Help with my login



Skippy
09-19-2009, 07:09 PM
I'm making a site so that when a user logs in it displays their username.
So on the homepage it'll say Welcome "Username"! When the username logs in.
I'm creating user pages, eg. mysite.com/users/index.php?username=Test
If I go to the URL above but the user's username is Hello, when that user goes to a different page the Welcome bit on the homepage changes to Welcome Test!

Is there any way I'd be able to stop that from happening?

Here's my login script:

<?php
session_start();
require ("connect.php");
if(isset($_SESSION['username'])){
echo "Welcome <b>$username!</b> | <a href=\"account/index.php?username=$username\">Edit Profile</a> | <a href=\"logout.php\">Logout</a>";
}else{
if(!isset($_POST['login'])){
echo "<a href=\"login.php\">Login</a> | <a href=\"register.php\">Register</a>";
}else{
$password = sha1(mysql_real_escape_string($_POST['password']));
$username = mysql_real_escape_string($_POST['username']);

$result = mysql_query("SELECT * FROM users WHERE password = '$password' AND username = '$username'");
$resulty = mysql_fetch_array($result);

if($resulty['status'] == 3){
die('You have been banned.');
}
$num = mysql_num_rows($result);
if($num == 1){
echo "You're now logged in! You can return to the <a href=\"index.php\">homepage</a>!";
$result = mysql_query("SELECT * FROM users WHERE password = '$password' AND username = '$username'");
$UL = mysql_fetch_array($result);
$status = $UL['status'];
$user = $UL['username'];
$id = $UL['id'];

$_SESSION['status'] = $status;
$_SESSION['username'] = $user;
$_SESSION['id'] = $id;
}else{
echo "Not a user or incorrect pass! Please <a href=\"login.php\">login</a> with the correct info!";
}}}
?>

mlseim
09-19-2009, 07:18 PM
mysite.com/users/index.php?username=Test

You don't have to send the username with the URL.
The username is stored in a PHP SESSION variable and it stays
with the person on all pages until he/she closes their browser.

Instead, just do this:
mysite.com/users/index.php

And read the session variable to see the username:


<?php
session_start();
$username="Guest";
if(isset($_SESSION['username'])){
$username=$_SESSION['username'];
}
?>
<html>
.
.
.
Welcome <?=$username?> ! <br />
.
.
... the rest of your site here ...
.
</html>

Skippy
09-19-2009, 07:26 PM
I'm sending the username with the URL because those are the user pages, so if Test goes to another user's page, the session changes to the other user's page that they are viewing and remains when they go to other pages around the site. I'm trying to stop that from happening.

mlseim
09-19-2009, 10:12 PM
The session does not change. Once a user logs in, it's set the whole time
that their browser is in session (until they close their browser).
Your session is not the same as my session.

Once a person logs in, a session variable is set for THEM ONLY.
Example, I log in as:
Username: mlseim
Password: sesame

Now, wherever I go on your website, on every page, you look at the session variable.
At the top of each page you grab the session variable and only display the data that
is associated with "mlseim" ... from your MySQL database.

session_start();
$username="Guest";
if(isset($_SESSION['username'])){
$username=$_SESSION['username'];
}

$username in this case would be "mlseim".

If you were to visit the page without logging in,
$username would be "Guest".

If you logged in as "skippy",
$username would be "skippy".

So, you (your script) know what user is viewing the page.

We can BOTH be logged in at the same time, and we only see OUR data.
You can have 500 people logged-in at the same time, and each person
only sees the data for them ... not anyone else.

You won't have a "unique page" for each user.
You'll have 1 page that displays whatever data it needs to display for
whatever user is logged in.

The codingforums page you are now viewing is the same page (script) that I'm viewing.
In fact, there might be 100 of us viewing the same page right now. But look at the top right corner.
For you it says, "Welcome, Skippy". For me it says, "Welcome, mlseim".

We are all using sessions, but they are uniquely assigned to each of us.

Do you see what I mean?
Are you talking about something that I'm just not getting? If so, sorry.




Skippy
09-19-2009, 10:31 PM
I see what you're saying; however, for my site it's not working like that.

Okay, when the user Hello logs in it displays:

http://wowimages.net/files/ethi0p6s024epdw4mkeo.jpg

When the user visits http://mysite.co.uk/users/index.php?username=Test then visits index.php, it becomes:

http://wowimages.net/files/23i15eruazlbj1z9xaj0.jpg

mlseim
09-20-2009, 01:36 AM
I think I see it now ...
You're not using the session variable ... I added line 5 ...

Try this and see what happens:


<?php
session_start();
require ("connect.php");
if(isset($_SESSION['username'])){
$username=$_SESSION['username'];
echo "Welcome <b>$username!</b> | <a href=\"account/index.php?username=$username\">Edit Profile</a> | <a href=\"logout.php\">Logout</a>";
}else{
if(!isset($_POST['login'])){
echo "<a href=\"login.php\">Login</a> | <a href=\"register.php\">Register</a>";
}else{
$password = sha1(mysql_real_escape_string($_POST['password']));
$username = mysql_real_escape_string($_POST['username']);

$result = mysql_query("SELECT * FROM users WHERE password = '$password' AND username = '$username'");
$resulty = mysql_fetch_array($result);

if($resulty['status'] == 3){
die('You have been banned.');
}
$num = mysql_num_rows($result);
if($num == 1){
echo "You're now logged in! You can return to the <a href=\"index.php\">homepage</a>!";
$result = mysql_query("SELECT * FROM users WHERE password = '$password' AND username = '$username'");
$UL = mysql_fetch_array($result);
$status = $UL['status'];
$user = $UL['username'];
$id = $UL['id'];

$_SESSION['status'] = $status;
$_SESSION['username'] = $user;
$_SESSION['id'] = $id;
}else{
echo "Not a user or incorrect pass! Please <a href=\"login.php\">login</a> with the correct info!";
}}}
?>

Skippy
09-20-2009, 02:54 PM
Thanks. I've tested that; however, the same thing is still happening. :confused:

mlseim
09-20-2009, 05:38 PM
Is the script that we've been using on these posts the one that is actually
showing the problem? Or do you have another script where the "welcome"
problem is occurring?

It seems like the script above is only the login script.
Maybe you have something wrong in a different page (or script).

Skippy
09-20-2009, 09:56 PM
That is the only login script. I suppose something could be wrong on the users page, but I don't see it. :confused:


<?php
session_start();
require ("../connect.php");
require ("../functions.php");
include("../template/userheader.php");
?>
<link rel="stylesheet" type="text/css" href="../template/styles/style.css">
<?php
$username = mysql_real_escape_string($_GET['username']);
$result = mysql_query("SELECT * from users WHERE username='$username'");
while($row = mysql_fetch_array( $result )){
echo "<img id=\"userimage\" align=\"left\" src=\"../images/";
echo $row['image'];
echo "\" width=\"126px\" height=\"168px\">";
echo "<div id=\"username\">";
echo $row['username'];
echo "</div><br/>Name: ";
if(empty($row['name'])){
echo "<i>Private</i>";
}
echo $row['name'];
echo "<br/>Gender: ";
echo $row['gender'];
echo "<br/>Country: ";
if(empty($row['country'])){
echo "<i>Private</i>";
}
echo $row['country'];
echo "<br/>";
if ($row['display'] == 'Yes') {
echo "Date of Birth: <i>Private</i>";}
if ($row['display'] != 'Yes') {
echo "Date of Birth: ";
echo $row['day'];
echo "-";
echo $row['month'];
echo "-";
echo $row['year'];
}
echo "<br/>Website: ";
if(empty($row['website'])){
echo "<i>This user does not have a website.</i>";
}
echo "<a href=\"";
echo $row['website'];
echo "\">";
echo $row['website'];
echo "</a><br/>";
echo "MSN: ";
echo $row['msn'];
if(empty($row['msn'])){
echo "<i>This user does not have msn.</i>";
}
echo "<br/>Yahoo: ";
echo $row['yahoo'];
if(empty($row['yahoo'])){
echo "<i>This user does not have yahoo.</i>";
}
echo "<br/>AIM: ";
echo $row['aim'];
if(empty($row['aim'])){
echo "<i>This user does not have AIM.</i>";
}
echo "<br/><br/><h3>About Me</h3>";
echo $row['aboutme'];
echo "<br/><br/><h3>Beliefs</h3>";
echo $row['beliefs'];
echo "<br/><br/><h3>Interests</h3>";
echo $row['interests'];
echo "<br/><br/><br/><br/><br/><br/><br/>";
}
include("../template/userfooter.php");
?>

mlseim
09-21-2009, 12:39 AM
This is what I was talking about ...

$username = mysql_real_escape_string($_GET['username']);

You should be getting the $username from the SESSION, not from the URL.

if(isset($_SESSION['username'])){
$username=$_SESSION['username'];
}


You don't want anyone to be able to put their username in the URL (see post #1)
YOUR QUOTE "Is there any way I'd be able to stop that from happening?"
ANSWER: yes, you can stop that from happening ... don't look for any usernames in the URL. period.

Once a person logs in, you don't have to use the URL at all for the username,
in fact, you don't want to use the URL with the username in it.
The script already knows their name: $_SESSION['username']; (they already logged-in).

Script with change:


<?php
session_start();
require ("../connect.php");
require ("../functions.php");

if(isset($_SESSION['username'])){
$username=$_SESSION['username'];
}

// If you happen to be looking for the username in the URL inside the "userheader.php" script,
// you'll also have to use the $_SESSION instead of $_GET in that script (which we can't see).
include("../template/userheader.php");
?>
<link rel="stylesheet" type="text/css" href="../template/styles/style.css">
<?php
// $username = mysql_real_escape_string($_GET['username']); ... comment-out this line, not used.
$result = mysql_query("SELECT * from users WHERE username='$username'");
while($row = mysql_fetch_array( $result )){
echo "<img id=\"userimage\" align=\"left\" src=\"../images/";
echo $row['image'];
echo "\" width=\"126px\" height=\"168px\">";
echo "<div id=\"username\">";
echo $row['username'];
echo "</div><br/>Name: ";
if(empty($row['name'])){
echo "<i>Private</i>";
}
echo $row['name'];
echo "<br/>Gender: ";
echo $row['gender'];
echo "<br/>Country: ";
if(empty($row['country'])){
echo "<i>Private</i>";
}
echo $row['country'];
echo "<br/>";
if ($row['display'] == 'Yes') {
echo "Date of Birth: <i>Private</i>";}
if ($row['display'] != 'Yes') {
echo "Date of Birth: ";
echo $row['day'];
echo "-";
echo $row['month'];
echo "-";
echo $row['year'];
}
echo "<br/>Website: ";
if(empty($row['website'])){
echo "<i>This user does not have a website.</i>";
}
echo "<a href=\"";
echo $row['website'];
echo "\">";
echo $row['website'];
echo "</a><br/>";
echo "MSN: ";
echo $row['msn'];
if(empty($row['msn'])){
echo "<i>This user does not have msn.</i>";
}
echo "<br/>Yahoo: ";
echo $row['yahoo'];
if(empty($row['yahoo'])){
echo "<i>This user does not have yahoo.</i>";
}
echo "<br/>AIM: ";
echo $row['aim'];
if(empty($row['aim'])){
echo "<i>This user does not have AIM.</i>";
}
echo "<br/><br/><h3>About Me</h3>";
echo $row['aboutme'];
echo "<br/><br/><h3>Beliefs</h3>";
echo $row['beliefs'];
echo "<br/><br/><h3>Interests</h3>";
echo $row['interests'];
echo "<br/><br/><br/><br/><br/><br/><br/>";
}
include("../template/userfooter.php");
?>

Skippy
09-26-2009, 04:43 PM
Ahhh, thanks. I get it now. That's resolved my issue with the user's account page; however, on the actual user pages, if I don't use
$username = mysql_real_escape_string($_GET['username']);
it'll just return the currently logged-in user's page instead of other people's. So I still get the issue I had before.

mlseim
09-26-2009, 09:31 PM
What does that "actual user pages" script look like,
and why do they need to see "other people's"?
Isn't seeing their own page the whole point of logging in?

kar2905
09-26-2009, 09:55 PM
I think he wants to make a site like a social networking site, where people can view other people's profiles but not edit them, whereas they can view and edit their own profile.

Is this what you want to achieve?

If this is the case, then I suggest using GET for other people's profiles.
Set the GET only when you want to view someone else's profile.

BlackDawn
09-27-2009, 05:28 AM
Take a look at my site: http://bndsns.100webspace.net and look how I can show the Currently Logged in User once they login.

If you go to: http://bndsns.100webspace.net\displaymembers.php and click on one of their names, it will take you to profile.php, where the selected member's information is displayed and it still shows you as the person logged in.

If you like this I can explain everything to you in private.

Skippy
09-27-2009, 03:11 PM
Like kar2905 said, I would like to make it so people can see other people's profiles but not edit them. When I use GET, though, and the user Hello logs in, it displays:
http://wowimages.net/files/ethi0p6s024epdw4mkeo.jpg

When the user visits http://mysite.co.uk/users/index.php?username=Test then visits index.php, it becomes:

http://wowimages.net/files/23i15eruazlbj1z9xaj0.jpg

The user script is the one I posted above.

kar2905
09-29-2009, 07:08 AM
You can use GET only when the GET variable is set in the URL.
At the start, your script is working perfectly fine, as it displays Hello.
But when it goes to the profile of the Test user, it shows Welcome Test because the variable now stores Test.
So whenever you visit index.php without any GET variables in the URL, use only $_SESSION variables.

You can check whether the GET variable is set using
if(isset($_GET['variable name']))

Hope this solves your problem.
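
The pattern the last reply describes, as an added example that is not part of the thread: the logged-in name is read only from the session, the profile to display is read from the URL into a separate variable, and the edit link appears only when the two match. The function names, the in-memory SQLite table (standing in for the site's MySQL users table) and the sample rows are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread; all names and sample rows are constructed.

// Who is logged in: comes ONLY from the session, never from the URL.
function current_viewer(array $session): ?string {
    return isset($session['username']) ? (string)$session['username'] : null;
}

// Whose profile to show: ?username= if present, otherwise the viewer's own.
// Held in its own variable so it can never overwrite the viewer's identity.
function requested_profile(array $get, ?string $viewer): ?string {
    if (isset($get['username']) && is_string($get['username']) && $get['username'] !== '') {
        return $get['username'];
    }
    return $viewer;
}

// Editing is allowed only on your own profile.
function can_edit(?string $viewer, ?string $profileUser): bool {
    return $viewer !== null && $viewer === $profileUser;
}

function render_page(array $session, array $get, PDO $db): string {
    $viewer = current_viewer($session);
    $profileUser = requested_profile($get, $viewer);
    $e = fn($s) => htmlspecialchars((string)$s, ENT_QUOTES, 'UTF-8'); // escape all output
    $html = 'Welcome <b>' . $e($viewer ?? 'Guest') . "!</b>\n";
    // Prepared statement: the URL value is bound, not pasted into the SQL.
    $stmt = $db->prepare('SELECT username, country FROM users WHERE username = ?');
    $stmt->execute([$profileUser]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return $html . "No such user.\n";
    }
    $html .= 'Profile: ' . $e($row['username']) . ' (' . $e($row['country']) . ")\n";
    if (can_edit($viewer, $row['username'])) {
        $html .= "<a href=\"account/index.php\">Edit Profile</a>\n";
    }
    return $html;
}

// Constructed sample data: in-memory SQLite stands in for the MySQL table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (username TEXT, country TEXT)");
$db->exec("INSERT INTO users VALUES ('Hello', 'UK'), ('Test', 'US')");
$session = ['username' => 'Hello'];                       // user Hello is logged in
echo render_page($session, ['username' => 'Test'], $db);  // views Test, no edit link
echo render_page($session, [], $db);                      // own profile, with edit link
```

Both calls print "Welcome Hello!" because the greeting never reads the URL; only the profile lookup does.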


