Login Form Sessions help

[lbaxterl]

Hi im implementing a login form in my site and i wanted to know how i would adopt it to use sessions, allowing access to the admin page only if the user is logged in. Ive posted the login form and the confirm login script below any help appreciated.

 

 

Login form:

 

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
    <title></title>
</head>
<style type="text/css">
body {
text-align: center;
font-family: helvetica;
}
#loginForm {
padding: 1em;
background: #e3e3e3;
width: 260px;
margin: 3em auto 0;
text-align: left;
}
</style>
<body>

<div id="loginForm">
<form name="form1" method="post" action="confirmlogin.php">
<h2>LOGIN</h2>
<p>Username: <input type="text" name="myusername" id="myusername" /></p>
<p>Password: <input type="text" name="mypassword" id="mypassword"/></p>
<p><input type="submit" value="Login" name="submit" /></p>
</form>
</div>
</body>
</html>

 

 

confirmlogin.php

<?php
$username = $_POST['myusername'];
$password = $_POST['mypassword'];

require 'common.php';

$q = "SELECT id FROM members WHERE username = '$username' AND password = '$password'";

$result = $mysqli->query($q) or die(mysqli_error());

if (mysqli_num_rows($result) == 1) {
echo ' <meta HTTP-EQUIV="refresh" content=0;url="admin.php"/>';
} else {
$message = "User Name Not Recongised, Please Try Again!";
echo $message .  ' <meta HTTP-EQUIV="refresh" content=5;url="login.php"/>';
}
?>

 

thank you

 

 

[PHP Monkeh]

On the first line of your confirm_login.php page put this:

 

session_start();

 

then replace your if() with something like this:

 

$q = "SELECT id FROM members WHERE username = '" . mysql_real_escape_string($username) . "' AND password = '" . mysql_real_escape_string($password) . "'";

$result = $mysqli->query($q) or die(mysqli_error());

if (mysqli_num_rows($result) == 1) {
$user = $result->fetch_array(MYSQLI_NUM);
$_SESSION['admin'] = $user[0]; // Sets the session to the user's ID
header("Location: admin.php");
} else {

 

I'd suggest using mysql_real_escape_string() or whatever the mysqli function is on your $username and $password variables in the query though like I've done in the example above.

[lbaxterl]

thanks ive implemented the code but now im being bombarded with errors:

 

 

 

Warning: session_start() [function.session-start]: Cannot send session cookie - headers already sent by (output started at /web/users/e5034824/Test/confirmlogin.php:1) in /web/users/e5034824/Test/confirmlogin.php on line 2

 

Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /web/users/e5034824/Test/confirmlogin.php:1) in /web/users/e5034824/Test/confirmlogin.php on line 2

 

 

<?php
session_start();
$username = $_POST['myusername'];
$password = $_POST['mypassword'];

require 'common.php';

$q = "SELECT id FROM members WHERE username = '$username' AND password = '$password'";

$result = $mysqli->query($q) or die(mysqli_error());

if (mysqli_num_rows($result) == 1) {
$user = $result->fetch_array(MYSQLI_NUM);
$_SESSION['admin'] = $user[0]; // Sets the session to the user's ID
} else {
$message = "User Name Not Recongised, Please Try Again!";
echo $message .  ' <meta HTTP-EQUIV="refresh" content=5;url="login.php"/>';
}
?>

 

I always get the header error message but have no clue on how to fix it any ideas?

[PHP Monkeh]

Make sure there aren't any blank lines before the <?php tag or anything sent to the browser before the session_start() code.

[redarrow]

also make sure common has got no wight spaces.

 

require 'common.php';