hansman Posted June 27, 2008

Hello, I currently have a sign-in form which eventually goes into profile.php. I cannot figure out how I can have a user sign in so that no one else can get into his section. It's tricky to explain, but I would like to have each specific user sign into their own area, and this currently doesn't work. Here is my code for the login.php script:

```php
<?php
mysql_connect("$host", "$username", "$password") or die("noooope");
mysql_select_db("$db_name") or die("cannot select DB");

$user = $_POST['usr_name'];
$pass = $_POST['usr_pass'];

// undo magic-quotes slashes, then escape the values for the query
$user = stripslashes($user);
$pass = stripslashes($pass);
$user = mysql_real_escape_string($user);
$pass = mysql_real_escape_string($pass);

$sql = "SELECT * FROM users WHERE usr_name='$user' and usr_pass='$pass'";
$result = mysql_query($sql);
$count = mysql_num_rows($result);

if ($count == 1) {
    // session_register() stores the *global* variables $usr_name and $usr_pass,
    // which this script never sets (the values live in $user and $pass)
    session_register("usr_name");
    session_register("usr_pass");
    header("location:profile.php");
} else {
    echo "SORRY WRONG DATA!";
}
?>
```
JD* Posted June 27, 2008

You'd probably be better off storing less unique data in your session. Take a look at my login script:

```php
// check_required2(), redirect() and display_login() are my own helper functions
if (check_required2("user_name, password")) {
    $_SESSION['error'] = "required_missing";
    unset($_POST);
    redirect("http://admin.mysite.com");
    exit();
}

$result = mysql_query("SELECT * FROM permissions WHERE userName = '" . addslashes($_POST['user_name']) . "'")
    or die(mysql_error());

if (mysql_num_rows($result) != 1) {
    $_SESSION['error'] = "nosuchuser";
    unset($_POST);
    display_login();
    exit();
}

if (md5($_POST['password']) == mysql_result($result, 0, "userPassword")) {
    $_SESSION['id'] = mysql_result($result, 0, "ID");
    $_SESSION['logged_in'] = 1;
    unset($_POST);
    redirect("?action=home");
    exit();
} else {
    unset($_POST);
    $_SESSION['error'] = "badcombo";
    display_login();
}
```

So in here, I do check their name and password, but then I store their unique user_id into a session. Then, on each page, I can query that ID so that they only see their own information. Also, I have a custom function for my error reporting and login, so you can ignore those.

session_register, by the way, is deprecated, so you'll want to steer away from it in the future.
hansman Posted June 27, 2008

I don't exactly understand your code. I wish to sign in (the form is on index.php), then have a user login and direct to profile.php. profile.php will show the user that logged in, and possibly let them edit their info. People that don't log in will be able to see their profile, but they won't be able to edit. It's similar to Facebook: the link will be like www.mysite.com/profile_####.php or something like that. Thanks for your help.
JD* Posted June 27, 2008

The code I posted simply sets the $_SESSION variable to the user's ID without putting their name or password into a $_SESSION. Once you're on the profile page, you can do a check to see if the page ID equals the $_SESSION['id'] and, if so, place editing links on the page. I'll step you through my code, though, so you can see how it differs from yours:

```php
if (check_required2("user_name, password")) {
    $_SESSION['error'] = "required_missing";
    unset($_POST);
    redirect("http://admin.mysite.com");
    exit();
}
```

This is a custom function that checks to see if required fields have been filled out. If they haven't, it sets an error and returns them to the main login page. You can put in your own error checking for this part.

```php
$result = mysql_query("SELECT * FROM permissions WHERE userName = '" . addslashes($_POST['user_name']) . "'")
    or die(mysql_error());
```

O.k., we have a name and password, so let's just try to select * from the permissions database (says what a user can and can't access in my case) just by their name alone.

```php
if (mysql_num_rows($result) != 1) {
    $_SESSION['error'] = "nosuchuser";
    unset($_POST);
    display_login();
    exit();
}
```

We only expect one user to be returned. If that isn't the case (either no users, or more than one), we put another error message up and redirect them back to the login page. Not perfect, but it works in the cases necessary, and the error message contains instructions to contact the webmaster if they think there's been a mistake.

```php
if (md5($_POST['password']) == mysql_result($result, 0, "userPassword"))
```

O.k., so if the user exists, now we take their posted password, apply the md5 encryption to it, and then compare it to what's in the database. Again, not a perfect solution (as the original password gets submitted in plain text), but it helps against SQL injection attacks to have two separate checks instead of one generic one that can be escaped.

```php
{
    $_SESSION['id'] = mysql_result($result, 0, "ID");
    $_SESSION['logged_in'] = 1;
    unset($_POST);
    redirect("?action=home");
    exit();
```

So we've been assured that their name and password are correct; now we set two sessions. One is that they're logged in (in case they come back to the login page later, this is checked to auto log them in), and we also set their ID, so we can check what permissions they have later without comparing names and passwords again. In my case, I have it redirect them with a custom function and also remove any current $_POST content, and also exit out of the script, just as an added precaution (the redirect is JavaScript, so if they have it disabled and were able to get this far, I don't want it to error out).

```php
} else {
    unset($_POST);
    $_SESSION['error'] = "badcombo";
    display_login();
}
```

This was in case the password they submitted does not match against the user account. Again, I remove the $_POST information, serve them an error and redirect them back to the login page.
xyn Posted June 27, 2008

Looking at your code, there's a serious SQL injection vulnerability. Your code:

```php
$sql = "SELECT * FROM users WHERE usr_name='$user' and usr_pass='$pass'";
```

If I put a username of Admin (if your user was admin, with every power) and added ' -- I will get the following result. Anything after the -- (shown in red in the original post) will NOT appear in your query:

```sql
SELECT * FROM users WHERE usr_name='Admin' --' and usr_pass='$pass'
```

which will execute as...

```sql
SELECT * FROM users WHERE usr_name='Admin' --
```

meaning a password can be avoided, giving access to anyone.

As for the session problem: http://php.net/session_start
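The following is an added example written for this thread; it is not code from hansman, JD* or xyn. It puts the two pieces of advice above side by side: the query shape xyn warns about (user input pasted into the SQL text, so that the `Admin' --` username comments out the password clause) next to a prepared-statement version in which the quote is just data, and JD*'s session model in which only the user's id and a logged-in flag are stored and profile.php compares that id with the profile being viewed. Escaping, as hansman's script does with mysql_real_escape_string, does neutralise the quote in this particular payload, but it has to be remembered on every query; binding parameters removes the issue at the source. The example uses an in-memory SQLite database through PDO so it runs from the command line without MySQL, stores a password_hash() value rather than a plaintext or md5 password, and passes a plain array in place of $_SESSION so no session_start() is needed; the table and column names follow hansman's script, and every function name and the sample user are my own.

```php
<?php
// Added example for this thread, not code from any of the posters. It uses an
// in-memory SQLite database through PDO so it runs from the command line with
// no MySQL server. The table and column names (users, usr_name, usr_pass)
// follow hansman's script; the user record and password are constructed here.

function open_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, usr_name TEXT UNIQUE, usr_pass TEXT)");
    // Store a password hash, never the plaintext (and not an unsalted md5).
    $stmt = $db->prepare("INSERT INTO users (usr_name, usr_pass) VALUES (?, ?)");
    $stmt->execute(['Admin', password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $db;
}

// The query shape xyn points at: input pasted straight into the SQL text.
// With the username "Admin' --" the rest of the WHERE clause becomes a
// comment, so the password is never checked and the Admin row comes back.
function login_interpolated(PDO $db, string $user, string $pass): ?int {
    $sql = "SELECT id FROM users WHERE usr_name='$user' AND usr_pass='$pass'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ? (int) $row['id'] : null;
}

// Hardened form: the username travels as a bound parameter, so a quote in it
// is data, not syntax; the password is checked with password_verify() against
// the stored hash instead of being compared inside the query.
function login_prepared(PDO $db, string $user, string $pass): ?int {
    $stmt = $db->prepare("SELECT id, usr_pass FROM users WHERE usr_name = ?");
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($pass, $row['usr_pass'])) {
        return null;  // same answer for "no such user" and "wrong password"
    }
    return (int) $row['id'];
}

// JD*'s point: keep only the user's id (and a logged-in flag) in the session,
// never the name or password. $session stands in for $_SESSION so the example
// runs without session_start(); in a real login.php you would also call
// session_regenerate_id(true) here so a pre-login session id is not kept.
function establish_session(array &$session, int $id): void {
    $session['id'] = $id;
    $session['logged_in'] = 1;
}

// profile.php: the profile with id $profile_id is visible to everyone;
// editing controls are offered only when the viewer owns that profile.
function can_edit_profile(array $session, int $profile_id): bool {
    return !empty($session['logged_in'])
        && isset($session['id'])
        && (int) $session['id'] === $profile_id;
}

// Usage: the injected username is accepted by the interpolated query and
// rejected by the prepared one; correct credentials succeed; the session
// then decides which profile page may be edited.
$db = open_db();
$injected = "Admin' --";
printf("interpolated, injected name: %s\n", var_export(login_interpolated($db, $injected, 'x'), true));
printf("prepared, injected name:     %s\n", var_export(login_prepared($db, $injected, 'x'), true));
printf("prepared, right password:    %s\n", var_export(login_prepared($db, 'Admin', 'correct horse'), true));

$session = [];
$id = login_prepared($db, 'Admin', 'correct horse');
if ($id !== null) {
    establish_session($session, $id);
}
printf("owner may edit profile 1:    %s\n", var_export(can_edit_profile($session, 1), true));
printf("owner may edit profile 2:    %s\n", var_export(can_edit_profile($session, 2), true));
```

Run it with `php` on the command line (the pdo_sqlite extension is required). The interpolated query hands back the Admin id for the injected name, the prepared one returns null for it and the id only for the real password, and can_edit_profile() is what profile.php would consult before showing edit links: the page itself can be served to anyone, as hansman wants, while the session decides who may change it.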