Integrating Login Script into Website.

m7d7g7 · 12-28-2006, 02:59 AM

Hey,

Ok, I'm using the user registration and login script "LoginPHP Pro" from here: http://russcom.net/scripts/

I have it set up and it's working excellent, but the thing is I want to integrate the login, forgotpass, profile and main pages into my current site design. I've tried adding the PHP code from those files into my site design, but it gives me session errors and won't login. Is there an easy way to do this, or isn't this script designed for that? and if not, can anyone else recommend and simple and straight forward members area script with user registration and admin page.

-Mike

whizard · 12-28-2006, 03:08 AM

I haven't looked at the code, but if you're getting session errors, make sure that the absolute first line in your document (after <?php) is this:

session_start();

Otherwise sessions won't work.

HTH
Dan

vegu · 12-28-2006, 06:53 AM

hey,

session_start() does not need to be the first line in your php script however it needs to happen before any output is happening.

okay:

Code:

<? session_start(); ?>

wrong (spaces and linebreaks are output too):

Code:

<html><title>
Hi!
</title>
<? session_start(); ?>

okay:

Code:

<? 
$a = 1;
session_start(); 
?>

wrong:

Code:

<? 
print "test";
session_start(); 
?>

So make sure nothing is being outputted by either your php scripts or the page itself before the session_start() function is called by your login script.

That is all assuming the error you are getting is the headers already sent error

m7d7g7 · 12-28-2006, 03:41 PM

okay, thats where I'm having trouble. this is the login script:

PHP Code:


			
<?php
include("config.php");
echo "<br>";
echo "<form method='post' action='?do=check'><table>";
echo "<center><b>LoginPHP Pro</b></center>";
echo "<tr><td>Username:</td><td><input type='text' class='input_login' name='username'></td></tr>";
echo "<tr><td>Password:</td><td><input type='password' class='input_login' name='password'> <a href='forgotpass.php'>Forgot Password?</a></td> </tr>";
echo "<tr><td><a href='signup.php'>Register</a></td><td> <input type='submit' class='input_login' value='Login'></td></tr>";
echo "</table></form><br>";

if($_GET['do'] == 'check')
{
$_user_name = $_POST['username'];
$_password = $_POST['password'];
//check the login
mysql_connect($host, $user_name, $password)
   or die('Could not connect: ' . mysql_error());

//select database
mysql_select_db($database_name) or die('Could not select database');
$result = mysql_query("SELECT * FROM site_users WHERE username='$_user_name'") or die(mysql_error()); 
$row = mysql_fetch_array( $result );

if($row['username'] == '')
{
echo "<b><font color='red'>Incorrect Login!</font></b><br>";
}
else
{
if($row['password'] == $_password)
{
$_SESSION['logged'] = "agk8gjf38834j2";
$_SESSION['user'] = $_user_name;
$h = "3"; 
$hm = $h * 60; 
$ms = $hm * 60;
$date = gmdate("m/d/Y", time()-($ms)); 
$result = mysql_query("UPDATE site_users SET last_login='$date' WHERE username='$_user_name'") 
or die(mysql_error());  
header("location:" . $redirect_url);
}
else
{
echo "<b><font color='red'>Incorrect Login!</font></b><br>";
}
}

}
if($_GET['do'] == 'logout')
{
echo "You have logged out";
}
?>

In the config.php file is where the session starts:

PHP Code:


			
<?php
//READ 'README.TXT' FIRST
//config file
ob_start();
session_start();
//mysql info
echo "<head><title>LoginPHP Pro</title></head>";
$host = "localhost";         //mysql host
$user_name = "";             //mysql username
$password = "";              //mysql password
$database_name = "";         //mysql database name
$admin_mail = "malchikk@gmail.com"; //admin mail
//redirect page after login
$redirect_url = "main.php";  //main page;where it is redirected after login
//it will be good if u dont touch this!!
$_login_file = "login.php";  //login page, dont change that!!
?>

so if i copy and paste the above login code and put it in my HTML page where i want to login from to be, thats where I get the error. I've tried to "disassemble" the code from the login page and add it into my html page by adding

PHP Code:


			
<?php
include("config.php");

at the very top of the html and the rest starting with "echo "<br>";" where I want the form to be, but that doesn't work either. I'm not sure what else to do? I've never really gone this in-depth with PHP.

Thanks

whizard · 12-29-2006, 04:40 AM

Sorry on the bad info about session_start needing to be first.. I was taught incorrectly..

What does the function ob_start(); do?

Dan

boweninc · 12-29-2006, 10:18 AM

If you want to run PHP code inside a page with a HTML extension you have to explicitly state that.

Heres an idea:
Copy and Paste the HTML code from login.php into your login.html file

Of course if you're getting headers already sent errors, then it's a problem with outputting stuff before you activate the session_start() function like Vegu said.

Oliver

meth · 12-29-2006, 11:38 PM

Firstly, this is an extremely weak logon script. I wouldn't use it as is. There's also no data validation, so you're completely open to sql injection if magic quotes is off on the server.

If the logon form is an on-page include (as you've indicated), the form should have 2 states, one as the form, the other as a welcome message. If the logon form is a separate webpage, then the site links to the logon page should have 2 states, one as 'Login' and the other as 'Logout'.

Here's your script tweaked to make it a little more robust. You just need to put all the files in root and include_once the form_logon.php file into your webpages.

config.php

PHP Code:


			
<?php

//connect to db

$host = "localhost";         //mysql host

$db_user = "";             //mysql username

$db_pass = "";              //mysql password

$db_name = "";         //mysql database name

$admin_mail = "malchikk@gmail.com"; //admin mail

$login_table = 'site_users';

$login_user_column = 'username';

$login_pass_column = 'password';

$login_last_logon_column = 'last_login';



//start session if required

if( !headers_sent() && !isset($_SESSION) ) session_start();



//validation functions

function is_basicchars ($text)

{

    $text = str_replace(' ', '', $text);

    $Bad1 = $this->strip_letters($text);

    $Bad2 = $this->strip_numbers($Bad1);

    $text = $Bad2;

    

    if(empty($text))

    {

        return true;

    }

    return false;

}

function is_allnumbers ($text)

{

    if( (gettype($text)) == "integer")    { return true; }



    $Bad = $this->strip_numbers($text);



    if(empty($Bad))

    {

        return true;

    }

    return false;

}



function strip_numbers ($text)

{

    $Stripped = eregi_replace("([0-9]+)","",$text);

    return ($Stripped);

}



function is_allletters ($text)

{

    $Bad = $this->strip_letters($text);

    if(empty($Bad))

    {

        return true;

    }



    return false;

}



function strip_letters ($text)

{

    $Stripped = eregi_replace("([a-zA-Z]+)","",$text);

    return $Stripped;

}



?>

user_auth.php

PHP Code:


			
<?php

include_once('config.php');



//error messages

$errors = '';

$logged = (isset($_SESSION['logged'])) ? true : false;



//process logon request

if( !empty($_POST['logon']) && !$logged ) {



    //long to short to null if required

    $user_name = (!empty($_POST['username'])) ? $_POST['username'] : NULL;

    $user_pass = (!empty($_POST['password'])) ? $_POST['password'] : NULL;

    

    //check empoty fields

    if ($user_name == NULL) $errors .= 'Username is required.<br />';

    if ($user_pass == NULL) $errors .= 'Password is required.<br />';

    

    //allowed chars a-z A-Z 0-9 and spaces

    if (!is_basicchars($user_name)) $errors .= 'Username contains invalid characters.<br />';

    if (!is_basicchars($user_pass)) $errors .= 'Password contains invalid characters.<br />';

    

    //proceed to process logon if error free

    if ( $errors == '' ) {

    

        //check the login

        mysql_connect($host, $db_user, $db_pass) or die('Could not connect: ' . mysql_error());

        mysql_select_db($db_name) or die('Could not select database');

        $db_username = mysql_real_escape_string($user_name);

        $db_password = mysql_real_escape_string($user_pass);

        $qry_user = mysql_query("SELECT $login_user_column FROM $login_table 

                                WHERE $login_user_column = '$db_username' 

                                AND $login_pass_column = '$db_password'") or die(mysql_error()); 

        $row_user = mysql_fetch_assoc($qry_user);

        

        if( $row_user ){

        

            $_SESSION['logged'] = true;

            $_SESSION['user'] = $user_name;

        

            //update last_login

            $h = "3"; 

            $hm = $h * 60; 

            $ms = $hm * 60;

            $date = gmdate("m/d/Y", time()-($ms)); 

            $result = mysql_query("UPDATE $login_table SET $login_last_logon_column = '$date' WHERE $login_user_column = '$db_username'") 

            or die(mysql_error());

             

        } else {

        

            $errors .= 'Invalid Username/Password combination, try again.<br />';

        

        }

        

    }//end error free processing

    

} //end logon request



//logout

$logout = ( isset($_GET['logout']) ) ? true : false;



if ($logout){



    $_SESSION['user'] = NULL;

    $_SESSION['logged'] = NULL;

    unset($_SESSION['user']);

    unset($_SESSION['logged']);

    session_destroy();

    $logged = false;

    

}



?>

form_logon.php

PHP Code:


			
<?php

include_once('user_auth.php');

$url_frm_action = $_SERVER['PHP_SELF'];

$url_logout = $url_frm_action.'?logout=true';



if ( $logged ) { 

$username = $_SESSION['user']; ?>

<br />

<table>

    <tr>

        <td>Welcome Back <?php echo $username; ?>!</td>

    </tr>

    <tr>

        <td><a href="<?php echo $url_logout; ?>">Click Here to log out</a></td>

    </tr>

</table>

<br />

<?php } else { ?>

<br />

<form method='post' action=''>

<table>

    <tr>

        <td>Username:</td>

        <td><input type='text' class='input_login' name='username'></td>

    </tr>

    <tr>

        <td>Password:</td>

        <td><input type='password' class='input_login' name='password'> <a href='forgotpass.php'>Forgot Password?</a></td>

    </tr>

    <tr>

        <td><a href='signup.php'>Register</a></td>

        <td> <input name="logon" type='submit' class='input_login' id="logon" value='Login'></td>

    </tr>

<?php if ($errors != '') { ?>

    <tr>

      <td>ERROR</td>

      <td><?php echo $errors; ?></td>

    </tr>

<?php } //end error display ?>

</table>

</form>

<br/>

  <?php }//end $logged if else ?>

These scripts are untested but the logic, syntax and security are sound.

m7d7g7 · 12-30-2006, 05:33 AM

thanks meth, i'll give them a shot!