Redirecting?

I'm trying to create a members area and an admin area for my site. I have a form which asks for email/password and then redirects the user: if they are in the Members table, either to the Admin section (if the type is 0) or simply back to index.php (if the type is 1), and back to login.php if they don't sign in… Here's my logic

<?php
session_start();
	include("db/configPDO.php");


// Define $myusername and $mypassword
$Email=$_POST['email'];
$Password=$_POST['password'];


// We Will prepare SQL Query
    $STM = $dbh->prepare("SELECT type FROM Members WHERE email = :Email AND password = :Password");
// bind paramenters, Named paramenters alaways start with colon(:)
    $STM->bindParam(':Email', $Email);
    $STM->bindParam(':Password', $Password);
// For Executing prepared statement we will use below function
    $STM->execute();
// Count no. of records	
$count = $STM->rowCount();
//just fetch. only gets one row. So no foreach loop needed :D
$row  = $STM -> fetch();
// User Redirect Conditions will go here
	if(($count==1) && ($row==0))
	{
		$_SESSION[type]=$row[0];
		$_SESSION[email]=$Email;
		
		header( "location:Admin/"); 	
	}
	else if (($count==1) && ($row==1))
	{
		$_SESSION[type]=$row[0];
		$_SESSION[email]=$Email;
		
		header( "location:index.php"); 	
	}	
	else
	{
	header("location:login.php");
	}




// Closing MySQL database connection
    $dbh = null;	
?>

This is using the PDO thing so I'm not too sure.

I changed the PHP code to

<?php
session_start();
	include("db/configPDO.php");


$Email=$_POST['email'];
$Password=$_POST['password'];


$sql =  "SELECT type FROM Members WHERE email = :Email AND password = :Password";
// We Will prepare SQL Query
    $STM = $dbh->prepare($sql);
// bind paramenters, Named paramenters alaways start with colon(:)
    $STM->bindParam(':Email', $Email);
    $STM->bindParam(':Password', $Password);
// For Executing prepared statement we will use below function
    $STM->execute();
// Count no. of records	
$count = $STM->rowCount();
//just fetch. only gets one row. So no foreach loop needed :D
echo $sql;
$row  = $STM -> fetch();
// User Redirect Conditions will go here
//	if(($count==1) && ($row==0))
//	{
//		$_SESSION[type]=$row[0];
//		$_SESSION[email]=$Email;
//		
//		header( "location:Admin/"); 	
//	}
//	else if (($count==1) && ($row==1))
//	{
//		$_SESSION[type]=$row[0];
//		$_SESSION[email]=$Email;
//		
//		header( "location:index.php"); 	
//	}	
//	else
//	{
//	header("location:login.php");
//	}




// Closing MySQL database connection
    $dbh = null;	
?>

Just to take a look at the query, I tried to echo $sql, I get

SELECT type FROM Members WHERE email = :Email AND password = :Password

How do I make sure the : things are being replaced?

I don’t think there’s a way you can check that BindParam() is actually working, it doesn’t alter the copy of the query in your PHP so you can’t echo it. A quick google suggests that you could use:


$STM->debugDumpParams();

but only in certain versions.

What was your original question - you said what you were trying to do, showed some code but didn’t ask anything.

Only thing I could see that didn’t look right (and I’m learning, so it might be fine) is that you’re checking for “$row==0” or “$row==1” in your if() statements, not $row[0] as you do when setting session variables. Can you substitute the plain varname for the first element of an array?

I am trying to create a members area of the site (so if a member logs in and their type is 0, they are taken to an Admin/ section. If they log in and the type is 1 they would simply be taken to index.php. Lastly, if they try to log in but can't, they would be taken back to the login page).


<?php
session_start();
	include("db/configPDO.php");


$Email=$_POST['email']; 
$Password=$_POST['password']; 


$sql =  "SELECT type FROM Members WHERE email = :Email AND password = :Password";


$STM = $dbh->prepare($sql);


$STM->bindParam(':Email', $Email);
$STM->bindParam(':Password', $Password);
$STM->execute();


$count = $STM->rowCount();


$row  = $STM -> fetch();


	if(($count==1) && ($row==0))
	{
		$_SESSION[type]=$row[0];
		$_SESSION[email]=$Email;
		
		header( "location:Admin/"); 	
	}
	else if (($count==1) && ($row==1))
	{
		$_SESSION[type]=$row[0];
		$_SESSION[email]=$Email;
		
		header( "location:index.php"); 	
	}	
	else 
	{
	header("location:login.php");
	}


$dbh = null;	
?>

Do you get an error message, if so what is it? Or does the code not do what you expect it to? If not, what does it do that you don’t think it should?

Sorry, I'm not good at explaining. If I log in as Admin, I should get redirected to the admin directory; if I log in as a regular user I'm redirected to the index page. However, if I can't log in, I simply am redirected back to the login form…


<?php
session_start();
	include("db/configPDO.php");


$Email=$_POST['email']; 
$Password=$_POST['password']; 


$sql =  "SELECT type FROM Members WHERE email = :Email AND password = :Password";


$STM = $dbh->prepare($sql);


$STM->bindParam(':Email', $Email);
$STM->bindParam(':Password', $Password);
$STM->execute();


$count = $STM->rowCount();


$row  = $STM -> fetch();


if(($count==1) && ($row['type']==0))
{
	$_SESSION[type]=$row[0];
	$_SESSION[email]=$Email;
	
	header( "location:Admin/"); 	
}
else if (($count==1) && ($row['type']==1))
{
	$_SESSION[type]=$row[0];
	$_SESSION[email]=$Email;
	
	header( "location:index.php"); 	
}	
else 
{
header("location:login.php");
}


$dbh = null;	
?>



I assume, then, that it’s not sending you to the correct page?

  1. Most comments I read about using header-location to redirect say that you should specify an absolute path, not the relative path as you have. You could use server vars, but for example I mean “http://www.yoursite.com/login.php” instead of just “login.php”.

  2. Another issue seems to be it’s important to use exit() or die() after you’ve output the header redirect. So I’d think:


<?php
session_start();
	include("db/configPDO.php");


$Email=$_POST['email'];
$Password=$_POST['password'];

$sql =  "SELECT type FROM Members WHERE email = :Email AND password = :Password";

$STM = $dbh->prepare($sql);

$STM->bindParam(':Email', $Email);
$STM->bindParam(':Password', $Password);
$STM->execute();

$count = $STM->rowCount();

$row  = $STM->fetch();

if(($count==1) && ($row['type']==0))
{
	$_SESSION[type]=$row[0];
	$_SESSION[email]=$Email;
	header( "location: http://www.yoursite.com/Admin/"); 	
                exit();
}
else if (($count==1) && ($row['type']==1))
{
	$_SESSION[type]=$row[0];
	$_SESSION[email]=$Email;
	header( "location: http://www.yoursite.com/index.php"); 	
                exit();
}	
else
{
header("location: http://www.yoursite.com/login.php");
exit();
}


$dbh = null;	
?>

thx

It would appear that you are storing the passwords plain text. Please do not do that but hash the password instead.

For an example of how to do this in PHP, see http://www.paulund.co.uk/hash-passwords-with-php-5-5

This is for PHP >= 5.5, but there are libraries for older PHP versions, like this one https://github.com/ircmaxell/password_compat
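As an added example (not code from any post in this thread), this is how the login check discussed above looks with hashed passwords via password_hash()/password_verify(), combined with the absolute redirect URL and exit() after header() suggested earlier. It uses an in-memory SQLite PDO connection so it runs stand-alone (requires the pdo_sqlite extension); the column names and the Admin/User/Guest type values follow the schema posted below, and http://www.yoursite.com is a placeholder base URL.

```php
<?php
// Added example: hashed-password login check for the Members table.
// In-memory SQLite stands in for the MySQL $dbh from db/configPDO.php.
session_start();
$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// password is VARCHAR(255): a bcrypt hash is 60 characters, which does
// not fit the VARCHAR(50) column in the posted CREATE TABLE.
$dbh->exec("CREATE TABLE Members (id INTEGER PRIMARY KEY, email VARCHAR(50),
            password VARCHAR(255), type VARCHAR(10) DEFAULT 'Guest')");

// Constructed sample row: the stored value is a hash, never the plain
// password, so a dump of the table does not reveal 'test'.
$ins = $dbh->prepare("INSERT INTO Members (email, password, type) VALUES (:e, :p, :t)");
$ins->execute([':e' => 'admin@example.com',
               ':p' => password_hash('test', PASSWORD_DEFAULT),
               ':t' => 'Admin']);

// Look the member up by email only and verify the password in PHP.
// Returns the member's type on success, or null on failure. fetch()
// returning false is the reliable "no row" test; rowCount() on a SELECT
// is driver-dependent in PDO.
function authenticate(PDO $dbh, $email, $password)
{
    $stm = $dbh->prepare("SELECT password, type FROM Members WHERE email = :Email");
    $stm->execute([':Email' => $email]);
    $row = $stm->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;   // unknown email or wrong password: same outcome
    }
    return $row['type'];
}

// Map the type to an absolute URL; anything else goes back to the form.
function redirectTarget($type, $base = 'http://www.yoursite.com')
{
    switch ($type) {
        case 'Admin': return $base . '/Admin/';
        case 'User':  return $base . '/index.php';
        default:      return $base . '/login.php';
    }
}

// Constructed stand-in for $_POST from the login form.
$post = ['email' => 'admin@example.com', 'password' => 'test'];
$type = authenticate($dbh, trim($post['email']), trim($post['password']));
if ($type !== null) {
    $_SESSION['type']  = $type;           // quoted keys, not bare constants
    $_SESSION['email'] = $post['email'];
}
header('Location: ' . redirectTarget($type));   // absolute URL, then stop
exit();
```

The existing plain-text rows can be migrated by running password_hash() over each stored password once; no client-visible change is needed because the form still submits the plain password over the request.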

I want to make this as efficient as possible and think this way is optimal; I think enums are way better.
Here's the new table

CREATE TABLE Members(
id SMALLINT NOT NULL AUTO_INCREMENT,
PRIMARY KEY(id),
name VARCHAR(50),
email VARCHAR(50),
password VARCHAR(50),
type ENUM('Admin','User','Guest') DEFAULT 'Guest',
created DATE,
image VARCHAR(150)
);

Here's a couple of insert statements


INSERT INTO Members (id,name,email,password,type,created,image) VALUES (1,"Luke Urtnowski","lurtnowski@gmail.com","test","Admin","2014-07-07","http://www.almostsavvy.com/wp-content/uploads/2011/04/profile-photo.jpg");
INSERT INTO Members (id,name,email,password,type,created,image) VALUES (2,"Jason Cannon","jason@gmail.com","test","User","2014-07-07","http://www.almostsavvy.com/wp-content/uploads/2011/04/profile-photo.jpg");
INSERT INTO Members (id,name,email,password,type,created,image) VALUES (3,"Davida Milkes","jason@gmail.com","test","User","2014-07-07","http://www.almostsavvy.com/wp-content/uploads/2011/04/profile-photo.jpg");

The last step is strange because I'm going to give the logged-in user three options (if they are Admin, they go to the Admin section; if they are a User, they simply go to index.php; lastly, if they fail at logging in, they will be taken back to the form).

<?php
session_start();
include("db/configPDO.php");

$Email=$_POST['email'];
$Password=$_POST['password'];

$sql =  "SELECT type FROM Members WHERE email = :Email AND password = :Password";
$STM = $dbh->prepare($sql);
$STM->bindParam(':Email', $Email);
$STM->bindParam(':Password', $Password);
$STM->execute();

$count = $STM->rowCount();
$row  = $STM->fetch();

if(($count==1) && ($row['type']=='Admin'))
{
	$_SESSION[type]=$row['type'];
	$_SESSION[email]=$Email;
	header( "location:localhost/shoresrentals/Admin/");
	exit();
}
else if (($count==1) && ($row['type']=='User'))
{
	$_SESSION[type]=$row['type'];
	$_SESSION[email]=$Email;
	header( "location:localhost/shoresrentals/index.php");
	exit();
}
else
{
	header("location:localhost/shoresrentals/login.php");
	exit();
}

$dbh = null;
?>

Another question I have is why do I need the type of Guest in the table, can't I just have "welcome Guest" if the user never even logs in?

I placed this in the page to try and see where the problem is


var_dump($_POST);echo $Email." ".$Password;var_dump($count);var_dump($row);

And it returns
array (size=2)
  'email' => string 'lurtnowski@gmail.com' (length=20)
  'password' => string 'test' (length=4)
lurtnowski@gmail.com test
int 0
boolean false

If the vars seem to be passed why is the query not returning 1 row?

Did you put that var_dump line just after the $STM->fetch() line? It should work there.

If you have a look at the database in phpmyadmin does the data look like it should? Also note ScallioXTX's comment above that you should not store passwords in plain text. But worth getting it working first of course.

When I try to do that var_dump(), like


session_start();
include("db/configPDO.php");

$Email=$_POST['email'];
$Password=$_POST['password'];

$sql =  "SELECT type FROM Members WHERE email = :Email AND password = :Password";
$STM = $dbh->prepare($sql);
$STM->bindParam(':Email', $Email);
$STM->bindParam(':Password', $Password);
$STM->execute();
$count = $STM->rowCount();

$row  = $STM->fetch();
var_dump();
var_dump($_POST);
echo $Email." ".$Password;
var_dump($count);
var_dump($row);

I get a warning, like

Warning: Wrong parameter count for var_dump() in C:\wamp\www\shoresrentals\CheckLogin.php on line 18

Call Stack
#  Time    Memory  Function     Location
1  0.0350  248448  {main}( )    …\CheckLogin.php:0
2  0.3090  260568  var_dump( )  …\CheckLogin.php:18

array (size=2)
  'email' => string 'lurtnowski@gmail.com' (length=20)
  'password' => string 'test' (length=4)
lurtnowski@gmail.com test
int 0
boolean false

The problem is var_dump();
You can’t call var_dump without any arguments. Just remove that part and you’ll be fine.

Oh yes, but how do I see what the actual query is?

Thanks…

You can’t. All you can do is output the query and the parameters and put them together yourself.

I'm trying to figure out what the error is. When I have


$STM->execute() or die(print_r($dbh->errorInfo()));

I get
Array ( [0] => 00000 [1] => [2] => ) 1

but have no idea what that means…
When I put this bit



echo $sql."<br>";echo $Email." ".$Password;var_dump($count);var_dump($row);

I get,
SELECT type FROM Members WHERE email = :Email AND password = :Password
lurtnowski@gmail.com test
int 0
boolean false

How can I output the parameters themselves?

You are on the second line, but you can’t output the SQL with the parameters replaced, unless that code I put in post #3 works on your version.

Even though you are only grabbing one field, you still need the KEY in the comparison line. I used ‘type’. Also you need a space after location: As was pointed out, don’t store passwords as plain text.

<?php
session_start();
include "db/configPDO.php";

if(isset($_POST['email'],$_POST['password'])):
	$Email = trim($_POST['email']);
	$Password = trim($_POST['password']);


	// We Will prepare SQL Query
	$STM = $dbh->prepare("SELECT type FROM Members WHERE email = :Email AND password = :Password");
	// bind paramenters, Named paramenters alaways start with colon(:)
	$STM->bindParam(':Email', $Email);
	$STM->bindParam(':Password', $Password);
	// For Executing prepared statement we will use below function
	$STM->execute();
	// Count no. of records	
	$count = $STM->rowCount();	
	//just fetch. only gets one row. So no foreach loop needed :D
	$row  = $STM -> fetch();
	// User Redirect Conditions will go here
	
	if(($count == 1) && ($row['type'] == 0))
	{
		$_SESSION['type'] = $row['type'];
		$_SESSION['email'] = $Email;
		header("location: Admin/"); 	
	}
	elseif (($count == 1) && ($row['type'] == 1))
	{
		$_SESSION['type'] = $row['type'];
		$_SESSION['email'] = $Email;
		header("location: index.php"); 	
	}	
	else
	{
		header("location: login.php");
	}

endif;

	// Closing MySQL database connection
    $dbh = null;	
?>

the PK in the Members table is id. I’m not really sure where the comparison line is though (is it the if statement?)

And once I get this login working on my server, I'll do http://www.paulund.co.uk/hash-passwords-with-php-5-5

And here’s the result of binding the parameters (using #3)

SQL: [78] SELECT type FROM Members WHERE email = :Email AND password = :Password Params: 2 Key: Name: [6] :Email paramno=-1 name=[6] “:Email” is_param=1 param_type=2 Key: Name: [9] :Password paramno=-1 name=[9] “:Password” is_param=1 param_type=2