...

View Full Version : problems with sessions and login fields :(



Armondo
03-10-2007, 12:32 AM
ok the problem is here: http://flashanims.com
press login...put in a random username and password. even though you havent registered or anything it takes you into the getin page and doesn't say anything, so click go to the homepage. now it says your logged in as the username you entered even your not in the database >:(!!!

ok, so my logic: if you successfully get into the getinpage with the little welcome message and all...it will add your $username and $email (which if you are registered...you have to put that in and it takes it from the database) and add it to your session. put the problem i am having is...it isn't secure at all and not to mention it doesn't even add the $email to your session :(! ok, so here is my code:

the login page:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Login :: your flashanims.com passport</title>
<link rel="shortcut icon" href="/favicon.ico" type="image/ico" />
<link href="/scripts/style.css" rel="stylesheet" type="text/css" />
</head>
<body>
<div id="cbmaincontainer">
<div id="commentwrapper">
<div id="cbtitlecolumn">
<span>Login</span>
</div>
<div id="commentcolumn">
<form action="getin.php" method="post">
<table>
<tr>
<td>Username:</td><td><input type="text" name="username" size="25" /></td>
<tr>
<td>Password:</td><td><input type="password" name="password" size="25" /></td>
<tr>
<td><input type="submit" value="submit" name="submit" /></td>
</tr>
</table>
</form>
<br/><br/>
<a href="/index.php" title="go back to the homepage">Back To The Homepage</a>
</div>
</div>
</div>
</body>
</html>


getin:

<?
session_start();
header("Cache-control: private");
$_SESSION["loggedin_user"] = "$username";
$_SESSION["user_email"] = "$email";
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Logged In! :: your flashanims.com passport</title>
<link rel="shortcut icon" href="/favicon.ico" type="image/ico" />
<link href="/scripts/style.css" rel="stylesheet" type="text/css" />
</head>
<body>
<div id="cbmaincontainer">
<div id="commentwrapper">
<div id="cbtitlecolumn">
<span>Logged In</span>
</div>
<div id="commentcolumn">
<br/>
<?
$conn = mysql_connect("****","****","****");
$db = mysql_select_db("****");

$username = $_POST["username"];
$password = $_POST["password"];

$result = MYSQL_QUERY("SELECT * from users WHERE username='$username'and password='$password'")
or die ("Name and password not found or not matched");

$worked = mysql_fetch_array($result);

$username = $worked[username];
$password = $worked[password];
$email = $worked[email];

if($worked) {
echo "Welcome $username! Your e-mail address is $email. You are now logged in. <a href=\"/index.php\">Go To The Homepage</a>";
}
?>
<br/><br/>
<a href="/index.php" title="go back to the homepage">Back To The Homepage</a>
</div>
</div>
</div>
</body>
</html>


and if you need it...register.php:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Register :: your flashanims.com passport</title>
<link rel="shortcut icon" href="/favicon.ico" type="image/ico" />
<link href="/scripts/style.css" rel="stylesheet" type="text/css" />
</head>
<body>
<div id="cbmaincontainer">
<div id="commentwrapper">
<div id="cbtitlecolumn">
<span>Register</span>
</div>
<div id="commentcolumn">
<form action="sendit.php" method="post">
<table border="0" cellspacing="0" cellpadding="0">
<tr>
<td width="149">Username Desired:</td>
<td width="481"><input type="text" name="username" size="25" /></td>
</tr>
<tr>
<td>Password Desired:</td>
<td><input type="password" name="password" size="25" /></td>
</tr>
<tr>
<td>Email:</td>
<td><input type="text" name="email" size="25" /></td>
</tr>
<tr>
<td colspan="2">
By submitting this information and using this website you agree to these terms of service:<br/>
<ul>
<li>You will not use your account to post meaningless and or spam comments or information on this website</li>
<li>You will be respectful and kind to the other users on this website</li>
<li>I reserve the right to delete your account and or anything you contributed or posted</li>
<li>I reserve the right to contact your internet service provider</li>
<li>You will not copy, redistribute, or steal any content found on this website</li>
<li>You will comply to these terms of service or legal action may be taken</li>
</ul>
</td>
</tr>
<tr>
<td>
<input type="submit" value="submit" name="submit" />
</td>
</tr>
</table>
</form>
<br/><br/>
<a href="/index.php" title="go back to the homepage">Back To The Homepage</a>
</div>
</div>
</div>
</body>
</html>


sendit.php:


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Information Submitted</title>
<link rel="shortcut icon" href="/favicon.ico" type="image/ico" />
<link href="/scripts/style.css" rel="stylesheet" type="text/css" />
</head>
<body>
<div id="cbmaincontainer">
<div id="commentwrapper">
<div id="cbtitlecolumn">
<span>Submitted</span>
</div>
<div id="commentcolumn">
<?
//replace username and password with your mysql name and password
$conn = mysql_connect("*","*","*");

//select the database
$db = mysql_select_db("*");

$username = $_POST["username"];
$password = $_POST["password"];
$email = $_POST["email"];

//insert the values
$result= MYSQL_QUERY("INSERT INTO users (id, username, password, email)".
"VALUES ('NULL', '$username', '$password', '$email')");

echo "<span>Your name and password have been submitted into our database! <a href=\"/comboard/login.php\">Click Here To Login</a>";
?>
</div>
</div>
</div>
</body>
</html>



only pay attention to the php really...so...any help...please...i am starting to have thoughts of suicide :)

timgolding
03-10-2007, 12:49 AM
You have to actually test the username and password submitted in the log in form against the SQL then you set a $_SESSION variable to logged in

Armondo
03-10-2007, 01:05 AM
:0....how do i do that? lol i have an idea of how to do that...but i really don't know.

timgolding
03-10-2007, 01:07 AM
Never fear Timmy is here

timgolding
03-10-2007, 01:19 AM
You need to get the username and password infromation that was entered by the user. So in getin.php you need to first get the submitted data from the form. The script that sent the from uses a post method to send the information so we use the $_post (http://uk.php.net/manual/en/reserved.variables.php) variable in php. It is an associative array where the index is the name of the field used in the form and the element of the array is the value entered for that field by the user.

$entered_password=$_POST["password"]
$entered_username=$_POST["username"]

Now we can use these variables to test against the SQL

timgolding
03-10-2007, 01:22 AM
Sorry I just noticed you have done that duh

Armondo
03-10-2007, 01:27 AM
its ok, we all make mistakes :). and i am working on this too, i still can't figure it out. thanks for helping me btw :D!

Inigoesdr
03-10-2007, 01:28 AM
$username = mysql_real_escape_string($_POST["username"]);
$password = mysql_real_escape_string($_POST["password"]);

$result = mysql_result(mysql_query("SELECT COUNT(*) from users WHERE username='$username' and password='$password'") or die ("Name and password not found or not matched"), 0);
if(!empty($result))
{
echo "Welcome $username! Your e-mail address is $email. You are now logged in. <a href=\"/index.php\">Go To The Homepage</a>";
}

You should be doing something more like this ^. Add your session data in the if() switch. You should -not- store any personal information in sessions. Use a hash or something else to reference the user's information in the database.

Armondo
03-10-2007, 01:31 AM
thanks alot i will try it out, but why not? sessions are a way more viable solution than cookies to me. you have any suggestions?

any where is this code supposed to go? my code looks like this now:

<?
session_start();
header("Cache-control: private");
$_SESSION["loggedin_user"] = "$username";
$_SESSION["user_email"] = "$email";
$_SESSION["facelol"] = "$face";
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Logged In! :: your flashanims.com passport</title>
<link rel="shortcut icon" href="/favicon.ico" type="image/ico" />
<link href="/scripts/style.css" rel="stylesheet" type="text/css" />
</head>
<body>
<div id="cbmaincontainer">
<div id="commentwrapper">
<div id="cbtitlecolumn">
<span>Logged In</span>
</div>
<div id="commentcolumn">
<br/>
<?
$conn = mysql_connect("*,"*","*");
$db = mysql_select_db("*");

$username = mysql_real_escape_string($_POST["username"]);
$password = mysql_real_escape_string($_POST["password"]);

$result = mysql_result(mysql_query("SELECT COUNT(*) from users WHERE username='$username' and password='$password'") or die ("Name and password not found or not matched"), 0);
if(!empty($result))
{
echo "Welcome $username! Your e-mail address is $email. You are now logged in. <a href=\"/index.php\">Go To The Homepage</a>";
}
?>
<br/><br/>
<a href="/index.php" title="go back to the homepage">Back To The Homepage</a>
</div>
</div>
</div>
</body>
</html>


Warning: mysql_result(): supplied argument is not a valid MySQL-Link resource in /home/content/A/r/m/Armondo13/html/comboard/getin.php on line 31

Inigoesdr
03-10-2007, 01:48 AM
Oops, remove the or die():


$result = mysql_result(mysql_query("SELECT COUNT(*) FROM `users` WHERE `username`= '$username' and `password` = '$password'"), 0);

If that doesn't work separate the mysql functions and add or die(mysql_error()); after them.

thanks alot i will try it out, but why not? sessions are a way more viable solution than cookies to me. you have any suggestions?
Cookies store the information on the user's computer and can be stolen by other sites or spyware on their computer. Sessions store the data on the server, and use either the URL or a cookie with a unique ID so PHP knows which session file on the server contains that user's settings. The problem is that by default PHP stores session data in the /tmp/ folder which is readable by any user on the server usually. So you should only store a unique hash in the session variable and in a field in the database and just request whatever user information you need on your logged in pages.


$hash = sha1(uniqid(microtime(), 1));

That should generate a random enough hash for you^.

Armondo
03-10-2007, 02:43 AM
thanks, but what is hashing? i have read a bunch of php books and stuff, but i have scarecly heard of it :D. i know it has something to do with security or something. how would i use it? and i will try that fix out right now.

Inigoesdr
03-10-2007, 02:52 AM
The manual has a short explanation along with a sample output: sha1() (http://www.php.net/sha1) and a link to further information about the method that it uses.

Armondo
03-10-2007, 02:57 AM
:(!
Parse error: parse error, unexpected T_IF in /home/content/A/r/m/Armondo13/html/comboard/getin.php on line 29
code around there:

$username = mysql_real_escape_string($_POST["username"]);
$password = mysql_real_escape_string($_POST["password"]);

$result = mysql_result(mysql_query("SELECT COUNT(*) from users WHERE username='$username' and password='$password'"))
if(!empty($result))
{
$_SESSION["loggedin_user"] = "$username";
$_SESSION["user_email"] = "$email";
echo "Welcome $username! Your e-mail address is $email. You are now logged in. <a href=\"/index.php\">Go To The Homepage</a>";
}

i can't figure it out...

Inigoesdr
03-10-2007, 03:14 AM
You're missing the colon(and 0) at the end of this line:

$result = mysql_result(mysql_query("SELECT COUNT(*) from users WHERE username='$username' and password='$password'"), 0);

Armondo
03-10-2007, 04:00 AM
grr stupid mistake, and this doesn't solve my problem because what i need is to have it to where they login with thier username and password and then it fetches thier username and email...not, they enter a user name and password and regardless of if it complies with the database's stored info, it still logs them in with the username they entered at the form and no email address is added to the session. i am getting pretty frustrated, it just overrides whatever is in the database and uses whatever they put in! and it wont even say "your email address is soandso@gmail.com" it just says "your email address is !" and i know why, because i dont define that varibale, but i can't because i don't know what is up anymore in this script. here is my code lol:

$username = mysql_real_escape_string($_POST["username"]);
$password = mysql_real_escape_string($_POST["password"]);

$result = mysql_result(mysql_query("SELECT COUNT(*) from users WHERE username='$username' and password='$password'"), 0);
if(!empty($result))
{
echo "Welcome $username! Your e-mail address is $email. You are now logged in. <a href=\"/index.php\">Go To The Homepage</a>";
}
?>

Inigoesdr
03-10-2007, 07:11 AM
This is just an example, you need to adapt it for your code:

$user = mysql_fetch_assoc(mysql_query("SELECT `id`,`email` FROM `users` WHERE `username` = '$username' AND `password` = '$password'"));
if(!empty($user))
{
$_SESSION['hash'] = sha1(uniqid(microtime(), 1));
$result = mysql_query('UPDATE `users` SET `hash` = \'' . $_SESSION['hash'] . '\' WHERE `id` = \'' . $user['id'] . '\'');
echo "Welcome $username! Your e-mail address is $email. You are now logged in. <a href=\"/index.php\">Go To The Homepage</a>";
}
Then on the next page you can use something like this:

session_start();
if(!empty($_SESSION['hash']))
{
$user = mysql_fetch_assoc(mysql_query('SELECT `username`,`email` FROM `users` WHERE `hash` = \'' . $_SESSION['hash'] . '\''));
}
else
{
header('Location: login.php');
}

Armondo
03-10-2007, 10:20 PM
that still doesn't grab the email from the database, but i will try it out regardless. thanks!

Armondo
03-11-2007, 01:41 AM
it doesn't work at all. i have no idea what you want me to do. where do i put it? am i supposed to connect to mysql? wtf? help...somebody...i am so lost. thanks for the code but i have no idea what to do with it.

my code-
getin.php:

<?
session_start();
header("Cache-control: private");
$_SESSION["loggedin_user"] = "$username";
$_SESSION["user_email"] = "$email";
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Logged In! :: your flashanims.com passport</title>
<link rel="shortcut icon" href="/favicon.ico" type="image/ico" />
<link href="/scripts/style.css" rel="stylesheet" type="text/css" />
</head>
<body>
<div id="cbmaincontainer">
<div id="commentwrapper">
<div id="cbtitlecolumn">
<span>Logged In</span>
</div>
<div id="commentcolumn">
<br/>
<?
$conn = mysql_connect("*","*","*");
$db = mysql_select_db("flashanims_db");

$username = mysql_real_escape_string($_POST["username"]);
$password = mysql_real_escape_string($_POST["password"]);

$user = mysql_fetch_assoc(mysql_query("SELECT `id`,`email` FROM `users` WHERE `username` = '$username' AND `password` = '$password'"));
if(!empty($user))
{
$_SESSION['hash'] = sha1(uniqid(microtime(), 1));
$result = mysql_query('UPDATE `users` SET `hash` = \'' . $_SESSION['hash'] . '\' WHERE `id` = \'' . $user['id'] . '\'');
echo "Welcome $username! Your e-mail address is $email. You are now logged in. <a href=\"/index.php\">Go To The Homepage</a>";
}

if(!empty($result))
{
echo "Welcome $username! Your e-mail address is $email. You are now logged in. <a href=\"/index.php\">Go To The Homepage</a>";
}
?>
<br/><br/>
<a href="/index.php" title="go back to the homepage">Back To The Homepage</a>
</div>
</div>
</div>
</body>
</html>


index session thing at the very top of the page:

<?
session_start();
header("Cache-control: private");
?>

Armondo
03-12-2007, 03:19 AM
bump?



EZ Archive Ads Plugin for vBulletin Copyright 2006 Computer Help Forum