rnintulsa Posted July 16, 2008

Hello, I am new to PHP and don't really know programming except for xhtml and css. I am having a problem and so I will explain as best I can. If the code is messed up it is because I really don't know what I am doing.

There is a client entrance page with a list of the company names. I set up a mysql schema for each company with individual names, and different usernames and passwords for each company person to log in as. This is the table:

```sql
create table users (
    id int not null auto_increment,
    username varchar( 50 ) not null,
    password varchar( 100 ) not null,
    authority varchar( 10 ) not null default 'user',
    primary key(id)
)
```

When they click on their company name they are taken to their login page which has the form and logs them in, and will not let them log in unless they enter the correct name and pw for that db. (They can't log in to anyone else's company.)

This is the php for one of the login pages:

```php
<?php
session_start( );

// if username and password are set and not empty then proceed with the rest of the process
if( isset( $_POST[ 'username' ] ) && isset( $_POST[ 'password' ] )
    && $_POST[ 'username' ] != '' && $_POST[ 'password' ] != '' )
{
    $username = $_POST['username'];
    $password = $_POST['password'];

    @ $db = new mysqli( 'localhost', 'root', 'rn2846', 'kdesBarrister' );
    if( mysqli_connect_errno( ) )
    {
        echo "Connection to the database failed. Please try again later.";
        exit;
    }

    //checks for username and password in db table.
    $results = $db->query( "select * from users where username='" . $username . "' and password = '" . $password . "'" );

    //greater than zero
    if( $results->num_rows > 0 )
    {
        $_SESSION['username'] = $username;
        //redirect
        header('Location:barrister.php');
    }
    else
    {
        echo 'You must be registered before you may log in.';
    }
}
?>
```

And this is what is in the body of that login page:

```php
<?php
include( 'sessions.php' );
show_statement( );

if (isset($_SESSION['username']))
{
    echo '<br />';
    echo 'You are now logged in '.$_SESSION['username'].'';
    echo '<br /><br />';
}
else
{
    echo 'You are not logged in.<br />';
}
?>
<form action="login_barrister.php" method="post">
    <p>
        Name: <input type="text" name="username"/>
    </p>
    <p>
        Password: <input type="password" name="password"/>
    </p>
    <p>
        <input type="submit" value="Log In"/>
    </p>
</form>
```

When they log in they go to a page with company files on it. Here is the php on that page:

```php
<?php
session_start( );
?>
<?php
if (isset($_SESSION['username']))
{
    echo '<p>You are logged in as '.$_SESSION['username'].'</p>';
}
else
{
    echo '<p>You are not logged in.</p>';
    echo '<p>Only logged in members may visit these pages.</p>';
    echo '<p><a href="clients.htm">Return to Client Entrance</a><br /><br /></p>';
}
?>
```

This is the sessions file:

```php
<?php
function set_statement( $statement )
{
    $_SESSION[ 'show_statement' ] = $statement;
}

function show_statement( )
{
    if( isset( $_SESSION[ 'show_statement' ] ) && $_SESSION[ 'show_statement' ] != '' )
    {
        echo '<p id="statement">' . $_SESSION[ 'show_statement' ] . '</p>';
        unset( $_SESSION[ 'show_statement' ] );
    }
}
?>
```

The problem is when they log in and have not yet logged out, and they go back to the main page with the list of companies. They can click onto another company and it automatically says they are logged in as _____, and lets them go into the other company's files!!!!

What do I need to do? This is really the extent of my php understanding (and I don't understand it very well at that), so to do things differently would require a lot of explaining?

I tried to get advice on another forum and I just didn't understand what they were trying to tell me. I appreciate any advice.

Renee

Link to comment https://forums.phpfreaks.com/topic/115067-login-script-doesnt-work-because-i-dont-know-how/

revraz Posted July 16, 2008

You need to think of a way to protect each company's page. Either use the Authority field or another new field and check it before you let them in.

rnintulsa Posted July 16, 2008

Which would you suggest using, authority field or new field? Thanks.

rnintulsa Posted July 16, 2008

I googled Authority field, and couldn't get any info. Can you explain it to me?

rnintulsa Posted July 16, 2008

Can someone offer me a simple solve to this problem?

discomatt Posted July 16, 2008

Create another table called 'access'. Set it up with 3 columns... 'id', 'user_id', and 'company_id'.

When you want user x to be able to view company y, add a row into the 'access' table with user x's id in the user_id column and company y's id in the company_id column.

When viewing company y's page, have a check like this:

```sql
SELECT `id` FROM `access` WHERE `company_id` = $currentCompanyPage AND `user_id` = $currentUser
```

If mysql_num_rows returns 0, deny the user access.

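Added example (not code from any poster in this thread): the `access`-table check described in the post above, paired with a login that uses prepared statements so the form input is not concatenated into the SQL string as it is in the first post's login page. Assumptions: PDO with an in-memory SQLite database stands in for the thread's MySQL setup, passwords are stored with `password_hash()`, and the helper names `login` and `canView`, the user `renee` and the company ids are constructed for illustration.

```php
<?php
// Assumption: in-memory SQLite via PDO stands in for the thread's MySQL database so this
// runs offline; the 'access' table follows discomatt's post, all data below is constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)');
$db->exec('CREATE TABLE access (id INTEGER PRIMARY KEY, user_id INTEGER, company_id INTEGER)');

// Constructed sample: user id 1 may view company 1 only. The password is stored hashed.
$db->prepare('INSERT INTO users (username, password) VALUES (?, ?)')
   ->execute(['renee', password_hash('constructed-sample-pw', PASSWORD_DEFAULT)]);
$db->prepare('INSERT INTO access (user_id, company_id) VALUES (?, ?)')->execute([1, 1]);

// Hypothetical helper: returns the user's id on a correct login, otherwise null.
function login(PDO $db, string $username, string $password): ?int
{
    // The ? placeholder keeps form input out of the SQL text (no string concatenation).
    $stmt = $db->prepare('SELECT id, password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    return (int) $row['id'];
}

// Hypothetical helper: discomatt's check, a row in 'access' must link user and company.
function canView(PDO $db, int $userId, int $companyId): bool
{
    $stmt = $db->prepare('SELECT id FROM access WHERE company_id = ? AND user_id = ?');
    $stmt->execute([$companyId, $userId]);
    return $stmt->fetch() !== false;
}

// On a real page the id would be kept in $_SESSION['user_id'] after login, and every
// company page would call canView() with its own company id before showing any files.
$userId = login($db, 'renee', 'constructed-sample-pw');
foreach ([1, 2] as $companyId) {
    $allowed = $userId !== null && canView($db, $userId, $companyId);
    echo "company $companyId: " . ($allowed ? 'allowed' : 'denied') . "\n";
}

// A username containing a quote is handled as data by the prepared statement.
echo "o'brien: " . (login($db, "o'brien", 'anything') === null ? 'rejected' : 'accepted') . "\n";
```

The session check in the first post only asks whether a username is set; the check here asks whether that specific user has a row for the specific company page being requested.
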
rnintulsa Posted July 16, 2008

Thank you, you are my life line right now. Ok, will the table look like this?

```sql
create table users (
    id int not null auto_increment,
    username varchar( 50 ) not null,
    company varchar( 100 ) not null,
    primary key(id)
)
```

I am going to take this step by step if that is ok? Will this replace the existing users table that I have in the db?

discomatt Posted July 16, 2008

Well, are you ever going to want to allow a user to view more than 1 company file?

rnintulsa Posted July 16, 2008

Yes, but the way I had it was that when they passed validation it takes them to their own project page, and that has the sessions in it.

revraz Posted July 16, 2008

If you look at your table structure, used your "authority" fieldname, since you had it there but weren't using it.

> I googled Authority field, and couldn't get any info. Can you explain it to me?