thenewperson Posted October 26, 2009 Share Posted October 26, 2009 Need help with my login, its a successful login which reads from the user table but i can login by typing the username in the url such as phpfreaks.com?user=franky. This is the only way i know how to do login so if anyone can help out with this. The session stays if i have this on the top of each page $user = $_GET['user']; session_start(); the confirm php file has the database information for login and puts the username in url Current login.php <? include ('confirm.php'); $user = $_POST['user']; $pass = $_POST['pass']; $sql="SELECT * FROM users WHERE user_name='$user' and user_password='$pass'"; $result=mysql_query($sql); $count=mysql_num_rows($result); if($count==1){ header("Location: http://likeftp.com?user=$user"); } if($count==1){ $name=strip_tags($_POST['user']); $sql2="INSERT INTO login SET username='$user', online='ONLINE'"; $result2=mysql_query($sql2); }else { header("Location: http://likeftp.com/invalidname.php"); } ?> the login page <? $user = $_GET['user']; session_start(); $_SESSION['user'] = $user; ?> Link to comment https://forums.phpfreaks.com/topic/179110-solved-login-help/ Share on other sites More sharing options...
mrMarcus Posted October 26, 2009 Share Posted October 26, 2009 you need to create an HTML form to pass the login variables. Link to comment https://forums.phpfreaks.com/topic/179110-solved-login-help/#findComment-945002 Share on other sites More sharing options...
mrMarcus Posted October 26, 2009 Share Posted October 26, 2009 here's a pretty basic example (not tested): <?php if (isset ($_POST['submit'])): session_start(); //start session; include ('confirm.php'); //db information; #sanitize incoming form data; $user = mysql_real_escape_string (trim ($_POST['user'])); $pass = mysql_real_escape_string (trim ($_POST['pass'])); $sql = mysql_query ("SELECT * FROM users WHERE user_name='{$user}' AND user_password='{$pass}' LIMIT 1"); if (mysql_num_rows ($sql) > 0) { $res = mysql_fetch_assoc ($sql); $_SESSION['user'] = $res['user_name']; //session var; if (mysql_num_rows ($res) > 0) { header ('Location: http://likeftp.com?user='.$user); exit (0); } } else { header ('Location: http://likeftp.com/invalidname.php'); exit (0); } else: echo <<<FORM <form action="" method="post"> user: <input type="text" name="user" /><br /> pass: <input type="text" name="pass" /> <input type="submit" name="submit" value="login >>" /> </form> FORM; endif; ?> Link to comment https://forums.phpfreaks.com/topic/179110-solved-login-help/#findComment-945009 Share on other sites More sharing options...
jkewlo Posted October 27, 2009 Share Posted October 27, 2009 I have never seen anything like this mrMarcus.. index.php <html> <body> <form method="post" action="check.php"> Username: <input type="text" name="username"><br> Password: <input type="password" name="password"><br> <input type="submit" value="login"> <input type="hidden" name="login"> </form> </body> </html> check.php <?php session_start(); require_once('connect.php'); // username and password sent from form $username = $_POST['username']; $password = $_POST['password']; $username = stripslashes($username); $password = stripslashes($password); $password = md5($password); $sql = "SELECT * FROM users WHERE username='" . $username . "' and password='" . $password . "'"; $result = mysql_query($sql); // Mysql_num_row is counting table row $count = mysql_num_rows($result); // If result matched $username and $password, table row must be 1 row if ($count == 1) { while($rows=mysql_fetch_array($result)){ // Register $username, $password and redirect to file "member.php" $_SESSION['myusername'] = $username; // USERNAME SESSION header("location: profile.php"); // REDIRECT TO Profile is all is correct and handled correct } } } else { echo "invalid username or password"; } ?> Pretty simple.. and should work if you have any problems PM me This code has come from my login script that I use. but has been moded for you to use Link to comment https://forums.phpfreaks.com/topic/179110-solved-login-help/#findComment-945130 Share on other sites More sharing options...
mrMarcus Posted October 27, 2009 Share Posted October 27, 2009 I have never seen anything like this mrMarcus..i don't follow. <?php $username = $_POST['username']; $password = $_POST['password']; $username = stripslashes($username); $password = stripslashes($password); $password = md5($password); ?> you don't need to redefine $password 3 times here .. and what slashes are you stripping here? you are throwing bare post values into the db .. i had written a simple, yet highly efficient chink of code that was secure and easy to follow. also, a while() loop is redundant in this case since there is no reason to loop the one result that is coming from the db. and since you haven't sanitized your incoming form values, throwing your posted username value into a session is a really bad idea: $_SESSION['myusername'] = $username; best practice is to take it form the db after proper sanitization, that way, you should know that the value from the db is legitimate. and always add exit(); immediately following your header() redirections to avoid further execution of script. EDIT: to my original code <?php if (mysql_num_rows ($res) > 0) { header ('Location: http://likeftp.com?user='.$user); exit (0); } //change out $user to $res['user_name'] ?> not saying the code i wrote is super-fantastic or anything, but it adheres to basic anti-SQL injection techniques, and is quite efficient. something i threw together in 2 minutes. EDIT: keep in mind OP, if you are allowing for spaces in usernames, make sure to encode them and then decode them properly when sending them via the URL, otherwise, they will not be readable against the db. Link to comment https://forums.phpfreaks.com/topic/179110-solved-login-help/#findComment-945371 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.