I am trying to authenticate a login for my php/sql webpage.
The first code shows part of the Login.php where I take two text fields, email & password, and pass them to authenticate.php
The second code shows where I take the two values and try to process them.
The problem I have having is that I get directed to index.php everyime, even if I have the correct data entered in the field.
Any help would be appreciated.
Part of Login.php
<td width="70">Email</td>
<td width="6" align="center">:</td>
<form action="authenticate.php" method="post" name="authenticate_form">
<td><input name="email" type="text" id="email"></td>
</tr>
<tr>
<td width="70">Password</td>
<td width="6" align="center">:</td>
<td><input name="password" type="text" id="password"></td>
</tr>
<tr>
<td width="70">Login</td>
<td width="6" align="center">:</td>
<td>
<input type="submit" name="submit" value="Login" />
</form>
</td>
Authenticate.php
// ----------------------
// Retrieve login information
include("db_info.php");
// ----------------------
$conn = oci_connect($db_user, $db_pwd, '(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(Host=asuka.cs.ndsu.nodak.edu)(Port=1521)))(CONNECT_DATA=(SID=asuka)))');
if (!$conn) {
$e = oci_error();
print_r($e);
exit();
}
// ----------------------
// Get POST values
if(isset($_POST['email']) && $_POST['email'] && isset($_POST['password']) && $_POST['password']) {
// Get posted form information and strip out unsafe characters
$email = htmlspecialchars(stripslashes($_POST['email']));
$password = htmlspecialchars(stripslashes($_POST['password']));
} else {
// Illegal access.
// Redirect back to index.php
header("location: index3.php");
exit();
}
// ----------------------
// Authenticate User
// Create query
$sql = "SELECT PASSWORD FROM CUSTOMER WHERE EMAIL = '$email'";
// Create database query statement
$statement_id = oci_parse($conn, $sql);
// Execute query statement
$result = oci_execute($statement_id, OCI_COMMIT_ON_SUCCESS);
$queryResult = oci_fetch_row($statement_id);
//var_dump($queryResult);
// Check for successful authentication
if($password == $queryResult[0]) {
if ($email=="admin@hotmail.com") {
$db_login_status = 2;
header("location: admin.php");
} else {
$db_login_status = 1;
header("location: normal.php");
}
} else {
header("location: fail.php");
}
// ----------------------
// Close connections
oci_free_statement($statement_id);
oci_close($conn);
If you are being sent to index.php, that must mean you are not logging in with “admin@hotmail.com”. Try using that email address. Otherwise, try removing the code above and just leave these two lines:
The thing is that you’re not getting redirected even though you entered the correct login, you are getting redirected because you did so. If you do not want to be redirected upon logging in, you will have to change your script to do whatever you are intending.
Edit: Based on your comment, it seems
$emailis empty. That would be because the<input name="email">in your form is a hidden input which is not filled with anything when you type in your password. I was assuming that you had a javascript which imported the values from the visible text inputs in the other table cells. Do you? Otherwise, there’s your problem. Your<form>tag needs to actually include the inputs which the login data gets entered into. You can solve the problem by wrapping the form around the whole login table.Apart from that, your
$resultwill always be 1 because the query succeeded, and not because it contained a result. After that, you additionally need to do$row = oci_fetch_row($statement_id);. Then check forif($row)rather thanif($statement_id). Or simplyif(oci_fetch_row($statement_id))As a side note that turned out to be another problem: Don’t forget to commit edits which you make to the database on an external editor. If they’re not committed, other queries will not see them. In this case, the record for ‘admin@hotmail.com’ was added in an external program and not committed – so PHP refused to acknowledge the login.