0

I did the register part and everything went well. I have reached the part where the user must log in to the site. The problem is that if I enter the wrong data in the login page, I get a message that the data is wrong. But if I add the correct data for login, it redirects me to index.php, but the header does not change. Normally instead of the login and registration button, something like this should appear: Hi, Andrew. And a logout button.

Index header with login and register buttons

<?php
                  if(isset($_SESSION['id'])){
                    echo "<a href='login.html' class='login-panel'><i class='fa fa-user'></i>Salut, $_SESSION[name].  </a>
                        <button type='button' class='btn btn-light'><a href=\"logout.php\">Logout</a></button>";
                    }
                    else {
                        echo " <a href='login.html' class='login-panel'><i class='fa fa-user'></i>Login</a>
                                <a href='inregistrare.html' class='login-panel'><i class='fa fa-user-plus'></i>Înregistrare</a>";
                    }
                ?>

Login form from login.php

                        <form method="post" action="login.php">
                            <div class="form-group">
                                <label for="email">* Adresa de e-mail:</label>
                                <input type="text" id="email" name="email" class="form-control" required>
                            </div>
                            <div class="form-group">
                                <label for="password">* Parola:</label>
                                <input type="password" id="password" name="password" class="form-control" required>>
                            </div>
                            <div class="form-group gi-check">
                                <div class="gi-more">
                                    <label for="save-pass">
                                        Salvează parola
                                        <input type="checkbox" id="save-pass">
                                        <span class="checkmark"></span>
                                    </label>
                                    <a href="#" class="forget-pass">Ai uitat parola?</a>
                                </div>
                            </div>
                            <div class="form-group">
                                <button type="login" name="login" class="site-btn login-btn">Intră în cont!</button>
                            </div>
                        </form>

login.php

  session_start();
  include('config.php');
  // Cod pentru logare
  if(isset($_POST['login']))
  {
    $password=$_POST['password'];
    $dec_password=$password;
    $email=$_POST['email'];
    $ret= mysqli_query($con,"SELECT * FROM utilizatori WHERE email='$email' and password='$dec_password'");
    $num=mysqli_fetch_array($ret);
  if($num>0)
  {
    $extra="index.php";
    $_SESSION['login']=$_POST['email'];
    $_SESSION['id']=$num['id'];
    $_SESSION['name']=$num['nume'];
    $host=$_SERVER['HTTP_HOST'];
    $uri=rtrim(dirname($_SERVER['PHP_SELF']),'/\\');
    header("location:http://$host$uri/$extra");
  exit();
  }
  else
    {
      echo "<script>alert('Nume sau parola invalide!');</script>";
      $extra="index.php";
      $host  = $_SERVER['HTTP_HOST'];
      $uri  = rtrim(dirname($_SERVER['PHP_SELF']),'/\\');
    exit();
  }
}
?>```
Cristi Marc
  • 25
  • 5
  • 2
    You have `session_start()` in the index header? – AbraCadaver Mar 02 '21 at 19:45
  • 1
    You have major security holes in this code. SQL injection, unhashed passwords. Someone submitting a password or email address with `'` in it will break your code; a malicious attacker can submit a password of `' OR '1'='1` and log in. – ceejayoz Mar 02 '21 at 19:47
  • Yes, I have it. But even if I enter on login.php again after login, there is the same problem, it doesn`t change to "Hi, Andrew." and logout button. – Cristi Marc Mar 02 '21 at 19:47
  • @ceejayoz I understand, but it`s a small project for my university. It`s a private site. – Cristi Marc Mar 02 '21 at 19:48
  • 2
    That's no excuse for insecure code. Consider it practice. If you practice something the wrong way, that's what you'll remember. Even in a small university, someone may choose a password with a `'` in it. – ceejayoz Mar 02 '21 at 20:40

1 Answers1

-1

Kindly check that have you manage exception if condition not satisfied. also if you enter wrong data and once you logout you have to update code for session_destroy() . other wise same session has be called next time as well. I hope it will help to you.

Rohan Sable
  • 25
  • 6