timecatcher, Posted July 31, 2008

Hey, I thought I would make the topic quite open as I seem to be hitting quite a few problems. I decided I would create a virtual pet site and try to commit myself to something (PHP); however, I'm finding that PHP can sometimes be quite confusing, so I decided to join an actual PHP forum so that I could speak with professionals! So urm, here is my problem at the moment.

```php
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Login</title>
<link rel='stylesheet' href='includes/layoutstylesheet.css' type='text/css'>
</head>
<body>
<?
require('includes/connect.inc.php');
require ("includes/loggedoutnavbar.inc.php") ;
?>
<div id="content">
<?
if (isset($_COOKIE['username']) && ($_COOKIE['password']) != "") {
    echo'You are logged in.' ;
} else {
    echo 'Please login using the form below.' ;
    echo '<div id="signinupboxes">' ;
    echo '<form method="post" action="login.php">' ;
    echo '<br />' ;
    echo 'Username:' ;
    echo '<input type="text" name="username" />' ;
    echo '<br />' ;
    echo 'Password:' ;
    echo '<input type="password" name="password" />' ;
    echo '<br />' ;
    echo '<input type="submit" name="submit" value="Login" />' ;
    echo '<br />' ;
    echo '</form>' ;
    echo '</div>' ;
}

if (isset($_POST['username']) && isset($_POST['password'])) {
    if (empty($_POST['username'])) {
        echo'Please enter a username.' ;
    } elseif (empty($_POST['password'])) {
        echo'Please enter a password.' ;
    } else {
        $username = mysql_real_escape_string($_POST['username']) ;
        $username = stripslashes($username) ;
        $password = md5($_POST['password']) ;
        $password = stripslashes($password) ;
        $query = mysql_query("SELECT * FROM user ") ;
        $user_row = mysql_num_rows($query) ;
        if ($user_row['username'] && $user_row['password'] != $username && $password) {
            echo'Invalid Password/Username.' ;
        } else {
            $timestamp = time()+60*60*24*90 ; //3 Months
            setcookie('username',$username,$timestamp) ;
            setcookie('password',$password,$timestamp) ;
            echo'Welcome '. $username.', to Kuruklands.' ;
        }
    }
}
?>
</div>
</body>
</html>
```

My problem is I want the login form ONLY to show when a user isn't logged in. The database and register system works fine. Also I want to know if the script will be safe against MySQL injects, is it..? Because I don't want my site being hacked if I can help it.

Anyway, I look forward to at least one reply. Thanks.

Timecatcher.
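On the injection question in the post above, as an added example that is not part of the original thread: the posted query never compares the submitted credentials to a row, and the escaped username is passed through `stripslashes()` again. The sketch below does the lookup with a bound parameter and `password_hash()`/`password_verify()` instead of `md5()`. The in-memory SQLite database, the table layout, the function name `verify_login()` and the sample account are assumptions made for the demo.

```php
<?php
// Added example (not from the thread). Table layout, names and the sample
// account are constructed; an in-memory SQLite database stands in for MySQL.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');

// Registration side: store a salted, slow hash instead of md5().
$insert = $db->prepare('INSERT INTO user (username, password_hash) VALUES (?, ?)');
$insert->execute(['demo_user', password_hash('correct horse', PASSWORD_DEFAULT)]);

/**
 * Return the user's id when the credentials match, or null otherwise.
 * The username only ever travels as a bound parameter, so quotes in it
 * cannot change the SQL, and no escaping or stripslashes() is needed.
 */
function verify_login(PDO $db, string $username, string $password): ?int
{
    $stmt = $db->prepare('SELECT id, password_hash FROM user WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Unknown user and wrong password give the same answer to the caller.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return (int) $row['id'];
}

// Constructed inputs, including a username made of quote characters.
$attempts = [
    ['demo_user', 'correct horse'],
    ['demo_user', 'wrong'],
    ["' OR '1'='1", 'anything'],
];
foreach ($attempts as [$user, $pass]) {
    $id = verify_login($db, $user, $pass);
    printf("%-14s => %s\n", $user, $id === null ? 'rejected' : "user id $id");
}
// On success a real page would call session_start(), session_regenerate_id(true)
// and keep only the id in $_SESSION, before sending any HTML, rather than
// writing the password hash into a cookie.
```

The script needs the pdo_sqlite extension to run as written; `verify_login()` itself works unchanged with a PDO MySQL connection.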
ronnie88, Posted July 31, 2008

First off welcome to PHPFreaks!

```php
function displayLogin(){
   global $logged_in;
   if($logged_in){
      echo "<h1>Logged In!</h1>";
      echo "Welcome <b>$_SESSION[username]</b>, you are logged in. <a href=\"logout.php\">Logout</a>";
   }
   else{
?>
<h1>Login</h1>
<form action="" method="post">
<table align="left" border="0" cellspacing="0" cellpadding="3">
<tr><td>Username:</td><td><input type="text" name="user" maxlength="30"></td></tr>
<tr><td>Password:</td><td><input type="password" name="pass" maxlength="30"></td></tr>
<tr><td colspan="2" align="left"><input type="checkbox" name="remember">
<font size="2">Remember me next time</td></tr>
<tr><td colspan="2" align="right"><input type="submit" name="sublogin" value="Login to my account"></td></tr>
<tr><td colspan="2" align="left"><b><a href="register.php">Join</a></b></td></tr>
</table>
</form>
<?
   }
}
?>
```

```php
function checkLogin(){
   /* Check if user has been remembered */
   if(isset($_COOKIE['cookname']) && isset($_COOKIE['cookpass'])){
      $_SESSION['username'] = $_COOKIE['cookname'];
      $_SESSION['password'] = $_COOKIE['cookpass'];
   }

   /* Username and password have been set */
   if(isset($_SESSION['username']) && isset($_SESSION['password'])){
      /* Confirm that username and password are valid */
      if(confirmUser($_SESSION['username'], $_SESSION['password']) != 0){
         /* Variables are incorrect, user not logged in */
         unset($_SESSION['username']);
         unset($_SESSION['password']);
         return false;
      }
      return true;
   }
   /* User not logged in */
   else{
      return false;
   }
}

$logged_in = checkLogin();
```

and I'm not a hacker so I don't know lol
timecatcher, Posted July 31, 2008

Hey thanks, but I set everything up using cookies so shouldn't it be $_COOKIE['username']? Thanks.

EDIT: Oh, the code in your post changed xD. I'm still pretty new to PHP, don't know if I said so. What's the login function about, and the global $login part, please? Sorry to ask probably obvious questions.

Timecatcher.
ronnie88, Posted July 31, 2008

Forgot another code, check it again. Also don't forget to start your session.

EDIT: If you look at the bottom of the second code, $logged_in = checkLogin(); when it asks for $logged_in it will run the function checklogin. checklogin then checks if the cookies are set.
marklarah, Posted July 31, 2008

Variable names are set up by whomever, and so just change them accordingly to your variable names.
timecatcher, Posted July 31, 2008

Ok, well I'm slightly confused about the script you posted. Could you come on IRC chat if you can? It might be easier to explain what I don't understand there, as I'm quite new at PHP. I didn't know sessions were any different from cookies or that you HAD to use them..or use them in conjunction with cookies anyway. Sorry.

Time.C