
I have created a session in PHP and restricted the admin.php page. If a user is not logged in, he/she (or any alien/robot) cannot access the page. After login it must go to the admin page. But it goes to contact.php, which is mentioned in check.php. If I do not include check.php in admin.php, it goes to admin.php after login, but admin.php can be accessed without login too. Can you check where I am wrong?

This is login.php--

<?php
include('connect.php'); // Include connect for login Script
if ((isset($_SESSION['username']) != '')) 
{
header('Location: admin.php');
}
?>

<!DOCTYPE html>
<html>
<head>
<link href='http://fonts.googleapis.com/css?family=Montserrat:400,700' rel='stylesheet' type='text/css'>
<meta charset="UTF-8">

<title>Admin Login</title>

</head>

<body>

<div class="login-block">
<form action="" method="POST">
    <h1>Login</h1><span><img src="/img/loginlogo.png"/></span>
    <span id="invalid"><?php echo $error; ?></span>
    <input type="text" name="username" placeholder="Username" id="username" />
    <span><?php echo $usererror; ?></span>
    <input type="password" name="password" placeholder="Password" id="password" />
    <span><?php echo $pwderror; ?></span>
    <input id= "btn" name="submit" type="submit" value=" Login "/>

    <a href="register.php" id="frgt">Forgot Password</a>
    <a href="register.php" id="register">Register Now</a>

</form>
</div>
</body>

</html>

This is admin.php--

<?php
    include('check.php');
?>

<!doctype html>
<html>
<head>
<meta charset="utf-8">
<title>Home</title>
<link rel="stylesheet" href="style.css" type="text/css" />
</head>

<body>
<h1 class="hello">Hello, <em><?php echo $login_user;?>!</em></h1>
<br><br><br>
<a href="logout.php" style="font-size:18px">Logout?</a>
</body>
</html>

This is check.php--

<?php
include('db.php');
session_start();
$user_check=$_SESSION['username'];

$sql = mysqli_query($db,"SELECT username FROM credentials WHERE username='$user_check' ");

$row=mysqli_fetch_array($sql,MYSQLI_ASSOC);

$login_user=$row['username'];

if(!isset($user_check))
{
header("Location: contact.php");
}
?>

This is my connect.php--

<?php
session_start();
include("db.php"); //Establishing connection with our database

$error = ""; //Variable for storing our errors.
if(isset($_POST["submit"]))
{
    if(empty($_POST["username"]) || empty($_POST["password"]))
    {
        $usererror = "Username can not be left blank";
        $pwderror = "Password can not be left blank";
    }

    else
    {
        // Define $username and $password
        $username=$_POST['username'];
        $password=$_POST['password'];

        // To protect from MySQL injection
        $username = stripslashes($username);
        $password = stripslashes($password);
        $username = mysqli_real_escape_string($db, $username);
        $password = mysqli_real_escape_string($db, $password);
        //$password = md5($password);

        //Check username and password from database
        $sql="SELECT id FROM credentials WHERE username='$username' and password='$password'";
        $result=mysqli_query($db, $sql);
        $row=mysqli_fetch_array($result, MYSQLI_ASSOC);

        //If username and password exist in our database then create a session.
        //Otherwise echo error.

        if(mysqli_num_rows($result) == 1)
        {
            $_SESSION['username'] = $login_user; // Initializing Session
            header("location: admin.php"); // Redirecting To Other Page
        }
        else
        {
            $error = "Incorrect username or password.";
        }

    }
}

?>
Ravi Sharma
  • Are you following some sort of tutorial? – Martin Aug 05 '17 at 19:10
  • Yes. But its not working. Can you help please? – Ravi Sharma Aug 05 '17 at 19:10
  • I can help you and say that you should stop following that tutorial. Everything it is telling you about how to use `HTML`, `PHP`, `MySQL` is deprecated, not best practice and just wrong. ***STOP*** using that tutorial, throw your work away and read up on `Prepared SQL Statements` as well as `HTML5` and `PHP 7`. Good luck. – Martin Aug 05 '17 at 19:14
  • Thanks Martin. I will surely do that. But it is a little urgent can you fix this? – Ravi Sharma Aug 05 '17 at 19:15
  • Not without rewriting the whole thing. – Martin Aug 05 '17 at 19:16
  • ok. Thanks for this. Can you suggest me a good tutorial link for what you suggested. – Ravi Sharma Aug 05 '17 at 19:19

2 Answers


I have fixed this issue.

I replaced my code in connect.php from:

$_SESSION['username'] = $login_user; // Initializing Session

to:

$_SESSION['username'] = $username; // Initializing Session

Thanks everyone.

Ravi Sharma

I can help you and say that you should stop following that tutorial. Everything it is telling you about how to use HTML, PHP, MySQL is deprecated, not best practice and just wrong. STOP using that tutorial, throw your work away and read up on Prepared SQL Statements as well as HTML5 and PHP 7.

  • Always put die() or exit after a header("Location: ..."); call.

  • Your login is checking your session value, therefore once you've logged in once correctly, then the session value will be remembered and you will always be "logged in". To break this cycle, clear your browser data for this website. Refresh the page.

I can't provide more detailed help without you showing me what PHP errors (if any) you are getting and clarifying whether you've been able to log in correctly at all.

Martin
  • I am getting this in log: `PHP Notice: Undefined variable: usererror in login.php on line 150\n PHP Notice: Undefined variable: pwderror in login.php on line 152 PHP Notice: Undefined variable: usererror in login.php on line 150 PHP Notice: Undefined variable: pwderror in login.php on line 152 Undefined variable: login_user in connect.php on line 37` – Ravi Sharma Aug 05 '17 at 19:30
  • @RaviSharma That error involves a file (login.php) which isn't even mentioned anywhere in your question. – duskwuff -inactive- Aug 05 '17 at 19:31
  • I included now. Can You check? – Ravi Sharma Aug 05 '17 at 19:35
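The login handler and the page guard from the question, rewritten along the lines Martin's answer recommends (prepared statements, exit after header(), no plaintext passwords, fresh session id after login). This is an added example, not code from the question or either answer. It assumes the mysqli handle `$db` created in db.php, a `credentials` table with columns `id`, `username` and `password_hash` (a `password_hash()` result, instead of the plaintext `password` column the question queries), PHP 7.3 or later for the SameSite cookie option, and HTTPS for the Secure cookie flag; the file name auth.php and every function name below are invented for the example.

```php
<?php
// auth.php (name invented for this example): login and page-guard helpers.
// Added example; not the code from the question or the answers.
// Assumptions: $db is the mysqli handle from db.php; table credentials has
// columns id, username, password_hash (filled by password_hash() at
// registration, not the plaintext password column used in the question);
// PHP 7.3+ for the samesite option; HTTPS for the secure flag.
declare(strict_types=1);

function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_NONE) {
        // HttpOnly keeps the cookie away from JavaScript, Secure keeps it off
        // plain HTTP, SameSite=Strict keeps it off cross-site requests (CSRF).
        session_set_cookie_params([
            'httponly' => true,
            'secure'   => true,
            'samesite' => 'Strict',
        ]);
        session_start();
    }
}

// Returns true and populates the session for a valid username/password pair.
function attempt_login(mysqli $db, string $username, string $password): bool
{
    start_secure_session();

    // Prepared statement: the username is bound as data and never spliced into
    // the SQL text, so stripslashes()/mysqli_real_escape_string() are not needed.
    $stmt = $db->prepare('SELECT id, password_hash FROM credentials WHERE username = ? LIMIT 1');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($id, $hash);
    $found = $stmt->fetch();
    $stmt->close();

    // Unknown user: burn one hash verification anyway so the response time does
    // not reveal which usernames exist. password_verify() itself is constant-time.
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('unused', PASSWORD_DEFAULT);
    }
    if (!$found) {
        password_verify($password, $dummy);
        return false;
    }
    if (!password_verify($password, $hash)) {
        return false;
    }

    // New session id on privilege change, so a session id an attacker planted
    // before login (session fixation) does not become an authenticated one.
    session_regenerate_id(true);
    $_SESSION['user_id']  = (int) $id;
    $_SESSION['username'] = $username; // the question assigned an undefined $login_user here
    return true;
}

// Handles the POSTed login form. Returns an error string for the form to show,
// or redirects to $next and stops on success.
function handle_login_post(mysqli $db, string $next = 'admin.php'): string
{
    if (!isset($_POST['submit'])) {
        return '';
    }
    $username = trim((string) ($_POST['username'] ?? ''));
    $password = (string) ($_POST['password'] ?? '');
    if ($username === '' || $password === '') {
        return 'Username and password can not be left blank';
    }
    if (!attempt_login($db, $username, $password)) {
        return 'Incorrect username or password.';
    }
    header('Location: ' . $next);
    exit; // without this the login page body is still generated and sent
}

// First line of every protected page (admin.php). Returns the username.
function require_login(string $login_page = 'login.php'): string
{
    start_secure_session();
    if (empty($_SESSION['username'])) {
        header('Location: ' . $login_page);
        exit; // check.php in the question omits this, so the page body is served anyway
    }
    return $_SESSION['username'];
}

function logout(): void
{
    start_secure_session();
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}
```

Usage: login.php does `require 'db.php'; require 'auth.php'; $error = handle_login_post($db);` before rendering the form (so `$error` is always defined and the "Undefined variable" notices from the comments go away), admin.php starts with `$login_user = require_login();` in place of `include('check.php')`, and logout.php calls `logout()` followed by a redirect and `exit`. Registration must store `password_hash($password, PASSWORD_DEFAULT)` in `password_hash`; the commented-out `md5()` in the question is not a substitute.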