Solved

My login form is not validating email or password.

Posted on 2011-09-23
Last Modified: 2012-05-12
My login form is letting me log in no matter what I type into the fields. I have a database set up and I am able to "register". However, my login form is not telling me that I do not have a valid email address and it is letting me put anything into the password field.

I have included three separate pieces of code.

Below is the code for the top part of my Index page.
<?php

// This file is the home page. 

// Require the configuration before any PHP code as the configuration controls error reporting:
require ('./includes/config.inc.php');
// The config file also starts the session.

// To test the sidebars:
// $_SESSION['user_id'] = 1;
// $_SESSION['user_admin'] = true;

// Require the database connection:
require (MYSQL);

// If it's a POST request, handle the login attempt:
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
	include ('./includes/login.inc.php');
}


The Login Form that is on the Index page;

<?php // Show the user info or the login form:

 if (isset($_SESSION['user_id'])) {

	// Show basic user options:
	// Includes references to some bonus material discussed in Chapter 5!
	echo '<div class="title">
				<h4>Manage Your Account</h4>
			</div>
			<ul>
			<li><a href="renew.php" title="Renew Your Account">Renew Account</a></li>
			<li><a href="change_password.php" title="Change Your Password">Change Password</a></li>
			<li><a href="favorites.php" title="View Your Favorite Pages">Favorites</a></li>
			<li><a href="history.php" title="View Your History">History</a></li>
			<li><a href="recommendations.php" title="View Your Recommendations">Recommendations</a></li>
			<li><a href="Logout.php" title="Logout">Logout</a></li>
			</ul>
			';
			
	// Show admin options, if appropriate:
	if (isset($_SESSION['user_admin'])) {
		echo '<div class="title">
					<h4>Administration</h4>
				</div>
				<ul>
				<li><a href="add_page.php" title="Add a Page">Add Page</a></li>
				<li><a href="add_pdf.php" title="Add a PDF">Add PDF</a></li>
				<li><a href="#" title="Blah">Blah</a></li>
				</ul>
				';		
	}
					
} else { // Show the login form:
	
	require ('includes/login_form.inc.php');
	
}

?>


The Login Code

<?php 

// This is the login page for the site.

// Array for recording errors:
$login_errors = array();

// Validate the email address:
if (filter_var($_POST['email'], FILTER_VALIDATE_EMAIL)) {
	$e = mysqli_real_escape_string ($connect, $_POST['email']);
} else {
	$login_errors['email'] = 'Please enter a valid email address!';
}

// Validate the password:
if (!empty($_POST['pass'])) {
	$p = mysqli_real_escape_string ($connect, $_POST['pass']);
} else {
	$login_errors['pass'] = 'Please enter your password!';
}
	
if (empty($login_errors)) { // OK to proceed!

	// Query the database:
	$q = "SELECT id, username, type, IF(date_expires >= NOW(), true, false) FROM users WHERE (email='$e' AND pass='"  .  get_password_hash($p) .  "')";		
	$r = mysqli_query ($connect, $q);
	
	if (mysqli_num_rows($r) == 1) { // A match was made.
		
		// Get the data:
		$row = mysqli_fetch_array ($r, MYSQLI_NUM); 
		
		// If the user is an administrator, create a new session ID to be safe:
		// This code is created at the end of Chapter 4:
		if ($row[2] == 'admin') {
			session_regenerate_id(true);
			$_SESSION['user_admin'] = true;
		}
		
		// Store the data in a session:
		$_SESSION['user_id'] = $row[0];
		$_SESSION['username'] = $row[1];
		
		// Only indicate if the user's account is not expired:
		if ($row[3] == 1) $_SESSION['user_not_expired'] = true;
			
	} else { // No match was made.
		$login_errors['login'] = 'The email address and password do not match those on file.';
	}
	
} // End of $login_errors IF.

// Omit the closing PHP tag to avoid 'headers already sent' errors!

Question by:wchirnside
13 Comments
 
LVL 110

Accepted Solution

by:
Ray Paseur earned 500 total points
ID: 36590487
Have a look at this article.  It shows the correct design pattern for PHP client authentication.  Then post back if there is anything you do not understand.
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_2391-PHP-login-logout-and-easy-access-control.html
0
 
LVL 16

Expert Comment

by:rbudj
ID: 36590511
I use PHP although I am far from an expert. I have never seen this before though:

require ('./includes/config.inc.php');

Are you sure it is not:

require ('includes/config.inc.php');

or

require ('../includes/config.inc.php');
0
 

Author Comment

by:wchirnside
ID: 36590617
Thank you for both posts.

I have two test sites set up, both going into the same database. On the one site the Login section works and on the other it doesn't, and the pages are set up differently on both pages.

They both have this code ('./includes/config.inc.php'), and I have changed this around, thinking that this may be a factor.

I have quickly looked through the above article and there is no doubt there are items there I don't understand. I will definitely reread.

However, I am wondering about this particular piece of code and if I have this in the wrong spot.

// If it's a POST request, handle the login attempt:
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
	include ('./includes/login.inc.php');
}


Thank you,

Wchirnside
0

 
LVL 110

Expert Comment

by:Ray Paseur
ID: 36590669
I think I might put error_reporting(E_ALL) in the script.  And I would change the include() to require_once().  That way it should throw an error if anything is missing.
0
 
LVL 2

Expert Comment

by:shdwmage
ID: 36590671
rbudj, the "./" indicates the current directory.
0
 
LVL 16

Expert Comment

by:rbudj
ID: 36590753
OK, thank you, shdwmage.
0
 

Author Comment

by:wchirnside
ID: 36590758
Hello:

I received this error –

Parse error: syntax error, unexpected T_IF in  xxxxxxxx /Index.php on line 20

This is line 20 – if ($_SERVER['REQUEST_METHOD'] == 'POST') {

of the piece of code that I indicated may be in the wrong spot.

if ($_SERVER['REQUEST_METHOD'] == 'POST') {
	require_once ('./includes/login.inc.php');
}


Thank you,

Wchirnside
0
 
LVL 110

Expert Comment

by:Ray Paseur
ID: 36590785
The word "unexpected" in a parse error message means that something upstream in the script is missing.  Maybe a semi-colon that ends a statement or something like that.
0
 

Author Comment

by:wchirnside
ID: 36590818
Okay, found out where the missing semicolon should be. Added the error script as mentioned and then changed the include to require_once. The page loaded and everything worked as before, meaning that I could put all xxx's or whatever in the email and password fields and I could hit the login button and go to the next page.

Wchirnside
0
 

Author Comment

by:wchirnside
ID: 36594036
Hello,

Have now figured this out. I did have that piece of code in the wrong spot considering that my Login button was going to a different page.

Your suggestions were helpful as I might not have reached that conclusion so quickly had I not got some outside input.

Thank you,

WChirnside
0
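The cause found above, shown as an added example that is not the poster's code or the book's: when the form posts to a page that never runs the login handler and never checks the session, that page renders for any input. The function names, the index.php redirect target and the sample account below are constructed, and password_verify() stands in for the book's get_password_hash() lookup.

```php
<?php
// Added example, not code from this thread. All names are hypothetical.

// Stand-in for login.inc.php: returns the session data to store on
// success, or null when the submitted credentials do not match.
function check_login(array $users, array $post): ?array
{
    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    $pass  = $post['pass'] ?? '';
    if ($email === false || $pass === '' || !isset($users[$email])) {
        return null;
    }
    // Swapped-in technique: compare against a password_hash() value.
    if (!password_verify($pass, $users[$email]['hash'])) {
        return null;
    }
    return ['user_id' => $users[$email]['id']];
}

// Top-of-page logic for the page the form posts to: run the handler on
// POST, then refuse to render unless the session identifies a user.
function handle_request(string $method, array $post, array $session, array $users): array
{
    if ($method === 'POST') {
        $login = check_login($users, $post);
        if ($login !== null) {
            $session = $login + $session;
        }
    }
    if (!isset($session['user_id'])) {
        // In a real page: header('Location: index.php'); exit;
        return ['status' => 302, 'location' => 'index.php', 'session' => $session];
    }
    return ['status' => 200, 'location' => null, 'session' => $session];
}

// Constructed sample account and requests.
$users = ['user@example.com' => [
    'id'   => 1,
    'hash' => password_hash('correct horse', PASSWORD_DEFAULT),
]];

$bad  = handle_request('POST', ['email' => 'xxx', 'pass' => 'xxx'], [], $users);
$good = handle_request('POST', ['email' => 'user@example.com', 'pass' => 'correct horse'], [], $users);
$anon = handle_request('GET', [], [], $users);

printf("xxx/xxx: %d\nvalid:   %d\nno form: %d\n", $bad['status'], $good['status'], $anon['status']);
```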
 

Author Closing Comment

by:wchirnside
ID: 36594038
I seem to be learning PHP in spite of myself.

Thank you for your help.
0
 
LVL 110

Expert Comment

by:Ray Paseur
ID: 36594078
;-)

This is a great book: http://www.sitepoint.com/books/phpmysql4/

Thanks for the points, ~Ray
0
 

Author Comment

by:wchirnside
ID: 36594086
Hello,

Believe it or not, started out with that book over a year ago but needed how to integrate it with Dreamweaver, or at least I thought I did, so I got sidetracked somewhat. Have several other books and also like the ones by Larry Ullman.

WChirnside
0
