I am going from vulnerable SQL codes into secure one, and I am trying to update my login to this:
if(isset($_POST['login'])){
$username = $_POST['username'];
$password = $_POST['password'];
if($username != '' && $password!=''){
session_start();
$sql = "SELECT * FROM login WHERE username=? and password =?";
$stmt = $con->prepare($sql);
$stmt=bind_param("ss", $username, $password);
$stmt->execute();
$stmt->store_result();
$num->$stmt->num_rows;
$stmt->close();
if($num>0){
$_SESSION["username"] = $username;
header("Location:homepage.php");
die();
} else {
$message = "Invalid Username or Password!";
}
}
}
When I am launching my login page I got this message:
This webpage has a redirect loop Any help is appreciated.
EDIT homepage code:
<?php
require_once ('/include/global.php');
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Clinic Form</title>
<link href="css/1140.css" rel="stylesheet" type="text/css" />
<link href="css/style.css" rel="stylesheet" type="text/css" />
<link href="http://fonts.googleapis.com/css?family=Source+Sans+Pro:300" rel="stylesheet" type="text/css" />
</head>
<body>
<div class="container12">
<header>
<div class="row" align="center">
<div class="column12"> <a href="homepage.php"><img src="images/logo.png"/></a> </div>
</div>
<div class="row" align="center">
<div class="row" align="center"><a href="logout.php">Logout</a></div>
</div>
</header>
<h1 id="home" align="center"> </h1>
<div class="alert"></div>
<div class="column12" align="center">
<div class="row"><a href="patients.php">
<input type="image" value="Patient" src="images/patient.png" width="widthInPixels" height="heightInPixels" onmouseover="this.src='images/patient_roll.png';" onmouseout="this.src='images/patient.png';">
</a> </div>
<div class="row"><a href="/clinic form/appoint/appoint.php">
<input type="image" value="Appointments" src="images/appointments.png" width="widthInPixels" height="heightInPixels" onmouseover="this.src='images/appointments_roll.png';" onmouseout="this.src='images/appointments.png';">
</a> </div>
<div class="row"><a href="/clinic form/med/med.php">
<input type="image" value="Medicaments" src="images/med.png" width="widthInPixels" height="heightInPixels" onmouseover="this.src='images/med_roll.png';" onmouseout="this.src='images/med.png';">
</a> </div>
<div class="row"><a href="">
<input type="image" value="Statistics" src="images/stat.png" width="widthInPixels" height="heightInPixels" onmouseover="this.src='images/stat_roll.png';" onmouseout="this.src='images/stat.png';">
</a> </div>
</div>
</div>
</body>
</html>
EDIT 2
global.php file:
<?php
session_start();
$host="localhost"; // Host name
$username=""; // Mysql username
$password=""; // Mysql password
$db_name=""; // Database name
$tbl_name=""; // Table name
//if(!session_is_registered(myusername)){
//header("location:index.html");
if(isset($_SESSION['username'])) {
echo "Page seen only by " . $_SESSION['username']."<br>";
$con=mysqli_connect($host,$username,$password,$db_name);
}
else{
session_destroy();
header("location:index.php");
}
?>
EDIT 3
The entire index.php code:
<?php
require_once('/include/global.php');
/*if(isset($_POST['login'])){
if($_POST['username'] != '' && $_POST['password']!=''){
if(!isset($_SESSION))
{
session_start();
session_register('username');
}
$result = mysql_query("SELECT * FROM login WHERE username='" . $_POST["username"] . "' and password = '". $_POST["password"]."'");
$row = mysql_fetch_array($result);
if(is_array($row)) {
$_SESSION["username"] = $row[$_POST["username"]];
$_SESSION['username'] = $_POST["username"];
header("Location:homepage.php");
} else {
$message = "Invalid Username or Password!";
}
}else{
$error_msg="Please fill all the fields";
}
}*/
if(isset($_POST['login'])){
$username = $_POST['username'];
$password = $_POST['password'];
if($username != '' && $password!=''){
session_start();
$sql = "SELECT * FROM login WHERE username=? and password =?";
$stmt = $con->prepare($sql);
$stmt=bind_param("ss", $username, $password);
$stmt->execute();
$stmt->store_result();
$num->$stmt->num_rows;
$stmt->close();
if($num>0){
$_SESSION['username'] = $username;
header("Location: homepage.php") ; die();
} else {
$message = "Invalid Username or Password!";
}
}
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Clinic Form</title>
<link href="css/1140.css" rel="stylesheet" type="text/css" />
<link href="css/style.css" rel="stylesheet" type="text/css" />
<link href="http://fonts.googleapis.com/css?family=Source+Sans+Pro:300" rel="stylesheet" type="text/css" />
</head>
<body>
<div class="container12">
<header>
<div class="row" align="center">
<div class="column12"> <a href="index.php"><img src="images/logo.png"/></a> </div>
</div>
</header>
<h1 id="home" align="center">Login</h1>
<form action="" method="POST">
<?php if(isset($message)) echo "<script type='text/javascript'>alert('$message');</script>" ?>
<div class="alert">
<?php if(isset($error_msg)) echo "<script type='text/javascript'>alert('$error_msg');</script>" ?>
</div>
<div class="column12" align="center">
<div class="row">
<input type="text" class="large-fld" name="username" value="" placeholder="Username" />
</div>
<div class="row">
<input type="password" class="large-fld" name="password" value="" placeholder="*****" />
</div>
<div class="row">
<input type="image" name="login" value="Login" src="images/btn.png" width="widthInPixels" height="heightInPixels" onMouseOver="this.src='images/rollOverBtn.png';" onMouseOut="this.src='images/btn.png';">
</div>
</div>
</form>
</div>
</body>
</html>