...

View Full Version : Help with login script



noneforit
01-27-2010, 04:45 PM
Hello

I used the script below for a login system and it seems to work great


<?php
$host="localhost"; // Host name
$username="username"; // Mysql username
$password="password"; // Mysql password
$db_name="users_db"; // Database name
$tbl_name="users_tb"; // Table name

// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

// username and password sent from form
$myusername=$_POST['username'];
$mypassword=$_POST['password'];

// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);

$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row

if($count==1){
// Register $myusername, $mypassword and redirect to file "login_success.php"
session_register("myusername");
session_register("mypassword");
header("location:../index.html");
}
else {
echo "Wrong Username or Password";
}
?>

However, what code do I put at the top of any page that I need to protect...??

Cheers

met
01-27-2010, 06:03 PM
<?php
session_start();

if(!isset($_SESSION['myusername'])) {
echo 'you don\'t have permission to view this page...';
}

Fumigator
01-27-2010, 06:04 PM
Just check your session variables.

BTW, session_register() is deprecated and won't work with PHP 6; you should simply assign values to the $_SESSION array.

See:

http://us.php.net/manual/en/function.session-register.php

mlseim
01-27-2010, 06:07 PM
At the top of every script that uses sessions, you should have this ...
(including the script you've shown above) ...

<?php
session_start();

On pages that need protection ....


<?php
session_start();
if(isset($_SESSION['myusername'])){
//they are logged-in, so do nothing.
}
else{
//they are not logged-in, so kick them back to the main page.
header ("location: index.php");
}
?>

<html>
blah blah
the rest of your page here

noneforit
01-27-2010, 06:34 PM
All seems to be working except:

I go to the protected page which redirects me to the login page as expected.
I then login which is meant to take me back to the protected page but it just redirects back to the login page....!?!?!

I have a checklogin.php page:


<?php
session_start();

$host="localhost"; // Host name
$username="login"; // Mysql username
$password="password"; // Mysql password
$db_name="users_db"; // Database name
$tbl_name="users_tb"; // Table name

// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

// username and password sent from form
$myusername=$_POST['username'];
$mypassword=$_POST['password'];

// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);

$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row

if($count==1){
// Register $myusername, $mypassword and redirect to file "login_success.php"
session_register("myusername");
session_register("mypassword");
header("location:../index.php");
}
else {
echo "Wrong Username or Password";
}
?>

A login.php page:


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Please Login</title>
<link href="CSS/login.css" rel="stylesheet" type="text/css" />
</head>

<body>
<p class="maintext">You must login to access the members area!</p>
<div id="login">
<form action="php/checklogin.php" method="post">
Username: <input name="username" type="text" />
Password: <input name="password" type="text" />
<input name="Login!" type="submit" value="Login!" /></form>
</div>
</body>
</html>


And a protected page index.php:


<?php
session_start();
if(isset($_SESSION['myusername'])){
//they are logged-in, so do nothing.
}
else{
//they are not logged-in, so kick them back to the main page.
header ("location:login.php");
}
?>

<HTML HERE.....>

Fumigator
01-27-2010, 06:44 PM
Add a print_r($_SESSION) along with a die() (so you don't get redirected), see what that gives you.

mlseim
01-27-2010, 08:11 PM
I'm thinking it might be the deprecated code ... but not sure ...Try this ...

Change these two lines:
session_register("myusername");
session_register("mypassword");

To this:
$_SESSION['myusername']=$myusername;
$_SESSION['mypassword']="does_not_matter";

(You're only checking for the existence of "myusername", so you only need that one).

Maybe it has something to do with session arrays.



EZ Archive Ads Plugin for vBulletin Copyright 2006 Computer Help Forum