Hi, I have written a registration and login script which works well apart from actually protecting the page you need to register for.

 

This part of the script ensures that the username and password supplied by the user match what is stored in the MySQL database.

 

function login_chk() {
    if (isset($_POST['submit'])) {
        $db = "moveitho_sitebuilder";
        mysql_connect('localhost', 'moveitho_paul', 'test') or die(mysql_error());
        mysql_select_db($db) or die(mysql_error());
        $username = mysql_real_escape_string($_POST['username']);
        $password_encoded = mysql_real_escape_string(base64_encode($_POST['password']));
        if ($result = mysql_query("SELECT username, password, verified FROM users WHERE username='$username' AND password='$password_encoded' AND verified='yes'")) {
            if (mysql_num_rows($result) > 0) {
                echo "Login successful";
                header('Location: loggedin.php');
            } else {
                echo "Login not successful.";
            }
        } else {
            echo "SQL Error: " . mysql_error();
        }
    }
};

 

Once the script verifies a valid user, it redirects to loggedin.php. However, you can just type www.mydomain.com/loggedin.php and it shows the page without actually logging in. How do I protect the page so it only shows the data if the user is logged in, and if they are not, then show the login page?

 

Thanks


try this

<?php
function login_chk()
{
session_start(); //Added
$_SESSION['valid'] = false; //added
if (isset($_POST['submit']))
{
	$db = "moveitho_sitebuilder";
	mysql_connect('localhost', 'moveitho_paul', 'test') or die(mysql_error());
	mysql_select_db( $db) or die(mysql_error());
	$username = mysql_real_escape_string($_POST['username']);
	$password_encoded = mysql_real_escape_string(base64_encode($_POST['password']));
	if ($result = mysql_query("SELECT username, password, verified FROM users WHERE username='$username' AND password='$password_encoded' AND verified='yes'"))
	{
		if (mysql_num_rows($result) > 0)
		{
			echo "Login successful";
			$_SESSION['valid'] = true; //added
			header( 'Location: loggedin.php' ) ;
		}else {
			echo "Login not successful.";
		}
	}else{
		echo "SQL Error: " . mysql_error();
	}
}
}
?>

 

 

<?php
//at the start of loggedin.php
if($_SESSION['valid'] !== true)
{
header("Location: login.php");
exit; //stop here so the rest of the page is not sent along with the redirect
}

//rest of the page
?>

Hi, thanks for your reply.

 

I tried this but it always shows that you are logged in even if you go directly to the page. I deleted all my cookies and browsing history but it still shows the login success message. How can I fix this?

 

if($_SESSION['valid'] !== true)
{
header("Location: login.php");

} else {
print "You are logged in";

}

You need to add session_start(); (I missed that in my example)

 

session_start();  //<-add this
if($_SESSION['valid'] !== true)
{
header("Location: login.php");
exit; //stop here so nothing placed after this block runs for a visitor who is not logged in
} else {
   print "You are logged in";

}

also add the 3 lines to function login_chk()

Hi, thanks for your reply again. I managed to get it to work with a slight adjustment to your post.

I'm just posting it in case anyone else has the same prob.

 

session_start();  //<-add this
if($_SESSION['valid'] == true) # This was changed and the sequence following, reversed.
{
   print "You are logged in";

} else {
header("Location: login.php");
exit; //stop here so nothing placed after this block runs for a visitor who is not logged in
}

 

 

example login processing page:

// Mysql query, and assume it was good
if(mysql_num_rows($sql) == 1){
   session_start();
   $row = mysql_fetch_array($sql);
   $_SESSION['id'] = $row['id'];
   $_SESSION['first'] = $row['first'];
   $_SESSION['last'] = $row['last'];
   // Place other sessions you would like here
   $_SESSION['logged'] = TRUE;  // This line checks on all other pages where user needs to be logged in
   header("Location: /loggedin.php");
   exit;
}
header("Location: /login.php");
exit;

 

Next you will place this at the top of all your pages that require a login.

session_start();
if(!$_SESSION['logged']){
   header("Location: /login.php");
   exit;
}
// Place the rest of the code here for users that are logged in.
echo 'Welcome '.$_SESSION['first'];
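
An added example, not code from any post in this thread: the session check and login step shown above, collected into one include file so every protected page calls the same guard. It assumes a PDO connection and a users.password column holding password_hash() output rather than the thread's base64-encoded value (base64 is reversible, so it does not protect stored passwords); the file name auth.php and the function names start_session(), login() and require_login() are hypothetical.

```php
<?php
// auth.php - added example; include it from login.php and from every protected page.
// Assumptions: $pdo is an open PDO connection, users.password holds password_hash()
// output, and users.verified is 'yes' for active accounts as in the thread's query.

function start_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        // Keep the session cookie away from page scripts and most cross-site requests.
        session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
        session_start();
    }
}

function login(PDO $pdo, string $username, string $password): bool
{
    start_session();
    // Prepared statement: user input is never spliced into the SQL text.
    $stmt = $pdo->prepare(
        "SELECT id, password FROM users WHERE username = ? AND verified = 'yes'"
    );
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || !password_verify($password, $row['password'])) {
        return false;
    }
    // Issue a new session id at login so an id set before login cannot be reused.
    session_regenerate_id(true);
    $_SESSION['id'] = $row['id'];
    $_SESSION['logged'] = true;
    return true;
}

function require_login(): void
{
    start_session();
    if (empty($_SESSION['logged'])) {
        header('Location: /login.php');
        exit; // without this the protected page still runs and is sent after the redirect header
    }
}
```

A protected page then starts with require 'auth.php'; require_login(); before any output, and login.php redirects to /loggedin.php only when login() returns true.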
