PHP Login System issue

Question

I'm working on a PHP web application for a small business, and I am now trying to incorporate a login system to the app. I have my login.php page which is collecting the UN/PW and storing it via $_POST, and I have my UN/PW stored in a MySQL table with a MD5 hash. When I click the login button from login.php, it calls includes/login.inc.php and processes the login. However, I only see a blank page when login.inc.php is called. I'm not sure where my issue is.

login.php:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>
  <meta http-equiv="Content-type" content="text/html;charset=utf-8" />
  <title>Login Page</title>
  <link rel="stylesheet" type="text/css" href="css/login.css" />
</head>
<body>
  <form id="login-form" method="post" action="includes/login.inc.php">
    <fieldset>
      <legend>Login to Inventory System</legend>
      <p>Please enter your username and password to access the Inventory system</p>
      <label for="username">
        <input type="text" name="username" id="username" />Username:
      </label>
      <label for="password">
        <input type="password" name="password" id="password" />Password:
      </label>
      <label>
        <input type="submit" name="submit" id="submit" value="Login" />
      </label>
    </fieldset>
  </form>
</body>

</html>

login.inc.php:

<?php
// Include required MySQL configuration file and functions
require_once('config.inc.php');
require_once('functions.inc.php');

// Start session
session_start();

// Check if user is already logged in
if ($_SESSION['logged_in'] == true) {
    // If user is already logged in, redirect to main page
    redirect('../index.php');
  } else {
    // Make sure that user submitted a username/password and username only consists of alphanumeric chars
    if ( (!isset($_POST['username'])) || (!isset($_POST['password'])) OR
      (!ctype_alnum($_POST['username'])) ) {
        redirect('../login.php');
    }

// Connect to database
$mysqli = @new mysqli('localhost', 'username', 'password', 'db_name');

// Check connection
if (mysqli_connect_errno()) {
  printf("Unable to connect to database: %s", mysqli_connect_error());
    exit();
}

// Escape any unsafe characters before querying database
$username = $mysqli->real_escape_string($_POST['username']);
$password = $mysqli->real_escape_string($_POST['password']);

// Construct SQL statement for query & execute
$sql = "SELECT * FROM users WHERE username = '" . $username . "' AND password = '" . md5($password) . "'";
$result = $mysqli->query($sql);

// If one row is returned, username and password are valid
if (is_object)($result) && $result->num_rows == 1) {
  // Set session variable for login status to true
  $_SESSION['logged_in'] = true;
  redirect('../index.php');
} else {
  // If number of rows returned is not one, redirect back to login screen
  redirect('../login.php');
  }
}
?>

Does anyone see my problem?

Thanks!

Without commenting on the question, an MD5 hash isn't safe. The least you need is a salt. — Daedalus, Dec 29 '13 at 21:39
Stop limiting the character set of usernames. Stop suppressing error with the STFU operator. Stop using relative URIs for the `Location` header. Stop storing unsalted and unhashed passwords. Enable error reporting. start uing prepared statement with bound parameters. — PeeHaa, Dec 29 '13 at 21:43
@PeeHaa - Salted passwords are planned along with other enhancements such as escaping all mysql inputs. I'm very new to PHP and learning as I go, so I am trying to make sure basic functionality is there before taking it up a notch. This system is not on a live site yet either, with all testing being local. I understand I am not doing my error logging correctly, so could you please point me in the direction of how to properly do that? Also, how can I not use relative URIs? — tycoonbob, Dec 29 '13 at 22:08
[Enable error reporting](http://stackoverflow.com/questions/6575482/how-do-i-enable-error-reporting-in-php). [Safely store passwords](http://stackoverflow.com/questions/4795385/how-do-you-use-bcrypt-for-hashing-passwords-in-php/17073604#17073604). [Prevent SQL injection](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). [The reason you should not use relative URIs](http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.30) — PeeHaa, Dec 29 '13 at 22:27
@PeeHaa Thanks. Once I figure out why my current code isn't working, I will be going back to fix those other issues. I just can't seem to get debugging info to show for login.inc.php. — tycoonbob, Dec 29 '13 at 22:47

score 1 · Answer 1 · answered Dec 29 '13 at 21:42

1

If you have a blank screen you most likely are running into a fatal error. Check your error log for details. Or put this at the top of your script.

error_reporting(E_ALL);
ini_set('display_errors', '1');

I found one of your issues.

// This is a syntax error
if (is_object)($result) && $result->num_rows == 1) {

// Correct
if (is_object($result) && $result->num_rows == 1) {

answered Dec 29 '13 at 21:42

maxiscool

537
3
9

Thanks. I've fixed the syntax error and now I am not longer getting a blank page. Actually, I seem to be redirected to login.php over and over. This makes me thing login.inc.php is working as it should, but my UN/PW are incorrect, or are unable to hit the database. – tycoonbob Dec 29 '13 at 22:09
Ignore my last comment. I figured out that issue. I'm still getting a blank page though, and I've added the debug info to the top of login.inc.php and am getting no debug info. – tycoonbob Dec 29 '13 at 22:22
Sounds like another syntax error. Try running php -l on your script. – maxiscool Dec 30 '13 at 02:59

PHP Login System issue

1 Answers1