login code not working properly

Question

i've used a login for my application..firstly i used admin login only and it was working perfectly, but now when i added teacher and student logins as well, but i cudnt find a problem, its not logging me inn.,, but just redirecting to unauthorized access pleas help

login.php

<?php include("../includes/config.php");?>

<!DOCTYPE HTML>
<html>
<head>
<title>Admdin Login</title>
</head>
<body>
    <form method="post" action="login-action.php">
    <label>User Name:</label> <input type="text" name="un" />
    <label>Password:</label> <input type="password" name="pd" />  <br /><br />
    <input type="submit" value="Login" />
</form>

<a href="forgot-password.php">Forgot Password?</a>
</body>
</html>

this is login-action.php

<?php include("../includes/config.php");?>
<?php

$uid=$_POST["un"];
$pwd=$_POST["pd"];
$encpwd=md5($pwd);
$con=mysql_connect($dbserver,$dbusername,$dbpassword);
if (!$con) { die('Could not connect: ' . mysql_error()); }

mysql_select_db($dbname, $con);

$result = mysql_query("SELECT * FROM accounts WHERE (email='".$uid."' AND   password='".$encpwd."')");

$num_rows = mysql_num_rows($result);
if ($num_rows > 0) {

while($row = mysql_fetch_array($result))
{
   $_SESSION['firstname'] = $row['firstname'];
   $_SESSION['lastname'] = $row['lastname'];
   $_SESSION['type'] = $row['type'];
   $_SESSION['id'] = $row['id'];
   $_SESSION['email'] = $row['email'];

   $_SESSION["loggedin"]=true;
}
}
else {
 $_SESSION["loggedin"]=false;
}

mysql_close($con);

if ($_SESSION["loggedin"])
{
if ($_SESSION["type"]=="A")
    {
        $_SESSION["isadmin"]=true;
    }

if ($_SESSION["type"]=="T")
    {
        $_SESSION["isteacher"]=true;
    }
if ($_SESSION["type"]=="S")
     {
         $_SESSION["isstudent"]=true;
     }

 }
if ($_SESSION["isadmin"])
{
header("Location: $fullpath"."admin/000.php");
}

if ($_SESSION["isteacher"])
{
header("Location:$fullpath"."teacher/");
}

if ($_SESSION["isstudent"])
{
header("Location:$fullpath"."student/");
}

else {
   header("Location: $fullpath"."login/unauthorized.php");
}
?>

Have you checked that your query works, and is getting the correct information in `$result`? — andrewsi, Aug 30 '12 at 15:18
**Your code is vulnerable to SQL injection.** You *really* should be using [prepared statements](http://stackoverflow.com/a/60496/623041), into which you pass your variables as parameters that do not get evaluated for SQL. If you don't know what I'm talking about, or how to fix it, read the story of [Bobby Tables](http://stackoverflow.com/questions/332365/xkcd-sql-injection-please-explain). — eggyal, Aug 30 '12 at 15:18
Don't mean to be obvious but did you double-check the capitalization? The case sensitive nature of usernames/passwords has tripped me up many times before. — bobbiloo, Aug 30 '12 at 15:18
Perhaps your session type is the wrong case: `a, t, s` instead of `A, T, S` — Ja͢ck, Aug 30 '12 at 15:22
You should not be storing raw passwords in your database; you should encrypt them. See http://www.ietf.org/rfc/rfc2104.txt — dar7yl, Aug 30 '12 at 16:33
thanks for giving so much useful information :) i'll check that but i really dont know about sql injection and dont knw how to avoid them... :( yup i double checked everything, i dont know where is the problem.. yup i used md5 for encryption, im not ustoring passwords as it is,... :) — trouble creator, Aug 30 '12 at 17:29

score 0 · Accepted Answer · answered Aug 30 '12 at 15:21

0

    if ($_SESSION["isadmin"])
    {
        header("Location: $fullpath"."admin/000.php");
    }

    elseif ($_SESSION["isteacher"])
    {
        header("Location:$fullpath"."teacher/");
    }

    elseif ($_SESSION["isstudent"])
    {
        header("Location:$fullpath"."student/");
    }

    else {
        header("Location: $fullpath"."login/unauthorized.php");
    }

answered Aug 30 '12 at 15:21

Mike

1,791
13
13

Mike i alter the code as u said but its still not working... isnt there any problem in the $_SESSION["loggedin"] and the code in it??? – trouble creator Aug 30 '12 at 17:33
1

I would stick an echo "No User Found!"; just before or after $_SESSION["loggedin"]=false; to see if its even setting those values – Mike Aug 30 '12 at 17:43

login code not working properly

1 Answers1