[SOLVED] LOGIN SCRIPT

[emediastudios]

Hi guys.

I have a login script, and wanted to modify it.

was originally a one user login but I have added more users now and a new field that says page, with the text file.php in there, that is the file for that user.

 

There is no id field.

My  script is below, what i need is to query the database and record the (page) info that matches against a user and pass and use that (page value) in the go to page. hearder

Hope this makes  scense.

<?php

include('includes/include.php');


#Form has been submitted?
if((isset($_POST['login'])) AND ($_POST['login'] == 'Login')){
ob_start();
$host=""; // Host name 
$username=""; // Mysql username 
$password=""; // Mysql password 
$db_name=""; // Database name 
$tbl_name=""; // Table name 



#Check for blanks and clean data
$errors_login = array(); #Initiate error variable

if(empty($_POST['username'])) $errors_login[] = 'You must enter a username.'; else $clean['username'] = htmlspecialchars($_POST['username']);
if(empty($_POST['password'])) $errors_login[] = 'You must enter a password.'; else $clean['password'] = htmlspecialchars($_POST['password']);

//verify password...
$get_pass = mysql_query("SELECT * FROM $tbl_name WHERE password = '".$_POST['password']."'");
$q = mysql_fetch_object($get_pass);
   if(!$q) { 
$errors_login[] = 'Wrong password.'; 
}

	//verify user...
$get_user = mysql_query("SELECT * FROM $tbl_name WHERE username = '".$_POST['username']."' ");
$q = mysql_fetch_object($get_user);
   if(!$q) { 
$errors_login[] = 'Wrong username.'; 
}

//check that username is only letters or numbers
if (! preg_match('/^[a-zA-Z0-9]+$/i', $_POST['username'])){
	$errors_login[]= "Your username must be <i><b>ONLY</b></i> letters or numbers.";
}
//check that password is only letters or numbers
if (! preg_match('/^[a-zA-Z0-9]+$/i', $_POST['password'])){
	$errors_login[]= "Your password must be <i><b>ONLY</b></i> letters or numbers.";
}


// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect"); 
mysql_select_db("$db_name")or die("cannot select DB");

// Define $username and $password 
$username=$_POST['username']; 
$password=$_POST['password']; 


// To protect MySQL injection (more detail about MySQL injection)
$username = stripslashes($username);
$password = stripslashes($password);
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);

$sql="SELECT * FROM $tbl_name WHERE username='$username' and password='$password'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $username and $password, table row must be 1 row

if($count==1){
// Register $username, $password and redirect to file "templates.php"
session_register("username");
session_register("password"); 
header("location:advertiser.php");
}
else {

ob_end_flush();
}
}
?>code]

[MasterACE14]

this part here...

//check that username is only letters or numbers
if (! preg_match('/^[a-zA-Z0-9]+$/i', $_POST['username'])){
	$errors_login[]= "Your username must be <i><b>ONLY</b></i> letters or numbers.";
}
//check that password is only letters or numbers
if (! preg_match('/^[a-zA-Z0-9]+$/i', $_POST['password'])){
	$errors_login[]= "Your password must be <i><b>ONLY</b></i> letters or numbers.";
}

you only need that in the register page. Not the login.

 

And your code should work fine. Just add LIMIT 1 to the end of the SELECT queries.

[emediastudios]

I did as you metioned, and erased that piece of unnessesary code.

Do i need to put LIMIT 1?

 

I cust want to direct to the file that is a field (page) that corrasponds to the user name and password.

 

for example a record in my users table is:

username: barry

password: backfilp

page: bazza.php

 

If they login with those details thay will be directed to the bazza.php file,

I presume i get that info and put it in the header instead of ("location:advertiser.php");  be something like

($page);

 

 

I Just dont know how to get the $page value from the database.'

<?php

session_register("username");

session_register("password");

header("location:advertiser.php");

?>

[emediastudios]

Anyone? Please help

 

[emediastudios]

I think im making progress

 

<?php
$sql="SELECT * FROM $tbl_name WHERE username='$username' and password='$password'";
$result=mysql_query($sql);
$page=$_GET['page'];

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $username and $password, table row must be 1 row

if($count==1){
// Register $username, $password and redirect to file "templates.php"
session_register("username");
session_register("password"); 
header("location:$page");
}
else {

ob_end_flush();
}
}
?>

 

This is wrong i'm sure

header("location:$page");

 

Is this right

$sql="SELECT * FROM $tbl_name WHERE username='$username' and password='$password'";

$result=mysql_query($sql);

$page=$_GET['page'];

 

[Bendude14]

you need to link the user id to the page so when you retrieve the users details you can pass that id to the end of an url.

 

something like this header("Location: profiles.php?id=$id");

 

then on there page you can query the db "SELECT * FROM table WHERE user_id='$id'";

 

You will also need to validate on that page that the person visiting the page is actually the right person if its a private section otherwise people could just change the Id in the url and view someone elses page. just validate using the session

 

 

change this line then you will receive any error messages you may get

 

$result=mysql_query($sql) or trigger_error("Query failed". mysql_error());

[emediastudios]

The user has no details in the database linked to them, so i dont need to populate a file with there details.

Each user has there own file which is recorded in the page field, but i added the id field anyway.

 

i only have 5 users, my table structure is:

 

id, username, password, page.

 

In the page field is a record that says for example goldwell.php, each user is different.

What i want is, when they login, PHP to get the page record for that user and direct them to that page (the file in the Page field) on successful login.

 

Thanks for any help

[trq]

This is just an example.

 

<?php

  if (isset($_POST['submit'])) {
    // connect to db

    $uname = mysql_real_escape_string($_POST['username']);
    $upass = mysql_real_escape_string($_POST['password']);

    $sql = "SELECT page FROM users WHERE uname = '$uname' && upass = '$upass';";

    if ($result = mysql_query($sql)) {
      if (mysql_num_rows($result)) {
        session_start();
        $_SESSION['logged'] = true;
        $row = mysql_fetch_assoc($result);
        header("Location: " . $row['page']);
      } else {
        echo "User does not exist";
      }
    } else {
      echo "Query failed<br />$sql<br />" . mysql_error();
    }
  }

?>

[Andy-H]

Yup, thats the one lol Also I heard that regex is like 40 times slower than

 

if (!ctype_alnum($_POST['username'])){

 

 

[emediastudios]

i used snippets of your code and WOLA its running perfect.  Thanks a ton!!