So i am creating a website with login facility and I want the user to be redirected to a page if the details entered match the info in the database. However it is not working. everytime i submit the info it just redirects me to previous page ( should do if details are wrong ). The password and email are correct I have done some debugging for that. it must lay with the sessions. Here is my code.

checklogin - does the checking

PHP Code:

<?php

include("connect.php");

$email = $_POST["email"];
$password = $_POST["password"];


$password = md5($password);

$sql = "SELECT * FROM numbers";
$result = mysql_query($sql);


while ($row3 = mysql_fetch_array($result, MYSQL_ASSOC))
{
    if(($password == $row3["password"]) && ($email == $row3["email"]))
    {

        $_SESSION["userid"] = $row3["id"];
        header ('Location: control_panel.php');
        
        //debug
        //echo $password;
        //$useridvar = $_SESSION["userid"];
        //echo $useridvar;
    }

    if ($_SESSION["userid"]=="")
    {
        header ('Location: login.php');
        //echo "hi";
    }

}

?>

control_panel is the page the user should get directed too after a sucessful login. I dont really want to give you the whole page because its for a project I am working on and do not want to get in trouble for copyright. This is basically at the very top of the page.

PHP Code:

<?php 
if ($_SESSION["userid"]=="")
    {
        header ('Location: login.php');
    }

include('connect.php'); 
/*
Copyright 2010-2011 All Rights Reserved.
******************************************
*/


?>

you can try to add session_register("userid");before you using the session

still having the same problem

There are several things wrong with this script in addition to what is causing your problem:

1. You are wide open for a sql injection
2. md5 is not a password hashing function. Use something that is more resistant to collisions like sha1. Also, use a salt.
3. Don't select the entire table and then manually search through the results.

You're problem is being caused by #3. You're checking the email and password against every user in the database. However, you are redirecting back to login.php as soon as you find a user that does not match.

Quote:

Originally Posted by mushget

you can try to add session_register("userid");before you using the session

session_register is deprecated as of PHP 5.3 and according to the documentation:

Quote:

Use of $_SESSION is preferred, as of PHP 4.1.0

PHP Code:

 <?php 
session_start();
include("connect.php"); 

$email = $_POST["email"]; 
$password = $_POST["password"]; 


$password = md5($password); 

$sql = "SELECT * FROM numbers"; 
$result = mysql_query($sql); 


while ($row3 = mysql_fetch_array($result, MYSQL_ASSOC)) 
{ 
    if(($password == $row3["password"]) && ($email == $row3["email"])) 
    { 

        $_SESSION["userid"] = $row3["id"]; 
        header ('Location: control_panel.php'); 
        exit(); 
    } 

    if ($_SESSION["userid"]=="") 
    { 
        header ('Location: login.php'); 
        exit(); 
    } 

} 

?>

Sean's approach suffers from the same problems I mentioned above, including the problem the OP reported to begin with.

Quote:

Originally Posted by NullPointer

2. md5 is not a password hashing function.

it isn't?

Quote:

Originally Posted by Lashtal

it isn't?

Nope.

Md5 is useful for checking file integrity, but as a password hashing algo it hasn't been viable for a long time. http://en.wikipedia.org/wiki/Md5#Col...ulnerabilities

Using sha1 with a salt would be better, but still not ideal.

Personally I'd recommend sha2 algos, such as sha256.

PHP Code:

$password;
$salt;

$hash = hash( 'sha256', hash('sha256', $password) . $salt ); 


If you use the error reporting function; error_reporting(E_ALL, ~E_Notice); it should give you a better clue as to what is happeninf