[SOLVED] User logon and cookies help

[Vitamin]

I'm trying to build a web app just to learn php.  The main screen is a user logon screen when the user logs on it authenticates it though mySQL.  The next screen is like a user screen.  Well lets say the user wants to create a new customer, so there is a link to a new page to create a new customer.  Well on the new customer page there is a link back to the main user screen.  I'm using cookies to make sure its all working and I am able to output the cookies on the 3rd page for the user information, so I know its working.  I just don't know how to get the user information back to the main user screen.  I'll just show the code.

 

Logon screen form.

<form method="post" action="userlogon.php">
<center>User Name: <center><input name="username" type="text" /></center></center><br />
<center>Password: <center><input name="password" type="password" /></center></center><br />
    <center><input type="submit" name="submitinfo" value="Submit"></center></form>

 

<?php
$link = mysql_connect('host','root','pass')
or die("you fail");
mysql_select_db("dbname");
session_start();
$_SESSION['username'] = $_POST['username'];
$_SESSION['password'] = $_POST['password'];

$username = $_POST['username'];
$password = $_POST['password'];
if($username=="" || $password=="")
{
die("Please do not leave the username / password field blank!");
}
$result = mysql_query("SELECT * FROM users WHERE
username='$username' AND password='$password'");
$number = mysql_num_rows($result);
if($number==0)
{
die("Your login details are not right. Please click the back button
and correct them.");
}

?>

 

New customer screen.

<?php
session_start();
$user = $_SESSION['username'];
$pass = $_SESSION['password'];

<a href="userlogon.php">Main Screen</a>

 

When I click on the link on the 3rd page I get this

"Please do not leave the username / password field blank!"

I understand that it should not work, I have thought about using a hidden form, but not sure how to go about doing that.

 

Is there maybe a tutorial somewhere about users logging on and how to pass variables so that only users can get to screens after the main logon screen?

 

I help would be appreciated.

[kenshintomoe225]

I'm not exactly sure of the behavior of POST between pages, but the $_POST global is populated by the POST field in the HTTP request header.  So if it gets overwritten each time, so don't those fields you are setting your session variables to when you link back.

 

I would set your session variables after you have done the authentication and it is valid.  Then I would set the session variables to the post variables ONLY once, and that is after authentication.  Then we you check them again, check against the session variables instead of the post ones.  Is that making sense?  I'm a little tired right now hehe.  Let's see about a code example:

 

<?php
$link = mysql_connect('host','root','pass')
or die("you fail");
mysql_select_db("dbname");
session_start();


$username = $_POST['username'];
$password = $_POST['password'];
if($_SESSION['username']=="" || $_SESSION['password']=="")
{
die("Please do not leave the username / password field blank!");
}
$result = mysql_query("SELECT * FROM users WHERE
username='$username' AND password='$password'");
$number = mysql_num_rows($result);
if($number==0)
{
die("Your login details are not right. Please click the back button
and correct them.");
}
else
{
$_SESSION['username'] = $_POST['username'];
$_SESSION['password'] = $_POST['password'];
}

?>

 

This is roughly what i'm talking about.  Also, you are running the authorization script each time you load the page, creating unpredictable results (well, without me stepping through your code for a little while).  Use another session variable to signify a user that has already logged in, and don't bother with the authorization if they are already a valid user.

[jwilliam]

You should only perform the authentication when the form has been submitted.  You can do that like this:

 

if(isset($_POST['submitinfo'])) {
  /* perform authentication */
}

 

Also, you've got a pretty major security flaw in your authentication algorithm.  Any time you take data from a user and query your database with it, you need to "scrub" the data first.  If you allow the user to enter anything they want in your login form without cleaning it then I could enter something like this as my username:

 

' OR 1=1; --

 

Then, when my username data is inserted into your mysql query, it looks like this:

 

"SELECT * FROM users WHERE username='' OR 1=1; --' AND password='whatever'"

 

By doing that I would now have access to your password-protected pages.  Luckily, this is easy to handle.  To "scrub" the data you need to pass it through mysql_real_escape_string() so...

 

$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);

 

That's it.  $username and $password are now safe to use in mysql queries.  Form more info on this Google "mysql injection attacks."

[Vitamin]

Thanks for the help guys.  I got it to work, but got a new problem.  If I were just type in type in

xxx.xxx.xxx.xxx/userlogon.php it takes me to the page and does not give me a error.  Here is my new code.

<?php
$link = mysql_connect('host','root','pass')
or die("you fail");
mysql_select_db("videostore");
session_start();              //start session


$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);


if(isset($_POST['submitinfo'])) {
if($username=="" || $password=="")
{
die("Please do not leave the username / password field blank!");
}
$result = mysql_query("SELECT * FROM users WHERE
username='$username' AND password='$password'");
$number = mysql_num_rows($result);
if($number==0)
{
die("Your login details are not right. Please click the back button
and correct them.");
}

$_SESSION['username'] = $username;   //sets session vars
$_SESSION['password'] = $password;   //sets session vars
}

?>

 

Any ideas?

[kenshintomoe225]

It looks like you're still setting your session variables every time you load that page, to whatever the value of $username and $password are.  Also, I would change the names of the variables to make it easier to read and follow.

[Vitamin]

It looks like you're still setting your session variables every time you load that page, to whatever the value of $username and $password are.  Also, I would change the names of the variables to make it easier to read and follow.

 

Oh right on thanks.  Ill try that.

[kenshintomoe225]

sure thing!

 

And just as a quick tip, for something like keeping track of a logged in user, you want to set those session variables only once, like right after they login.  Don't keep clobbering them with data, or else you run a very high risk of corrupting the values inside and breaking your page.

 

if( $login == TRUE;)
{
    $_SESSION['user'] = $username;
    $_SESSION['pass'] = $password;
     $login = FALSE;  //don't touch any of these anymore.  Its just an example, I'l leave it to your good sense to put it to work 
}

[Vitamin]

Woot got it. Cant type in .../userlogon.php and get on anymore.

 

Had to put in a else and die statement to go along with the if(isset) statement.

 

Thanks for the help and the tip!

 

 

[Vitamin]

Ok I lied this is not solved yet.  Still cant get it perfect.

Basic layout.

page 1 -> page 2 through a form (login)

page 2 -> page 3 link with session vars

page 3 -> page 2 broken get errors

<?php
if(isset($_POST['submitinfo'])){
//auth works and sets session username

}elseif(isset($_SESSION['username'])){//something needs to go here, but what?
}
else {
  die("Noob!");
}
?>

 

The Noob! is what I get when going from page 3 to page 2 though a link.

 

Ill add anything if you need it.

[Vitamin]

OK never mind I got it had to start the session before the if statement because the if statement needs to use it not just the auth part of the if statement.

 

Wow so happy now... like 3 hours of trying to figure this out.