I'm creating a login script in PHP and JS. I would like to have a different error messages in my form but unfortunately not everything works fine. For example checking whether there is such a user is working well but if I type a properly email and incorrect password I will be redirected to profile.php?u=%3Cbr%20/%3E%3Cb%3ENotice%3C/(...). Where I made a mistake?
login.php
if(isset($_POST["e_l"])){
include_once("db/db_fns.php");
$e = mysqli_real_escape_string($db_conx, $_POST['e_l']);
$p = $_POST['p_l'];
$ip = preg_replace('#[^0-9.]#', '', getenv('REMOTE_ADDR'));
if($e == "" || $p == ""){
$message = preg_replace('/[\/_| -]+/', '', 'loginfailed');
echo $message;
exit();
} else {
$sql = "SELECT id, username, password, activated FROM users WHERE email='$e' LIMIT 1";
$query = mysqli_query($db_conx, $sql);
$row = mysqli_fetch_row($query);
$activated = $row['activated'];
$number = mysqli_num_rows($query);
if ($number <=0){
$message = preg_replace('/[\/_| -]+/', '', 'nouser');
echo $message;
exit();
} else {
if ($activated = '0') {
$message = preg_replace('/[\/_| -]+/', '', 'noactiv');
echo $message;
exit ();
} else {
$db_id = $row[0];
$db_username = $row[1];
$db_pass_str = $row[2];
if (password_verify ($p, $db_pass_str)) {
$_SESSION['userid'] = $db_id;
$_SESSION['username'] = $db_username;
$_SESSION['password'] = $db_pass_str;
setcookie("id", $db_id, strtotime( '+30 days' ), "/", "", "", TRUE);
setcookie("user", $db_username, strtotime( '+30 days' ), "/", "", "", TRUE);
setcookie("pass", $db_pass_str, strtotime( '+30 days' ), "/", "", "", TRUE);
$sql = "UPDATE users SET ip='$ip', lastlogin=now() WHERE username='$db_username' LIMIT 1";
$query = mysqli_query($db_conx, $sql);
echo $db_username;
exit();
} else{
$message = preg_replace('/[\/_| -]+/', '', 'loginfailed');
echo $message;
exit();
}
}
}
}
exit();
}
login.js
function login(){
var e_l = _("email_l").value;
var p_l = _("password_l").value;
if(e_l == "" || p_l == ""){
_("status_l").innerHTML = '<div class="message_b"><img src="images/error.gif"/> Fill out all of the form data</div>';
} else {
_("loginbtn").style.display = "none";
_("status_l").innerHTML = '<img src="images/wait.gif"/>';
var ajax = ajaxObj("POST", "login.php");
ajax.onreadystatechange = function() {
if(ajaxReturn(ajax) == true) {
if (ajax.responseText.trim() == "nouser"){
_("status_l").innerHTML = '<div class="message_b"><img src="images/error.gif"/> Wrong username</div>';
_("loginbtn").style.display = "block";
} else if (ajax.responseText.trim() == "noactiv"){
_("status_l").innerHTML = '<div class="message_b"><img src="images/error.gif"/> Your account is no active</div>';
_("loginbtn").style.display = "block";
} else if (ajax.responseText.trim() == "loginfailed"){
_("status_l").innerHTML = '<div class="message_b"><img src="images/error.gif"/> Login unsuccessful, please try again</div>';
_("loginbtn").style.display = "block";
} else {
window.location = "profile.php?u="+ajax.responseText;
}
}
}
ajax.send("e_l="+e_l+"&p_l="+p_l);
}
}