
The following is the PHP code to my login script:

    <?php

    session_start();
    if(isset($_POST['submitted']))
    {
        $username = $_POST['username'];
        $password = $_POST['password'];

        $connect = mysqli_connect("localhost", "root", "root", "test");
        if (mysqli_connect_errno()){
            echo mysqli_connect_error();
        }

        $query = "SELECT * FROM members where username = '$username'";

        $result = mysqli_query($connect, $query);

        $log = mysqli_fetch_array($result);
        $dbusername=$log['username'];
        $dbpassword=$log['password'];
        //echo "<h1> ". $log['username']." ".$log['password']."</h1>";
        if($username == $dbusername && $password == $dbpassword)
        {
            $_SESSION['username'] = $dbusername;
            $_SESSION['password'] = $dbpassword;
            header("Location: Correct.html {$_POST["redirect"]}");
        }else
        {
            header("Location: Incorrect.html {$_POST["redirect"]}");
        }
    } else {
        echo "boo";
    }

    ?>

As you can see, the user is redirected to the 'Correct.html' page should they enter an existing username and password combination. The problem is passing information on to the 'Correct.html' page. I would like the 'username' variable to be passed on so that the page will show a "Welcome 'username'" message. Now from all my attempts I am aware that I need the following piece of code on the 'Correct.html' page for this variable to be successfully passed through:

    <?php
    session_start();
    if(isset($_SESSION['username'])){
        echo "Your session is running " . $_SESSION['username'];
    }
    ?>

I have also found out that for this to work, I need to change the extension of my page from .HTML to .PHP. Now the problem is that if I change the extension, my 'Correct.php' page will no longer load, and I am shown a blank screen. I have tried online HTML to PHP converters (which seem to echo every line of my code), but this still does not work.

Would anyone be able to help me on one of two things:

  1. Provide me a solution to passing through a PHP variable in an HTML script (easier, but not sure if possible?)
  2. Correctly convert my HTML code to PHP (longer, but would ensure that variables can easily be passed through)

Please bear in mind that I already have a MySQL database and table set up (you probably already figured that from the code).

  • When using mysqli you should be using parameterized queries and bind_param to add user data to your query. DO NOT use string interpolation to accomplish this because you will probably create severe SQL injection bugs. NEVER use string interpolation with $_POST parameters. Commented Apr 1, 2014 at 20:32
  • don't you get errors here -> "{$_POST["redirect"]}" ? Commented Apr 1, 2014 at 20:32
  • Have you tried JavaScript to intercept the value? That way you wouldn't need the PHP. There is an example here: stackoverflow.com/questions/10609511/… Commented Apr 1, 2014 at 20:33
  • @tadman I am not sure what you mean at all. Would you be able to provide me with a written example please? Commented Apr 1, 2014 at 20:38
  • @vp_arth I do not. At the moment I am redirected to the page I want (however this also works if {$_POST["redirect"]} is removed). Should I remove this? Commented Apr 1, 2014 at 20:39
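
The parameterized query the first comment recommends, written out as an added example (not code from the question or from any commenter). It assumes the question's `members` table and connection settings and, as an assumption the question does not state, that the `password` column holds `password_hash()` output; `find_member` is a hypothetical helper name.

```php
<?php
// Added example, not the asker's code. Assumes the question's `members` table and,
// as a labelled assumption, that `password` stores password_hash() output.
declare(strict_types=1);
session_start();

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors

// Hypothetical helper: look up one member row by username, or return null.
function find_member(mysqli $db, string $username): ?array
{
    // The ? placeholder keeps user input out of the SQL text entirely.
    $stmt = $db->prepare('SELECT username, password FROM members WHERE username = ?');
    $stmt->bind_param('s', $username);   // 's' = bind the value as a string
    $stmt->execute();
    $stmt->bind_result($dbUsername, $dbHash);
    $row = $stmt->fetch() ? ['username' => $dbUsername, 'password' => $dbHash] : null;
    $stmt->close();
    return $row;
}

if (isset($_POST['submitted'], $_POST['username'], $_POST['password'])
    && is_string($_POST['username']) && is_string($_POST['password'])) {
    // Connection details as in the question; use a least-privilege account in practice.
    $db = new mysqli('localhost', 'root', 'root', 'test');
    $member = find_member($db, $_POST['username']);

    if ($member !== null && password_verify($_POST['password'], $member['password'])) {
        session_regenerate_id(true);                 // new session ID after login
        $_SESSION['username'] = $member['username']; // never store the password
        header('Location: Correct.php');             // fixed target, no user input
    } else {
        header('Location: Incorrect.html');
    }
    exit; // stop executing after sending the redirect
}
```

On `Correct.php`, print the name with `htmlspecialchars($_SESSION['username'], ENT_QUOTES, 'UTF-8')` so a username containing markup is displayed as text rather than interpreted as HTML.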

2 Answers


The extension of the file names doesn't matter if you set your web server correctly. If it's Apache HTTP: AddType application/x-httpd-php .php .htm .html, or something like it.

header() expects a full URI. So pass in the domain name and path along with the file name. And get rid of the {$_POST["redirect"]} stuff in the header calls (not sure what you were trying to do with that).


1 Comment

Hi, I've seen this 'AddType' line before and tried inserting it into my code. Apologies, I am not very experienced with this and am not too sure if my web server is Apache HTTP. How do I find out? Would telling you that I use phpmyadmin help at all? What would you advise?

I'll just provide it as an answer with an explanation...

Here is the example answer I cited. What it does is look at the URL that was sent to the browser and search for a "?", which would imply there is a parameter being passed. It then grabs everything after the "?" and splits it at the "&"s to provide for all the parameters that were passed. It then loops through what it finds, and creates a list of what was passed in. Like, "username=bob", "thissite=spiffy".

You can use this in any HTML file to handle parameters passed in. There is no need for the server side scripting like PHP.

1 Comment

Thanks for your reply. Really sorry, I've had a look through and can't seem to identify what applies to my code. What JavaScript do I need for intercepting the value?
