0

I have following code (php and jquery) for Login for Student and Teacher (using same form for both access). In my system the admin can create Student and Teacher. Once created, the details are saved into database. The saved details is suppose to be use for login to their admin panel. But, the problem is , when Student or Teacher wants to login with the login details, provided by the admin (which has already been saved in database table), It display error message : Login Failed, Please check your username and password. (Same details, saved into database table is used for login process). This aching my head. If someone can tell me , if there is some error in my code, will be much appreciated.

login_form.php

<form id="login_form1" class="form-signin" method="post">
    <h3 class="form-signin-heading"><i class="icon-lock"></i> Sign in</h3>
    <input type="text" class="input-block-level" id="username" name="username" placeholder="Username" required>
    <input type="password" class="input-block-level" id="password" name="password" placeholder="Password" required>
    <button data-placement="right" title="Click Here to Sign In" id="signin" name="login" class="btn btn-info" type="submit"><i class="icon-signin icon-large"></i> Sign in</button>
<script type="text/javascript">
$(document).ready(function(){
    $('#signin').tooltip('show');
    $('#signin').tooltip('hide');
});
</script>
</form>
<script>
jQuery(document).ready(function(){
    jQuery("#login_form1").submit(function(e){
        e.preventDefault();
        var formData = jQuery(this).serialize();
        $.ajax({
                type: "POST",
                url: "login.php",
                data: formData,
                success: function(html){            
                    if(html=='true_teacher') {
                        $.jGrowl("Loading File Please Wait......", { sticky: true });
                        $.jGrowl("Welcome to Soch College's E- Learning Management System", { header: 'Access Granted' });
                        var delay = 1000;
                        setTimeout(function(){ window.location = 'dasboard_teacher.php'  }, delay);  
                    } else if (html == 'true'){
                        $.jGrowl("Welcome to Soch College's E- Learning Management System", { header: 'Access Granted' });
                        var delay = 1000;
                        setTimeout(function(){ window.location = 'student_notification.php'  }, delay); 
                    } else {
                        $.jGrowl("Please Check your username and Password", { header: 'Login Failed' });
                    }
                }
        });

    return false;

    });
});
</script>

login.php

<?php include('admin/dbcon.php');
session_start();
$username = $_POST['username'];
$password = $_POST['password'];
//for student login
$query_student = mysql_query("SELECT * FROM student WHERE username='$username' AND password='$password'");
$count_stu = mysql_num_rows($query_student);
$row_stu = mysql_fetch_array($query_student);
//for teacher login
$query_teacher = mysql_query("SELECT * FROM teacher WHERE username='$username' AND password='$password'")or die(mysql_error());
$count_tea = mysql_num_rows($query_teacher);
$row_tea = mysql_fetch_array($query_teacher);
if( $count_stu > 0 ) { 
    $_SESSION['id']=$row_student['student_id'];
    echo 'true';
}else if( $count_tea > 0 ) { 
    $_SESSION['id']=$row_teacher['teacher_id'];
    echo 'true_teacher';
}
else{ 

}?>
Sun_saurya
  • 33
  • 10
  • 2
    You need to deal with sql injection attacks. Use mysqli with prepared statements or PDO. The students will trash the tables – Drew Jun 28 '15 at 03:50
  • did you look to see what is being sent to thte server and what is being returned? – epascarello Jun 28 '15 at 03:51
  • So since this is all new stuff just throw out all the mysql_ stuff – Drew Jun 28 '15 at 03:54
  • @Drew Pierce, can you please give me some idea, but how can I? Mean, I am beginner in php and jquery. – Sun_saurya Jun 28 '15 at 03:58
  • 1
    possible duplicate of [Why login is not working for student and teacher?](http://stackoverflow.com/questions/31089082/why-login-is-not-working-for-student-and-teacher) – CBroe Jun 28 '15 at 04:43
  • @DrewPierce Not really since `mysql_query` does not allow multiple statements. – Gumbo Jun 28 '15 at 08:43
  • @Gumbo, Can you please address my problem mentioned above? Is there any error in my code? Why I am not able to logged in? its so urgent to accomplished my project. – Sun_saurya Jun 28 '15 at 08:48
  • @Gumbo not sure what is "not really" about what I wrote. Are you saying the original code presented by the OP is "not really highly susceptible to sql injection" ? – Drew Jun 28 '15 at 12:39
  • @DrewPierce No, I meant that you can’t drop tables as you suggested. – Gumbo Jun 28 '15 at 12:42
  • look at the code where you are fetching arrays for both student and teacher, e.g `$row_tea = mysql_fetch_array($query_teacher);` and then `$_SESSION['id']=$row_teacher['teacher_id'];` shouldn't it be `$_SESSION['id']=$row_tea['teacher_id'];` – Shehary Jun 28 '15 at 14:56

2 Answers2

1

It is critical to use prepared statements when dealing directly with user supplied data from a webpage like username and password.

Your present code is open to SQL injection. Use mysqli with prepared statements, or PDO with prepared statements.

From Fred: PHP Not Inserting Content in mySQL Database: Text, Images, Anything

Community
  • 1
  • 1
Drew
  • 24,851
  • 10
  • 43
  • 78
  • >> I did tried for mysqli connection code for db connect. But, it works well for admin login, but not working for teacher and student login!! Any suggestion? – Sun_saurya Jun 28 '15 at 05:22
  • Glad to take a look. Update question with source code. Also delete the question from yesterday that @cbroe mentioned – Drew Jun 28 '15 at 05:29
1

I think the problem is here;

if( $count_stu > 0 ) { 
    //$_SESSION['id']=$row_student['student_id'];// mistake
    $_SESSION['id']=$row_stu['student_id'];
    echo 'true';
}else if( $count_tea > 0 ) { 
    //$_SESSION['id']=$row_teacher['teacher_id'];// mistake
    $_SESSION['id']=$row_tea['teacher_id'];
    echo 'true_teacher';
}
else{ 
    echo 'Wrong Username Or Password';
}

I agree with @Drew Pierce, you should consider using pdo or mysqli.

Shehary
  • 9,926
  • 10
  • 42
  • 71