Search the Community

I wanted to create a simpe secured login form. after hours of googling i found tat using these will help 1.PDO statements. 2.session_hijackin soultions 3.password protection with salt My questions... 1.what else more should i add?? 2.i want to know if i want to use ajax here, will that make my site less-secured? if so, how do i use send data to check to db via ajax in a secured way?? Help plssss........... huge, loads of thanks in advances...

hello all, first post here. im fairly new to php and am still trying to really get a hold of what im doing. right now im just trying to build a simple login function for my site and am completely stuck. here is what i have so far. in function authuser im trying to create a query, return the result, compare it with those that were posted on index.php and if it matches the database i would like the login function. to start the session. i hope that makes sense. and if there is a better way to do this or something im missing please let me know index.php if($_SERVER['REQUEST_METHOD'] === 'POST') { $username = $_POST['username']; $password = md5($_POST['password']); if(empty($username) || empty($password)){ $data['status'] = 'Please fill out both inputs'; } else { // login authuser($username,$password); } } functions.php function login($username,$password) { session_start(); } function authuser($username,$password) { $sql = "SELECT * FROM users WHERE username='$username' and password='$password'"; $results = mysql_query($sql); $rows = mysql_num_rows($results); if($rows==1) { session_register("admin"); } else { echo "Wrong Username or Password"; } }

Hello. I was wondering whether I could request some help about adding a change pass function to my login / register script on PHP/JQuery/MySQL. I have started the change pass function a little (the form is fully done and checks whether the required fields are filled in) but the rest is way above my current knowledge that involves PHP, I am more of a HTML person. Also, I would highly appreciate it if you could let me know whether this is vulnerable to SQL injection, I doubt it is because I've added some extra "mysql_real_escape_string();" to the script but all comments would help. I am useless at PHP <.< I have marked in the code where I have started the change pass function to make it a little easier to find. Here is the code: <?php error_reporting(E_ALL ^ E_NOTICE); define('INCLUDE_CHECK',true); require 'connect.php'; require 'functions.php'; // Those two files can be included only if INCLUDE_CHECK is defined session_name('tzLogin'); // Starting the session session_set_cookie_params(2*7*24*60*60); // Making the cookie live for 2 weeks session_start(); if($_SESSION['id'] && !isset($_COOKIE['tzRemember']) && !$_SESSION['rememberMe']) { // If you are logged in, but you don't have the tzRemember cookie (browser restart) // and you have not checked the rememberMe checkbox: $_SESSION = array(); session_destroy(); // Destroy the session } if(isset($_GET['logoff'])) { $_SESSION = array(); session_destroy(); header("Location: http://127.0.0.1/"); exit; } if($_POST['submit']=='Login') { // Checking whether the Login form has been submitted $err = array(); // Will hold our errors if(!$_POST['logusername'] || !$_POST['password']) $err[] = 'All fields are required.'; if(!count($err)) { $_POST['logusername'] = mysql_real_escape_string($_POST['logusername']); $_POST['password'] = mysql_real_escape_string($_POST['password']); $_POST['rememberMe'] = (int)$_POST['rememberMe']; // Escaping all input data $row = mysql_fetch_assoc(mysql_query("SELECT * FROM playerdata WHERE user='{$_POST['logusername']}' AND password='".sha1($_POST['password'])."'")); if($row['user']) { // If everything is OK login $_SESSION['user'] = $row['user']; $_SESSION['id'] = $row['id']; $_SESSION['rememberMe'] = $_POST['rememberMe']; // Store some data in the session setcookie('tzRemember',$_POST['rememberMe']); } else $err[]='You have entered an invalid username or password.'; } if($err) $_SESSION['msg']['login-err'] = implode('<br />',$err); // Save the error messages in the session header("Location: http://127.0.0.1/"); exit; } else if($_POST['submit']=='Register') { // If the Register form has been submitted $err = array(); if (!preg_match('/^[A-Za-z]{4,9}_{1}[A-Za-z]{4,9}$/', $_POST['username'])) { $err[] = 'Your username must be in the format of "John_Smith" (include the underscore) with a maximum of 19 characters and a minimum of 9. No other special characters are allowed.'; } $email = $_POST['email']; $query = sprintf("SELECT * FROM playerdata WHERE email='%s'", mysql_real_escape_string($email)); $result = mysql_query($query); if(!$result) { $err[]='There has been an error with your connection, please refresh the page and try again.'; } else { if(mysql_num_rows($result) > 0) { $err[]='That email address already exists.'; } } if(!checkEmail($_POST['email'])) { $err[]='Your email address is not valid.'; } if(!count($err)) { // If there are no errors $pass = substr(sha1($_SERVER['REMOTE_ADDR'].microtime().rand(1,100000).rand(170000,200000)),0,6); // Generate a random password $_POST['email'] = mysql_real_escape_string($_POST['email']); $_POST['username'] = mysql_real_escape_string($_POST['username']); // Escape the input data mysql_query(" INSERT INTO playerdata(user,password,level,money,email,ip,datetime) VALUES( '".$_POST['username']."', '".sha1($pass)."', '1', '20', '".$_POST['email']."', '".$_SERVER['REMOTE_ADDR']."', NOW() )"); if(mysql_affected_rows($link)== 1) { send_mail( 'bugsyccfc@googlemail.com', $_POST['email'], 'Welcome to Domination Roleplay.', 'Your password is: '.$pass); $_SESSION['msg']['reg-success']='An email has been sent containing your password. '.$pass; } else $err[]='That username has already been taken.'; } if(count($err)) { $_SESSION['msg']['reg-err'] = implode('<br />',$err); } header("Location: http://127.0.0.1/"); exit; } else if($_POST['submit']=='Confirm') // [size=4][b]Change Pass Starts Here[/b][/size] { $err = array(); // Will hold our errors if(!$_POST['password2'] || !$_POST['password3']) $err[] = 'All fields are required.'; header("Location: http://127.0.0.1/"); exit; } // [size=4][b]Change Pass Ends Here[/b][/size] (No idea what to do now) [b]Change pass form is below[/b] $script = ''; if($_SESSION['msg']) { // The script below shows the sliding panel on page load $script = ' <script type="text/javascript"> $(function(){ $("div#panel").show(); $("#toggle a").toggle(); }); </script>'; } ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" /> <title>Domination Roleplay UCP - Home</title> <!-- CCS Links --> <link rel="stylesheet" type="text/css" href="data/css/register.css" media="screen" /> <link rel="stylesheet" type="text/css" href="data/css/slide.css" media="screen" /> <!-- End of CCS Links --> <!-- Javascript Links --> <script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1.3.2/jquery.min.js"></script> <!-- PNG FIX for IE6 --> <!-- http://24ways.org/2007/supersleight-transparent-png-in-ie6 --> <!--[if lte IE 6]> <script type="text/javascript" src="http://127.0.0.1/data/js/supersleight-min.js"></script> <![endif]--> <script src="data/js/slide.js" type="text/javascript"></script> <?php echo $script; ?> <!-- End of Javascript Links --> </head> <!-- Login/Register UCP --> <div id="toppanel"> <div id="panel"> <div class="content clearfix"> <div class="left"> <h1>The Sliding jQuery Panel</h1> <h2>A register/login solution</h2> <p class="grey">You are free to use this login and registration system in you sites!</p> <h2>A Big Thanks</h2> <p class="grey">This tutorial was built on top of <a href="http://web-kreation.com/index.php/tutorials/nice-clean-sliding-login-panel-built-with-jquery" title="Go to site">Web-Kreation</a>'s amazing sliding panel.</p> </div> <?php if(!$_SESSION['id']): ?> <div class="left"> <!-- Login Form --> <form class="clearfix" action="" method="post"> <h1>Member Login</h1> <?php if($_SESSION['msg']['login-err']) { echo '<div class="err">'.$_SESSION['msg']['login-err'].'</div>'; unset($_SESSION['msg']['login-err']); } ?> <label class="grey" for="username">Username:</label> <input class="field" type="text" name="logusername" id="logusername" value="" size="23" maxlength="19" /> <label class="grey" for="password">Password:</label> <input class="field" type="password" name="password" id="password" size="23" maxlength="13" /> <label><input name="rememberMe" id="rememberMe" type="checkbox" checked="checked" value="1" /> Remember me</label> <div class="clear"></div> <input type="submit" name="submit" value="Login" class="bt_login" /> </form> </div> <div class="left right"> <!-- Register Form --> <form action="" method="post"> <h1>Not a member yet? Sign Up!</h1> <?php if($_SESSION['msg']['reg-err']) { echo '<div class="err">'.$_SESSION['msg']['reg-err'].'</div>'; unset($_SESSION['msg']['reg-err']); } if($_SESSION['msg']['reg-success']) { echo '<div class="success">'.$_SESSION['msg']['reg-success'].'</div>'; unset($_SESSION['msg']['reg-success']); } ?> <label class="grey" for="username">Username:</label> <input class="field" type="text" name="username" id="username" value="" size="23"maxlength="19" /> <label class="grey" for="email">Email:</label> <input class="field" type="text" name="email" id="email" size="23" /> <label>A password will be sent to your email address provided.</label> <input type="submit" name="submit" value="Register" class="bt_register" /> </form> </div> <?php else: ?> <div class="left"> <?php $query = sprintf("SELECT * FROM `playerdata` WHERE `user` = '%s'", mysql_real_escape_string($_SESSION['user'])); $result = mysql_query($query)or die(mysql_error()); echo '<h1><b><font color="#FFFFFF">'.$_SESSION['user'].'s User Control Panel</font></h1></b>'; echo '<p><b><font color="#FF0000">IP Address</font>: <font color="#FFFFFF">'.$_SERVER['REMOTE_ADDR'].'</font></p></b>'; while($row = mysql_fetch_array($result)) { echo '<p><b><font color="#FF0000">Registered</font>: <font color="#FFFFFF">'.$row['datetime'].'</font></p></b>'; echo '<p><b><font color="#FF0000">Cash</font>: <font color="#009933">$'.$row['money'].'</font></p></b>'; echo '<p><b><font color="#FF0000">Level</font>: <font color="#FFFFFF">'.$row['level'].'</font></p></b>'; } ?> <a href="?logoff">Log Out</a> </div> <div class="left right"> <h1>Your Account Settings</h1> <?php echo '<h2><font color="#FFFFFF">Change Password</font></h2>' [b][size=4]// Change Pass Form[/size][/b] ?> <form action="" method="post"><br /> <label class="grey" for="password">Existing Password:</label> <input class="field" type="password" name="password2" id="password2" size="23" maxlength="13" /> <label class="grey" for="password">New Password:</label> <input class="field" type="password" name="password3" id="password3" size="23" maxlength="13" /> <label class="grey" for="password">Confirm Password:</label> <input class="field" type="password" name="password4" id="password4" size="23" maxlength="13" /> <input type="submit" name="submit" value="Confirm" class="bt_changepass" /> </div> <?php endif; ?> </div> </div> <!-- /login --> <!-- The tab on top --> <div class="tab"> <ul class="login"> <li class="left"> </li> <li>Welcome <?php echo $_SESSION['user'] ? $_SESSION['user'] : 'Guest';?>!</li> <li class="sep">|</li> <li id="toggle"> <a id="open" class="open" href="#"><?php echo $_SESSION['id']?'Open Panel':'Log In | Register';?></a> <a id="close" style="display: none;" class="close" href="#">Close Panel</a> </li> <li class="right"> </li> </ul> </div> <!-- / top --> </div> <!--Login/Register UCP --> </body> </html> Thanks a lot for taking your time to help!

Hello. Recently, I've been learning about registration forms in PHP, and I'm wandering how I could improve the one I've already written(this is only an excerpt, obviously): if(!empty($username) && !empty($password) && !empty($re_password) && !empty($firstname) && !empty($lastname)){ if($password === $re_password){ $query_run = mysql_query("SELECT username FROM users WHERE username = '$username'"); if(mysql_num_rows($query_run)==1){ echo 'User '."<strong>".$username."</strong>".' Already Exists!'; }else{ mysql_query("INSERT INTO users VALUES ('','".mysql_real_escape_string($username)."','".mysql_real_escape_string($hashed_password)."','".mysql_real_escape_string($firstname)."','".mysql_real_escape_string($lastname)."')"); header('Location: my119file.php?pass_username='.$username); } }else{ echo 'The Re-Entered Password Doesn\'t Match'; } }else{ echo 'Please Fill Out All The Fields'; } } }else{ echo 'You\'re already logged in'; } I'm mainly concerned about the fact that, if the user inputs invalid information into the fields, he will only be notified of the first error encountered; if there happen to be multiple errors with the filled-out information, the user will not know until the first error is solved. For instance, if the user omits one of the required fields, AND the "confirm password" does't match, only the "Please Fill Out All The Fields" error will be displayed, and the "Password Don't Match" error will be ignored until the first issue is resolved. I would much rather prefer if the form recognized all errors in a single run, but I'm not sure how to do that... Any ideas? Thanks.

Hey, I am trying to make a website with a back-end section for admin to updat the site without having to use html code. I have used this tutorial for the login portion: http://www.phpeasystep.com/phptu/6.html On my localhost everything works perfectly but when I upload this on my webspace there is an issue. Normally (localhost) when you want to go to admin.php (in the tutorial login_succesfull.php) and you have not logged in it will rederict you to the login page, but now it doesn't. If you go directly to the login.php and you enter the username and password it 'logs you in' and directs you to login_succesfull.php. I have updated all the info in checklogin.php to match the info from the webspace. I have no clue why it will work locally but not on a webspace, do you? ps: sorry for the bad english

So last week our company decided to migrate our website to a new server and after doing so we noticed one key element has stopped working- our login! php.5.3 apache 2.3.3 The files are the exact same- the SQL database is the exact same- but once the correct login information is input the page just loads to: http://198.154.221.208/login.php?accesscheck=%2Fsubscribers%2Fgetting-started.php instead of http://198.154.221.208/subscribers/getting-started.php We know that it correctly recognizes that the user has permissions because if we enter the incorrect password or just bogus information period- it brings us to the failed login page: http://198.154.221.208/login.php?access=failed So without further adieu, here's the code: <?php require_once('Connections/dbconnec.php'); ?> <?php // *** Validate request to login to this site. if (!isset($_SESSION)) { session_start(); } $loginFormAction = $_SERVER['PHP_SELF']; if (isset($_GET['accesscheck'])) { $_SESSION['PrevUrl'] = $_GET['accesscheck']; } if (isset($_POST['email'])) { $loginUsername=$_POST['email']; $password=$_POST['password']; $MM_fldUserAuthorization = "prilevel_id"; $MM_redirectLoginSuccess = "/subscribers/getting-started.php"; $MM_redirectLoginFailed = "login.php?access=failed"; $MM_redirecttoReferrer = false; mysql_select_db($database_dbconnec, $dbconnec); $LoginRS__query=sprintf("SELECT cust_email, cust_password, prilevel_id, acctexp_date FROM customers WHERE cust_email='%s' AND cust_password='%s' AND acctexp_date >= CURDATE()", get_magic_quotes_gpc() ? $loginUsername : addslashes($loginUsername), get_magic_quotes_gpc() ? $password : addslashes($password)); $LoginRS = mysql_query($LoginRS__query, $dbconnec) or die(mysql_error()); $loginFoundUser = mysql_num_rows($LoginRS); if ($loginFoundUser) { $loginStrGroup = mysql_result($LoginRS,0,'prilevel_id'); //declare two session variables and assign them $_SESSION['MM_Username'] = $loginUsername; $_SESSION['MM_UserGroup'] = $loginStrGroup; if (isset($_SESSION['PrevUrl']) && false) { $MM_redirectLoginSuccess = $_SESSION['PrevUrl']; } header("Location: " . $MM_redirectLoginSuccess ); } else { header("Location: ". $MM_redirectLoginFailed ); } } ?> I'm not really very familiar with PHP or SQL so much as HTML and CSS so this is all still kind of foreign to me- SO I bring it before the community....

Hi, Been using this script for a while - http://angry-frog.com/downloads-page/ - seems pretty good and it attempts to be secure. It uses prepared statements using PDO and other checks are made on user submitted data. The passwords are hashed and salted, etc. But would apprecaite your opinon on it. I think where it goes slightly wrong is not quite sure if it is object orientated or preocedural, sort of half and half. Would like to be sure it is secure now I have it on my site and if neccessary make some changes to make it more secure. Thanks

Hello everyone, I have this idea for a website that I can't seem to solve. I created an intro page where there's a username and a password to type and two buttons, a login button and a register button. What I wanted to do is when the login button is pressed it compares the username and the password with database entries, if they're available, it would redirect the client to homepage. If not, the lightbox would appear for registration. The code to my intro page is: <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/> <title> RYNC - Rent Your Car Now</title> <style type="text/css"> @import "Dialog/DescriptionDialog.css"; @import "Dialog/styles.css"; </style> <style> body { background: url(../Images/Bgcolor.jpg); background-size: 100%; background-position: top center; background-repeat: no-repeat; } </style> </script> <script type="text/javascript" src="JQuery.js"></script> <script type="text/javascript" src="Dialog/jquery.lightbox_me.js"></script> <?php function ShowLogin(){ $f_usr = $_POST["username"]; $f_pswd = $_POST["password"]; $con=mysql_connect("localhost","root",""); if(! $con){ die('Connection Failed'.mysql_error()); } mysql_select_db("projet",$con); $result = mysql_query("SELECT * FROM client WHERE username= '" .$f_usr. "' AND password= '" .$f_pswd. "' "); $numrows=mysql_num_rows($result); if ($numrows != 0){ header("Location: Homepage.php");} else{ ShowRegistration();} } ?> <script type="text/javascript"> function ShowRegistration(){ .get("Registration.php", function(data){ $("#descDialog").empty(); $("#descDialog").append(data); $("#descDialog").lightbox_me({ centered:true }); }) } </script> </head> <body> <form name="frm" action="Registration.php" method="post"> <center> <OBJECT classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,0,0" WIDTH="640" HEIGHT="480" id="RYNC" ALIGN=""> <PARAM NAME=movie VALUE="RYNC.swf"> <PARAM NAME=quality VALUE=high> <PARAM NAME=bgcolor VALUE=#FFFFFF> <EMBED src="../Flash/RYNC.swf" quality=high bgcolor=#FFFFFF WIDTH="640" HEIGHT="480" NAME="RYNC" ALIGN="" TYPE="application/x-shockwave-flash" PLUGINSPAGE="http://www.macromedia.com/go/getflashplayer"></EMBED> </OBJECT> <br> Username <input type="text" value="" name="username"> <br> Password <input type="password" value="" name="password"> <br> </form> <input type="button" value="Log In" name="Login" onclick="<? ShowLogin(); ?>"> <input type="button" value="Register now" name="Register" onclick="ShowRegistration();"> <div id="descDialog"></div> </body> </html> Thanks in advance Regards, Chris

my login system is awesome, i added one small thing and BAM it broke, i cant see the problem but i hope to have it fixed here, here is my code for my login page <?PHP include_once("sql.php"); if (isset($_POST["user"])) { if (isset($_POST["pass"])) { if ($_POST["user"] == "") { login("u"); } else { $loggedIn = false; $result = mysql_query("select * from users;"); while($row = mysql_fetch_assoc($result)) { if ($_POST["user"] == $row["user"]) { if ($_POST["pass"] == $row["password"]) { $loggedIn = true; setCookie("user",$row["user"], time()+3600); setCookie("password",$row["password"],time()+3600); setCookie("team",$row["team"], time()+3600); \\ added this (a new colium in the table) break; } } } if ($loggedIn) { print " <a href=\"index.php\">Login</a> "; } else { login("up"); } } } else { if ($_POST["user"] == "") { login("up"); } else { login("p"); } } } else { login(""); } function login($error) { $user = ""; $pass = ""; if ($error == "u") { $user = "<br />Username is incorrect"; } if ($error == "p") { $pass = "<br />Password is incorrect"; } if ($error == "up") { $user = "<br />Username not used"; $pass = "<br />Password is incorrect"; } // form here just simple "username" and "password" fields } ?> note: my website is only small thanks

Hi everyone. I'm having a bit of trouble with my registration script. When I go to my action.php file, I get these error: Notice: Undefined index: uname1 in C:\xampp\htdocs\series\action.php on line 2 Notice: Undefined index: pword1 in C:\xampp\htdocs\series\action.php on line 3 But, When I test my script, Everything works fine. I don't understand what's going on. These are my two files: index.php: <html> <body> <form action="action.php" method="post"> Username: <input type="text" name="uname1" /> Password: <input type="password" name="pword1" /> <input type="submit" value="Login" /> </form> </body> </html> action.php: <?php $username_1 = $_POST['uname1']; $password_1 = $_POST['pword1']; $con = mysql_connect("localhost", "root", ""); if (!$con) { die('Could not connect: '. mysql_error()); } mysql_select_db("user1", $con); mysql_query("INSERT INTO userlogin (username, password) VALUES ('$username_1', '$password_1')"); mysql_close($con); ?>

I made a login/logout page, but now I i'll like to separate the admin from regular users as they login. What I am trying to do is to have **regular users** just view available files, and the **admins** well of course they will be able to view and edit those files. Now my set up: **Login**.php <?php session_start(); include("password.php"); require_once "config.php"; /* Constants */ $TITLE = "Formation - User Login"; $CSS = array("assets/css/formation.css"); $Javascript = array(); $mode = $_GET["mode"]; /* Template */ require_once $TEMPLATE_PATH."header.php"; if ($mode == "login") { /// do after login form is submitted if ($USERS[$_POST["username"]]==$_POST["password"]) { /// check if submitted username and password exist in $USERS array $_SESSION["login"]=$_POST["username"]; header("location:index.php"); } else { echo "Incorrect username/password. Please, try again."; }; } else if ($mode == "logout") { session_start(); unset($_SESSION["login"],$USERS); header("location: login.php"); exit(0); }; echo <<< XHTML <h1>$TITLE</h1> <form id="form" method="post" action="{$LOGIN_URL}?mode=login"> <label id="username_label" for="username" class="normal">Username</label> :<br /> <input id="username" name="username" type="text" value="" class="half" /><br /> <label id="password_label" for="password" class="normal">Password</label> :<br /> <input id="password" name="password" type="password" value="" class="half" /><br /> <input id="submits" type="submit" value="Login" /> </form> XHTML; require_once $TEMPLATE_PATH . "footer.php"; ?> **Password**.php (verifies users and passwords) <?php $USERS["drodrig1"] = "pwd1"; $USERS["jsutta"] = "pwd2"; $USERS["username3"] = "pwd3"; function check_logged(){ global $_SESSION, $USERS; if (!array_key_exists($_SESSION["login"],$USERS)) { header("Location: login.php"); exit(0); }; }; ?> **Config**.php <?php $ASSETS_URL = "[url="https://url-link/formationXX/assets/%22;"]https://url-link/for...ionXX/assets/";[/url] $ASSETS_PATH = "serverpath/formationXX/assets/"; $TEMPLATE_URL = "[url="https://url-link/formationXX/assets/template/%22;"]https://url-link/for...ets/template/";[/url] $TEMPLATE_PATH = "serverpath/formationXX/assets/template/"; $LOGIN_URL = "[url="https://url-link/formationXX/login.php%22;"]https://url-link/for...nXX/login.php";[/url] $LOGIN_PATH = "serverpath/formationXX/login.php"; ?> **Index**.php (After login, this is where I want to see admin differentiate from regular user. The admin should be able so see and edit the following: CSS, JS, Email, PDF and Spread Sheet. Meanwhile user can **only view** all except: CSS, JS) <?php require_once "config.php"; session_start(); /// initialize session include("password.php"); check_logged(); /// function checks if visitor is logged. /* Constants */ $TITLE = "Formation - User Login"; $CSS = array("assets/css/formation.css"); $Javascript = array(); /* Template */ require_once $TEMPLATE_PATH."header.php"; echo <<< XHTML <form id="form" method="post" action="{$LOGIN_URL}?mode=login"> <div class="full row column"> <h1>{$TITLE}</h1> </div> <div class="full row column"> <div class="half column small"> <p>Logged in as: <strong>{$_SESSION["login"]}</strong> | <a href="{$LOGIN_URL}?mode=logout" class="small">Logout</a></p><br /> Add Form | Delete Selected Form(s) </div> </div> <div class="full row column"> <table id="formslist" cellpadding="0" cellspacing="0"> <th> <tr> <td class="form_select"> <input id="selectallforms" name="selectallforms" type="checkbox" value="Select All Forms" /> </td> <td class="form_id"> ID </td> <td class="form_url"> URL </td> <td class="form_dates"> Launch Date </td> <td class="form_dates"> Expiration Date </td> <td class="form_autofill"> Autofill </td> <td class="form_save"> **CSS** </td> <td class="form_save"> **JS** </td> <td class="form_save"> Email </td> <td class="form_save"> PDF </td> <td class="form_dates"> Spread sheet </td> </tr> </th> </table> </div> </form> XHTML; require_once $TEMPLATE_PATH . "footer.php"; ?>

Hi, I am writing some code to check logins to a mySQL database(WANIP) of remotes sites against usernames in wanipusers database. I have the login.php checking to see if there is a valid session, if not they are prompted to login, if there is a valid session, they are passed to login_success.php. Below is my login.php and the checklogin.php that checks for a valid session and the usernames against the wanipusers database. The login_success.php just gives them a choice to either update the database or add a new site. Currently, once they hit login.php, they are automatically sent to checklogin.php and the incorrect username message is displayed, once they click the return link to enter proper credentials, they are automatically sent to login_success.php, and that's not the way it's supposed to work. Any help would be appreciated, Thanks, Leonard **** login.php <?php session_start(); // Set timeout and kill session if necessary $inactive = 600; if (isset($_SESSION["timeout"])) { // calculate sessions TTL $sessionTTL = time() - $_SESSION["timeout"]; if ($sessionTTL > $inactive) { session_destroy(); header("Location: logout.php"); } } echo "<title>WANIP Login</title>"; if ($_SESSION["authorized"] = true) { header( 'Location: login_success.php' ) ; } else { $_SESSION["authorized"] = false; echo "<table width=300 border=0 align=center cellpadding=0 cellspacing=1 bgcolor=#CCCCCC><tr><form method=post action=checklogin.php><td><table width=100% border=0 cellpadding=3 cellspacing=1 bgcolor=#FFFFFF>"; echo "<tr>"; echo "<td colspan=3><strong>Login </strong></td></tr>"; echo "<tr><td width=78>Username</td><td width=6>:</td><td width=294><input name=myusername type=text id=myusername></td></tr><tr><td>Password</td><td>:</td><td><input name=mypassword type=password id=mypassword></td></tr><tr><td> </td><td> </td><td><input type=submit value=Login></td></tr></table></td></form></tr></table>"; echo "</center>"; echo "<center><a href=index.html>Return</a>"; } ?> **** checklogin.php <?php // Connect to server and select databse. mysql_connect("localhost", "user", "password")or die("cannot connect"); mysql_select_db("wanipusers")or die("cannot select DB"); // Define $myusername and $mypassword $username=$_POST['myusername']; $password=$_POST['mypassword']; echo "$username - $password"; // To protect MySQL injection (more detail about MySQL injection) $username = stripslashes($username); $password = stripslashes($password); $username = mysql_real_escape_string($username); $password = mysql_real_escape_string($password); $sql="SELECT * FROM users WHERE username='$username' and password='$password'"; $result=mysql_query($sql); // Mysql_num_row is counting table row $count=mysql_num_rows($result); // If result matched $username and $password, table row must be 1 row if($count==1){ // Register $username, $password and redirect to file "login_success.php" session_register("username"); session_register("password"); header("location:login_success.php"); $_SESSION["authorized"] = true; } else { echo "<center>Incorrect Username and/or Password</center>"; echo "<center><a href=login.php>Return</a> and enter proper credetials</center>"; } ?>

I have a login page and at the top of my members page I have another script that checks first if the user is logged in and then checks if the user is premium. Both need to be true for the user to see the members page but instead it keeps going to the activate page when logged in as a premium member. login page <? ob_start();session_start();include_once"config.php"; if(isset($_SESSION['username']) || isset($_SESSION['password'])){ header("Location: videos_main.php"); }else{ if(isset($_POST['login'])){ $username= trim($_POST['username']); $password = trim($_POST['password']); if($username == NULL OR $password == NULL){ $final_report.="Please complete all the fields below.."; }else{ $check_user_data = mysql_query("SELECT * FROM `members` WHERE `username` = '$username'") or die(mysql_error()); if(mysql_num_rows($check_user_data) == 0){ $final_report.="This username does not exist.."; }else{ $get_user_data = mysql_fetch_array($check_user_data); if($get_user_data['password'] != $password){ $final_report.="Your password is incorrect!"; }else{ $start_idsess = $_SESSION['username'] = "".$get_user_data['username'].""; $start_passsess = $_SESSION['password'] = "".$get_user_data['password'].""; $final_report.="You are about to be logged in, please wait a few moments.. <meta http-equiv='Refresh' content='2; URL=videos_main.php'/>"; }}}}} ?> Page with videos on it (Premium) page. <? ob_start(); session_start();include_once"config.php"; if(!isset($_SESSION['username']) || !isset($_SESSION['password'])){ header("Location: login.php"); }else{ $premium_query = mysql_query("SELECT 'premium' FROM 'members' WHERE 'username'='".$_SESSION['username']."'"); $premium = mysql_result($premium_query, 0, 'premium'); if($premium == 0){ header("Location: activate.php"); }else{ $user_data = "".$_SESSION['username'].""; $fetch_users_data = mysql_fetch_object(mysql_query("SELECT * FROM `members` WHERE `username`='".$user_data."'")); } ?> ...//Premium content It's supposed to just show the page content if the $premium returns a value of 1. But it just keeps shooting me to the activate page. Premium is an INT in the database and it defaults to 0 when the user registers, then is changed to 1 when the user activates the account for premium membership. Any ideas?

I am using the php-login script. Everything has been working fine but suddenly now when I try logging in with an account (called user1) that has always worked previously, it simply redirects me to the login page. It does not error, it just redirects. Although if I try another account (user 2), I login normally but this one account (user 1) just does not seem to not want to login and just keeps redirecting me back when I try logging in. Also, the script only works if I have the "Remember Me" box checked. I have a feeling that it is an issue with cookies, I have taken a code snippet here: session_start(); session_regenerate_id (true); //prevent against session fixation attacks. // this sets variables in the session $_SESSION['user_id']= $id; $_SESSION['user_name'] = $full_name; $_SESSION['user_level'] = $user_level; $_SESSION['HTTP_USER_AGENT'] = md5($_SERVER['HTTP_USER_AGENT']); //update the timestamp and key for cookie $stamp = time(); $ckey = GenKey(); mysql_query("update users set `ctime`='$stamp', `ckey` = '$ckey' where id='$id'") or die(mysql_error()); //set a cookie if(isset($_POST['remember'])){ setcookie("user_id", $_SESSION['user_id'], time()+60*60*24*365, "/"); setcookie("user_key", sha1($ckey), time()+60*60*24*365, "/"); setcookie("user_name",$_SESSION['user_name'], time()+60*60*24*365, "/"); } header("Location: myaccount.php"); Although, it may be other things. For further reference, the script I am using is from here: http://php-login-script.com Thanks!

I have this code: <?php // template.php code function horizontal_login_block($form) { $form['#action'] = url($_GET['q'], array('query' => drupal_get_destination())); $form['#id'] = 'horizontal-login-block'; $form['#validate'] = user_login_default_validators(); $form['#submit'][] = 'user_login_submit'; $form['#prefix'] = ''; $form['#suffix'] = ''; $form['name'] = array ( '#type' => 'textfield', '#prefix' => '', '#suffix' => '', '#maxlength' => USERNAME_MAX_LENGTH, '#size' => 15, '#required' => TRUE, '#default_value' => 'Username', '#attributes' => array('onblur' => "if (this.value == '') {this.value = 'Username';}", 'onfocus' => "if (this.value == 'Username') {this.value = '';}" ), ); $form['pass'] = array ( '#type' => 'password', '#maxlength' => 60, '#size' => 15, '#required' => TRUE, '#prefix' => '', '#suffix' => '', ); $form['actions'] = array('#type' => 'actions'); $form['actions']['submit'] = array('#type' => 'submit', '#value' => 'Login'); return $form; } ?> Right now the Username and Password and Login button are vertical but I want to make them horizontal. Any idea how to accomplish this? I have this calling it to the page: <?php print login_bar(); function login_bar() { global $user; if ($user->uid == 0) { $form = drupal_get_form('horizontal_login_block'); // Drupal 7 uses a new function 'render'. return render($form); } else { return t('Welcome back ') . ucwords($user->name); } } ?>

Hi , i'm new to php. i'm creating a signup form with email verification (PHPmailer) everything seems to work except when the user confirm the email, their information does not save to the database , so they can't login their account. the error is with the INSERT INTO customer part. can someone help me? thanks <?php if (isset($_GET["passkey"])) { $confirm = $_GET["passkey"]; $con = mysql_connect("localhost","root"); if (!$con) echo(mysql_error()); else { mysql_select_db("dbhotel",$con); $sql = "SELECT * FROM temp WHERE ConfirmCode = '" . $confirm . "'"; $rs = mysql_query($sql,$con); if (mysql_num_rows($rs) == 1) { $rows = mysql_fetch_assoc($rs); $sql = "INSERT INTO customers(FName,LName,Title,Address,Phone,Email,Password) VALUES ('". $rows["FName"] . "','" . $rows["LName"] . "','" . $rows["Title"] . "','" . $rows["Address"] . "','" . $rows["Phone"] . "','" . $rows["Email"] . "','" . $rows["Password"]."')"; mysql_query($sql,$con); $sql = "DELETE FROM temp WHERE ConfirmCode = '" . $confirm . "'"; mysql_query($sql,$con); echo "Congratulations " . $rows["Title"] ." ". $rows["FName"] ." ". $rows["LName"] . ", you are now a member!"; } else { echo "Sorry, we are unable to process your request at this moment. Please try again later."; } } mysql_close($con); } else { echo "You do not have enough permissions to access this page."; } ?>

else if(mysql_num_rows($result)==1) // <-- If ONE row is returned { $my_session = mysql_result ($result, 0, 'u_id'); // <-- then user is Authentic & Start session $_SESSION['clans'] = $my_session; header('location:../FINAL/index.php'); } As you can see the above, it is a script for a log-in page, basically saying that if row is returned from my MySQL then take user to index page. Unfortunately, I am having a header already sent error. For two days, I have tried to figure out this problem but no hope.

As long as it's SQL injection proof, would it be alright for me to let non-members add comments to a post and give the Author the ability to delete them?