correct username and password doesn't have any effect PHP

Question

I have some problem in php. Here is my code:

if (isset($_POST['submit'])) { // Form has been submitte
echo "Submitted";
$username = trim($_POST['username']);
$password = trim($_POST['password']);

// Check database to see if username/password exist.
$found_user = User::authenticate($username, $password);


if ($found_user) {

$session->login($found_user);

redirect_to("index.php");
} 

} else { // Form has not been submitted.
$username = "";
$password = "";
}

?>
<html>
<head>
<title>Photo Gallery</title>
<link href="../stylesheets/main.css" media="all" rel="stylesheet" type="text/css" />
</head>
<body>
<div id="header">
  <h1>Photo Gallery</h1>
</div>
<div id="main">
    <h2>Staff Login</h2>


    <form action="login.php" method="post">
      <table style="float: left;">
        <tr>
          <td>Username:</td>
          <td>
            <input type="text" name="username" maxlength="30" value="
<?php echo htmlentities($username); ?>" />
          </td>
        </tr>
        <tr>
          <td>Password:</td>
          <td>
            <input type="password" name="password" maxlength="30" value="
<?php echo htmlentities($password); ?>" />
          </td>
        </tr>
        <tr>
          <td colspan="2">
            <input type="submit" name="submit" value="Login" />
          </td>
        </tr>
      </table>
    </form>

</div>
<div id="footer">Copyright <?php echo date("Y", time()); ?>, Gio baramidze</div>
</body>
</html>

My problem is that when i try to log in with incorrect user everything works fine and message "submitted" comes on the screen. But when i write correct username and password and click "Log in" it doesn't even show me the message ("submitted"). It means that "if (isset($_POST['submit']))" this condition isn't true. Despite the fact that I've clicked Submit. Thanks.

Answer 1

My guess is above code is index.php. When a user is found it redirects to the same page (quickly) and thus no $_POST is set since it is reloaded.

if ($found_user) {

$session->login($found_user);

redirect_to("index.php"); //If user found redirect without $_POST information.
} 

You should make use of the $_SESSION array. This is a server side array, you can fill it with a user ID once a user logs in. On every page where you need to check a login you should include a script that checks for the this ID. You can also use this to store a users name or other stuff you need frequent access to:

$_SESSION['USER_ID'] = //Some ID
$_SESSION['USERNAME'] = $username

To make $_SESSION work you need something like this:

<?php
session_start();
//other code...
if ($found_user) {

    $session->login($found_user);
    //give the user an ID
    $_SESSION['USER_ID'] = //some id, usually fetched from a database
    //Let's give a name too
    $_SESSION['USERNAME'] = $username;   
    //Now redirect
    redirect_to("index.php"); //If user found redirect without $_POST information.
    } 
    //Other code...
?>

Now from index.php we start again with session_start(); and we can use php to retrieve his ID and name. Put this on top and you see that $_SESSION gets carried over to other pages on the server.

<?php
session_start();
echo $_SESSION['USER_ID'];
echo $_SESSION['USERNAME'];
//or something nicer
if (isset($_SESSION['USER_ID']))
{
    echo "User ".$_SESSION['USERNAME']." has logged in and has user id [".$_SESSION['USER_ID']."].";
}
else
{
    echo "Not logged on."
}
?>

For testing purpose you can store the above code in whatever.php and redirect to whatever.php inside your login.php. It should pass the if statement if a user is found on login.php and thus show the username and ID.

Answer 2

You might change isset($_POST['submit']) by

if(isset($_POST['username']) && isset($_POST['password'])){
        //do your stuff here
}