0

I have a little problem with my php-function. I've spend pretty much time finding the mistake, unsuccessfully. Due to the fact that im pretty new at more "complex" php-programming, i might just miss the mistake.

Short explanation.

I've created a function (which is written in the header.php), to insert user activitys into my database. The code is as follows

function userLog($type, $information){

    include_once 'inc/dbconnect.inc.php';

    $types = array("signup" => "",
                   "login" => "", 
                   "logout_manual" => "", 
                   "password_change" => "",
                   "password_reset_sendMail" => "Sent to: '".isset($information['mail']) ? $information['mail'] : "" ."'",
                   "password_reset_setNew" => "",
                   "mail_change_sendMail" => "Sent to: '".isset($information['mail']) ? $information['mail'] : ""."'",
                   "mail_change_verify" => "Changed from ".isset($information['old_mail']) ? $information['old_mail'] : ""." to ".isset($information['mail']) ? $information['mail'] : "");


    $user_uid = $_SESSION['u_uid'];
    $action = $type;
    $description = $types[$type];
    $date = date("Y-m-d H:i:s");
    $browser  = $_SERVER[HTTP_USER_AGENT]; 

    $sql = "INSERT INTO userlogs (userlog_user_uid, userlog_action, userlog_action_description, userlog_date, userlog_browser) VALUES ('$user_uid', '$action', '$description', '$date', '$browser')";
    mysqli_query($conn, $sql);

}

Now I want to call the function in my login script, if the user is sucessfully logged in. It looks like this:

if (isset($_POST['login_submit'])) {

include_once 'inc/dbconnect.inc.php';

$uid = mysqli_real_escape_string($conn, $_POST['uid']);
$pwd = mysqli_real_escape_string($conn, $_POST['pwd']);

$_SESSION['inputs'] = array("uid" => $_POST['uid']);

//Check if inputs are empty
if (empty($uid) || empty($pwd)) {
    $_SESSION['error'] = array("Bitte alle Felder ausfüllen!");
    header("Location: ".$_SERVER['HTTP_REFERER']);
    exit();
} else {
    $sql = "SELECT * FROM users WHERE user_uid='$uid' OR user_mail='$uid'";
    $result = mysqli_query($conn, $sql);
    $resultCheck = mysqli_num_rows($result);        

    if ($resultCheck < 1) {
        $_SESSION['error'] = array("Benutzername/E-Mail und/oder Passwort sind falsch!");
        header("Location: ".$_SERVER['HTTP_REFERER']);
        exit();
    } else {
        while ($row = mysqli_fetch_assoc($result)) {
            //De-hashing the password
            $hashedPwdCheck = password_verify($pwd, $row['user_pwd']);
            if ($hashedPwdCheck == false) {
                $_SESSION['error'] = array("Benutzername/E-Mail und/oder Passwort sind falsch!");
                header("Location: ".$_SERVER['HTTP_REFERER']);
                exit();
            } elseif ($hashedPwdCheck == true) {
                //Log in the user here
                $_SESSION['u_id'] = $row['user_id'];
                $_SESSION['u_uid'] = $row['user_uid'];
                $_SESSION['u_email'] = $row['user_email'];

                $information = array();
                userLog("login", $information);

                header("Location: ".$root."index/index");
                exit();
            } else {
                $_SESSION['error'] = array("Benutzername/E-Mail und/oder Passwort sind falsch!");
                header("Location: ".$_SERVER['HTTP_REFERER']);
                exit();
            }
        }
    }
}
} else {
header("Location: ".$root."account/login");
exit();
}

Here comes the "weird" thing. My function is working, if i call it in the logout form-action script.

if (isset($_POST['logout_submit'])) {

   $information = array();
   userLog("logout_manual", $information);

   session_unset();
   session_destroy();
   header("Location: ".$root);
   exit();
}

So my function actually works fine. But it just works from the logout script. If I want to call it in my login script and also my signup script, it doesn't work. I also tryed to declare the function in the login script itself, instead of the header.php, but it didnt work either. So i think according to these information, the mistake is somewhere in my login/signup scripts, but i can't find it.

Maybe some of u guys have an idea.

Improve this question
5
  • check if $information exists or not, the best way for debugging in php is var_dump($variable) for example: var_dump($information) Commented Aug 21, 2017 at 19:03
  • I've tried to leave out $information completely. It didn't work either. Commented Aug 21, 2017 at 19:07
  • every time you call userLog() the variable $information is reset right before, so it's always going to be empty. Also your script is vulnerable to SQL injection attacks: consider using prepared statements and read on how to prevent SQL injection Commented Aug 21, 2017 at 19:13
  • In this scripts its's intentional, that $information is empty, because i don't need to store information in this case. I already thought about doing prepared statements, but isn't mysqli_real_espace_string enough to avoid sql-injection? Commented Aug 21, 2017 at 19:19
  • @SebaM unfortunately no, using prepared statements is really the way to go (or maybe even using a full-fledged ORM but that's on a whole other level and probably overkill for the scope of this question) Commented Aug 21, 2017 at 19:44
Related questions
30
How can I execute a PHP function in a form action?
1
PHP function won't execute when called
13
How to run a PHP function from an HTML form?
Load 7 more related questions Show fewer related questions

0

Reset to default

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.