lore_lanu Posted July 4, 2009 Share Posted July 4, 2009 Hello again! I've been working on a login script for a while, adn new problems keep popping up. Currently, something odd is going on when I try to execute my script. <?php session_start(); if($_SESSION['pleaselogin'] == 1) { $message = '<div class=red><b>An error has occured.</b> You must be logged in to view this page. Please login below.</div>'; $_SESSION['pleaselogin'] = '0'; } if($_SESSION['loggedin'] == 1) { header('Location: home'); } //This code runs if the form has been submitted if (isset($_POST['submit'])) { include("includes/dbconnect.php"); // Define $username and $password $username= $_POST['username']; $password= md5($_POST['password']); // To protect MySQL injection $username = stripslashes($username); $password = stripslashes($password); $username = mysql_real_escape_string($username); $password = mysql_real_escape_string($password); // Retrieve username and password $sql="SELECT * FROM users WHERE username = '$username' AND password = '$password'"; $result = mysql_query($sql); // Mysql_num_row is counting table row $count = mysql_num_rows($result); // If result matched $username and $password, table row must be 1 row if($count == 1){ // retrieve userid from database $sql = "SELECT id FROM users WHERE username = '$username' AND password = '$password'"; $result = mysql_query($sql); while ($row = mysql_fetch_assoc($result)) { $userid = $row["id"]; } // update lastlogin $llsql = "UPDATE users SET lastlogin = now() WHERE id = '$userid' AND username = '$username'"; $llresult = mysql_query($llsql); $_SESSION['loggedin'] = '1'; $_SESSION['userid'] = $userid; $_SESSION['username'] = $username; header("Location: home"); unset($_POST['username']); }else { $message = '<div class=red><b>An error has occured.</b> Please check that you are using a valid username/password combination.</div>'; } } include ("includes/nologin.php"); include ("includes/header.php"); ?> <img src="i/titles/login.png"><br> Please login to your account to participate in our plot, <i>'the Mutated Moach'</i>. If you do not have an account and would like to participate, feel free to <a href="register">create</a> one.<br> <div class="regvalidate"><?php print $message; ?></div> <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post"> <center><div class="logtable logfont"><table><br> <div style="text-align:left;">Username:</div> <input name="username" type="text" value="<?php echo $_POST['username'];?>" class="regbox"><br><br> <div style="text-align:left;">Password:</div> <input name="password" type="password" class="regbox"><br> <input type="submit" name="submit" class="regsend" value="Login" style="margin: 25px 35px;"> </table></div> </form></center> <?php include ("includes/footer.php"); ?> I don't get any php or mysql errors, but, for some reason, whenever I try to log in. I get the error message I wrote that appears directly above the login form. (An error has occured. You must be logged in to view this page. Please login below.) But when I try to log in with, with the message still being displayed, it works fine. This happens every time I try to log in. I just can't figure out what is wrong with the code. I tried removing the if statement that writes the error message, but then the page just refreshes and won't log me in. Can anyone offer me some suggestiosn as to what I did wrong? Also, if you need me to specify the code in some of the files I've included in this one, I will gladly do so. Thanks in advance! Quote Link to comment Share on other sites More sharing options...
The Eagle Posted July 4, 2009 Share Posted July 4, 2009 <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post"> I do not think the <?php is needed in this. Start the PHP (<?php) code before the <form action=""> Then end it (?>) after the </form> Quote Link to comment Share on other sites More sharing options...
lore_lanu Posted July 4, 2009 Author Share Posted July 4, 2009 Could you explain to me what you mean by that? So you want me to echo the form statement using php? Quote Link to comment Share on other sites More sharing options...
Northern Flame Posted July 4, 2009 Share Posted July 4, 2009 post the script that processes everything because its going to be hard to help you by only looking at the login form ***never mind for some reason it didnt let me scroll up on your code before but now i see it, ill take a look at it right now Quote Link to comment Share on other sites More sharing options...
The Eagle Posted July 4, 2009 Share Posted July 4, 2009 Could you explain to me what you mean by that? So you want me to echo the form statement using php? I am saying your form actions and the echo statements inside your form are faulty and may be potentially identifying incorrectly if the statements do not match the variables. Quote Link to comment Share on other sites More sharing options...
Northern Flame Posted July 4, 2009 Share Posted July 4, 2009 heres one problem i found, if($_SESSION['loggedin'] == 1) { header('Location: home'); } $_SESSION['loggedin'] is not even set yet so its going to default to NULL and later on in the code it is set to 1, that is why it gives you an error message first and then lets you log in....try this: <?php session_start(); //This code runs if the form has been submitted if (isset($_POST['submit'])) { include("includes/dbconnect.php"); // Define $username and $password $username= $_POST['username']; $password= md5($_POST['password']); // To protect MySQL injection $username = stripslashes($username); $password = stripslashes($password); $username = mysql_real_escape_string($username); $password = mysql_real_escape_string($password); // Retrieve username and password $sql="SELECT * FROM users WHERE username = '$username' AND password = '$password'"; $result = mysql_query($sql); // Mysql_num_row is counting table row $count = mysql_num_rows($result); // If result matched $username and $password, table row must be 1 row if($count == 1){ // retrieve userid from database $sql = "SELECT id FROM users WHERE username = '$username' AND password = '$password'"; $result = mysql_query($sql); while ($row = mysql_fetch_assoc($result)) { $userid = $row["id"]; } // update lastlogin $llsql = "UPDATE users SET lastlogin = now() WHERE id = '$userid' AND username = '$username'"; $llresult = mysql_query($llsql); $_SESSION['loggedin'] = '1'; $_SESSION['userid'] = $userid; $_SESSION['username'] = $username; header("Location: home"); unset($_POST['username']); }else { $message = '<div class=red><b>An error has occured.</b> Please check that you are using a valid username/password combination.</div>'; } if($_SESSION['pleaselogin'] == 1) { $message = '<div class=red><b>An error has occured.</b> You must be logged in to view this page. Please login below.</div>'; $_SESSION['pleaselogin'] = '0'; } if($_SESSION['loggedin'] == 1) { header('Location: home'); } } include ("includes/nologin.php"); include ("includes/header.php"); ?> <img src="i/titles/login.png"><br> Please login to your account to participate in our plot, <i>'the Mutated Moach'</i>. If you do not have an account and would like to participate, feel free to <a href="register">create</a> one.<br> <div class="regvalidate"><?php print $message; ?></div> <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post"> <center><div class="logtable logfont"><table><br> <div style="text-align:left;">Username:</div> <input name="username" type="text" value="<?php echo $_POST['username'];?>" class="regbox"><br><br> <div style="text-align:left;">Password:</div> <input name="password" type="password" class="regbox"><br> <input type="submit" name="submit" class="regsend" value="Login" style="margin: 25px 35px;"> </table></div> </form></center> <?php include ("includes/footer.php"); ?> Quote Link to comment Share on other sites More sharing options...
lore_lanu Posted July 4, 2009 Author Share Posted July 4, 2009 Actually the code, if($_SESSION['loggedin'] == 1) { header('Location: home'); } is supposed to be there, at least I'm pretty sure. So when a user signs in using the right credentials, a session is started (loggedin) and it is set to '1' or true. So, if the user tries to view the login page again, and they are logged in, they will be automatically redirected to the home page. The error message that is appearing is one that I wrote. if($_SESSION['pleaselogin'] == 1) { $message = '<div class=red><b>An error has occured.</b> You must be logged in to view this page. Please login below.</div>'; $_SESSION['pleaselogin'] = '0'; } This one is set on every protected page. The code on those pages check to see if $_SESSION['loggedin'] is set and equals 1 and if it doesn't sets $_SESSION['pleaselogin'] to one and redirects back to the login page. @The Eagle: I'm really sorry, but I am still unsure of what you are telling me to do. Edit: I executed the code you suggested, Northern Flame, and there doesn't seem to be any difference in what is happening. Quote Link to comment Share on other sites More sharing options...
PFMaBiSmAd Posted July 4, 2009 Share Posted July 4, 2009 $_SESSION['loggedin'] and $_SESSION['pleaselogin'] are complements of each other and at the point you do log in, you are not setting $_SESSION['pleaselogin'] to zero, so any page using $_SESSION['pleaselogin'] is not going to act corrrectly. Just use one variable $_SESSION['loggedin']. If it is 1 you are logged in. If it is 0 (or non-existent) you are not logged in. You also need an exit; statement after every header() redirect statement to prevent the remainder of the code on the page from being executed. And the information The Eagle posted is just two different ways of accomplishing the same thing are are not relevant to the problem. Quote Link to comment Share on other sites More sharing options...
lore_lanu Posted July 4, 2009 Author Share Posted July 4, 2009 I see what you are saying, PFMaBiSmAd, but I believe that I do need both $_SESSION['loggedin'] and $_SESSION['pleaselogin']. $_SESSION['loggedin'] identifies whether the user is logged in. It allows users to see (and to not see, such as the login page) certain pages. It is in use until the user logs out. However, $_SESSION['pleaselogin'] is only in use when the user tries to access a page where $_SESSION['loggedin'] is needed. When that requirement is not fulfilled, $_SESSION['pleaselogin'] is created, set to 1, and the user is redirected to the login page. If I only used one variable, $_SESSION['loggedin'], then whenever the user accessed the login form (through any means) they would get the red message. I only want them to see that when they try to access a protected page without logging in. Or am I going about this the wrong way? Quote Link to comment Share on other sites More sharing options...
The Eagle Posted July 4, 2009 Share Posted July 4, 2009 Try the suggested exit(); statement. Quote Link to comment Share on other sites More sharing options...
lore_lanu Posted July 4, 2009 Author Share Posted July 4, 2009 Problem Solved! I tried your tip, PFMaBiSmAd, about using exit; and it worked like a charm! Thanks everyone for the awesome help! Edit: Haha, you beat me to this post The Eagle. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.