First of all the session ID value is checked, and exploded into two sections. These two parts are then checked with the database to see if they match.
If they do not match then the next if statement is run, which waits until the form fields are valid. Once valid the rest of the code (PROTECTED HTML) should be displayed. At the moment no code is being loaded once login fields are valid.
The problem I am having is with closing the if statements and where to put the "else" statements. What do I do?
PHP Code:
<?php
// Connect to the database server
$dbCon = mysql_connect('localhost', 'HOSTNAME', 'PASSWORD');
// Select the database
$tbCon = mysql_select_db('DATABASENAME');
// Get data from table
$result = mysql_query("SELECT * from TABLENAME");
while ($row = mysql_fetch_array($result)) {
    $uname=$row["username"];
    $pass=$row['password'];
    $rid=$row['rid'];
}
?>
PHP Code:
<?php
session_start();
//Get database data and pull in
include "scripts/php/getData.php";
$rid is a unique ID which will be used with the username to verify if the session is not tampered with, although it really can't, the cookie which I will add will do the same thing though.
Without testing anything ... this is what I came up with ....
Your log-out has to either leave the page or re-call the page.
You have to do 1 refresh to write the header. You can't change
the session variable and check it in the same script without a header change,
so decide what to do there, or use a separate script to kill the session.
PHP Code:
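<?php
session_start();
//Get database data and pull in
include "scripts/php/getData.php";
// Default: not logged in
$case = 0;
//Restart session
if (isset($_POST['logout'])) {
    $_SESSION['session'] = "ANONYMOUS";
    // return back to main page.
    header ("location: index.php");
    exit; // stop here so nothing below runs after the redirect
}
//Split the stored session value ("username.rid") into its two parts
$session = isset($_SESSION['session']) ? explode(".", $_SESSION['session']) : array();
//Detect existing session
if (count($session) == 2 && $session[1] == $rid && $session[0] == $uname) {
    // user is already logged-in.
    $case=1;
}
//Check value of text field (only when the form was actually submitted)
if (isset($_POST['txtUsername'], $_POST['txtPassword'])
    && $_POST['txtUsername'] == $uname && $_POST['txtPassword'] == $pass) {
    // user successfully logged-in.
    $_SESSION['session'] = $uname.".".$rid;
    $case=1;
}
//Decide what you display
if($case == 1){
//User is allowed to see the page.
?>
*PROTECTED HTML*
<?php
}
else {
//Fall-through to the Log-In Form.
?>
*LOG-IN FORM*
<?php
}
?>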
EDIT:
It might be easier to have separate scripts for log-in, log-out, and the protected page.
Messing with sessions will be easier, because redirecting to another script sends a header.
Seems to be working perfectly thanks. Seeming as it is working, do you still suggest that I have separate scripts? (This is only a small personal website btw, nothing big which people would want to screw with).
Also, I am having a problem with the values being pulled in from the database. At the moment, there are only two users (rows) in the database. The last one is working, but the first one is not working (Says invalid username or password). Although I do type it correctly.
Oh, I didn't notice that ... you have an array,
so you'll always see the last one, no matter how many you have.
There has to be another loop to check the whole array.
So, try something like this ...
PHP Code:
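<?php
session_start();
// Connect to the database server
$dbCon = mysql_connect('localhost', 'HOSTNAME', 'PASSWORD');
// Select the database
$tbCon = mysql_select_db('DATABASENAME');
// Default: not logged in
$case = 0;
//Split the stored session value ("username.rid") into its two parts
$session = isset($_SESSION['session']) ? explode(".", $_SESSION['session']) : array();
// Get data from table and run the checks for every row, not only the last one
$result = mysql_query("SELECT * from TABLENAME");
while ($row = mysql_fetch_array($result)) {
    $uname=$row["username"];
    $pass=$row['password'];
    $rid=$row['rid'];
    //Detect existing session
    if (count($session) == 2 && $session[1] == $rid && $session[0] == $uname) {
        // user is already logged-in.
        $case=1;
    }
    //Check value of text field (only when the form was actually submitted)
    if (isset($_POST['txtUsername'], $_POST['txtPassword'])
        && $_POST['txtUsername'] == $uname && $_POST['txtPassword'] == $pass) {
        // user successfully logged-in.
        $_SESSION['session'] = $uname.".".$rid;
        $case=1;
    }
} // This is the close of the while loop
//Decide what you display
if($case == 1){
//User is allowed to see the page.
?>
*PROTECTED HTML*
<?php
}
else {
//Fall-through to the Log-In Form.
?>
*LOG-IN FORM*
<?php
}
?>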
Edit:
Just tried to include the top section of the code, but it will not work. I have changed the file name and location of the file a couple of times... still does not pull in. Other includes are working... And the code works when I put it back in the actual page.
PHP Code:
<?php include "scripts/php/checkLogin.php"; ?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Project A-2010/1 - Home</title>
Last edited by martynball; 01-21-2010 at 11:40 PM..
//Detect existing session
if($session[1] == $rid && $session[0] == $uname) {
// user is already logged-in.
$case=1;
}
//Check value of text field
if ($_POST['txtUsername'] == $uname && $_POST['txtPassword'] == $pass) {
// user successfully logged-in.
$_SESSION['session'] = $uname.".".$rid;
$case=1;
}
//Decide what you display
if($case == 1){
//User is allowed to see the page.
?> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Project A-2010/1 - Home</title>
<link rel="stylesheet" href="../stokeGTA/css/mainsheet.css"/>
<script type="text/javascript" src="scripts/js/hoverFix.js"></script>
</head>
<body>
<div class="scriptOutput"><p>Output: --//</p></div>
<div class="container">
<?php echo "<div style=\"float:left; padding-left:1em;\"/>Welcome back, <h4> - $fname $lname -</h4></div>
<div style=\"float:right;\"><form method=\"post\">
<input type=\"submit\" name=\"logout\" value=\"-Logout-\" class=\"noStyle\"></form></div> ";?>
<?php include "includes/menu.php"; ?>
<h1>Project A-2010/1</h1>
<p> Content will go in here.</p>
<img src="http://i58.photobucket.com/albums/g268/martynball/UntitledTime0_00_5611.png" width="40%"/>
</div>
</body>
</html>
<?php
}
else {
//Fall-through to the Log-In Form.
?>
<head>
<title>Login</title>
<link rel="stylesheet" href="../stokeGTA/css/mainsheet.css"/>
<script type="text/javascript">
function restartForm()
{
document.form.txtUsername.value= "";
document.form.txtPassword.value= "";
}
</script>
</head>
<body>
<div align="center">
<div class="login">
<div style="float:right;">
<input type="button" onclick="restartForm()" value="Restart" class="noStyle">
</div>
<h1>Login</h1>
<?php
if (isset($_POST['Submit'])) {
if ($_POST['txtUsername'] == "") {
echo "<h3>Username field empty, please complete it!</h3>";
}
elseif ($_POST['txtPassword'] == "") {
echo "<h3>Password field empty, please complete it!</h3>";
}
elseif ($_POST['txtUsername'] != $uname || $_POST['txtPassword'] != $pass) {
echo "<h3>Username/Password incorrect!</h3>";
}
}
?>
<?php // PHP_SELF can carry attacker-supplied path text, so escape it before output ?>
<form name="form" method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8'); ?>">
<p>
<label for="txtusername">Username:</label>
<br />
<input type="text" title="Enter your username!" name="txtUsername" class="field"/>
</p>
<p>
<label for="txtpassword">Password:</label>
<br />
<input type="password" title="Enter your password!" name="txtPassword" class="field"/>
</p>
<p>
<input type="submit" name="Submit" value="-Login-" class="noStyle" />
</p>
</form>
<?php if ($_SESSION['session'] == "ANONYMOUS") { echo "You are not logged in!"; }else{ echo $_SESSION['session']; } ?>
</div>
</div>
</body>
<?php
}
?>
//Detect existing session
if($session[1] == $rid && $session[0] == $uname) {
// user is already logged-in.
$case=1;
}
//Check value of text field
if ($_POST['txtUsername'] == $uname && $_POST['txtPassword'] == $pass) {
// user successfully logged-in.
$_SESSION['session'] = $uname.".".$rid;
$case=1;
}
} // This is the close of the while loop
//Decide what you display
if($case == 1){
//User is allowed to see the page.
?> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Project A-2010/1 - Home</title>
<link rel="stylesheet" href="../stokeGTA/css/mainsheet.css"/>
<script type="text/javascript" src="scripts/js/hoverFix.js"></script>
</head>
<body>
<div class="scriptOutput"><p>Output: --//</p></div>
<div class="container">
<?php echo "<div style=\"float:left; padding-left:1em;\"/>Welcome back, <h4> - $fname $lname -</h4></div>
<div style=\"float:right;\"><form method=\"post\">
<input type=\"submit\" name=\"logout\" value=\"-Logout-\" class=\"noStyle\"></form></div> ";?>
<?php include "includes/menu.php"; ?>
<h1>Project A-2010/1</h1>
<p> Content will go in here.</p>
<img src="http://i58.photobucket.com/albums/g268/martynball/UntitledTime0_00_5611.png" width="40%"/>
</div>
</body>
</html>
<?php
}
else {
//Fall-through to the Log-In Form.
?> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title>Login</title>
<link rel="stylesheet" href="../stokeGTA/css/mainsheet.css"/>
<script type="text/javascript">
function restartForm()
{
document.form.txtUsername.value= "";
document.form.txtPassword.value= "";
}
</script>
</head>
<body>
<div align="center">
<div class="login">
<div style="float:right;">
<input type="button" onclick="restartForm()" value="Restart" class="noStyle">
</div>
<h1>Login</h1>
<?php
if (isset($_POST['Submit'])) {
if ($_POST['txtUsername'] == "") {
echo "<h3>Username field empty, please complete it!</h3>";
}
elseif ($_POST['txtPassword'] == "") {
echo "<h3>Password field empty, please complete it!</h3>";
}
elseif ($_POST['txtUsername'] != $uname || $_POST['txtPassword'] != $pass) {
echo "<h3>Username/Password incorrect!</h3>";
}
}
?>
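<?php // PHP_SELF can carry attacker-supplied path text, so escape it before output ?>
<form name="form" method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8'); ?>">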
<p>
<label for="txtusername">Username:</label>
<br />
<input type="text" title="Enter your username!" name="txtUsername" class="field"/>
</p>
<p>
<label for="txtpassword">Password:</label>
<br />
<input type="password" title="Enter your password!" name="txtPassword" class="field"/>
</p>
<p>
<input type="submit" name="Submit" value="-Login-" class="noStyle" />
</p>
</form>
<?php if ($_SESSION['session'] == "ANONYMOUS") { echo "You are not logged in!"; }else{ echo $_SESSION['session']; } ?>
</div>
</div>
</body>
</html>
<?php
}
?>
Up the top left the data from nicks account is still being used... that is due to the rid number being pulled in when logging in.
Also, can multiple users sign in at the same time? Because the session is called "session". I am guessing it would work like this: session[0], session[1], session[2] for each different person?
Last edited by martynball; 01-22-2010 at 01:05 AM..
Don't worry about the sessions.
They are cookies stored on the server, and each person is given their own session ID.
The other problem is due to the fact that you can't set the session and read it
without a header (redirect or refresh). I don't know the name of your scripts,
but you should create files for session control.
On each protected page you simply check for a session.
You don't have to call the "check_login.php" script ...
that's only used for the login.php (form page).
If the session exists, they are logged-in.
If the session does not exist, it displays the log-in form.
The whole point is ... once they are logged-in, the "check_login.php" script no longer has to be used.
check_login.php - this checks to see if the form login is correct.
If it is correct, it creates the session variable, otherwise, it returns
back to the login form with some sort of error message.
PHP Code:
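<?php
session_start();
//Database connect
include "scripts/php/db.connect.php";
$case=0;
// Get data from table
$result = mysql_query("SELECT * from users");
while ($row = mysql_fetch_array($result)) {
    // Pull this row's values so every user is checked, not only the last one
    $uname=$row['username'];
    $pass=$row['password'];
    $rid=$row['rid'];
    //Check value of text field
    // (=== avoids PHP's loose comparison treating different numeric-looking strings as equal)
    if (isset($_POST['txtUsername'], $_POST['txtPassword'])
        && $_POST['txtUsername'] === $uname && $_POST['txtPassword'] === $pass) {
        // user successfully logged-in.
        $_SESSION['session'] = $uname.".".$rid;
        $case=1;
        break; // matching row found, no need to read further rows
    }
} // This is the close of the while loop
// return to either the main page, or back to "login.php".
// this action supplies the header needed to create the session.
if($case==1){
    header ("location: index.php");
    exit; // stop the script after the redirect
}
else{
    // login failed, so return back to the form.
    // if you want, you can return a failed message.
    $mess="Invalid Login";
    // urlencode() because the message contains a space
    header ("location: login.php?mess=".urlencode($mess));
    exit;
}
?>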
logout.php - this destroys the session.
Call it from anyplace ... even a "logout" link, like: <a href="logout.php">logout</a>
Then, on the top of each protected page, you simply check for the session to be set.
If the session is set, that means they must be logged-in.
anypage-you-want.php
PHP Code:
<?php
session_start();
if(isset($_SESSION['session'])){
//user is logged-in, so do nothing
}
else{
//user needs to log in.
header ("location: login.php");
exit; // stop here, otherwise the protected HTML below is still sent with the redirect
}
?>
<html>
* YOUR PROTECTED PAGE *
</html>
login.php - Your login form (notice that the form action is "check_login.php").
You will have to change the validation of this because it will no longer call itself.
You can do the validation on the "check_login.php" script, or just use Javascripting.
PHP Code:
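<?php
session_start(); // needed for the $_SESSION check at the bottom of the form
// check for a failure message from check_login.php
$mess = "";
if (isset($_GET['mess'])) {
    // escape before output: the value comes straight from the URL
    $mess = htmlspecialchars($_GET['mess'], ENT_QUOTES, 'UTF-8');
}
?>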
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title>Login</title>
<link rel="stylesheet" href="../stokeGTA/css/mainsheet.css"/>
<script type="text/javascript">
function restartForm()
{
document.form.txtUsername.value= "";
document.form.txtPassword.value= "";
}
</script>
</head>
<body>
<div align="center">
<div class="login">
<div style="float:right;">
<input type="button" onclick="restartForm()" value="Restart" class="noStyle">
</div>
<h1>Login <?=$mess?> </h1>
<?php
if (isset($_POST['Submit'])) {
if ($_POST['txtUsername'] == "") {
echo "<h3>Username field empty, please complete it!</h3>";
}
elseif ($_POST['txtPassword'] == "") {
echo "<h3>Password field empty, please complete it!</h3>";
}
elseif ($_POST['txtUsername'] != $uname || $_POST['txtPassword'] != $pass) {
echo "<h3>Username/Password incorrect!</h3>";
}
}
?> <form name="form" method="post" action="check_login.php">
<p>
<label for="txtusername">Username:</label>
<br />
<input type="text" title="Enter your username!" name="txtUsername" class="field"/>
</p>
<p>
<label for="txtpassword">Password:</label>
<br />
<input type="password" title="Enter your password!" name="txtPassword" class="field"/>
</p>
<p>
<input type="submit" name="Submit" value="-Login-" class="noStyle" />
</p>
</form>
<?php if ($_SESSION['session'] == "ANONYMOUS") { echo "You are not logged in!"; }else{ echo $_SESSION['session']; } ?> </div>
</div>
</body>
</html>
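The login check and logout described for check_login.php and logout.php above, reworked as an added example that is not code from the thread: it looks up the single matching row with a bound parameter, verifies a stored password hash instead of a plaintext column, and issues a new session ID on login. The function names `find_user()`, `log_in()` and `log_out()` and the `password_hash` column are assumptions, and an in-memory SQLite database with constructed users stands in for the MySQL `users` table.

```php
<?php
// Added example, not code from the thread. find_user(), log_in() and log_out()
// are hypothetical names; the password_hash column is an assumption.

function find_user(PDO $db, string $username, string $password): ?array
{
    // Fetch the one matching row with a bound parameter instead of looping
    // over every user, so the "only the last row works" bug cannot occur.
    $stmt = $db->prepare('SELECT username, password_hash, rid FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_verify() compares against a stored hash, not plaintext.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return ['username' => $row['username'], 'rid' => (int) $row['rid']];
}

function log_in(array $user): void
{
    session_regenerate_id(true); // fresh session ID once the user is authenticated
    $_SESSION['session'] = $user['username'] . '.' . $user['rid']; // same value the thread stores
}

function log_out(): void
{
    $_SESSION = [];
    session_destroy();
}

// Constructed sample data: SQLite in memory stands in for the MySQL users table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (rid INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
$add = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
$add->execute(['nick', password_hash('constructed-pass-1', PASSWORD_DEFAULT)]);
$add->execute(['second_user', password_hash('constructed-pass-2', PASSWORD_DEFAULT)]);

session_start();
$results = [
    'first row logs in' => find_user($db, 'nick', 'constructed-pass-1') !== null,
    'second row logs in' => find_user($db, 'second_user', 'constructed-pass-2') !== null,
    'wrong password rejected' => find_user($db, 'nick', 'constructed-pass-2') === null,
];
log_in(find_user($db, 'nick', 'constructed-pass-1'));
$results['session set after login'] = isset($_SESSION['session']);
log_out();
$results['session set after logout'] = isset($_SESSION['session']);
var_dump($results); // printed last so no output precedes the session calls
```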
Problem 2:
The data is not being pulled in from the table, I have had to remove the "while" which most people use so that I can use the variables when the submitPass button is pressed. Is the while needed?
PHP Code:
<?php
include "scripts/php/db.connect.php";
//Get data...
$result = mysql_query("SELECT * from users WHERE rid='$srid'") or die ('Error: '.mysql_error());
$row = mysql_fetch_array($result);