MechanicsPal Posted August 2, 2008

I am by no means new to PHP (been working with it for about 5 years or so), however, this is only my second attempt at a login system. I normally use cookies, because the sites I have worked on did not require much in the way of security. However, when approaching this project, I decided to give sessions a go around. This hasn't worked out well for me, and after poring over the code for many hours, I fail to see my mistakes. I know they are there, but am unable to see them (aren't we all sometimes?). Anyways. To the point:

    <?php
    session_start();
    $cmd = $_POST['command'];
    if ($cmd == "login") {
        // convert username and password from _POST or _SESSION
        $uname = $_POST['username'];
        $pword = md5($_POST['password']);
        // query for a user/pass match
        $result = mysql_query("select * from table where username='$uname' and password='$pword')");
        // retrieve number of rows resulted
        $num=mysql_num_rows($result);
        if($num === 1) {
            $_authUname = $uname;
            $_authPword = $pword;
            $getmpID = mysql_query("select mpID from table where username='$uname' and password='$pword')");
            $_SESSION['mpID'] = $getmpID;
            $_SESSION['user'] = $_authUname;
            $_SESSION['pass'] = $_authPword;
            $_SESSION['isloggedin'] = "1";
            echo "<a href='dashboard.php'>Go to Dashboard</a>";
        } else {
            echo "Username/Password Mismatch";
        }
    }
    ?>
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
    <head>
    <meta http-equiv="Content-Language" content="en-us">
    <meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
    <title></title>
    <link rel="stylesheet" href="style.css" />
    </head>
    <body>
    <center>
    <div align="center" class="login" style="width: 800px; height: auto;">
    <table border="0" width="100%">
    <tr>
    <td><img src="img/memberDashboard.png" alt="MemberDashboard Img"></td>
    </tr>
    <tr>
    <td>
    <p align="center">Please Login</p>
    <form action="index.php" method="post">
    <input type="hidden" name="command" value="login" />
    <p align="center">Username: <input type="text" name="username" size="22"><br>
    Password: <input type="password" name="password" size="22"></p>
    <p align="center"> <input type="submit" value="Login" name="Submit"></p>
    </form>
    </td>
    </tr>
    </table>
    </div>
    </center>
    </body>
    </html>

What I am trying to do is:
1. Verify that the username and password are found in the database table
2. If verified, go ahead and process the information, and load the needed data into $_SESSION variables
3. Tell the global that the user is logged in
4. Pass the information to the page where the data is actually required.

What I am asking:
1. What do you see wrong above?
2. How do I correct it?
3. How many licks does it take to get to the center of a Tootsie Roll Pop?
4. Is there an easier way to init the session, pull the data from the database, and then store the data retrieved in a session variable, perhaps via a function?

Any input is greatly appreciated, whether negative, positive, or otherwise.
cooldude832 Posted August 2, 2008

1) Error check queries, example:

    <?php
    $q = "select * from `table` where 1=1";
    // die() with the MySQL error and the query text so a failing query is visible instead of silent
    $r = mysql_query($q) or die(mysql_error()."<br /><br />".$q);
    ?>

2) What output do you get, if any?
3) How have you done PHP for 5 years without sessions or logins? That is amazing!
Andy-H Posted August 2, 2008

    // original: stores the mysql_query() result resource in the session, not the mpID value
    $getmpID = mysql_query("select mpID from table where username='$uname' and password='$pword')");
    $_SESSION['mpID'] = $getmpID;

    //////////////////

    // replacement: fetch the row and store the first column
    $q = mysql_query("SELECT mpID FROM table WHERE username='$uname' AND password='$pword'")or die(mysql_error());
    $g = mysql_fetch_row($q);
    $getmpID = $g[0];
    $_SESSION['mpID'] = $getmpID;
Andy-H Posted August 2, 2008

It would also be useful to use mysql_real_escape_string(); on data being used in queries. Maybe also:

    session_register('mpID');
    if (!session_is_registered('mpID')){
        Header("Location: dashboard.php");
    }

And in the site:

    if (session_is_registered('mpID')){
        Header("Location: index.php");
    }
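A corrected version of the login from the first post that also takes up Andy-H's escaping and session-check suggestions, as an added example (not code from any poster in this thread). It assumes PHP 5.5 or later with the mysqli extension, a `members` table with columns mpID, username and password_hash (passwords stored with password_hash() rather than md5()), and placeholder database credentials.

```php
<?php
// Added example, not code from the thread: the first post's login step with a
// prepared statement (replacing interpolation and mysql_real_escape_string),
// password_verify() instead of md5(), a session holding only the member id,
// and a plain $_SESSION check replacing session_register()/session_is_registered().
// Assumed schema: table `members`(mpID, username, password_hash); DB credentials are placeholders.
session_start();

function authenticate(mysqli $db, string $username, string $password): ?int
{
    // The username is bound as a parameter, so it never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT mpID, password_hash FROM `members` WHERE username = ? LIMIT 1');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($mpID, $storedHash);
    $found = (bool) $stmt->fetch();
    $stmt->close();

    // Verify against a fixed dummy hash when the user does not exist, so the
    // response time is the same for "unknown user" and "wrong password".
    $hash = $found ? $storedHash : password_hash('dummy-password', PASSWORD_DEFAULT);
    if (!password_verify($password, $hash) || !$found) {
        return null;
    }
    return (int) $mpID;
}

if (($_POST['command'] ?? '') === 'login') {
    $db = new mysqli('localhost', 'DB_USER', 'DB_PASS', 'DB_NAME'); // placeholder credentials
    $mpID = authenticate($db, (string) ($_POST['username'] ?? ''), (string) ($_POST['password'] ?? ''));
    if ($mpID !== null) {
        session_regenerate_id(true);    // fresh session id after login (session fixation defence)
        $_SESSION['mpID'] = $mpID;      // the id value itself, not a query result resource
        $_SESSION['isloggedin'] = true; // no copy of the password in the session
        header('Location: dashboard.php');
        exit;
    }
    echo 'Username/Password Mismatch';  // one message for both failure cases
}

// dashboard.php (and every other protected page) starts with this guard instead
// of session_is_registered():
// session_start();
// if (empty($_SESSION['isloggedin']) || !isset($_SESSION['mpID'])) {
//     header('Location: index.php');
//     exit;
// }
```

The guard at the end belongs at the top of each protected page; the login page itself never needs to store the username or password hash in the session, since mpID is enough to look the member up again.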
cooldude832 Posted August 2, 2008

andy-h, session_register is a deprecated item that is no longer to be used in php 4. Read the note: http://us.php.net/session_register
Andy-H Posted August 2, 2008

Thanks lol, I don't know about this stuff - I'm self taught. ???
cooldude832 Posted August 2, 2008

"I'm self taught."

aren't we all (or taught but php.net/phpfreaks)
Andy-H Posted August 2, 2008

Lol I am assuming you mean "by" when you say "but". I only just found out about phpfreaks but it's taught me a lot already lol
MechanicsPal (Author) Posted August 2, 2008

Thank you all for your input. I did what you said, cooldude, and didn't get any errors on output; however, I did realize that I had forgotten to utilize a variable and pull the row data out. Thanks Andy - Now, I must go to the hospital to see if this "T" key can be un-embedded from my skull.

Also, cooldude - For five years, my focus with PHP was the ability to transfix data from a MySQL database and edit/modify variables and other dynamic data. Functions and such, I didn't touch much, as well as sessions. I was aware of the deprecation of the session_register(); function, as I had used it maybe twice, and both times on php3. But yes, I did get lost in the vast quagmire that is PHP.

Thanks Again!!
~ MechanicsPal
cooldude832 Posted August 2, 2008

Your MySQL writing after five years still looks like a new person's MySQL, fyi.
LemonInflux Posted August 2, 2008

This isn't 5 years' practice. I've been doing PHP 6 months, and I could recreate this within the first month. Surely you must've looked at other things even for a day or two? :/

----------------
Now playing: Guns N' Roses - It's So Easy via FoxyTunes
cooldude832 Posted August 2, 2008

Well, I am just pointing out the * operator is a very lazy or newest person's technique, since usually a table stores data for linking that isn't needed in this query. And the lack of quoting of table names with `` just seems like something you pick up after 5 years, since I picked up on it in the first few weeks.
Andy-H Posted August 4, 2008

I was told not to use the backticks :S