Results 1 to 15 of 19
  1. #1
    Regular Coder Armondo's Avatar
    Join Date
    Feb 2007
    Posts
    144
    Thanks
    3
    Thanked 0 Times in 0 Posts

    problems with sessions and login fields :(

    ok the problem is here: http://flashanims.com
    press login...put in a random username and password. even though you haven't registered or anything it takes you into the getin page and doesn't say anything, so click go to the homepage. now it says you're logged in as the username you entered even though you're not in the database!!!

    ok, so my logic: if you successfully get into the getinpage with the little welcome message and all...it will add your $username and $email (which if you are registered...you have to put that in and it takes it from the database) and add it to your session. but the problem i am having is...it isn't secure at all and not to mention it doesn't even add the $email to your session! ok, so here is my code:

    the login page:
    Code:
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
    <title>Login :: your flashanims.com passport</title>
    <link rel="shortcut icon" href="/favicon.ico" type="image/ico" />
    <link href="/scripts/style.css" rel="stylesheet" type="text/css" />
    </head>
    <body>
    <div id="cbmaincontainer">
    	<div id="commentwrapper">
    		<div id="cbtitlecolumn">
    			<span>Login</span>
    		</div>
    		<div id="commentcolumn">
    			<form action="getin.php" method="post">
    			<table>
    			<tr>
    			<td>Username:</td><td><input type="text" name="username" size="25" /></td>
    			<tr>
    			<td>Password:</td><td><input type="password" name="password" size="25" /></td>
    			<tr>
    			<td><input type="submit" value="submit" name="submit" /></td>
    			</tr>
    			</table>
    			</form>
    			<br/><br/>
    			<a href="/index.php" title="go back to the homepage">Back To The Homepage</a>
    		</div>
    	</div>
    </div>
    </body>
    </html>
    getin:
    Code:
    <?
    session_start();  
    header("Cache-control: private"); 
    $_SESSION["loggedin_user"] = "$username";
    $_SESSION["user_email"] = "$email";
    ?>
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
    <title>Logged In! :: your flashanims.com passport</title>
    <link rel="shortcut icon" href="/favicon.ico" type="image/ico" />
    <link href="/scripts/style.css" rel="stylesheet" type="text/css" />
    </head>
    <body>
    <div id="cbmaincontainer">
    	<div id="commentwrapper">
    		<div id="cbtitlecolumn">
    			<span>Logged In</span>
    		</div>
    		<div id="commentcolumn">
    			<br/>
    			<?
    			$conn = mysql_connect("****","****","****");
    			$db = mysql_select_db("****");
    			
    			$username = $_POST["username"];
    			$password = $_POST["password"];
    			
    			$result = MYSQL_QUERY("SELECT * from users WHERE username='$username'and password='$password'")
    			   or die ("Name and password not found or not matched");
    			
    			$worked = mysql_fetch_array($result);
    			
    			$username = $worked[username];
    			$password = $worked[password];
    			$email = $worked[email];
    			
    			if($worked) {
    				echo "Welcome $username! Your e-mail address is $email. You are now logged in. <a href=\"/index.php\">Go To The Homepage</a>"; 
    				}
    			?>
    			<br/><br/>
    			<a href="/index.php" title="go back to the homepage">Back To The Homepage</a>
    		</div>
    	</div>
    </div>
    </body>
    </html>
    and if you need it...register.php:
    Code:
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
    <title>Register :: your flashanims.com passport</title>
    <link rel="shortcut icon" href="/favicon.ico" type="image/ico" />
    <link href="/scripts/style.css" rel="stylesheet" type="text/css" />
    </head>
    <body>
    <div id="cbmaincontainer">
    	<div id="commentwrapper">
    		<div id="cbtitlecolumn">
    			<span>Register</span>
    		</div>
    		<div id="commentcolumn">
    			<form action="sendit.php" method="post">
    			<table border="0" cellspacing="0" cellpadding="0">
    				<tr>
    				  <td width="149">Username Desired:</td>
    				  <td width="481"><input type="text" name="username" size="25" /></td>
    				</tr>
    				<tr>
    				  <td>Password Desired:</td>
    				  <td><input type="password" name="password" size="25" /></td>
    				</tr>
    				<tr>
    				  <td>Email:</td>
    				  <td><input type="text" name="email" size="25" /></td>
    				</tr>
    				<tr>
    				  <td colspan="2">
    					By submitting this information and using this website you agree to these terms of service:<br/>
    					<ul>
    						<li>You will not use your account to post meaningless and or spam comments or information on this website</li>
    						<li>You will be respectful and kind to the other users on this website</li>
    						<li>I reserve the right to delete your account and or anything you contributed or posted</li>
    						<li>I reserve the right to contact your internet service provider</li>
    						<li>You will not copy, redistribute, or steal any content found on this website</li>
    						<li>You will comply to these terms of service or legal action may be taken</li>
    					</ul>
    				  </td>
    				</tr>
    				<tr>
    				<td>
    				<input type="submit" value="submit" name="submit" />
    				</td>
    				</tr>
    		  </table>
    		  </form>
    			<br/><br/>
    			<a href="/index.php" title="go back to the homepage">Back To The Homepage</a>
    		</div>
    	</div>
    </div>
    </body>
    </html>
    sendit.php:
    Code:
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
    <title>Information Submitted</title>
    <link rel="shortcut icon" href="/favicon.ico" type="image/ico" />
    <link href="/scripts/style.css" rel="stylesheet" type="text/css" />
    </head>
    <body>
    <div id="cbmaincontainer">
    	<div id="commentwrapper">
    		<div id="cbtitlecolumn">
    			<span>Submitted</span>
    		</div>
    		<div id="commentcolumn">
    			<?
    			//replace username and password with your mysql name and password
    			$conn = mysql_connect("*","*","*");
    			
    			//select the database
    			$db = mysql_select_db("*");
    			
    			$username = $_POST["username"];
    			$password = $_POST["password"];
    			$email = $_POST["email"];
    			
    			//insert the values
    			$result= MYSQL_QUERY("INSERT INTO users (id, username, password, email)".
    			   "VALUES ('NULL', '$username', '$password', '$email')");
    			   
    			echo "<span>Your name and password have been submitted into our database! <a href=\"/comboard/login.php\">Click Here To Login</a>";
    			?>
    		</div>
    	</div>
    </div>
    </body>
    </html>
    only pay attention to the php really...so...any help...please...i am starting to have thoughts of suicide

  • #2
    Senior Coder timgolding's Avatar
    Join Date
    Aug 2006
    Location
    Southampton
    Posts
    1,519
    Thanks
    114
    Thanked 110 Times in 109 Posts
    You have to actually test the username and password submitted in the log in form against the SQL then you set a $_SESSION variable to logged in
    You can not say you know how to do something, until you can teach it to someone else.

  • #3
    Regular Coder Armondo
    :0....how do i do that? lol i have an idea of how to do that...but i really don't know.

  • #4
    Senior Coder timgolding
    Never fear Timmy is here

  • #5
    Senior Coder timgolding
    You need to get the username and password information that was entered by the user. So in getin.php you need to first get the submitted data from the form. The script that sent the form uses a post method to send the information so we use the $_POST variable in php. It is an associative array where the index is the name of the field used in the form and the element of the array is the value entered for that field by the user.

    $entered_password=$_POST["password"];
    $entered_username=$_POST["username"];

    Now we can use these variables to test against the SQL

  • #6
    Senior Coder timgolding
    Sorry I just noticed you have done that duh

  • #7
    Regular Coder Armondo
    it's ok, we all make mistakes. and i am working on this too, i still can't figure it out. thanks for helping me btw!

  • #8
    Super Moderator Inigoesdr's Avatar
    Join Date
    Mar 2007
    Location
    Florida, USA
    Posts
    3,647
    Thanks
    2
    Thanked 406 Times in 398 Posts
    PHP Code:
    $username = mysql_real_escape_string($_POST["username"]);
    $password = mysql_real_escape_string($_POST["password"]);

    $result = mysql_result(mysql_query("SELECT COUNT(*) from users WHERE username='$username' and password='$password'") or die ("Name and password not found or not matched"), 0);
    if(!empty($result))
    {
        echo "Welcome $username! Your e-mail address is $email. You are now logged in. <a href=\"/index.php\">Go To The Homepage</a>";
    }

    You should be doing something more like this ^. Add your session data in the if() switch. You should -not- store any personal information in sessions. Use a hash or something else to reference the user's information in the database.

  • #9
    Regular Coder Armondo
    thanks a lot i will try it out, but why not? sessions are a way more viable solution than cookies to me. you have any suggestions?

    and where is this code supposed to go? my code looks like this now:
    Code:
    <?
    session_start();  
    header("Cache-control: private"); 
    $_SESSION["loggedin_user"] = "$username";
    $_SESSION["user_email"] = "$email";
    $_SESSION["facelol"] = "$face";
    ?>
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
    <title>Logged In! :: your flashanims.com passport</title>
    <link rel="shortcut icon" href="/favicon.ico" type="image/ico" />
    <link href="/scripts/style.css" rel="stylesheet" type="text/css" />
    </head>
    <body>
    <div id="cbmaincontainer">
    	<div id="commentwrapper">
    		<div id="cbtitlecolumn">
    			<span>Logged In</span>
    		</div>
    		<div id="commentcolumn">
    			<br/>
    			<?
    			$conn = mysql_connect("*","*","*");
    			$db = mysql_select_db("*");
    			
    			$username = mysql_real_escape_string($_POST["username"]);
    			$password = mysql_real_escape_string($_POST["password"]);
    						
    			$result = mysql_result(mysql_query("SELECT COUNT(*) from users WHERE username='$username' and password='$password'") or die ("Name and password not found or not matched"), 0);
    			if(!empty($result)) 
    			{
    				echo "Welcome $username! Your e-mail address is $email. You are now logged in. <a href=\"/index.php\">Go To The Homepage</a>"; 
    			}  
    			?>
    			<br/><br/>
    			<a href="/index.php" title="go back to the homepage">Back To The Homepage</a>
    		</div>
    	</div>
    </div>
    </body>
    </html>
    Warning: mysql_result(): supplied argument is not a valid MySQL-Link resource in /home/content/A/r/m/Armondo13/html/comboard/getin.php on line 31
    Last edited by Armondo; 03-10-2007 at 01:44 AM.

  • #10
    Super Moderator Inigoesdr
    Oops, remove the or die():
    PHP Code:
    $result = mysql_result(mysql_query("SELECT COUNT(*) FROM `users` WHERE `username`= '$username' and `password` = '$password'"), 0);
    If that doesn't work separate the mysql functions and add or die(mysql_error()); after them.
    Quote (originally posted by Armondo):
    "thanks a lot i will try it out, but why not? sessions are a way more viable solution than cookies to me. you have any suggestions?"
    Cookies store the information on the user's computer and can be stolen by other sites or spyware on their computer. Sessions store the data on the server, and use either the URL or a cookie with a unique ID so PHP knows which session file on the server contains that user's settings. The problem is that by default PHP stores session data in the /tmp/ folder which is readable by any user on the server usually. So you should only store a unique hash in the session variable and in a field in the database and just request whatever user information you need on your logged in pages.
    PHP Code:
    $hash = sha1(uniqid(microtime(), 1));
    That should generate a random enough hash for you^.

  • #11
    Regular Coder Armondo
    thanks, but what is hashing? i have read a bunch of php books and stuff, but i have scarcely heard of it. i know it has something to do with security or something. how would i use it? and i will try that fix out right now.
    Last edited by Armondo; 03-10-2007 at 02:53 AM.

  • #12
    Super Moderator Inigoesdr
    The manual has a short explanation along with a sample output: sha1() and a link to further information about the method that it uses.

  • #13
    Regular Coder Armondo
    !
    Parse error: parse error, unexpected T_IF in /home/content/A/r/m/Armondo13/html/comboard/getin.php on line 29
    code around there:
    Code:
    			$username = mysql_real_escape_string($_POST["username"]);
    			$password = mysql_real_escape_string($_POST["password"]);
    						
    			$result = mysql_result(mysql_query("SELECT COUNT(*) from users WHERE username='$username' and password='$password'"))
    			if(!empty($result)) 
    			{
    				$_SESSION["loggedin_user"] = "$username";
    				$_SESSION["user_email"] = "$email";
    				echo "Welcome $username! Your e-mail address is $email. You are now logged in. <a href=\"/index.php\">Go To The Homepage</a>"; 
    			}
    i can't figure it out...
    Last edited by Armondo; 03-10-2007 at 03:05 AM.

  • #14
    Super Moderator Inigoesdr
    You're missing the colon(and 0) at the end of this line:
    PHP Code:
    $result = mysql_result(mysql_query("SELECT COUNT(*) from users WHERE username='$username' and password='$password'"), 0);

  • #15
    Regular Coder Armondo
    grr stupid mistake, and this doesn't solve my problem because what i need is to have it to where they login with their username and password and then it fetches their username and email...not, they enter a user name and password and regardless of if it complies with the database's stored info, it still logs them in with the username they entered at the form and no email address is added to the session. i am getting pretty frustrated, it just overrides whatever is in the database and uses whatever they put in! and it wont even say "your email address is soandso@gmail.com" it just says "your email address is !" and i know why, because i don't define that variable, but i can't because i don't know what is up anymore in this script. here is my code lol:
    Code:
    			$username = mysql_real_escape_string($_POST["username"]);
    			$password = mysql_real_escape_string($_POST["password"]);
    						
    			$result = mysql_result(mysql_query("SELECT COUNT(*) from users WHERE username='$username' and password='$password'"), 0);  
    			if(!empty($result)) 
    			{
    				echo "Welcome $username! Your e-mail address is $email. You are now logged in. <a href=\"/index.php\">Go To The Homepage</a>"; 
    			}  
    			?>
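
An added example, not part of the thread or any poster's code: one way to get the behaviour post #15 asks for, where the session is written only after the database confirms the credentials, the username and email come from the stored row rather than from the form, and the session holds only a reference to the user as post #10 advises. It assumes PDO in place of the `mysql_*` functions and a `password_hash` column holding `password_hash()` output instead of the thread's plaintext `password` column; `find_verified_user`, `login` and the demo rows are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Returns the matching users row (minus the hash) only when the password verifies; otherwise null.
function find_verified_user(PDO $db, string $username, string $password): ?array
{
    // Prepared statement: the submitted username is bound as data, never spliced into the SQL.
    $stmt = $db->prepare('SELECT id, username, email, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null; // unknown user or wrong password: same answer for both
    }
    unset($row['password_hash']);
    return $row; // username and email come from the database, not from $_POST
}

// What getin.php would call at the top of the request, before any HTML is sent.
function login(PDO $db, array $post): ?array
{
    $user = find_verified_user(
        $db,
        (string) ($post['username'] ?? ''),
        (string) ($post['password'] ?? '')
    );
    if ($user === null) {
        return null; // the session is never touched on a failed attempt
    }
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true);                // fresh session ID once authenticated
    $_SESSION['user_id'] = (int) $user['id'];   // a reference only; fetch email per request
    return $user;
}

// Constructed demo data: an in-memory SQLite table standing in for the thread's `users` table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, email TEXT, password_hash TEXT)');
$db->prepare('INSERT INTO users (username, email, password_hash) VALUES (?, ?, ?)')
   ->execute(['demo_user', 'demo_user@example.com', password_hash('demo-password', PASSWORD_DEFAULT)]);

// Constructed attempts: valid login, wrong password, unregistered name, name containing a quote.
$attempts = [
    ['demo_user', 'demo-password'],
    ['demo_user', 'wrong'],
    ['nobody', 'anything'],
    ["o'brien", 'anything'],
];
foreach ($attempts as [$name, $pass]) {
    $user = find_verified_user($db, $name, $pass);
    echo $name, ' => ', $user ? "ok, email {$user['email']}" : 'rejected', "\n";
}
```

Run from the command line, the demo loop exercises only `find_verified_user`; `login` is the part a web request would call, since it starts and regenerates the session.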

