-1

Sorry if what I'm about to ask is something really basic, but I've been stuck on this for two weeks.

I have a login page where a user can log in to my website. Different user roles will be sent to different pages. Now, the login is fine, but when my user keys in a wrong password or username, no warning is triggered and the user stays on the blank login.php page, when the user is supposed to be redirected back to index.php with a warning triggered.

Below is my code

login form (index.php)

<div class="login-box-body">
  <form method="post" action="login.php">
    <div class="form-group has-feedback">
      <!-- type="username" is not a valid input type; browsers fall back to text anyway -->
      <input type="text" name="username" class="form-control" placeholder="Username">
      <span class="glyphicon glyphicon-user form-control-feedback"></span>
    </div>
    <div class="form-group has-feedback">
      <input type="password" name="password" class="form-control" placeholder="Password">
      <span class="glyphicon glyphicon-lock form-control-feedback"></span>
    </div>
    <div class="row">
      <div class="col-xs-8">
      </div>
      <!-- /.col -->
      <div class="col-xs-4">
        <button class="btn btn-primary btn-block btn-flat" type="submit" name="login" value="true">Sign In</button>
      </div>
      <!-- /.col -->

    </div>
  </form>
</div>

and here is my back-end script (login.php)

<?php
session_start();
$conn = mysqli_connect('localhost', 'root', '', 'snapshot');
// Getting input value
if (isset($_POST['login'])) {
    $username = mysqli_real_escape_string($conn, $_POST['username']);
    $password = mysqli_real_escape_string($conn, $_POST['password']);
    if (empty($username) && empty($password)) {
        $error = 'Fields are Mandatory';
    } else {
        // Checking login detail
        $result = mysqli_query($conn, "SELECT * FROM user WHERE username='$username' AND password='$password'");
        $row = mysqli_fetch_assoc($result);
        $count = mysqli_num_rows($result);
        if ($count == 1) {
            $_SESSION['user'] = array(
                'id'       => $row['id'],
                'username' => $row['username'],
                'uname'    => $row['uname'],
                'password' => $row['password'],
                'role'     => $row['role']
            );
            $role = $_SESSION['user']['role'];
            // Redirecting user based on role
            switch ($role) {
                case 'user':
                    header('location:user/dashboard.php');
                    break;
                case 'management':
                    header('location:management/index.php');
                    break;
                case 'admin':
                    header('location:admin/index.php');
                    break;
            }
        } else {
            $error = 'Your PassWord or UserName is not Found';
        }
    }
}
?>

Before asking, I already read a few similar questions and found no solution. Thank you in advance for the help.

WanHazyan
  • Can you add a default case to the switch and send the user to the login page itself? I hope that will solve the issue. – Santhosh J Apr 22 '20 at 03:50
  • There is nothing here to redirect a user back to `index.php` if they enter an incorrect password. All this script does is assign a value to the `$error` variable and then stop. You need to redirect them back to `index.php` and then display the error code (possibly using a query string). – yaakov Apr 22 '20 at 03:55
  • **Never store passwords in clear text or using MD5/SHA1!** Only store password hashes created using PHP's [`password_hash()`](https://php.net/manual/en/function.password-hash.php), which you can then verify using [`password_verify()`](https://php.net/manual/en/function.password-verify.php). Take a look at this post: [How to use password_hash](https://stackoverflow.com/q/30279321/1839439) and learn more about [bcrypt & password hashing in PHP](https://stackoverflow.com/a/6337021/1839439) – Dharman Apr 22 '20 at 19:26
  • @Dharman thank you for giving out the guidance – WanHazyan Apr 23 '20 at 05:28

1 Answer

1

At the end of login.php you're setting the value of $error to 'Your PassWord or UserName is not Found'; however, nothing further is happening.

Your switch that redirects the user only comes into play if the user is found in the database. On a side note, here you should be encrypting the user's password and comparing the hashes.

To solve your issue, try doing something like the following:

} else {
    $error = 'Your PassWord or UserName is not Found';
    // Send the user back to the form page (index.php, where the form lives; login.php
    // itself renders nothing). urlencode() keeps the query string valid, and exit
    // is required because header() does not stop the script.
    header('Location: index.php?error=' . urlencode($error));
    exit;
}

Then in your login form you can simply check for the error message and display it:

<?php if (isset($_GET['error'])): ?>
  <!-- The value comes straight from the URL, so it must be escaped: echoing
       $_GET['error'] raw would be a reflected XSS hole in the login page -->
  <div><?= htmlspecialchars($_GET['error'], ENT_QUOTES, 'UTF-8') ?></div>
<?php endif ?>
Tim Sheehan
  • Just something I noticed quickly, if you move the header redirect to the very bottom, outside of that else condition, the value of $error will change dynamically depending on what happened. Keeping it inside the last condition will only ever show the password/username not found error. – Tim Sheehan Apr 22 '20 at 05:00
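
Putting the answer and the comments together, here is an added example (not code from the question or the answer) of a login.php in which every failure path redirects back to index.php with an error code, the password is checked with password_verify() against a stored password_hash() value, and the lookup is a prepared statement. It assumes the `user` table columns used in the question (id, username, uname, password, role), that the `password` column already holds password_hash() output rather than plaintext, that the mysqlnd driver is installed (needed for get_result()), and that index.php displays $_SESSION['login_error']; the failLogin() helper and the error code strings are my own names.

```php
<?php
// Added example, not code from the question or the answer.
// Assumes: table `user` with columns id, username, uname, password, role;
// `password` holds a password_hash() value (never plaintext);
// mysqlnd is installed (needed for get_result()); index.php renders $_SESSION['login_error'].
declare(strict_types=1);

session_start();

// Throw on SQL errors instead of silently returning false from the query.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$conn = new mysqli('localhost', 'root', '', 'snapshot');
$conn->set_charset('utf8mb4');

// Hypothetical helper: record an error CODE (never user input) and send the
// browser back to the form. exit is essential: header() does not stop the script,
// which is why the original kept running and rendered a blank page.
function failLogin(string $code): void
{
    $_SESSION['login_error'] = $code;
    header('Location: index.php');
    exit;
}

if (!isset($_POST['login'])) {
    failLogin('no_post');
}

$username = trim((string) ($_POST['username'] ?? ''));
$password = (string) ($_POST['password'] ?? '');

// The question used &&, so a request with only one empty field reached the query.
if ($username === '' || $password === '') {
    failLogin('missing_fields');
}

// Prepared statement: the username is bound, not interpolated, so no escaping is
// needed and no SQL injection is possible. The hash is compared in PHP, not in SQL.
$stmt = $conn->prepare(
    'SELECT id, username, uname, password, role FROM user WHERE username = ? LIMIT 1'
);
$stmt->bind_param('s', $username);
$stmt->execute();
$row = $stmt->get_result()->fetch_assoc();
$stmt->close();

// Verify against a freshly computed dummy hash when the account does not exist,
// so the response time does not tell an attacker which usernames are valid.
$storedHash = $row['password'] ?? password_hash('dummy-password', PASSWORD_DEFAULT);
if ($row === null || !password_verify($password, $storedHash)) {
    failLogin('bad_credentials');
}

// Success: new session id against session fixation; the password hash is NOT
// copied into the session (the original stored it there).
session_regenerate_id(true);
$_SESSION['user'] = [
    'id'       => (int) $row['id'],
    'username' => $row['username'],
    'uname'    => $row['uname'],
    'role'     => $row['role'],
];

// Role -> landing page. An unknown role fails closed instead of falling out of a
// switch with no default case and leaving the user on a blank login.php.
$landing = [
    'user'       => 'user/dashboard.php',
    'management' => 'management/index.php',
    'admin'      => 'admin/index.php',
];
if (!isset($landing[$row['role']])) {
    unset($_SESSION['user']);
    failLogin('unknown_role');
}

header('Location: ' . $landing[$row['role']]);
exit;
```

On the index.php side, call session_start() at the top, then read and clear the flag (`$code = $_SESSION['login_error'] ?? null; unset($_SESSION['login_error']);`), map the code to a fixed message with a lookup array, and echo that message through htmlspecialchars(). Passing a code rather than message text means nothing user-controlled is ever echoed back, which avoids the reflected XSS that printing $_GET['error'] raw would open, and the single redirect at the end of each branch is what the follow-up comment above asks for: whichever check fails, the user lands on index.php with the matching error.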