_SESSION['user'] = $user;
    $_SESSION['password'] = $password;
    $_SESSION['loggedin'] = "true";
    header("location:index.php");
}

One more thing, since I notice, you are using $test_db instead of test_db. So, I change it to test_db.

Have a look, how to use mysqli_fetch_array

Ravi
  • 30,829
  • 42
  • 119
  • 173
0

you have to start session at the beginning of the code , you cannot start session anywhere in the code

start it like 

<?php
 session_start();
 ...

this page will again report error if no $_POST['user'] or $_POST['password'] exists u need to change the code like

if(isset($_POST['user'])&&isset($_POST['password']))
 {
    //proceed for login check
 }
 else{ 
    //error: all credentials not sent
 }
Minhaz
  • 937
  • 1
  • 10
  • 25
0

You should check type too, in this case:

if($row['user'] == $user && $row['password'] == $password)

use instead:

if($row['user'] === $user && $row['password'] === $password)

Why when you left blank fileds, it redirects to a blank page? Try that code:

$a = ''; //string type
$b = array(); // array type
var_dump($a==$b); // you will get true;
var_dump($a===$b); // you will get false;
whncode
  • 429
  • 3
  • 15
-1

As mentioned a field left empty does not yield Null, but an empty string. So check it with isset() and empty().

Also try 

$row = $result->mysqli_fetch_array(MYSQLI_ASSOC);

And you should really hash your passwords.

Jokke
  • 1