emediastudios Posted August 17, 2008 Share Posted August 17, 2008 Hi guys. I have a login script, and wanted to modify it. was originally a one user login but I have added more users now and a new field that says page, with the text file.php in there, that is the file for that user. There is no id field. My script is below, what i need is to query the database and record the (page) info that matches against a user and pass and use that (page value) in the go to page. hearder Hope this makes scense. <?php include('includes/include.php'); #Form has been submitted? if((isset($_POST['login'])) AND ($_POST['login'] == 'Login')){ ob_start(); $host=""; // Host name $username=""; // Mysql username $password=""; // Mysql password $db_name=""; // Database name $tbl_name=""; // Table name #Check for blanks and clean data $errors_login = array(); #Initiate error variable if(empty($_POST['username'])) $errors_login[] = 'You must enter a username.'; else $clean['username'] = htmlspecialchars($_POST['username']); if(empty($_POST['password'])) $errors_login[] = 'You must enter a password.'; else $clean['password'] = htmlspecialchars($_POST['password']); //verify password... $get_pass = mysql_query("SELECT * FROM $tbl_name WHERE password = '".$_POST['password']."'"); $q = mysql_fetch_object($get_pass); if(!$q) { $errors_login[] = 'Wrong password.'; } //verify user... $get_user = mysql_query("SELECT * FROM $tbl_name WHERE username = '".$_POST['username']."' "); $q = mysql_fetch_object($get_user); if(!$q) { $errors_login[] = 'Wrong username.'; } //check that username is only letters or numbers if (! preg_match('/^[a-zA-Z0-9]+$/i', $_POST['username'])){ $errors_login[]= "Your username must be <i><b>ONLY</b></i> letters or numbers."; } //check that password is only letters or numbers if (! preg_match('/^[a-zA-Z0-9]+$/i', $_POST['password'])){ $errors_login[]= "Your password must be <i><b>ONLY</b></i> letters or numbers."; } // Connect to server and select databse. mysql_connect("$host", "$username", "$password")or die("cannot connect"); mysql_select_db("$db_name")or die("cannot select DB"); // Define $username and $password $username=$_POST['username']; $password=$_POST['password']; // To protect MySQL injection (more detail about MySQL injection) $username = stripslashes($username); $password = stripslashes($password); $username = mysql_real_escape_string($username); $password = mysql_real_escape_string($password); $sql="SELECT * FROM $tbl_name WHERE username='$username' and password='$password'"; $result=mysql_query($sql); // Mysql_num_row is counting table row $count=mysql_num_rows($result); // If result matched $username and $password, table row must be 1 row if($count==1){ // Register $username, $password and redirect to file "templates.php" session_register("username"); session_register("password"); header("location:advertiser.php"); } else { ob_end_flush(); } } ?>code] Quote Link to comment Share on other sites More sharing options...
MasterACE14 Posted August 17, 2008 Share Posted August 17, 2008 this part here... //check that username is only letters or numbers if (! preg_match('/^[a-zA-Z0-9]+$/i', $_POST['username'])){ $errors_login[]= "Your username must be <i><b>ONLY</b></i> letters or numbers."; } //check that password is only letters or numbers if (! preg_match('/^[a-zA-Z0-9]+$/i', $_POST['password'])){ $errors_login[]= "Your password must be <i><b>ONLY</b></i> letters or numbers."; } you only need that in the register page. Not the login. And your code should work fine. Just add LIMIT 1 to the end of the SELECT queries. Quote Link to comment Share on other sites More sharing options...
emediastudios Posted August 17, 2008 Author Share Posted August 17, 2008 I did as you metioned, and erased that piece of unnessesary code. Do i need to put LIMIT 1? I cust want to direct to the file that is a field (page) that corrasponds to the user name and password. for example a record in my users table is: username: barry password: backfilp page: bazza.php If they login with those details thay will be directed to the bazza.php file, I presume i get that info and put it in the header instead of ("location:advertiser.php"); be something like ($page); I Just dont know how to get the $page value from the database.' <?php session_register("username"); session_register("password"); header("location:advertiser.php"); ?> Quote Link to comment Share on other sites More sharing options...
emediastudios Posted August 17, 2008 Author Share Posted August 17, 2008 Anyone? Please help Quote Link to comment Share on other sites More sharing options...
emediastudios Posted August 17, 2008 Author Share Posted August 17, 2008 I think im making progress <?php $sql="SELECT * FROM $tbl_name WHERE username='$username' and password='$password'"; $result=mysql_query($sql); $page=$_GET['page']; // Mysql_num_row is counting table row $count=mysql_num_rows($result); // If result matched $username and $password, table row must be 1 row if($count==1){ // Register $username, $password and redirect to file "templates.php" session_register("username"); session_register("password"); header("location:$page"); } else { ob_end_flush(); } } ?> This is wrong i'm sure header("location:$page"); Is this right $sql="SELECT * FROM $tbl_name WHERE username='$username' and password='$password'"; $result=mysql_query($sql); $page=$_GET['page']; Quote Link to comment Share on other sites More sharing options...
Bendude14 Posted August 17, 2008 Share Posted August 17, 2008 you need to link the user id to the page so when you retrieve the users details you can pass that id to the end of an url. something like this header("Location: profiles.php?id=$id"); then on there page you can query the db "SELECT * FROM table WHERE user_id='$id'"; You will also need to validate on that page that the person visiting the page is actually the right person if its a private section otherwise people could just change the Id in the url and view someone elses page. just validate using the session change this line then you will receive any error messages you may get $result=mysql_query($sql) or trigger_error("Query failed". mysql_error()); Quote Link to comment Share on other sites More sharing options...
emediastudios Posted August 18, 2008 Author Share Posted August 18, 2008 The user has no details in the database linked to them, so i dont need to populate a file with there details. Each user has there own file which is recorded in the page field, but i added the id field anyway. i only have 5 users, my table structure is: id, username, password, page. In the page field is a record that says for example goldwell.php, each user is different. What i want is, when they login, PHP to get the page record for that user and direct them to that page (the file in the Page field) on successful login. Thanks for any help Quote Link to comment Share on other sites More sharing options...
trq Posted August 18, 2008 Share Posted August 18, 2008 This is just an example. <?php if (isset($_POST['submit'])) { // connect to db $uname = mysql_real_escape_string($_POST['username']); $upass = mysql_real_escape_string($_POST['password']); $sql = "SELECT page FROM users WHERE uname = '$uname' && upass = '$upass';"; if ($result = mysql_query($sql)) { if (mysql_num_rows($result)) { session_start(); $_SESSION['logged'] = true; $row = mysql_fetch_assoc($result); header("Location: " . $row['page']); } else { echo "User does not exist"; } } else { echo "Query failed<br />$sql<br />" . mysql_error(); } } ?> Quote Link to comment Share on other sites More sharing options...
Andy-H Posted August 18, 2008 Share Posted August 18, 2008 Yup, thats the one lol Also I heard that regex is like 40 times slower than if (!ctype_alnum($_POST['username'])){ Quote Link to comment Share on other sites More sharing options...
emediastudios Posted August 18, 2008 Author Share Posted August 18, 2008 i used snippets of your code and WOLA its running perfect. Thanks a ton!! Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.