I have a login system with AJAX and PHP, but after a successful login my profile page still throws me out to the main page.

PHP code

    if($_POST)
    {
        $user_name = strip_tags($_POST['user_name']);
        $password  = ($_POST['password']);

        $user_name = mysqli_real_escape_string($conn, $user_name);
        $password  = mysqli_real_escape_string($conn, $password);
        $password  = md5($password);

        $lselect_sql   = "SELECT * FROM users WHERE user_name='{$user_name}'";
        $lselect_query = mysqli_query($conn, $lselect_sql);
        $lrow          = mysqli_fetch_assoc($lselect_query);

        if($lrow['password'] == $password){
            $_SESSION['user'] = $lrow['id'];
            echo "true";
            exit();
        }
        else
        {
            echo 'invalid credentials';
        }
    }

AJAX code

            $.ajax({
                type    : 'POST',
                url     : 'login/login-fn.php',
                data    : $('#login-form').serialize(),
                success : function(data)
                {
                    if(data == 'true') {
                        window.location = "/projectif/profile/home.php";
                    } else {
                        $("#login-result").html(data);
                    }
                }
            });
            return false;
        }
        else
        {
            $("#login-result").html('');
        }
    });

Profile page code

    ob_start();
    session_start();
    require_once '../components/connectdb.php';

    // if session is not set this will redirect to login page
    if( !isset($_SESSION['user']) ) {
        header("Location: ../index.php");
        exit;
    }
    // select loggedin users detail
    $res     = mysql_query("SELECT * FROM users WHERE id=".$_SESSION['user']);
    $userRow = mysql_fetch_array($res);

I think it's all right but don't know why this is happening.

  • Your code is vulnerable to [**SQL injection**](https://en.wikipedia.org/wiki/SQL_injection) attacks. You should use prepared statements with bound parameters, via either the [**mysqli**](https://secure.php.net/manual/en/mysqli.prepare.php) or [**PDO**](https://secure.php.net/manual/en/pdo.prepared-statements.php) drivers. [**This post**](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) has some good examples. – Alex Howansky Jun 23 '17 at 21:04
  • MD5 is considered broken for security purposes and is not sufficient for password hashing. Use [`password_hash()`](http://us3.php.net/manual/en/function.password-hash.php) and [`password_verify()`](http://us3.php.net/manual/en/function.password-verify.php) instead. If you're using a version of PHP prior to 5.5, you can use [this compatibility pack](https://github.com/ircmaxell/password_compat). – Alex Howansky Jun 23 '17 at 21:04
  • You're mixing `mysql_*` and `mysqli_*` functions. Don't use the `mysql_*` functions. They have been deprecated since v5.5 (Jun 2013) and removed since v7.0 (Dec 2015). Instead use the [**mysqli_***](https://secure.php.net/manual/en/book.mysqli.php) or [**PDO**](https://secure.php.net/manual/en/book.pdo.php) functions with [**prepared statements**](https://secure.php.net/manual/en/pdo.prepare.php) and [**bound parameters**](https://secure.php.net/manual/en/pdostatement.bindparam.php). – Alex Howansky Jun 23 '17 at 21:05
  • For every instance where `$_SESSION['user']` is used in the three pages can you put `var_dump($_SESSION['user']);`? This should let you know where it's going wrong. – Julian Koster Jun 23 '17 at 21:05
  • It ain't that hard. No `session_start();` on the page where the session is created. And `session_start();` should be at the top of the code. – icecub Jun 23 '17 at 21:06
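Putting the comments together, here is a `login-fn.php` that starts the session before setting `$_SESSION['user']`, uses a mysqli prepared statement, and checks the password with `password_verify()`. This is an added example, not the asker's code or an answer from this page; it assumes `connectdb.php` defines a mysqli handle `$conn`, that the `users.password` column holds a `password_hash()` string, and it uses the PHP manual's documented bcrypt hash of "rasmuslerdorf" as a placeholder.

```php
<?php
// login-fn.php (added example). Assumes connectdb.php defines a mysqli
// handle $conn, and that users.password is a VARCHAR(255) written at signup
// with password_hash($plain, PASSWORD_DEFAULT) instead of md5().

// 1. session_start() must run in the script that SETS $_SESSION, before any
//    output. Without it the assignment below is never saved, so home.php sees
//    no 'user' key and redirects to index.php.
session_start();
require_once '../components/connectdb.php';

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit;
}

$user_name = (string) ($_POST['user_name'] ?? '');
$password  = (string) ($_POST['password'] ?? '');

// 2. Prepared statement: the user name travels as a bound parameter and can
//    never alter the SQL text, so strip_tags/real_escape_string are not needed.
$stmt = $conn->prepare('SELECT id, password FROM users WHERE user_name = ?');
$stmt->bind_param('s', $user_name);
$stmt->execute();
$stmt->bind_result($id, $stored_hash);
$found = (bool) $stmt->fetch();
$stmt->close();

// 3. password_verify() instead of comparing md5() strings. When the user does
//    not exist we still verify against a fixed, well-formed bcrypt hash (the
//    hash of "rasmuslerdorf" from the PHP manual) so that the response time
//    does not reveal which user names exist.
$placeholder = '$2y$10$92IXUNpkjO0rOQ5byMi.Ye4oKoEa3Ro9llC/.og/at2.uheWG/igi';
$verified = password_verify($password, $found ? $stored_hash : $placeholder);

if (!$found || !$verified) {
    echo 'invalid credentials';   // same message for unknown user and wrong password
    exit;
}

session_regenerate_id(true);      // new session id after authentication
$_SESSION['user'] = (int) $id;
echo 'true';                      // the AJAX success handler compares against 'true'
exit;
```

The profile page already calls `session_start()` first, so with this handler `$_SESSION['user']` survives the redirect; its `mysql_query()` lookup should get the same prepared-statement treatment with `bind_param('i', $_SESSION['user'])`.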

0 Answers