wordpress/ shortcode/ PHP duplicating code

[lflynnlrf]

Hello- I have this custom code for a login for our WordPress site and there is a short code calling in on the page; a few days ago I noticed the code was duplicating on the page, not sure why. result of page attached. Thank you for your help.

ob_start();
function member_login_form() {
	global $wpdb;

	
if(isset($_POST['btn_login'])){
	$userEmail = $_POST['user_email'];
	$userPass = $_POST['user_pass'];
	
	
	//matching with the new record
	$resultNew = $wpdb->get_results( "SELECT * FROM  `wp_custom_members` WHERE  `user_ID` =  '$userEmail' AND `password` =  '$userPass'");
	
	if($resultNew){
		//start a session if not started yet
// 		if (session_status() == PHP_SESSION_NONE) {
// 				session_start();
// 		}
		// 	start a session...	code added 27-sep-2021 by galib
		foreach($resultNew as $userData){
			$compName = $userData->company_name;
			$compType = $userData->company_type;
			$accessLvl = $userData->access_level;
			$accessCode = $userData->access_code;
			$newUserId = $userData->user_ID;
			$newPass = $userData->password;
			$compId = $userData->company_id;
			$firstName = $userData->first_name;
			$lastName = $userData->last_name;
			
			if($accessLvl == 'E'){
				$levelTxt = 'Employee';
				
				if (session_status() == PHP_SESSION_NONE) {
					session_start();
				}
				
				$_SESSION["authKey"] = $newUserId;
				$_SESSION["authLevel"] = $accessLvl;
				$_SESSION["comp_name"] = $compName;
				$_SESSION["comp_type"] = $compType;
				$_SESSION["comp_id"] = $compId;
				$_SESSION["first_name"] = $firstName;
				$_SESSION["last_name"] = $lastName;
				$_SESSION["acc_code"] = $accessCode;
				
				
				header('Location: /welcome-employees?aid='.$accessCode); //changed
				exit();
			}
			else if($accessLvl == 'S' && $compType == 'M'){
				$levelTxt = 'Stock Holder';
				
				if (session_status() == PHP_SESSION_NONE) {
					session_start();
				}
				
				$_SESSION["authKey"] = $newUserId;
				$_SESSION["authLevel"] = $accessLvl;
				$_SESSION["comp_name"] = $compName;
				$_SESSION["comp_type"] = $compType;
				$_SESSION["comp_id"] = $compId;
				$_SESSION["first_name"] = $firstName;
				$_SESSION["last_name"] = $lastName;
				$_SESSION["acc_code"] = $accessCode;
				
				header('Location: /members-shareholders?aid='.$accessCode);
				exit();
			}
			else if($accessLvl == 'G' && $compType == 'M' ){
				$levelTxt = 'Generic';
				
				if (session_status() == PHP_SESSION_NONE) {
					session_start();
				}
				
				$_SESSION["authKey"] = $newUserId;
				$_SESSION["authLevel"] = $accessLvl;
				$_SESSION["comp_name"] = $compName;
				$_SESSION["comp_type"] = $compType;
				$_SESSION["comp_id"] = $compId;
				$_SESSION["first_name"] = $firstName;
				$_SESSION["last_name"] = $lastName;
				$_SESSION["acc_code"] = $accessCode;
				
				header('Location: /member-general?aid='.$accessCode); //changed
				exit();
			}
			else if($accessLvl == 'G' && $compType == 'V' ){
				$levelTxt = 'Generic';
				
				if (session_status() == PHP_SESSION_NONE) {
					session_start();
				}
				
				$_SESSION["authKey"] = $newUserId;
				$_SESSION["authLevel"] = $accessLvl;
				$_SESSION["comp_name"] = $compName;
				$_SESSION["comp_type"] = $compType;
				$_SESSION["comp_id"] = $compId;
				$_SESSION["first_name"] = $firstName;
				$_SESSION["last_name"] = $lastName;
				$_SESSION["acc_code"] = $accessCode;
				
				header('Location: /vendor-general?aid='. $accessCode); //changed
				exit();
			}
			else if($accessLvl == 'A' && $compType == 'M'){
				$levelTxt = 'Accounting';
				
				if (session_status() == PHP_SESSION_NONE) {
					session_start();
				}
				
				$_SESSION["authKey"] = $newUserId;
				$_SESSION["authLevel"] = $accessLvl;
				$_SESSION["comp_name"] = $compName;
				$_SESSION["comp_type"] = $compType;
				$_SESSION["comp_id"] = $compId;
				$_SESSION["first_name"] = $firstName;
				$_SESSION["last_name"] = $lastName;
				$_SESSION["acc_code"] = $accessCode;
				
				header('Location: /accounting?aid=' . $accessCode); //changed
				exit();
			}
			else if($accessLvl == 'A' && $compType == 'V'){
				$levelTxt = 'Accounting';
				
				if (session_status() == PHP_SESSION_NONE) {
        			session_start();				
				}
				
				$_SESSION["authKey"] = $newUserId;
				$_SESSION["authLevel"] = $accessLvl;
				$_SESSION["comp_name"] = $compName;
				$_SESSION["comp_type"] = $compType;
				$_SESSION["comp_id"] = $compId;
				$_SESSION["first_name"] = $firstName;
				$_SESSION["last_name"] = $lastName;
				$_SESSION["acc_code"] = $accessCode;
				
				header('Location: /vendor-accounting?aid='.$accessCode); //changed
				//header('Location: /session.php');
				//header('Location: /vendor-accounting-backup-copy');
				exit();
			}
		}
		
	}




	else{
		
		//matching with the old record
		$resultOld = $wpdb->get_results( "SELECT * FROM  `wp_custom_members` WHERE  `old_userid` =  '$userEmail' AND `old_password` =  '$userPass'");
		
		if($resultOld){
			foreach($resultOld as $userData){
				
				$compName = $userData->company_name;
				$accessLvl = $userData->access_level;
				$newUserId = $userData->user_ID;
				$newPass = $userData->password;
				$resid = $userData->ID;
				
			}
			//checking if the user have new id or password
			if(!empty($resid)){
				header('Location: /member-registration/?recid=' . $resid);
				exit();
				
			}
			
		}
		else{
			
			$errorMessage = "Incorrect user name or password!... Please try again.";
			
		}
	}	
}

	
?>



<form action ="" method ="post">

	<div class="form-group">
		<label class="lblTxt" for name="comp_name"> User ID / Email ID <span style="color: red;">*</span></label><br />
		<input type="text" class="regInput" name="user_email" id="comp_name" placeholder="Enter your email or user id" ><br />
	</div>
	
	<div class="form-group">
		<label class="lblTxt" for name="comp_name"> Password <span style="color: red;">*</span></label><br />
		<input type="password" class="regInput" name="user_pass" id="comp_name" placeholder="Enter your password" ><br />
	</div>
	
	<?php if(!empty($errorMessage)){?>
	<div class="form-group">
		<label><span style="color: red;"><?php echo $errorMessage; ?></span></label><br />
	</div>
	<?php } ?>
	
	<div class="form-group">	
		<input class="regBtn" type = "submit" name = "btn_login" id="updateBtn" value = "Log In">
	</div>	
	
	<div class="form-group">
		<label><span><a href="/forgot-password" class="fpass"> Forgot Password? </a></span></label><br />
	</div>

</form>


<style>
	.form-group{
		padding: 20px 20px 20px 0px;
		text-align: center;
	}
	
	.lblTxt{
		float: left;
		padding-left: 20%;
		font-weight: bold;
	}
	
	.regInput{
		width: 60% !important;
	}
	
	.regBtn{
		background-color: #3ba1da !important;
		border: none;
		width: 15%;
		border-radius: 5px !important;
		vertical-align: middle !important;
		height: auto !important;
		font-size: 15px !important;
		cursor: pointer !important;
		box-shadow: none !important;
		text-shadow: none !important;
		font-family: inherit;
		outline: none !important;
		margin: 0 !important;
		opacity: 1 !important;
		-webkit-appearance: none;
	}
	
	.regBtn:hover{
		background-color: #387090;
	}
	
	.fpass{
		color: #bebebe;
	}
	
	.fpass:hover{
		color: #3ba1da !important;
	}
</style>

 <?php


}
//adding short code
add_shortcode('display_login_form', 'member_login_form');



?>

 

[spamjim]

I don't use WP much but embedding PHP in CMS content is always risky. There could be quirks caused by the WYSIWYG editor that mangles the text between edits. Do you have previous versions of this page to compare for recent changes?

https://wordpress.com/support/editors/page-post-revisions/

The following raises a concern:

$userEmail = $_POST['user_email'];
$userPass = $_POST['user_pass'];

//matching with the new record
$resultNew = $wpdb->get_results( "SELECT * FROM  `wp_custom_members` WHERE  `user_ID` =  '$userEmail' AND `password` =  '$userPass'");

This suggests that passwords are not deliciously salted and hashed in the database. You're likely better off setting up user accounts and permissions within the WP system, rather than rolling your own authentication.