Can't proceed to home page after login

delapazh

New Member
Hi, can I ask for some help? I already uploaded my site, but my page is stuck at login.

Here is my DB connection code:

<?php
$lochost="localhost";
$username="root";
$password="";
$database="dbdelapaz";


mysql_connect($lochost,$username,$password);
@mysql_select_db($database) or die( "Unable to select database");
?>

Here is my login code:
<?php
error_reporting(0);
session_start();
include("../include/dbConn.inc");

$userid = $_POST['txtUserID'];
$password2 = $_POST['txtPass'];

// AND binds tighter than OR, so the role test must be parenthesised; without the
// parentheses every PRINCIPAL row matches regardless of user ID and password,
// $num is then greater than 1 and the login below never succeeds.
$sql = "SELECT * FROM tbluser WHERE UserID = '".$userid."' AND Password = '".$password2."' AND (UserLevel='Administrator' OR UserLevel='PRINCIPAL')";
$result=mysql_query($sql);
$num=mysql_num_rows($result);

$i1=0;

while ($i1 < $num)
{
$lname=mysql_result($result,$i1,"LastName");
$fname=mysql_result($result,$i1,"FirstName");
$mname=mysql_result($result,$i1,"MiddleName");
$picpath=mysql_result($result,$i1,"PicPath");
$i1++;
}

if($num == 1)
{
$_SESSION['authFac'] = 1;
$_SESSION['userid'] = $userid;
$_SESSION['uname'] = $fname." ".$lname;
$_SESSION['picpath1'] = $picpath;
header("Location: home.php");
exit; // stop here so nothing after the redirect header is executed
}
else
{
header("Location: invalid.html");
exit;
}
?>



Can you help me figure this out? Thanks...
 

descalzo

Grim Squeaker
Community Support
Try using:

header("Location: http://yoursitenamehere.com/home.php");

with, of course, your actual site name, i.e. use a complete URI.
 

misson

Community Paragon
Community Support
Please use [php], [html] or [code] tags (as appropriate) to separate and format code.

"stuck at login" is a woefully inadequate description; it's about as bad as "doesn't work". Follow the advice in my sig.

The sample code is vulnerable to [url=http://unixwiz.net/techtips/sql-injection.html]SQL injection[/url], which is a very serious [url=http://bobby-tables.com/]security risk[/url]. To fix this hole, switch from the outdated [URL="http://x10hosting.com/forums/programming-help/162529-php-begin-deprecation-ext-mysql-start-moving-your-development-pdo-now.html"]mysql extension[/URL] to [URL=http://php.net/PDO]PDO[/URL] and use [URL=http://www.php.net/PDO.prepared-statements]prepared statements[/URL]. If you need a PDO tutorial, try "[URL=http://www.kitebird.com/articles/php-pdo.html]Writing MySQL Scripts with PHP and PDO[/URL]". The site you save may just be your own.

Never store plaintext passwords. If someone cracks the server, they have all your users' passwords. Since most people use the same password with every account they have, you've just compromised other sites. At a minimum, [url=http://us.php.net/manual/en/ref.hash.php]hash[/url] a random value + the password (in that order; don't put the password first) using whirlpool or sha512 (though using [URL="http://en.wikipedia.org/wiki/PBKDF2"]PBKDF2[/URL] with a merely decent hash function would be stronger); store both the hashed password and the random value. Since you're using the random value for just one thing, it's also called a "nonce". A random value added to a value that you hash is called "salt". Salt doesn't have to be kept secret. When a user attempts to log in, hash the purported password before comparing to the stored hashed password. Read "[url=http://chargen.matasano.com/chargen/2007/9/7/enough-with-the-rainbow-tables-what-you-need-to-know-about-s.html]Enough With The Rainbow Tables: What You Need To Know About Secure Password Schemes[/url]" for an introduction to the issues and "[url=http://phpsec.org/articles/2005/password-hashing.html]Password Hashing[/url]" for info on implementing a password storage scheme. See also "[url=http://x10hosting.com/forums/programming-help/177621-problem-encrypting-passwords.html#post880241]Problem with encrypting passwords.[/url]"

[URL=http://www.phpfreaks.com/blog/or-die-must-die]Don't use [c]die[/c][/URL] when outputting HTML. You'll get invalid HTML. At least you're not outputting database error messages to non-admin users.

[URL="http://stackoverflow.com/questions/321299/"]Don't use [FONT="Courier New"]SELECT *[/FONT][/URL] unless you're writing a DB administration program; select only the columns you need.

For the syntax of the "Location" header, read the [URL="http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.30"]HTTP spec[/URL] and the [URL="http://en.wikipedia.org/wiki/HTTP_location"]Wikipedia article[/URL]. While you're at it, read the [URL="http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.3"]spec[/URL] and [URL="http://en.wikipedia.org/wiki/URL_redirection#HTTP_status_codes_3xx"]Wikipedia articles[/URL] on the 3XX HTTP responses.

User IDs should be unique; more than that, they should be the primary key for the users table. This should be enforced by the database itself. As a consequence, your query should return at most one result. You should use an "if" statement, not a while loop, to fetch the result, as this more clearly indicates the intent.

Prefixing tables with "tbl" is redundant; it adds no information. "txt" on user input fields similarly looks to be redundant, especially given PHP's type juggling.

[php]try {
    $userQuery = $db->prepare('SELECT LastName, FirstName, PicPath, salt, password FROM users WHERE id=:id');
    $userQuery->execute(array(':id' => $_POST['userID']));
    if (($userData = $userQuery->fetch())) {
        $password = hash_password($userData['salt'], $_POST['password']);
        if ($password === $userData['password']) {
            # login successful
            ...
        } else {
            # password doesn't match
            ...
        }
    } else {
        # no such user
        ...
    }
} catch (PDOException $exc) {
    # log error, inform user
    ...
}[/php]
Even this (as the sig says) isn't what should appear in production code, as it mixes concerns (database access, authentication logic). Each should be handled by separate modules.

All of these points have come up before on this forum; browse for more information.
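As an added example, not code from the original thread or from any of the posters, here is the login check rewritten along the lines of the advice in this thread: PDO with a prepared statement instead of string concatenation, PBKDF2-SHA512 over a per-user random salt plus the password instead of a plaintext column, a constant-time comparison, an `if` rather than a loop because the user ID is the primary key, and a redirect that sends an absolute URI and then exits. Assumptions, none of which come from the original posts: PHP 7.1 or later with the PDO SQLite driver (an in-memory SQLite database stands in for MySQL so the script runs offline), a table named `users` with the columns shown, and constructed sample accounts and inputs. The `vulnerable_count` function reproduces the thread's concatenation pattern only to show what the classic `' OR '1'='1` string does to it.

```php
<?php
// Added example, not the original poster's code. Assumptions (not from the thread):
// PHP 7.1+, PDO with the SQLite driver (in-memory SQLite stands in for MySQL),
// a `users` table with the columns below, and constructed sample data.

const PBKDF2_ITERATIONS = 100000;

// 16 random bytes, hex-encoded so the salt fits a plain text column.
function make_salt(): string
{
    return bin2hex(random_bytes(16));
}

// PBKDF2-SHA512 over the password with the per-user salt. The salt is stored
// beside the hash and need not be secret; the iteration count slows guessing.
function hash_password(string $salt, string $password): string
{
    return hash_pbkdf2('sha512', $password, $salt, PBKDF2_ITERATIONS, 128);
}

function create_user(PDO $db, string $id, string $password, string $first, string $last): void
{
    $salt = make_salt();
    $stmt = $db->prepare('INSERT INTO users (id, salt, password, FirstName, LastName, PicPath)
                          VALUES (:id, :salt, :pw, :first, :last, :pic)');
    $stmt->execute([
        ':id' => $id, ':salt' => $salt, ':pw' => hash_password($salt, $password),
        ':first' => $first, ':last' => $last, ':pic' => 'default.png',
    ]);
}

// Returns display data for the session on success, null for an unknown user or a
// wrong password. The bound parameter keeps the ID out of the SQL text, so quotes
// in it cannot alter the query; hash_equals compares in constant time.
function authenticate(PDO $db, string $id, string $password): ?array
{
    $stmt = $db->prepare('SELECT LastName, FirstName, PicPath, salt, password
                          FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);  // at most one row: id is the primary key
    if ($row === false) {
        return null;                         // no such user
    }
    if (!hash_equals($row['password'], hash_password($row['salt'], $password))) {
        return null;                         // password does not match
    }
    return ['uname' => $row['FirstName'] . ' ' . $row['LastName'], 'picpath' => $row['PicPath']];
}

// The thread's concatenation pattern, kept only to show what an injected ID does.
function vulnerable_count(PDO $db, string $id, string $password): int
{
    $sql = "SELECT COUNT(*) FROM users WHERE id = '" . $id . "' AND password = '" . $password . "'";
    return (int) $db->query($sql)->fetchColumn();
}

// Absolute URI in the Location header, an explicit 303 status, and exit so nothing
// after the redirect runs. Not called below because this script runs from the CLI.
function redirect_after_login(string $baseUrl): void
{
    header('Location: ' . $baseUrl . '/home.php', true, 303);
    exit;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id TEXT PRIMARY KEY, salt TEXT NOT NULL, password TEXT NOT NULL,
                               FirstName TEXT, LastName TEXT, PicPath TEXT)');
create_user($db, 'principal', 'correct horse battery staple', 'Ada', 'Lovelace');

// Constructed inputs: a valid login, a wrong password, and a classic injection string.
$attack = "' OR '1'='1";
var_dump(authenticate($db, 'principal', 'correct horse battery staple'));
var_dump(authenticate($db, 'principal', 'wrong password'));
var_dump(vulnerable_count($db, $attack, $attack));   // concatenated query matches every row
var_dump(authenticate($db, $attack, $attack));        // prepared statement looks up a literal ID
```

Run it with `php login_example.php` (file name is arbitrary). The concatenated query in `vulnerable_count` turns the injected string into `WHERE id = '' OR '1'='1' AND password = '' OR '1'='1'`, which is true for every row, while `authenticate` hands the same string to the driver as a value and finds no such user. Swapping the in-memory SQLite DSN for a MySQL one changes nothing else in the code.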
 