Help with path in script

[flashmaster]

Hi, i need some help with a login script that im trying to implement under PW. When im enter the protectedpage.php it goes to login.php and then i fill in username/password and press login it just refreshes the login.php again and the input fields are empty. It should go to protectedpage.php after that but its not working. I think that there is a path och paths in the script that its wrong. All files are in the root of the template folder and i have a database table that im trying to fetch. I have also added the pages as templates in admin.

If you see anything wrong with this please help. /thanks

 

protectedpage.php

<?php
	session_start();
	require_once('config.php');
	//phpinfo();

	if(isset($_SESSION['id'])){ 
?>

<!doctype html>
<html lang="sv-se">
<head>	
	
</head>
<body>
	
	Lorem ipsum sit dolor amet.
 	
</body>
</html>

<?php 

 }
	else{ 
		header( "Location:../protectedpage");
	 }
?>

 

login.php

<?php
session_start();
require_once( 'config.php' );
if ( isset( $_SESSION[ 'id' ] ) ) {
	header( "Location:protectedpage.php" );
} else {
	?>

	<!DOCTYPE html>
	<html>

	<head>
		<title>Logga in</title>
		<link rel="stylesheet" href="<?=$config->urls->templates;?>css/login.css">
		<script type="text/javascript" src="<?=$config->urls->templates;?>js/login.js"></script>
	</head>

	<body style="background-color:#bdc3c7">
		<div id="main-wrapper">
			<center>
				<h2>Logga in</h2>
			</center>

			<form action="../login" method="post" onsubmit="return validate(this);">

				<div class="inner_container">
					<div class="formgroup"><label class="lable-side"><b>Epost</b></label> <input type="text" class="text-side" name="email" id="email" value="<?php if(isset($_POST['login'])) { echo $_POST['email']; } else{ }  ?>" autofocus>
					</div>

					<div class="formgroup"><label class="lable-side"><b>Lösenord</b></label>
						<input type="password" id="password" class="text-side" name="password">
					</div>
					<div class="btngrp"><button class="login_button" name="login" type="submit">Login</button>
						<button type="reset" class="reset_btn">Återställ</button>
					</div>
					<div class="register_div"><a href="../register" class="register_link"><span>Registrera ny användare</span></a>
					</div>
				</div>
			</form>

			<?php
			if ( isset( $_POST[ 'login' ] ) ) {
				$email = $_POST[ 'email' ];
				$password = $_POST[ 'password' ];

				$query = $con->prepare( "select * from users where email=?" );
				$query->bind_param( 's', $email );

				$query->execute();
				$result = $query->get_result();
				$row = $result->fetch_assoc();

				$hash_pwd = $row[ 'password' ];
				$hash = password_verify( $password, $hash_pwd );

				if ( $hash == 0 ) {
					echo '<script type="text/javascript">alert("Invalid Credentials")</script>';
				} else {

					$query = $con->prepare( "select * from users where email='$email' and password=? " );
					$query->bind_param( 's', $hash_pwd );
					$query->execute();
					$query_run = $query->get_result();
					//echo mysql_num_rows($query_run);
					if ( $query_run ) {
						if ( mysqli_num_rows( $query_run ) > 0 ) {
							$row = mysqli_fetch_array( $query_run, MYSQLI_ASSOC );
							$_SESSION[ 'email' ] = $row[ 'email' ];
							$_SESSION[ 'id' ] = $row[ 'id' ];



							header( "Location:../protectedpage" );
						} else {
							echo '<script type="text/javascript">alert("No such Email exists. Invalid Credentials")</script>';
						}
					} else {
						echo '<script type="text/javascript">alert("Database Error")</script>';
					}

				}

			} else {}
			?>

		</div>
	</body>

	</html>

	<?php  } ?>

 

config.php

<?php
$con = mysqli_connect( "localhost", "root", "htf43434" )or die( 'Database connect ' . mysql_error() );
mysqli_select_db( $con, 'ksf' );
?>

 

 

 

[rick]

Hello @flashmaster,

First thing that caught my eye, you should edit your post to remove the database password. 

This appears to be a stand-alone php script designed to restrict access to specific pages, and not one normally associated with ProcessWire.

ProcessWire has it's own built-in functions and supporting modules for governing access to pages or by certain roles, etc. Have a look:

https://processwire.com/talk/topic/15261-best-method-for-restricting-page-access/

Or Adrian's excellent module

https://processwire.com/talk/topic/11499-admin-restrict-branch/

The point is that you don't need to spend time converting a script to work with ProcessWire, when ProcessWire has the features either built-in or readily available. And should you have any questions the support forum is the place to be.

 

[flashmaster]

Hi and thanks for the reply. Ok just to be clear, i dont need to manage the script in the admin/backend. I just want it to connect to the database. I dont want users to be able to login to the admin area just a general password that i have set in the database. It works with the database outside the template folder just to be clear. Im a total beginner at php and this script is from github. The database file is just an example not the correct one Dont have the experience to build something from scratch, just want this script to work right now. 

I have tested the module "page protector" but i dont want the user to have access to the admin with its password. And also there is no "Log out" function. Also i want to style the login page.

[adrian]

11 hours ago, flashmaster said:

I have tested the module "page protector" but i dont want the user to have access to the admin with its password. And also there is no "Log out" function. Also i want to style the login page.

Page Protector doesn't require access to the admin to work. It's easy to create your own logout link (https://processwire.com/talk/topic/684-client-logout-page/). Page Protector lets you style the login page however you want