Help with login script



noneforit
01-27-2010, 04:45 PM
Hello

I used the script below for a login system and it seems to work great.


<?php
$host="localhost"; // Host name
$username="username"; // Mysql username
$password="password"; // Mysql password
$db_name="users_db"; // Database name
$tbl_name="users_tb"; // Table name

// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

// username and password sent from form
$myusername=$_POST['username'];
$mypassword=$_POST['password'];

// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);

$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row

if($count==1){
// Register $myusername, $mypassword and redirect to file "login_success.php"
session_register("myusername");
session_register("mypassword");
header("location:../index.html");
}
else {
echo "Wrong Username or Password";
}
?>

However, what code do I put at the top of any page that I need to protect...??

Cheers

met
01-27-2010, 06:03 PM
<?php
session_start();

if(!isset($_SESSION['myusername'])) {
echo 'you don\'t have permission to view this page...';
exit; // stop here so the rest of the protected page is not sent
}

Fumigator
01-27-2010, 06:04 PM
Just check your session variables.

BTW, session_register() is deprecated and won't work with PHP 6; you should simply assign values to the $_SESSION array.

See:

http://us.php.net/manual/en/function.session-register.php

mlseim
01-27-2010, 06:07 PM
At the top of every script that uses sessions, you should have this ...
(including the script you've shown above) ...

<?php
session_start();

On pages that need protection ....


<?php
session_start();
if(isset($_SESSION['myusername'])){
//they are logged-in, so do nothing.
}
else{
//they are not logged-in, so kick them back to the main page.
header ("location: index.php");
exit; // stop here so the protected page below is not sent with the redirect
}
?>

<html>
blah blah
the rest of your page here

noneforit
01-27-2010, 06:34 PM
All seems to be working except:

I go to the protected page, which redirects me to the login page as expected.
I then log in, which is meant to take me back to the protected page, but it just redirects back to the login page....!?!?!

I have a checklogin.php page:


<?php
session_start();

$host="localhost"; // Host name
$username="login"; // Mysql username
$password="password"; // Mysql password
$db_name="users_db"; // Database name
$tbl_name="users_tb"; // Table name

// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

// username and password sent from form
$myusername=$_POST['username'];
$mypassword=$_POST['password'];

// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);

$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row

if($count==1){
// Register $myusername, $mypassword and redirect to file "login_success.php"
session_register("myusername");
session_register("mypassword");
header("location:../index.php");
}
else {
echo "Wrong Username or Password";
}
?>

A login.php page:


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Please Login</title>
<link href="CSS/login.css" rel="stylesheet" type="text/css" />
</head>

<body>
<p class="maintext">You must login to access the members area!</p>
<div id="login">
<form action="php/checklogin.php" method="post">
Username: <input name="username" type="text" />
Password: <input name="password" type="password" />
<input name="Login!" type="submit" value="Login!" /></form>
</div>
</body>
</html>


And a protected page index.php:


<?php
session_start();
if(isset($_SESSION['myusername'])){
//they are logged-in, so do nothing.
}
else{
//they are not logged-in, so kick them back to the main page.
header ("location:login.php");
exit; // stop here so the protected page below is not sent with the redirect
}
?>

<HTML HERE.....>

Fumigator
01-27-2010, 06:44 PM
Add a print_r($_SESSION) along with a die() (so you don't get redirected), see what that gives you.

mlseim
01-27-2010, 08:11 PM
I'm thinking it might be the deprecated code ... but not sure ... Try this ...

Change these two lines:
session_register("myusername");
session_register("mypassword");

To this:
$_SESSION['myusername']=$myusername;
$_SESSION['mypassword']="does_not_matter";

(You're only checking for the existence of "myusername", so you only need that one).

Maybe it has something to do with session arrays.
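
Added example, not code posted by anyone in the thread: the same login check and page guard written with a bound query parameter, a hashed password, direct $_SESSION assignment in place of session_register(), and an exit after each redirect. The function names and the password_hash column are assumptions; an in-memory SQLite database (requires the pdo_sqlite extension) stands in for the thread's MySQL users_db so the script runs on its own.

```php
<?php
// Added example, not code from the thread. Function names and the
// password_hash column are assumptions; table/field names follow the thread.
declare(strict_types=1);

// True only when the user exists and the password matches the stored hash.
function check_login(PDO $db, string $user, string $pass): bool
{
    // Placeholder binding replaces stripslashes()/mysql_real_escape_string().
    $stmt = $db->prepare('SELECT password_hash FROM users_tb WHERE username = ?');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();          // false when no such user
    return is_string($hash) && password_verify($pass, $hash);
}

// Replacement for session_register(): write to $_SESSION directly.
function log_in(string $user): void
{
    session_regenerate_id(true);           // fresh session ID after authentication
    $_SESSION['myusername'] = $user;       // the password is never stored in the session
}

// Call at the top of every protected page, after session_start().
function require_login(): void
{
    if (!isset($_SESSION['myusername'])) {
        header('Location: login.php');
        exit;                              // stop here, or the page body is still sent
    }
}

// Constructed sample data: SQLite in memory stands in for the MySQL users_db.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users_tb (username TEXT PRIMARY KEY, password_hash TEXT)');
$db->prepare('INSERT INTO users_tb VALUES (?, ?)')
   ->execute(['alice', password_hash('constructed-sample-pw', PASSWORD_DEFAULT)]);

// checklogin.php flow: session_start() must come before any $_SESSION access.
session_start();
$user = $_POST['username'] ?? '';
$pass = $_POST['password'] ?? '';
// is_string() rejects array-valued fields such as username[]=x.
if (is_string($user) && is_string($pass) && check_login($db, $user, $pass)) {
    log_in($user);
    header('Location: ../index.php');
    exit;
}
echo 'Wrong Username or Password';
```

On a protected page, call session_start() and then require_login() before any HTML is output.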