Signing in under a specific user


hansman

Hello, I currently have a sign-in form which eventually goes into profile.php. I cannot figure out how I can have a user sign in, and so no one else can get into his section. It's tricky to explain, but I would like to have each specific user sign into their own area, and this currently doesn't work.

 

Here is my code for the login.php script

<?php
// Connect and select the database
mysql_connect("$host", "$username", "$password")or die("noooope");
mysql_select_db("$db_name")or die("cannot select DB");
// Read and escape the submitted credentials
$user=$_POST['usr_name'];
$pass=$_POST['usr_pass'];
$user = stripslashes($user);
$pass = stripslashes($pass);
$user = mysql_real_escape_string($user);
$pass = mysql_real_escape_string($pass);
// Look for a row matching both name and password
$sql="SELECT * FROM users WHERE usr_name='$user' and usr_pass='$pass'";
$result=mysql_query($sql);
$count=mysql_num_rows($result);
if($count==1){
    session_register("usr_name");
    session_register("usr_pass");
    header("location:profile.php");
}
else {
    echo "SORRY WRONG DATA!";
}
?>

 

Link to comment

You'd probably be better off storing less unique data in your session. Take a look at my login script:

 

if(check_required2("user_name, password")) { $_SESSION['error'] = "required_missing"; unset($_POST); redirect("http://admin.mysite.com"); exit(); }

$result = mysql_query("SELECT * FROM permissions WHERE userName = '".addslashes($_POST['user_name'])."'") or die(mysql_error());

if(mysql_num_rows($result) != 1) { $_SESSION['error'] = "nosuchuser"; unset($_POST); display_login(); exit(); }

if(md5($_POST['password']) == mysql_result($result, 0, "userPassword"))
{
    $_SESSION['id'] = mysql_result($result, 0, "ID");
    $_SESSION['logged_in'] = 1;
    unset($_POST);
    redirect("?action=home");
    exit();
} else {
    unset($_POST);
    $_SESSION['error'] = "badcombo";
    display_login();
}

 

So in here, I do check their name and password, but then I store their unique user_id into a session. Then, on each page, I can query that ID so that they only see their own information.

 

Also, I have a custom function for my error reporting and login, so you can ignore those.

 

session_register, by the way, is deprecated, so you'll want to steer away from it in the future.

 

Link to comment

I don't exactly understand your code. I wish to sign in (the form is on index.php), then have a user log in and be directed to profile.php. profile.php will show the user that logged in and make it possible to edit their info. People that don't log in will be able to see their profile, and they won't be able to edit. It's similar to Facebook; the link will be like www.mysite.com/profile_####.php or something like that. Thanks for your help.

Link to comment

The code I posted simply sets the $_SESSION variable to the user's ID without putting their name or password into a $_SESSION.

 

Once you're on the profile page, you can do a check to see if the page ID equals the $_SESSION['id'] and if so, place editing links on the page.

 

I'll step you through my code, though, so you can see how it differs from yours:

 

if(check_required2("user_name, password")) { $_SESSION['error'] = "required_missing"; unset($_POST); redirect("http://admin.mysite.com"); exit(); }

 

This is a custom function that checks to see if required fields have been filled out. If they haven't, it sets an error and returns them to the main login page. You can put in your own error checking for this part.

 

$result = mysql_query("SELECT * FROM permissions WHERE userName = '".addslashes($_POST['user_name'])."'") or die(mysql_error());

 

O.k., we have a name and password, so let's just try to select * from the permissions database (says what a user can and can't access in my case) just by their name alone.

 

if(mysql_num_rows($result) != 1) { $_SESSION['error'] = "nosuchuser"; unset($_POST);  display_login(); exit(); }

 

We only expect one user to be returned. If that isn't the case (either no users, or more than one), we put another error message up and redirect them back to the login page. Not perfect, but it works in the cases necessary, and the error message contains instructions to contact the webmaster if they think there's been a mistake.

 

if(md5($_POST['password']) == mysql_result($result, 0, "userPassword"))

 

O.k., so if the user exists, now we take their posted password, apply the md5 encryption to it, and then compare it to what's in the database. Again, not a perfect solution (as the original password gets submitted in plain text) but it helps against SQL injection attacks to have two separate checks instead of one generic that can be escaped.

 

{
$_SESSION['id'] = mysql_result($result, 0, "ID");
$_SESSION['logged_in'] = 1;
unset($_POST); 
redirect("?action=home"); 
exit();

 

So we've been assured that their name and password are correct, now we set two sessions. One is that they're logged in (in case they come back to the login page later, this is checked to auto log them in) and we also set their ID, so we can check what permissions they have later without comparing names and passwords again. In my case, I have it redirect them with a custom function and also remove any current $_POST content, and also exit out of the script, just as an added precaution (the redirect is JavaScript, so if they have it disabled and were able to get this far, I don't want it to error out).

 

} else {
unset($_POST); 
$_SESSION['error'] = "badcombo";
display_login();
}

 

This was in case the password they submitted does not match against the user account. Again, I remove the $_POST information, serve them an error and redirect them back to the login page.

Link to comment
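
The profile-page check suggested above, as an added example that is not part of any post: the same ownership test that decides whether edit links are shown is repeated in the code that saves the edit. The function names, the bio column and the in-memory SQLite data are assumptions made for the demo; $session stands in for $_SESSION.

```php
<?php
declare(strict_types=1);

// True only when the session belongs to a logged-in user who owns this profile.
// Use it on profile.php to decide whether to render the edit links.
function can_edit_profile(array $session, int $profileId): bool
{
    return !empty($session['logged_in'])
        && isset($session['id'])
        && (int) $session['id'] === $profileId;
}

// The write path repeats the check: hiding the edit link does not stop a
// hand-built POST that names someone else's profile ID.
function update_bio(PDO $db, array $session, int $profileId, string $bio): bool
{
    if (!can_edit_profile($session, $profileId)) {
        return false;
    }
    $stmt = $db->prepare('UPDATE users SET bio = :bio WHERE id = :id');
    $stmt->execute([':bio' => $bio, ':id' => $profileId]);
    return $stmt->rowCount() === 1;
}

// Constructed demo data (hypothetical schema) in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, usr_name TEXT, bio TEXT)');
$db->exec("INSERT INTO users VALUES (1, 'alice', 'hi'), (2, 'bob', 'hello')");

$alice = ['id' => 1, 'logged_in' => 1];  // what the login step stored in the session
$guest = [];                             // visitor who never logged in

var_dump(update_bio($db, $alice, 1, 'my own profile'));  // owner edits own profile
var_dump(update_bio($db, $alice, 2, 'not mine'));        // logged in, wrong profile
var_dump(update_bio($db, $guest, 1, 'anonymous edit'));  // not logged in
```

Viewing a profile stays open to everyone; only the edit links and the update handler depend on can_edit_profile().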

Looking at your code, there's a serious SQL injection vulnerability.

 

Your code:

$sql="SELECT * FROM users WHERE usr_name='$user' and usr_pass='$pass'";

 

If I put in a username of Admin (if your user was admin, with every power) and added ' -- I will get the following result:

 

Anything in red will NOT appear in your query:

SELECT * FROM users WHERE usr_name='Admin' [color=red]--' and usr_pass='$pass'[/color]

which will execute as...

SELECT * FROM users WHERE usr_name='Admin' --

meaning a password can be avoided, giving access to anyone. As for the session problem:

http://php.net/session_start

Link to comment
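
The login flow discussed in the second post and the query discussed in the last post, rewritten as an added example (not code from any poster): a PDO prepared statement replaces string-built SQL, and password_hash()/password_verify() replace the plain-text and md5() comparisons. The in-memory SQLite database, the sample account and the function names are constructed for the demo; the table and column names follow the first post.

```php
<?php
declare(strict_types=1);

// Returns the user's ID on success, null for an unknown user or a bad password.
function authenticate(PDO $db, string $name, string $password): ?int
{
    // The bound placeholder keeps the submitted name out of the SQL text.
    $stmt = $db->prepare('SELECT id, usr_pass FROM users WHERE usr_name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['usr_pass'])) {
        return null;
    }
    return (int) $row['id'];
}

// Store only the ID and a flag in the session, as suggested in the thread.
function start_user_session(int $userId): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);  // issue a fresh session ID at login
    }
    $_SESSION['id'] = $userId;
    $_SESSION['logged_in'] = 1;
}

// Constructed demo data: one account with a hashed password.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, usr_name TEXT UNIQUE, usr_pass TEXT)');
$ins = $db->prepare('INSERT INTO users (usr_name, usr_pass) VALUES (?, ?)');
$ins->execute(['Admin', password_hash('constructed-demo-password', PASSWORD_DEFAULT)]);

foreach ([
    ['Admin', 'constructed-demo-password'],  // correct credentials
    ['Admin', 'wrong'],                      // wrong password
    ["Admin' -- ", 'anything'],              // the username input from the last post
] as [$name, $pass]) {
    $id = authenticate($db, $name, $pass);
    if ($id !== null) {
        start_user_session($id);
    }
    printf("%-12s => %s\n", $name, $id === null ? 'rejected' : "user id $id");
}
```

In a web request, call session_start() before start_user_session() so the regenerated ID is sent to the browser.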