Login System



martynball
01-21-2010, 08:10 PM
First of all the session ID value is checked, and exploded into two sections. These two parts are then checked with the database to see if they match.

If they do not match then the next if statement is run, which waits until the form fields are valid. Once valid the rest of the code (PROTECTED HTML) should be displayed. At the moment no code is being loaded once login fields are valid.

The problem I am having is with closing the if statements and where to put the "else" statements. What do I do? :(



<?php
// Connect to the database server
$dbCon = mysql_connect('localhost', 'HOSTNAME', 'PASSWORD');
// Select the database
$tbCon = mysql_select_db('DATABASENAME');

// Get data from table
$result = mysql_query("SELECT * from TABLENAME");
while ($row = mysql_fetch_array($result))
{
$uname=$row["username"];
$pass=$row['password'];
$rid=$row['rid'];
}
?>



<?php
session_start();
//Get database data and pull in
include "scripts/php/getData.php";

//Check if session exists
$session = $_SESSION['session'];
$session = explode (".", $session);

//Restart session
if (isset($_POST['logout'])) {
$_SESSION['session'] = "ANONYMOUS";
}
//Detect session
if ($session[1] != $rid && $session[0] != $uname ) {
//Check value of text field
if ($_POST['txtUsername'] != $uname || $_POST['txtPassword'] != $pass) { ?>

*LOGIN FORM*

<?php
}
}
else {
$_SESSION['session'] = $uname.".".$rid;
?>

*PROTECTED HTML*

<?php
}
?>

mlseim
01-21-2010, 09:42 PM
You have three things ...
$rid
$uname
$pass

It's confusing that you check for $rid in one spot, and $uname in another?
What do you really want to check?

martynball
01-21-2010, 09:50 PM
Added the getData.php code which might help.

$rid is a unique ID which will be used with the username to verify if the session is not tampered with, although it really can't, the cookie which I will add will do the same thing though.

mlseim
01-21-2010, 09:55 PM
Without testing anything ... this is what I came up with ....

Your log-out has to either leave the page or re-call the page.
You have to do 1 refresh to write the header. You can't change
the session variable and check it in the same script without a header change,
so decide what to do there, or use a separate script to kill the session.



<?php
session_start();
//Get database data and pull in
include "scripts/php/getData.php";

//Check if session exists
$case=0;
$session = $_SESSION['session'];
$session = explode (".", $session);

//Restart session
if (isset($_POST['logout'])) {
$_SESSION['session'] = "ANONYMOUS";
// return back to main page.
header ("location: index.php");
}

//Detect existing session
if($session[1] == $rid && $session[0] == $uname) {
// user is already logged-in.
$case=1;
}

//Check value of text field
if ($_POST['txtUsername'] == $uname && $_POST['txtPassword'] == $pass) {
// user successfully logged-in.
$_SESSION['session'] = $uname.".".$rid;
$case=1;
}

//Decide what you display
if($case == 1){
//User is allowed to see the page.
?>

*PROTECTED HTML*

<?php
}
else {
//Fall-through to the Log-In Form.
?>

*LOG-IN FORM*

<?php
}
?>


EDIT:
It might be easier to have separate scripts for log-in, log-out, and the protected page.
Messing with sessions will be easier, because redirecting to another script sends a header.



martynball
01-21-2010, 10:09 PM
Seems to be working perfectly thanks. Seeming as it is working, do you still suggest that I have separate scripts? (This is only a small personal website btw, nothing big which people would want to screw with).

Also, I am having a problem with the values being pulled in from the database. At the moment, there are only two users (rows) in the database. The last one is working, but the first one is not working (Says invalid username or password). Although I do type it correctly.

mlseim
01-21-2010, 10:29 PM
Oh, I didn't notice that ... you have an array,
so you'll always see the last one, no matter how many you have.

There has to be another loop to check the whole array.
So, try something like this ...



<?php
session_start();

// Connect to the database server
$dbCon = mysql_connect('localhost', 'HOSTNAME', 'PASSWORD');
// Select the database
$tbCon = mysql_select_db('DATABASENAME');

//Check if session exists
$case=0;
$session = $_SESSION['session'];
$session = explode (".", $session);

//Restart session
if (isset($_POST['logout'])) {
$_SESSION['session'] = "ANONYMOUS";
// return back to main page.
header ("location: index.php");
}

// Get data from table
$result = mysql_query("SELECT * from TABLENAME");
while ($row = mysql_fetch_array($result)) {

$uname=$row["username"];
$pass=$row['password'];
$rid=$row['rid'];

//Detect existing session
if($session[1] == $rid && $session[0] == $uname) {
// user is already logged-in.
$case=1;
}

//Check value of text field
if ($_POST['txtUsername'] == $uname && $_POST['txtPassword'] == $pass) {
// user successfully logged-in.
$_SESSION['session'] = $uname.".".$rid;
$case=1;
}
}

//Decide what you display
if($case == 1){
//User is allowed to see the page.
?>

*PROTECTED HTML*

<?php
}
else {
//Fall-through to the Log-In Form.
?>

*LOG-IN FORM*

<?php
}

?>

martynball
01-21-2010, 11:12 PM
I still can't login with one of the users.

Edit:
Just tried to include the top section of the code, but it will not work.. I have changed the file name and location of the file a couple of times... still does not pull in. Other includes are working...And the code works when I put it back in the actual page.



<?php include "scripts/php/checkLogin.php"; ?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Project A-2010/1 - Home</title>

martynball
01-21-2010, 11:40 PM
:( Eh ^

mlseim
01-21-2010, 11:59 PM
Repost the code ...
(to see what might be wrong with only 1 user working)
I want to actually see what you have there now.
Get that part working first.

martynball
01-22-2010, 12:11 AM
<?php
session_start();
//Database connect
include "scripts/php/db.connect.php";

//Check if session exists
$case=0;
$session = $_SESSION['session'];
$session = explode (".", $session);

//Restart session
if (isset($_POST['logout'])) {
$_SESSION['session'] = "ANONYMOUS";
// return back to main page.
header ("location: index.php");
}

// Get data from table
$result = mysql_query("SELECT * from users");
while ($row = mysql_fetch_array($result)) {

//Variables
$uname=$row['username'];
$pass=$row['password'];
$rid=$row['rid'];
$fname=$row['fname'];
$lname=$row['lname'];
$email=$row['email'];
}

//Detect existing session
if($session[1] == $rid && $session[0] == $uname) {
// user is already logged-in.
$case=1;
}

//Check value of text field
if ($_POST['txtUsername'] == $uname && $_POST['txtPassword'] == $pass) {
// user successfully logged-in.
$_SESSION['session'] = $uname.".".$rid;
$case=1;
}

//Decide what you display
if($case == 1){
//User is allowed to see the page.
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Project A-2010/1 - Home</title>
<link rel="stylesheet" href="../stokeGTA/css/mainsheet.css"/>
<script type="text/javascript" src="scripts/js/hoverFix.js"></script>
</head>
<body>
<div class="scriptOutput"><p>Output: --//</p></div>
<div class="container">
<?php echo "<div style=\"float:left; padding-left:1em;\"/>Welcome back, <h4> - $fname $lname -</h4></div>
<div style=\"float:right;\"><form method=\"post\">
<input type=\"submit\" name=\"logout\" value=\"-Logout-\" class=\"noStyle\"></form></div> ";?>
<?php include "includes/menu.php"; ?>
<h1>Project A-2010/1</h1>
<p> Content will go in here.</p>
<img src="http://i58.photobucket.com/albums/g268/martynball/UntitledTime0_00_5611.png" width="40%"/>
</div>
</body>
</html>
<?php
}
else {
//Fall-through to the Log-In Form.
?>
<head>
<title>Login</title>
<link rel="stylesheet" href="../stokeGTA/css/mainsheet.css"/>
<script type="text/javascript">
function restartForm()
{
document.form.txtUsername.value= "";
document.form.txtPassword.value= "";
}
</script>
</head>
<body>
<div align="center">
<div class="login">
<div style="float:right;">
<input type="button" onclick="restartForm()" value="Restart" class="noStyle">
</div>
<h1>Login</h1>
<?php
if (isset($_POST['Submit'])) {
if ($_POST['txtUsername'] == "") {
echo "<h3>Username field empty, please complete it!</h3>";
}
elseif ($_POST['txtPassword'] == "") {
echo "<h3>Password field empty, please complete it!</h3>";
}
elseif ($_POST['txtUsername'] != $uname || $_POST['txtPassword'] != $pass) {
echo "<h3>Username/Password incorrect!</h3>";
}
}
?>
<form name="form" method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
<p>
<label for="txtusername">Username:</label>
<br />
<input type="text" title="Enter your username!" name="txtUsername" class="field"/>
</p>
<p>
<label for="txtpassword">Password:</label>
<br />
<input type="password" title="Enter your password!" name="txtPassword" class="field"/>
</p>
<p>
<input type="submit" name="Submit" value="-Login-" class="noStyle" />
</p>
</form>
<?php if ($_SESSION['session'] == "ANONYMOUS") { echo "You are not logged in!"; }else{ echo $_SESSION['session']; } ?>
</div>
</div>
</body>
<?php
}
?>

mlseim
01-22-2010, 12:26 AM
OK ... try this script by itself and see if the "only one user" problem is fixed:



<?php
session_start();
//Database connect
include "scripts/php/db.connect.php";

//Check if session exists
$case=0;
$session = $_SESSION['session'];
$session = explode (".", $session);

//Restart session
if (isset($_POST['logout'])) {
$_SESSION['session'] = "ANONYMOUS";
// return back to main page.
header ("location: index.php");
}

// Get data from table
$result = mysql_query("SELECT * from users");
while ($row = mysql_fetch_array($result)) {

//Variables
$uname=$row['username'];
$pass=$row['password'];
$rid=$row['rid'];
$fname=$row['fname'];
$lname=$row['lname'];
$email=$row['email'];

//Detect existing session
if($session[1] == $rid && $session[0] == $uname) {
// user is already logged-in.
$case=1;
}

//Check value of text field
if ($_POST['txtUsername'] == $uname && $_POST['txtPassword'] == $pass) {
// user successfully logged-in.
$_SESSION['session'] = $uname.".".$rid;
$case=1;
}

} // This is the close of the while loop

//Decide what you display
if($case == 1){
//User is allowed to see the page.
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Project A-2010/1 - Home</title>
<link rel="stylesheet" href="../stokeGTA/css/mainsheet.css"/>
<script type="text/javascript" src="scripts/js/hoverFix.js"></script>
</head>
<body>
<div class="scriptOutput"><p>Output: --//</p></div>
<div class="container">
<?php echo "<div style=\"float:left; padding-left:1em;\"/>Welcome back, <h4> - $fname $lname -</h4></div>
<div style=\"float:right;\"><form method=\"post\">
<input type=\"submit\" name=\"logout\" value=\"-Logout-\" class=\"noStyle\"></form></div> ";?>
<?php include "includes/menu.php"; ?>
<h1>Project A-2010/1</h1>
<p> Content will go in here.</p>
<img src="http://i58.photobucket.com/albums/g268/martynball/UntitledTime0_00_5611.png" width="40%"/>
</div>
</body>
</html>
<?php
}
else {
//Fall-through to the Log-In Form.
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title>Login</title>
<link rel="stylesheet" href="../stokeGTA/css/mainsheet.css"/>
<script type="text/javascript">
function restartForm()
{
document.form.txtUsername.value= "";
document.form.txtPassword.value= "";
}
</script>
</head>
<body>
<div align="center">
<div class="login">
<div style="float:right;">
<input type="button" onclick="restartForm()" value="Restart" class="noStyle">
</div>
<h1>Login</h1>
<?php
if (isset($_POST['Submit'])) {
if ($_POST['txtUsername'] == "") {
echo "<h3>Username field empty, please complete it!</h3>";
}
elseif ($_POST['txtPassword'] == "") {
echo "<h3>Password field empty, please complete it!</h3>";
}
elseif ($_POST['txtUsername'] != $uname || $_POST['txtPassword'] != $pass) {
echo "<h3>Username/Password incorrect!</h3>";
}
}
?>
<form name="form" method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
<p>
<label for="txtusername">Username:</label>
<br />
<input type="text" title="Enter your username!" name="txtUsername" class="field"/>
</p>
<p>
<label for="txtpassword">Password:</label>
<br />
<input type="password" title="Enter your password!" name="txtPassword" class="field"/>
</p>
<p>
<input type="submit" name="Submit" value="-Login-" class="noStyle" />
</p>
</form>
<?php if ($_SESSION['session'] == "ANONYMOUS") { echo "You are not logged in!"; }else{ echo $_SESSION['session']; } ?>
</div>
</div>
</body>
</html>
<?php
}
?>

martynball
01-22-2010, 01:02 AM
Okay, other user works now. But, the session ID is saving the values from the other user still (nick3d). Instead of (martynball)...

http://martynleeball.x10hosting.com/stokeGTA/index.php
Here: Login using

username: nick3d
password: password

Then use:
username: martynball
password: password

Up the top left the data from nick's account is still being used... that is due to the rid number being pulled in when logging in.

Also, can multiple users sign in at the same time? Because the session is called "session". I am guessing it would work like this: session[0], session[1], session[2] for each different person?

mlseim
01-22-2010, 02:10 AM
Don't worry about the sessions.
They are cookies stored on the server, and each person is given their own session ID.

The other problem is due to the fact that you can't set the session and read it
without a header (redirect or refresh). I don't know the name of your scripts,
but you should create files for session control.

On each protected page you simply check for a session.
You don't have to call the "check_login.php" script ...
that's only used for the login.php (form page).

If the session exists, they are logged-in.
If the session does not exist, it displays the log-in form.

The whole point is ... once they are logged-in, the "check_login.php" script no longer has to be used.


check_login.php - this checks to see if the form login is correct.
If it is correct, it creates the session variable, otherwise, it returns
back to the login form with some sort of error message.


<?php
session_start();
//Database connect
include "scripts/php/db.connect.php";

$case=0;
// Get data from table
$result = mysql_query("SELECT * from users");
while ($row = mysql_fetch_array($result)) {

//Variables
$uname=$row['username'];
$pass=$row['password'];
$rid=$row['rid'];
$fname=$row['fname'];
$lname=$row['lname'];
$email=$row['email'];

//Check value of text field
if ($_POST['txtUsername'] == $uname && $_POST['txtPassword'] == $pass) {
// user successfully logged-in.
$_SESSION['session'] = $uname.".".$rid;
$case=1;
}

} // This is the close of the while loop

// return to either the main page, or back to "login.php".
// this action supplies the header needed to create the session.

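if($case==1){
header ("location: index.php");
exit; // stop here so nothing else runs after the redirect
}
else{
// login failed, so return back to the form.
// if you want, you can return a failed message.
$mess="Invalid Login";
// urlencode the message, it contains a space
header ("location: login.php?mess=".urlencode($mess));
exit;
}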

?>



logout.php - this destroys the session.
Call it from anyplace ... even a "logout" link, like: <a href="logout.php">logout</a>


<?php
if(session_start()){
session_destroy();}
header ("location: index.php");
?>



Then, on the top of each protected page, you simply check for the session to be set.
If the session is set, that means they must be logged-in.

anypage-you-want.php


<?php
session_start();
if(isset($_SESSION['session'])){
//user is logged-in, so do nothing
}
else{
//user needs to log in.
header ("location: login.php");
exit; // without this the protected page below is still sent after the redirect header
}
?>
<html>
* YOUR PROTECTED PAGE *
</html>



login.php - Your login form (notice that the form action is "check_login.php").
You will have to change the validation of this because it will no longer call itself.
You can do the validation on the "check_login.php" script, or just use Javascripting.


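<?php
// check for a failure message from check_login.php
$mess="";
if(isset($_GET['mess'])){
// the value comes straight from the URL, so escape it before it is printed
$mess=htmlspecialchars($_GET['mess'], ENT_QUOTES, 'UTF-8');
}
?>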
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title>Login</title>
<link rel="stylesheet" href="../stokeGTA/css/mainsheet.css"/>
<script type="text/javascript">
function restartForm()
{
document.form.txtUsername.value= "";
document.form.txtPassword.value= "";
}
</script>
</head>
<body>
<div align="center">
<div class="login">
<div style="float:right;">
<input type="button" onclick="restartForm()" value="Restart" class="noStyle">
</div>
<h1>Login <?=$mess?> </h1>
<?php
if (isset($_POST['Submit'])) {
if ($_POST['txtUsername'] == "") {
echo "<h3>Username field empty, please complete it!</h3>";
}
elseif ($_POST['txtPassword'] == "") {
echo "<h3>Password field empty, please complete it!</h3>";
}
elseif ($_POST['txtUsername'] != $uname || $_POST['txtPassword'] != $pass) {
echo "<h3>Username/Password incorrect!</h3>";
}
}
?>
<form name="form" method="post" action="check_login.php">
<p>
<label for="txtusername">Username:</label>
<br />
<input type="text" title="Enter your username!" name="txtUsername" class="field"/>
</p>
<p>
<label for="txtpassword">Password:</label>
<br />
<input type="password" title="Enter your password!" name="txtPassword" class="field"/>
</p>
<p>
<input type="submit" name="Submit" value="-Login-" class="noStyle" />
</p>
</form>
<?php if ($_SESSION['session'] == "ANONYMOUS") { echo "You are not logged in!"; }else{ echo $_SESSION['session']; } ?>
</div>
</div>
</body>
</html>
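
Added example, not part of mlseim's post or of the site's own code: one way to write the check_login.php lookup and the protected-page guard so that the row is selected by username through a prepared statement, the password is checked against a stored hash instead of plaintext, and the redirect stops the script. The PDO connection, the password_hash column, the in-memory SQLite demo data and the function names are assumptions.

```php
<?php
// Assumptions (not from the thread): PDO, a password_hash column, and the
// hypothetical helper names authenticate(), start_user_session(), require_login().

function authenticate(PDO $db, string $username, string $password): ?array
{
    // Select the one row for this username; no loop, so no "last row wins".
    $stmt = $db->prepare('SELECT rid, username, fname, lname, password_hash
                          FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() checks the input against a salted hash, not plaintext.
    if ($user === false || !password_verify($password, $user['password_hash'])) {
        return null;
    }
    unset($user['password_hash']);
    return $user;
}

function start_user_session(array $user): void
{
    // Call after session_start(); issue a fresh session ID at login.
    session_regenerate_id(true);
    $_SESSION['rid'] = (int) $user['rid']; // server-side value, nothing to explode()
}

function require_login(): void
{
    if (!isset($_SESSION['rid'])) {
        header('Location: login.php');
        exit; // without this the protected HTML is still sent after the header
    }
}

// Constructed demo: in-memory SQLite stands in for the MySQL users table.
if (PHP_SAPI === 'cli') {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (rid INTEGER PRIMARY KEY, username TEXT UNIQUE,
               fname TEXT, lname TEXT, password_hash TEXT)');
    $add = $db->prepare('INSERT INTO users (username, fname, lname, password_hash)
                         VALUES (?, ?, ?, ?)');
    // Constructed names and passwords, hashed before they are stored.
    $add->execute(['nick3d', 'Nick', 'Example', password_hash('nick-demo-pw', PASSWORD_DEFAULT)]);
    $add->execute(['martynball', 'Martyn', 'Example', password_hash('martyn-demo-pw', PASSWORD_DEFAULT)]);

    $ok = authenticate($db, 'martynball', 'martyn-demo-pw');
    echo $ok ? "login ok: {$ok['fname']} (rid {$ok['rid']})\n" : "login failed\n";
    // A wrong password and a quote-laden username both return null.
    var_dump(authenticate($db, 'martynball', 'nick-demo-pw'));
    var_dump(authenticate($db, "x' OR '1'='1", 'anything'));
}
```

In a web request, check_login.php would call session_start(), then authenticate() and start_user_session() before redirecting, and each protected page would call session_start() followed by require_login().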

martynball
01-22-2010, 12:12 PM
I understand exactly what you have done. I can usually understand code but never write it in the correct order etc. Lol.

Thanks, you're a legend Lol.

martynball
01-22-2010, 11:48 PM
Problem 2:
The data is not being pulled in from the table, I have had to remove the "while" which most people use so that I can use the variables when the submitPass button is pressed. Is the while needed?



<?php
include "scripts/php/db.connect.php";

//Get data...
$result = mysql_query("SELECT * from users WHERE rid='$srid'") or die ('Error: '.mysql_error());
$row = mysql_fetch_array($result);

//Variables
$username=$row["username"];
$fname=$row["fname"];
$lname=$row["lname"];
$email=$row["email"];
$pass=$row["password"];

//Get RID
$srid = $_SESSION['session'];
$srid = explode(".", $srid);
$srid = $srid[1];

//Check for button pressed
if (isset($_POST['submitPass'])) {

//Check oPass and aPass not empty
if ($_POST['oPass'] != "" && $_POST['aPass'] != "") {

//Check oPass and aPass are the same
if ($_POST['oPass'] == $_POST['aPass']) {

//Check two passwords match password in database
if ($_POST['aPass'] == "$pass") {
echo "True";
}
}
}
}
?>
</p></div>
<div class="container">
<a href="scripts/php/logout.php" style="float:right;">-Logout-</a>
<?php include "includes/menu.php"; ?>
<h1>User Control Panel</h1>
<h2>Account Information: </h2>
<?php
//Display Data
echo "Username: $username <br />First Name: $fname<br />Last Name: $lname<br />Email: $email<br />";
?>

mlseim
01-23-2010, 03:16 AM
Your query at the top is looking for $srid ... what is $srid, and where is it defined?

Put your // Get rid above the // Get data

martynball
01-23-2010, 08:31 PM
Yey, works :) Thanks.


