Kudosarian

  1. Done!! Thanks for your help redarrow. But my hat is off to presimo. Thanks bud for all your time and effort in helping me. I have found this forum extremely useful and hope that I can return the favour someday. I will develop my script further one day by adding a change password option and other such things, but for now, I am more than happy with what I have got. Thanks again to all that chipped in, but big thanks to presimo. Kudosarian
  2. ok, 1 more thing and then I can leave a happy man. I would like to ensure that no-one can access restricted pages on the site. I have used the following script for that:

     ```php
     <?php
     session_start();
     // session_is_registered() was removed in PHP 5.4; test $_SESSION directly.
     if (!isset($_SESSION['username'])) {
         header("location: login.php");
         exit; // stop here so the restricted page is not sent after the redirect header
     }
     ?>
     ```

     But I have noticed that if I go straight to a restricted page, say from google, I am still "logged" in as the last username I tested. Is there an easy way of clearing the session variable?? Thanks for all your help so far Presimo

     Kudosarian
  3. wow - I added MD5 to the DB and re-added it to my login page code and it seems to be working fine. I take it that helps keep it safe or is there anything else I need to check?
  4. Ok, I checked the table and got it working. The problem seemed to occur with my settings for the password field in my DB. I had set the function to password which encrypts the password so no-one can see it. The login works as long as I do not have that function selected. My question now would be, is it safe? Is there any way to help the security of it? Thanks Kudos
  5. I wish I had better news. The login worked, for all of 5 mins. I tried updating the DB, and then nothing. Back to the Invalid username and password screen. As I said in my last post, it worked by removing the md5() for the password. See code below (don't think I have deleted anything else!!)

     Kudosarian

     ```php
     <?php
     session_start();
     if (isset($_POST['Login'])) {
         $server = "*****";
         $db_username = "*****";
         $db_password = "*****";
         $db_name = "*****";
         $db = mysql_connect($server, $db_username, $db_password) or die("Connection to database failed, perhaps the service is down !!");
         mysql_select_db($db_name,$db) or die("Database name not available !!");

         // lets filter the post data:
         array_walk_recursive($_POST, 'mysql_real_escape_string');
         $username=$_POST['username'];
         $md5_password=$_POST['password']; // Encrypt password with md5() function.

         // Construct and run query.
         $result=mysql_query("SELECT * FROM users WHERE username='$username' AND password='$md5_password' LIMIT 1");
         $result=mysql_num_rows($result);
         if($result > 0){
             $_SESSION['username'] = $_POST['username']; // session_register is deprecated
             header("location: index.php"); // Re-direct to main.php
         }else { // else is just fine here
             $message="--- Incorrect Username or Password ---";
             echo"$message";
         }
     }
     ?>
     ```
  6. THAT's IT!!! Presimo, you are a genius. I thought that I had md5() the password for the DB, but when I changed the coding on the login to reflect that I hadn't, it worked. So, now I will try making the password field in my DB md5(). I will report back. Kudosarian
  7. ok, I changed the capital L and also noticed a typo in one of the "username" words. Sorry to say that I am now getting the Invalid Username and password message after login is pressed. As I said in an earlier post, with the username and password that I have set up for testing purposes, I cannot get them wrong. I have tried creating another table with the same data but still no joy. This really has me stumped!!! Kudosarian
  8. No, my login page is called "login.php". On login, I want the visitor to be redirected to "index.php" which will allow them access to restricted sections of the site. Kudosarian
  9. ok, I have tried both blmg911 and presimo codes and both have different results, but neither work correctly. blmg911 - yours kicks back the invalid username and password message after the login button is pressed. I know that the username and password are right as they are hard to get wrong, so I think it must be the coding. Presimo - your code doesn't redirect on login, just echoes the login page again, but no invalid username or password message. Sorry if this is taking up your time, but it is much appreciated. Thanks Kudosarian
  10. No no, you misunderstand. There is data in the table for me to test. But with your code you provided, when I navigate to the login page, the error message is already on the screen. Therefore if a visitor goes to the login page to enter his/her username and password, they are faced with the error message that they have entered an invalid username or password before they have even pressed a key. Does that make sense?? K
  11. I'm not 100% sure that I follow you Premiso. The message appears when I load the login page. How can the username and password be incorrect when I have yet to enter them? I checked the DB and revised the password field to varchar(32). When you say check that I am using , silly question, but how do I do this? Kudos (the newbie )
  12. Hi Premiso, and welcome to the chat. I tried out your code, and I seem to get the "Incorrect Username or Password" message at the top of my page before I try and login. Kudosarian
  13. ok, I tested your new code blmg911 and I get the same result, the page merely refreshes. For reference, here is the current code including suggested changes:

      Kudosarian

      ```php
      <?php
      ///////////////////////// Security coding Supplied by blmg911
      mysql_real_escape_string($_GET);
      mysql_real_escape_string($_POST);
      ///////////////////////////////////////////////////////////////////////////////////////
      session_start();
      $server = "*****";
      $db_username = "*****";
      $db_password = "*****";
      $db_name = "*****";
      $db = mysql_connect($server, $db_username, $db_password) or die("Connection to database failed, perhaps the service is down !!");
      mysql_select_db($db_name,$db) or die("Database name not available !!");

      //// Login Section.
      if($_POST['Login']){ // If clicked on Login button.
          $username=$_POST['username'];
          $md5_password=md5($_POST['password']); // Encrypt password with md5() function.
      }

      // Construct and run query.
      $result=mysql_query("SELECT * FROM users WHERE username='$username' AND password='$md5_password'");
      $result=mysql_num_rows($result);
      if($result!=='0'){ // If match.
          session_register("username"); // Create session username.
          header("location: index.php"); // Re-direct to main.php
      }elseif($result=='0'){ // If not match.
          $message="--- Incorrect Username or Password ---";
          echo"$message";
      }
      ?>
      <h1>login</h1>
      <p>please enter the your username and password to login....</p>
      <form id="form1" name="form1" method="post" action="<?php $_SERVER['PHP_SELF']; ?>">
        <table>
          <tr>
            <td>Username : </td>
            <td><input name="username" type="text" id="username" /></td>
          </tr>
          <tr>
            <td>Password : </td>
            <td><input name="password" type="password" id="password" /></td>
          </tr>
        </table>
        <input name="Login" type="submit" id="Login" value="Login" />
      </form>
      ```
  14. Thanks blmg911. I've added your code to my page. K
  15. Thanks for the comments Snart and Chicken Little and blmg911. I have made the changes you have suggested Chicken, but the page continues to refresh on "login". Oh, yes the users table does indeed exist. Not sure if it matters, but I am accessing a database from an online server. I have tried and tested my connection and it is working fine. Not sure why username and password would not be valid Snart - perhaps you could explain? blmg911 - could you explain the escape string to me and point out where to put it? Thanks Appreciate any other help Kudosarian
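
Added example, not code from any poster above: one way to write the login check, restricted-page guard and logout that these posts ask about, using PDO prepared statements and `password_hash()` in place of `mysql_*` escaping and `md5()`. The function names and the in-memory SQLite demo are assumptions; the `users`, `username` and `password` names come from the posts.

```php
<?php
// Added example (assumed function names); table and column names follow the posts.

function check_login(PDO $db, string $username, string $password): bool {
    // Prepared statement: the username is bound as data, never spliced into the SQL.
    $stmt = $db->prepare('SELECT password FROM users WHERE username = ? LIMIT 1');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    // password_verify() checks a salted hash made by password_hash(); the column
    // must be wider than the 32 characters of an MD5 hex digest (VARCHAR(255)).
    return is_string($hash) && password_verify($password, $hash);
}

function log_in(string $username): void {
    session_regenerate_id(true);        // fresh session id once authenticated
    $_SESSION['username'] = $username;
}

function require_login(): void {
    // Call at the top of every restricted page, after session_start().
    if (empty($_SESSION['username'])) {
        header('Location: login.php');
        exit;                           // without exit the page body is still sent
    }
}

function log_out(): void {
    // Clears the stored username, expires the cookie, destroys the server-side session.
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Constructed demo data; in-memory SQLite stands in for the MySQL server.
if (PHP_SAPI === 'cli') {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)');
    $db->prepare('INSERT INTO users VALUES (?, ?)')
       ->execute(['demo', password_hash('correct horse', PASSWORD_DEFAULT)]);
    var_dump(check_login($db, 'demo', 'correct horse'));  // stored hash matches
    var_dump(check_login($db, 'demo', 'wrong'));          // wrong password
    var_dump(check_login($db, "demo'", 'x'));             // quote is treated as data
}
```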