
I have a login page for a website I am building, but when I try to log in through it, $_GET['error'] gives an error code of 1. I am using a WAMP server on Windows 7. The code was adapted from this wiki site.

This is the code for the login page.

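<?php

include_once 'includes/db_connect.php';
include_once 'includes/functions.php';
sec_session_start();
// Remember whether the visitor already holds a valid session.
// $logged is only assigned here; nothing on this page reads it yet.
if (login_check($mysqli)) {
    $logged = 'in';
} else {
    $logged = 'out';
}
?>
<!DOCTYPE html>
<html>
    <head>
        <title>Secure Login: Log In</title>
        <script type="text/JavaScript" src="js/sha512.js"></script> 
        <script type="text/JavaScript" src="js/forms.js"></script>
        <link href="styles/login_style.css" rel="stylesheet" type="text/css">
    </head>
    <body>
        <?php
        if (isset($_GET['error'])) {
            // $_GET['error'] is just a query-string parameter, so anyone can
            // put arbitrary markup in it. Escape it before writing it into the
            // page; the bare echo it replaces was a reflected XSS sink.
            echo htmlspecialchars($_GET['error'], ENT_QUOTES, 'UTF-8');
            echo '<p class="error">Error Logging In!</p>';
        }
        ?> 
        <div id="main">
            <div id="login">
                <h2>Login Form</h2>

                <!-- formhash() (js/forms.js) is expected to replace the
                     plain password with its hash before submitting; the
                     server side reads that hashed value from $_POST['p'] -->
                <form action="includes/process_login.php" method="post" name="login_form">
                    Email: <input type="text" name="email" />
                    Password: <input type="password" 
                                     name="password" 
                                     id="password"/>
                    <input type="button" 
                           value="Login" 
                           onclick="formhash(this.form, this.form.password);" /> 
                </form>
            </div>
        </div>

    </body>
</html>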

The echo $_GET['error']; line prints an error code of 1.

Any help or suggestions would be appreciated.

Below is the process_login page.

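<?php
include_once 'db_connect.php';
include_once 'functions.php';
sec_session_start(); // Our custom secure way of starting a PHP session.
if (isset($_POST['email'], $_POST['p'])) {
    $email = filter_input(INPUT_POST, 'email', FILTER_SANITIZE_EMAIL);
    // The hashed password. The login form only has a field named "password";
    // "p" is presumably added client-side by formhash() in js/forms.js — confirm
    // that this is what arrives, otherwise the isset() above fails and the
    // request ends up on error.php.
    $password = $_POST['p'];
    // Nothing may be echoed before the header() calls below: any output here
    // (the old debug echoes of $email and $password) both breaks the redirect
    // with "headers already sent" and discloses the password hash in the
    // response body.
    if (login($email, $password, $mysqli) == true) {
        // Login success 
        header("Location: ../index.php");
        exit();
    } else {
        // Login failed 
        header('Location: ../login.php?error=1');
        exit();
    }
} else {
    // The correct POST variables were not sent to this page. 
    header('Location: ../error.php?err=Could not process login');
    exit();
}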

Below is the login function.

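function login($email, $password, $mysqli) {
    // Authenticate $email / $password (the value process_login.php takes from
    // $_POST['p']) against the members table and, on success, populate
    // $_SESSION. Returns true on success; false for an unknown email, a locked
    // account (see checkbrute) or a wrong password. On a database error it
    // redirects to error.php and exits instead of returning.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    // Using prepared statements means that SQL injection is not possible. 
    if ($stmt = $mysqli->prepare("SELECT member_id, username, email , password, salt 
      FROM members 
                                  WHERE email = ? LIMIT 1")) {
        $stmt->bind_param('s', $email);  // Bind "$email" to parameter.
        $stmt->execute();    // Execute the prepared query.
        $stmt->store_result();
        // get variables from result.
        $stmt->bind_result($user_id, $username, $email, $db_password, $salt);
        $stmt->fetch();
        $found = $stmt->num_rows;
        $stmt->close();

        if ($found != 1) {
            // No user exists. 
            return false;
        }

        // Hash the password with the unique salt. This is done only once a row
        // was fetched: for an unknown email $salt is undefined, and the
        // original hashed unconditionally before the row-count check.
        $password = hash('sha512', $password . $salt);

        // If the user exists we check if the account is locked
        // from too many login attempts 
        if (checkbrute($user_id, $mysqli) == true) {
            // Account is locked 
            // Send an email to user saying their account is locked 
            return false;
        }

        // Check if the password in the database matches the one submitted.
        // hash_equals() is a strict, constant-time comparison. The loose `==`
        // it replaces treats two hex digests that both look like "0e<digits>"
        // as numerically equal, and its early exit leaks where they differ.
        // is_string() guards a NULL password column (hash_equals needs strings).
        if (is_string($db_password) && hash_equals($db_password, $password)) {
            // Password is correct!
            // Get the user-agent string of the user (may be absent from the request).
            $user_browser = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';

            // XSS protection as we might print this value
            $user_id = preg_replace("/[^0-9]+/", "", $user_id);
            $_SESSION['user_id'] = $user_id;

            // XSS protection as we might print this value
            $username = preg_replace("/[^a-zA-Z0-9_\-]+/", "", $username);
            $_SESSION['username'] = $username;
            $_SESSION['email'] = $email;
            $_SESSION['login_string'] = hash('sha512', $password . $user_browser);
            // Login successful. 
            return true;
        }

        // Password is not correct 
        // We record this attempt in the database. Both values are bound
        // rather than interpolated into the SQL text: $user_id and $now come
        // from the database and time(), so they were not injectable, but
        // binding keeps this query consistent with the rest of the file.
        $now = time();
        if ($attempt = $mysqli->prepare("INSERT INTO login_attempts(user_id, time) VALUES (?, ?)")) {
            $attempt->bind_param('ii', $user_id, $now);
            $attempt->execute();
            $attempt->close();
        } else {
            header("Location: ../error.php?err=Database error: login_attempts");
            exit();
        }
        return false;
    } else {
        // Could not create a prepared statement (with MYSQLI_REPORT_STRICT a
        // failed prepare() throws mysqli_sql_exception before reaching here).
        header("Location: ../error.php?err=Database error: cannot4 prepare statement");
        exit();
    }
}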
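function checkbrute($user_id, $mysqli) {
    // Return true when $user_id has more than 5 rows in login_attempts within
    // the last two hours (i.e. the account should be treated as locked),
    // false otherwise. On a database error it redirects to error.php and exits.
    // Get timestamp of current time 
    $now = time();
    // All login attempts are counted from the past 2 hours. 
    $valid_attempts = $now - (2 * 60 * 60);
    if ($stmt = $mysqli->prepare("SELECT time 
                                  FROM login_attempts 
                                  WHERE user_id = ? AND time > ?")) {
        // The cutoff was previously interpolated into the SQL string as a
        // quoted value; it comes from time() so it was not injectable, but
        // binding it keeps every value out of the query text. Binding as 'i'
        // assumes login_attempts.time is an integer Unix timestamp column, as
        // the INSERT in login() writes it.
        $stmt->bind_param('ii', $user_id, $valid_attempts);
        // Execute the prepared query. 
        $stmt->execute();
        $stmt->store_result();
        $attempts = $stmt->num_rows;
        $stmt->close();
        // If there have been more than 5 failed logins 
        return $attempts > 5;
    } else {
        // Could not create a prepared statement
        header("Location: ../error.php?err=Database error: cannot2 prepare statement");
        exit();
    }
}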