
[SOLVED] Password authentication and then redirect?


webmaster1


Hi Freaks! :D

 

I have two text fields (username, password) and a submit button that I want at the top of all my pages for a website I'm working on.

 

When it's authenticated I want it to redirect to a private page.

 

Most tutorials only show me how to put a link on each page that only when clicked pulls up the text fields and submit button (in a separate page) upon directing to the url.

 

Can anyone help me out? I'm very new to PHP.  ???

 

Thanks!

 

 

Link to comment
Share on other sites

I'm not sure I understand the question?

 

What an expedient response!

 

Here's how most tutorials advise how to password protect a page:

 

Intended Page:

<?php 
include "password_protect_page.php"; 
?> 

 

PHP Page:

<?php
session_start();
$admin_user_name = "admin"; 
$admin_password = "pass";
//you can change the username and password by changing the above two strings 
if (!isset($HTTP_SESSION_VARS['user'])) {

if(isset($HTTP_POST_VARS['u_name'])) 
	$u_name = $HTTP_POST_VARS['u_name'];

if(isset($HTTP_POST_VARS['u_password'])) 
	$u_password = $HTTP_POST_VARS['u_password'];

if(!isset($u_name)) {
	?>
	<HTML>



	<BODY bgcolor=#ffffff>

 

A working example can be found here with the username as 'admin' and the password as 'pass':

 

http://www.phpbuddy.com/sample/password_pg.php

 

This IS NOT what I want to do.

 

Instead I want the form (picture below) to be situated in the top right of all of my pages

 

capture.jpg

 

When the correct details are entered I want the user to be redirected to the desired page.

 

The difference is that the tutorials require a url to be followed and only then pull up the password form.

 

I want the password form to be available on all my pages and to redirect upon the user's correct submission.

 

I hope this makes sense.  :-[

 

Link to comment
Share on other sites

Hmmm a little general clarification might help (rewording your problem)

 

What it seems like you're asking right now is how to put the HTML form in the same page as the PHP script. Is that what you're trying to achieve?

 

Sorry about being so incoherent. Hopefully this will help:

 

index.html

 

  • Contains the regular content of my home page (text and graphics)
  • Also contains a password form (text field, password field and submit button). I want PHP to firstly verify the correct user input and secondly redirect the user to the desired page.

 

privatepage.html

 

  • Contains the content of the private page  (text and graphics).
  • I don't think this needs any php.

 

Link to comment
Share on other sites

Your form action should take you to valid.php

 

valid.php

<?php
    $valid_username = "admin";
    $valid_password = "password";

    $username = isset($_POST['username'])?$_POST['username']:"";
    $password = isset($_POST['password'])?$_POST['password']:"";

    if ($username == $valid_username && $password == $valid_password) {
            header("Location: privatepage.html");
    }else {
             header("Location: index.html");
    }
?>

 

Something like that? As long as you have the form and the field names are username and password that should work.

Link to comment
Share on other sites

What do you mean by redirect to the desired page?  What determines the desired page and what restrictions are on this page?

 

The 'desired page' is a single page where I want the client to be able to submit text to a database I've created. It'll be set up using PHP.

 

There is only one 'desired page', though I don't want it to be publicly accessible.

Link to comment
Share on other sites

Your form action should take you to valid.php

 

valid.php

<?php
    $valid_username = "admin";
    $valid_password = "password";

    $username = isset($_POST['username'])?$_POST['username']:"";
    $password = isset($_POST['password'])?$_POST['password']:"";

    if ($username == $valid_username && $password == $valid_password) {
            header("Location: privatepage.html");
    }else {
             header("Location: index.html");
    }
?>

 

Something like that? As long as you have the form and the field names are username and password that should work.

 

Thanks so much Premiso; I'm checking this now and will get back to you in a few minutes!

Link to comment
Share on other sites

I was hoping to clarify a few basics based on the code provided by Premiso.

 

To try out the code I have a page.html with the following code:

 

<html>
<head></head>
<body>
<input type="text" name="username">
<input type="password" name="password">
<input type="button" name="login" value="login">
</body>
</html>

 

How do I link the form to valid.php?

 

Sorry for being such a newb, I know these are probably very basic questions but I appreciate the help.

Link to comment
Share on other sites

Given this form...

 

<html>
<head></head>
<body>
<form action="login.php" method="post">
  <input type="text" name="username">
  <input type="password" name="userpass">
  <input type="submit" name="login" value="login">
</form>
</body>
</html>

 

If you create another page called login.php.

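<?php

// Assumes a database connection has already been opened with mysql_connect().
// Note: the mysql_* functions used here were removed in PHP 7.

if (isset($_POST['username']) && isset($_POST['userpass'])) {
  // escape the submitted values before they are placed in the query string
  $username = mysql_real_escape_string($_POST['username']);
  $userpass = mysql_real_escape_string($_POST['userpass']);

  // a matching row means the username exists and the MD5 of the password matches
  $sql = "SELECT username FROM users WHERE username = '$username' && userpass = MD5('$userpass')";
  if ($result = mysql_query($sql)) {
    if (mysql_num_rows($result)) {
      session_start();
      $_SESSION['logged'] = true;
      header("location: http://yoursite.com/private.php");
    } else {
      header("location: http://yoursite.com/incorrect.php");
    }
  }
}

?>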

 

All you need do now is create your private.php page.

<?php

session_start();
if (isset($_SESSION['logged'])) {
  // private stuff goes here.
} else {
  echo "Sorry, you need to be logged in to view this page";
}

?>

 

Of course you'll also need to create a registration page and what not, but really, this is just a simple example. There are literally thousands of examples of login/registration systems built with php. You just need to get your head around the logic so you can make them fit your own needs.

Link to comment
Share on other sites

So far I've gotten Premiso's to work (thank you so much):

 

page.html

<html>
<head></head>
<body>
<form action="valid.php" method="post">
<input type="text" name="username">
<input type="password" name="password">
<input type="submit">
</form>
</body>
</html>

 

valid.php

<?php
    $valid_username = "admin";
    $valid_password = "password";

    $username = isset($_POST['username'])?$_POST['username']:"";
    $password = isset($_POST['password'])?$_POST['password']:"";

    if ($username == $valid_username && $password == $valid_password) {
            header("Location: privatepage.html");
    }else {
             header("Location: index.html");
    }
?>

 

I'm looking into Thorpe's method as soon as I finish creating the database. I just have a few questions:

 

  • Is my password method less secure if I don't use SQL?
  • Can I just 'include' the form as a header in my html page or must any page I use the form with have the .php extension? (e.g. index.php)
  • Is it possible to use an image as a button (with a javascript rollover effect) with the php code or should I not even bother googling it?

 

Sorry for badgering but I'm sure this thread will help round up this topic for other newbies like me.

 

Link to comment
Share on other sites

If you want your password to be more secure, encrypt it with md5 or sha1, and storing it in a database allows for you to maintain the security even if someone were to get a hold of your files.

 

Right, I'm back. Thanks for the input. I'll post my code as soon as it's completed. (obviously not for any of you brainchilds but for any fellow newbs that stumble across this thread via a search engine.)

Link to comment
Share on other sites

I've attempted Thorpe's method but I keep on getting the following error:

 

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'nobody'@'localhost' (using password: NO) in XXX/login.php on line 8

 

I've used the following code:

 

page.php

<html>
<head></head>
<body>
<form action="login.php" method="post">
<input type="text" name="username">
<input type="password" name="password">
<input type="submit">
</form>
</body>
</html>

 

login.php

<?php

include("dbinfo.inc.php");

if (isset($_POST['username']) && isset($_POST['password'])) {
  $username = mysql_real_escape_string($_POST['username']);
  $userpass = mysql_real_escape_string($_POST['password']);

  $sql = "SELECT username FROM users WHERE username = '$username' && password = MD5('$password')";
  if ($result = mysql_query($sql)) {
    if (mysql_num_rows($result)) {
      session_start();
      $_SESSION['logged'] = true;
      header("location: private.php");
    } else {
      header("location: invalid.php");
    }
  }
}

?>

 

dbinfo.inc.php

<?
$username="XXX";
$password="XXX";
$database="XXX";
?>

 

private.php

<?php

session_start();
if (isset($_SESSION['logged'])) {
  // private stuff goes here.
} else {
  echo "Sorry, you need to be logged in to view this page";
}

?>

 

Can anybody spot where I've gone wrong? It occurs when I click the submit button on my form.

 

My database is already created.

 

I know I'm close to completing this but I can't seem to get past this error.

Link to comment
Share on other sites
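
An added example, not code from any poster in this thread: the login check from login.php written with PDO prepared statements and password_hash()/password_verify() in place of mysql_real_escape_string() and MD5(). It opens its connection before any query runs (the warning quoted above is what mysql_real_escape_string() emits when no connection exists yet) and keeps the form password in its own variable. The in-memory SQLite database (requires pdo_sqlite), the sample account and the function names open_db and check_login are assumptions made so the example runs on its own.

```php
<?php
// Added example with constructed data; in-memory SQLite stands in for the thread's MySQL database.
function open_db(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, userpass TEXT NOT NULL)');
    // Constructed sample account. password_hash() salts and stretches the password, MD5() does neither.
    $ins = $pdo->prepare('INSERT INTO users (username, userpass) VALUES (?, ?)');
    $ins->execute(['admin', password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $pdo;
}

function check_login(PDO $pdo, $username, $formPassword): bool {
    // Reject non-string input (e.g. username[]=x) before it reaches the query.
    if (!is_string($username) || !is_string($formPassword)) {
        return false;
    }
    // Bound placeholder: the query text never contains user input, so no escaping is needed.
    $stmt = $pdo->prepare('SELECT userpass FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();          // false when the username does not exist

    // Verify against a dummy hash for unknown users so both paths do similar work.
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('dummy', PASSWORD_DEFAULT);
    }
    $matches = password_verify($formPassword, $hash === false ? $dummy : $hash);
    return $matches && $hash !== false;
}

$pdo = open_db();                          // connect first, then query
// On a true result login.php would set $_SESSION['logged'] and redirect.
var_dump(check_login($pdo, 'admin', 'correct horse'));
var_dump(check_login($pdo, 'admin', 'wrong'));
var_dump(check_login($pdo, "admin' OR '1'='1", 'x'));
```
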

My only concern with Premiso's method is that the URL of the private page can be accessed by typing it in to the address bar.

 

Same with mine. Both, however, won't display the private stuff unless you're logged in. Is this for multiple users or what? If it's just a simple single username / password you're probably best just using Premiso's; mine will allow for multiple users.

Link to comment
Share on other sites

The simple solution to the problem with my method is to rename privateplace.html to privateplace.php. Then add a check like in Thorpe's to display the private stuff.

 

Modified version of my script to set a session variable:

 

<?php
session_start();
    $valid_username = "admin";
    $valid_password = "password";

    // fall back to an empty string when a field was not submitted
    $username = isset($_POST['username'])?$_POST['username']:"";
    $password = isset($_POST['password'])?$_POST['password']:"";

    if ($username === $valid_username && $password === $valid_password) {
        $_SESSION['logged'] = true;
        // renamed from privatepage.html so that the session check inside it runs
        header("Location: privatepage.php");
    } else {
        $_SESSION['logged'] = false;
        header("Location: index.html");
    }
    exit; // nothing else should run after the redirect header
?>

 

Then your private page would be

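<?php
session_start();

// empty() also covers the case where the session flag was never set
if (empty($_SESSION['logged'])) {
    header("Location: index.html");
    exit; // stop here, otherwise the private data below is still sent to the browser
}

// put the private data here, no one will see it unless they are logged in.
?>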

 

Basically everything you need is contained in this post, just pick and choose and implement.

Link to comment
Share on other sites
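
The session-based flow from this thread collected into one file, as an added example that is not any poster's code: the form sits on the public page, the POST is checked, and the private part is shown only when the session flag is set. It calls exit after every redirect, regenerates the session id on login, and compares against a password hash instead of a plaintext string. The file name demo.php, the page query parameter and the sample credential are assumptions.

```php
<?php
// demo.php (hypothetical name) - added example, one file playing three roles.
// Try it with PHP's built-in server: php -S 127.0.0.1:8000
session_start();

const VALID_USER = 'admin';
// Constructed credential. A real site stores this hash string once, never the plaintext.
$validHash = password_hash('password', PASSWORD_DEFAULT);

function redirect(string $to): void {
    header('Location: ' . $to);
    exit; // header() does not stop the script; without exit the page body is still sent
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {            // role of valid.php
    $u = $_POST['username'] ?? '';
    $p = $_POST['password'] ?? '';
    if (is_string($u) && is_string($p)
        && hash_equals(VALID_USER, $u) && password_verify($p, $validHash)) {
        session_regenerate_id(true);                    // fresh session id once authenticated
        $_SESSION['logged'] = true;
        redirect('demo.php?page=private');
    }
    redirect('demo.php');                               // wrong credentials: back to the form
}

if (($_GET['page'] ?? 'index') === 'private') {         // role of privatepage.php
    if (empty($_SESSION['logged'])) {
        redirect('demo.php');                           // typing the URL directly lands here
    }
    echo '<p>Private content.</p>';
    exit;
}
?>
<html>
<body>
<!-- login form; in a multi-page site this markup lives in the header shared by every page -->
<form action="demo.php" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="login">
</form>
<p>Public content.</p>
</body>
</html>
```
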
