The latest little ‘challenge’ I’ve made for myself is trying to code a good login screen on a site I’m making for some friends. However, when I input my email and password as they are displayed in my SQL database, the file I use to check it with does not send out anything at all. My code looks as follows:
<?php
session_start();
// Already logged in: send the user to the main page
if (isset($_SESSION['user'])) {
    header('Location: mainpage.php');
}
require_once 'config.php';
$error_message = '';
if (isset($_POST['submit'])) {
    $db = "epiz_31045019_TCDB";
    // Check the posted e-mail address and password against the database
    $response = $db->check_credentials($_POST['email'], $_POST['password']);
    if ($response['status'] == 'success') {
        $_SESSION['user'] = array('id' => $response['id'], 'nickname' => $response['nickname']);
        header('Location: mainpage.php');
    }
}
?>
If that might prove to be useful, here are my login form and the config code I’m including as well:
<?php
$hostnaam = "host.com";
$gebruikersnaam = "username";
$wachtwoord = "password";
$db = "database";
$verbinding = mysqli_connect($hostnaam, $gebruikersnaam, $wachtwoord,
    $db) or die ("No connection could be established: " .
    mysqli_connect_error());
?>
<form action="datacheck.php" method="POST">
    <div class="form-field">
        <input type="email" name="email" id="email" placeholder="E-mail address" required />
    </div> <br>
    <div class="form-field">
        <input type="password" name="password" id="password" placeholder="Password" required />
    </div> <br>
    <div class="form-field">
        <button class="btn" type="submit">Log in</button>
    </div>
</form>
Answer
DATA SECURITY:
Your code example:
$hostnaam = "host.com";
$gebruikersnaam = "username";
$wachtwoord = "password";
$db = "database";
$verbinding = mysqli_connect($hostnaam, $gebruikersnaam, $wachtwoord,
    $db) or die ("No connection could be established: " .
    mysqli_connect_error());
Good Practice:
If you are using variables to hold connection/login information you are going to use them once and then not need them, but later on in your code, all of those variables ($wachtwoord, $gebruikersnaam, etc.) still exist.
In the example you give, it would be safer practice to hardcode the data directly into the connection function:
mysqli_connect("host.com", "username", "password", "database");
or ensure you destroy the data as soon as you've finished with it:
$hostnaam = "host.com";
$gebruikersnaam = "username";
$wachtwoord = "password";
$db = "database";
$verbinding = mysqli_connect($hostnaam, $gebruikersnaam, $wachtwoord, $db);
unset($hostnaam, $gebruikersnaam, $wachtwoord, $db);
// Or alternatively:
// $hostnaam = $gebruikersnaam = $wachtwoord = $db = NULL;
Using die statements and showing error messages directly to the browser / user is VERY bad practice and should never be done.
Try instead to throw errors to the PHP error log.
if(!mysqli_connect("host.com", "username", "password", "database")){
    error_log("There was a failure to connect to MySQL: ".mysqli_connect_error());
    header("location: index.php?msg=".urlencode('Sorry there was an error. Cannot connect.'));
}
- Your header functions should always be followed by die/exit statements, because when a header function is reached, PHP will continue to execute the rest of the script even while the browser is redirected to a new page.
Bringing it all together:
if(!mysqli_connect("host.com", "username", "password", "database")){
    error_log("There was a failure to connect to MySQL: ".mysqli_connect_error());
    header("location: index.php?msg=".urlencode('Sorry there was an error. Cannot connect.'));
    exit;
}
And finally, I would also highly recommend using the PDO interface and using object-oriented programming.
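The following is an added example, not code from the question or the answer above: the login check (datacheck.php) rewritten along the lines the answer recommends, with PDO and prepared statements, connection failures sent to error_log rather than shown to the user, and every header() redirect followed by exit. It goes one step beyond the answer by verifying the password against a password_hash() value instead of comparing it to a stored plaintext. Everything named here is an assumption: a config.php that defines the constants DB_DSN, DB_USER and DB_PASS, and a table `users` with columns id, email, nickname and password_hash. The check is keyed on the posted email and password fields rather than on a `submit` field.

```php
<?php
// Added example (not from the original question or answer).
// Assumes config.php defines, for instance:
//   define('DB_DSN',  'mysql:host=host.com;dbname=database;charset=utf8mb4');
//   define('DB_USER', 'username');
//   define('DB_PASS', 'password');
// and a table `users` (id, email, nickname, password_hash). All hypothetical.
declare(strict_types=1);

session_start();

// Already logged in: redirect and STOP. Without exit the rest of this script
// would still execute while the browser follows the redirect.
if (isset($_SESSION['user'])) {
    header('Location: mainpage.php');
    exit;
}

require_once 'config.php';

/** Open the database connection; details go to the server log only. */
function connect(): ?PDO
{
    try {
        return new PDO(DB_DSN, DB_USER, DB_PASS, [
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES   => false, // real server-side prepared statements
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ]);
    } catch (PDOException $e) {
        error_log('MySQL connection failed: ' . $e->getMessage());
        return null;
    }
}

/**
 * Look up the user by e-mail and verify the password against the stored
 * password_hash() value. Returns the session data on success, null otherwise.
 */
function check_credentials(PDO $pdo, string $email, string $password): ?array
{
    // The e-mail is bound as a parameter, never concatenated into the SQL text.
    $stmt = $pdo->prepare('SELECT id, nickname, password_hash FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch();

    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return ['id' => (int) $row['id'], 'nickname' => $row['nickname']];
}

if (isset($_POST['email'], $_POST['password'])) {
    $pdo = connect();
    if ($pdo === null) {
        // Generic message for the user; the real reason is already in the log.
        header('Location: index.php?msg=' . urlencode('Sorry, there was an error. Cannot connect.'));
        exit;
    }

    $user = check_credentials($pdo, (string) $_POST['email'], (string) $_POST['password']);
    if ($user === null) {
        // Same message for an unknown e-mail and a wrong password, so the
        // response does not reveal which addresses are registered.
        header('Location: index.php?msg=' . urlencode('Invalid e-mail address or password.'));
        exit;
    }

    session_regenerate_id(true); // fresh session id after login (session fixation)
    $_SESSION['user'] = $user;
    header('Location: mainpage.php');
    exit;
}
```

For this to work, the registration code has to store `password_hash($password, PASSWORD_DEFAULT)` in `password_hash` rather than the plaintext password; password_verify() then checks a submitted password against that value, so the database never holds anything that can be used directly to log in. The PDO options set above are what make the prepared statement a genuine server-side one (ATTR_EMULATE_PREPARES false) and turn driver errors into exceptions that the connect() wrapper can log.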