gaza165 Posted September 9, 2008

I have created what I think is a really basic login script... basically I would like to know...

1) Where have I gone wrong
2) What should/could I do to make this better

I have a basic form which sends a post to a page called process.php; everything else is done from there.

```php
<?php
session_start();

mysql_connect("localhost","root","") or die ('Could not connect to localhost');
mysql_select_db("posts");

$_POST['pass'] = md5($_POST['pass']);

$query = mysql_query("SELECT * FROM users WHERE username='".$_POST['user']."' AND password='".$_POST['pass']."' LIMIT 1") or die('query failed!');

if(mysql_num_rows($query) == 1) {
    // set the session variables with the user data
    while($row = mysql_fetch_assoc($query)) {
        $_SESSION['login']['username'] = $row['username'];
    }
    $_SESSION['login']['loggedin']= true;
    header("Location: secure.php");
    exit();
} else {
    $_SESSION['login']['loggedin'] = false;
    header("Location: index.php");
}
?>
```

aschk Posted September 9, 2008

A few things:

1) die() is nasty, replace that with some nice error handling.
2) filter your input: mysql_real_escape_string() on ANY user input, as a general rule users are evil
3) remove the while() construct for iterating your rows (as you only have 1), instead use:

```php
...
if(mysql_num_rows($query) == 1) {
    $row = mysql_fetch_assoc($query);
    $_SESSION['login']['username'] = $row['username'];
...
```

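Added example, not part of the thread and not either poster's code: the same credential check with the username passed as a bound parameter, so a value containing a quote (such as o'brien) is handled as data rather than as SQL text. It goes a step beyond the advice above by using PDO (the mysql_* functions were removed in PHP 7) and password_hash()/password_verify() in place of md5(); the in-memory SQLite database, the password_hash column, the function names and the sample users are constructed for the demo.

```php
<?php
declare(strict_types=1);

// Look up one user. The username is bound as a parameter and is never
// concatenated into the SQL string.
function find_user(PDO $db, string $username): ?array
{
    $stmt = $db->prepare(
        'SELECT username, password_hash FROM users WHERE username = :u LIMIT 1'
    );
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Returns the same false for "no such user" and "wrong password", so the
// caller cannot reveal which of the two happened.
function check_login(PDO $db, string $username, string $password): bool
{
    $row = find_user($db, $username);
    return $row !== null && password_verify($password, $row['password_hash']);
}

// Constructed demo data: in-memory SQLite stands in for the MySQL database.
$db = new PDO('sqlite::memory:');
// Errors surface as exceptions instead of "or die(...)".
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)');

$insert = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
// password_hash() salts each hash and uses a deliberately slow algorithm.
$insert->execute(['garry',   password_hash('demo-password-1', PASSWORD_DEFAULT)]);
$insert->execute(["o'brien", password_hash('demo-password-2', PASSWORD_DEFAULT)]);

// Correct credentials, wrong password, a username containing a quote,
// and an unknown user.
var_dump(check_login($db, 'garry', 'demo-password-1'));
var_dump(check_login($db, 'garry', 'not-the-password'));
var_dump(check_login($db, "o'brien", 'demo-password-2'));
var_dump(check_login($db, 'nobody', 'demo-password-1'));
```

In process.php the boolean from check_login() would decide between the redirect to secure.php and the redirect back to index.php.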
gaza165 Posted September 9, 2008

OK, I have done everything you have asked... However, when I create the session variable

```php
<?php
if(mysql_num_rows($query) == 1) {
    $row = mysql_fetch_assoc($query);
    $_SESSION['username'] = $row['username'];
    $_SESSION['login']['loggedin'] = 1;
    header("Location: secure.php");
    exit();
}
?>
```

when I am redirected to secure.php I want to echo the username, so I am doing this

```php
<?php
session_start();
echo $_SESSION['login']['username'];
?>
```

For some reason it doesn't echo the session variable. What is wrong??

Thanks

aschk Posted September 9, 2008

Probably because you wrote the username into $_SESSION['username'] and NOT $_SESSION['login']['username'] (<- which is what you're echo'ing).

gaza165 Posted September 9, 2008

Sorry aschk, that was a spelling error on my part, will paste the code in full

```php
<?php
session_start();

mysql_connect("localhost","root","") or die ('Could not connect to localhost');
mysql_select_db("posts");

$_POST['pass'] = md5($_POST['pass']);

$query = mysql_query("SELECT * FROM users WHERE username='".$_POST['user']."' AND password='".$_POST['pass']."' LIMIT 1");

if(mysql_num_rows($query) == 1) {
    $row = mysql_fetch_assoc($query);
    $_SESSION['login']['username'] = $row['username'];
    $_SESSION['login']['loggedin'] = 1;
    header("Location: secure.php");
} else {
    $_SESSION['login']['loggedin'] = 0;
    header("Location: index.php");
}
?>
```

then goes to secure.php

```php
<?php
session_start();
echo $_SESSION['login']['username'];
?>
```

still won't do it....

gaza165 Posted September 9, 2008

I am trying to find out the best way for users to login and logout.. I need to know how to trigger these events properly... so that when the users log in all their session variables are set, and when they logout to make sure that the session data is unset and destroyed...

This is what I have so far....

```php
<?php
session_start();

mysql_connect("localhost","root","") or die ('Could not connect to localhost');
mysql_select_db("posts");

if($_POST['action'] = 'login') {
    $_POST['pass'] = md5(mysql_real_escape_string($_POST['pass']));

    $query = mysql_query("SELECT * FROM users WHERE username='".$_POST['user']."' AND password='".$_POST['pass']."' LIMIT 1");

    if(mysql_num_rows($query) == 1) {
        $row = mysql_fetch_assoc($query);
        $_SESSION['login']['username'] = $row['username'];
        header("Location: secure.php");
    } else {
        unset($_SESSION['login']);
        header("Location: index.php");
    }
}
?>
```

What is the best way to trigger the logout, and what events need to happen before they are redirected back to the login page??

Thanks
Garry

aschk Posted September 9, 2008

Well the first thing to note is that you shouldn't have login and logout processed by the same php script... unless you're doing a switch case based on url parameter... let's not go there.

So, just create a logout.php with the following:

```php
<?php
session_start();
session_destroy();
header("Location: index.php");
?>
```

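Added example, not part of the thread: the session side of the login, the secure.php guard and the logout in one place, covering the question of which events need to happen at login and before the redirect at logout. The function names are hypothetical; the $_SESSION['login'] layout and the page names follow the posts above.

```php
<?php
// Called from process.php once the credentials have been verified.
function start_user_session(string $username): void
{
    // Issue a new session ID at the moment privileges change, so an ID
    // handed out before login is not carried into the logged-in session.
    session_regenerate_id(true);
    $_SESSION['login'] = ['username' => $username, 'loggedin' => true];
}

// Called at the top of secure.php, after session_start().
function require_login(): string
{
    if (empty($_SESSION['login']['loggedin'])) {
        header('Location: index.php');
        exit; // stop here so nothing below the redirect is sent
    }
    return $_SESSION['login']['username'];
}

// Called from logout.php.
function end_user_session(): void
{
    // session_destroy() deletes the stored session data, but it leaves
    // $_SESSION populated for the rest of this request and does not
    // remove the session cookie from the browser. Do both explicitly.
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Body of logout.php itself:
session_start();
end_user_session();
header('Location: index.php');
exit;
```
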
Archived
This topic is now archived and is closed to further replies.