
fairly basic php question, regarding a simple log-in system



I've got some simple PHP code for a user log-in system.

 

It checks to see if the username/pw is correct; if so, it transfers you to a universal 'gallery.php' page.

code below

 

My question is, how can I specify which page gets loaded? If user A logs in correctly, he/she will get transferred to gallery_userA.php, and if user B logs in correctly, he/she will get transferred to gallery_userB.php, etc.

 

I don't need any special security features. just something basic so each user can have their own page.

 

<?php
ob_start();
$host="localhost"; // Host name
$username="xxx"; // Mysql username
$password="xxx"; // Mysql password
$db_name="xxx"; // Database name
$tbl_name="members"; // Table name

// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

// Define $myusername and $mypassword
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];

// To protect MySQL injection
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);

$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row

if($count==1){
// Register $myusername, $mypassword and redirect to file "login_success.php"
session_register("myusername");
session_register("mypassword");
header("location:/gallery/");
}
else {
echo "Wrong Username or Password";
}

ob_end_flush();
?>

Hope you automate the page creation process. But if you have this:

// Register $myusername, $mypassword and redirect to file "login_success.php"

session_register("myusername");

session_register("mypassword");

header("location:/gallery/");

 

You can just change the header line to:

header("Location: /gallery/gallery_".$myusername.".php");
exit();

 

You could use a GET variable and redirect like:

header("Location: /gallery/?user=".$myusername);

 

Or you could have the index.php script in the gallery directory load the information based on the session that is set in the previous script.

 

Also, you should be registering your sessions like this:

$_SESSION['username'] = $myusername;

as session_register is deprecated.

 

ldb358,

 

What line of code should I replace with

$_SESSION['username'] = $myusername;

?? I'm a PHP noob.

 

Also, I would like to automate the process as you suggested, Andrew, but it will leave me with a messy URL. Is it possible to direct to a specific directory, with each directory containing an 'index.php'?

 

thanks!

header("Location: /gallery/".$myusername."/index.php");
exit();

 

Only problem is you must make sure user names match "/[a-zA-Z][a-zA-Z0-9]+/"

So, they can have letters and numbers (starting with a letter). That way you can be sure that no matter what file system you are using, there won't be a problem. This particular one also requires it to be at least 2 characters long; you could use * instead of + if you want to allow 1-character user names.
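As an added example (not part of the thread): a sketch of the username check applied before the redirect path is built. It goes slightly beyond the post by anchoring the pattern with \A and \z, because preg_match() otherwise succeeds on any string that merely contains a match; client_redirect_path() and the sample names are hypothetical.

```php
<?php
// Added example, not code from the thread.
// client_redirect_path() is a hypothetical helper name.

function client_redirect_path($username)
{
    // \A and \z tie the pattern to the whole string. Without them,
    // preg_match() returns 1 as soon as any substring matches.
    if (!is_string($username)
        || preg_match('/\A[a-zA-Z][a-zA-Z0-9]+\z/', $username) !== 1) {
        return null; // caller should show the login error, not redirect
    }
    return '/gallery/' . $username . '/index.php';
}

// Constructed sample inputs: one valid name and four that must be rejected.
$samples = array('user123', 'a', '9lives', 'user.123', 'user123/../other');

foreach ($samples as $name) {
    // The pattern exactly as written in the post, without anchors.
    $unanchored = preg_match('/[a-zA-Z][a-zA-Z0-9]+/', $name) === 1;
    $path = client_redirect_path($name);

    printf(
        "%-18s unanchored=%-8s anchored=%s\n",
        $name,
        $unanchored ? 'match' : 'no match',
        $path === null ? 'rejected' : $path
    );
}

// In the login script the helper would be used like this (assumption:
// $myusername has already been verified against the members table):
//
//   $path = client_redirect_path($myusername);
//   if ($path === null) { echo "Wrong Username or Password"; exit; }
//   header("Location: " . $path);
//   exit;
```

Only 'user123' yields a path; the unanchored pattern reports a match for every sample except 'a'.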

replace:

session_register("myusername");

 

with:

 

$_SESSION['username'] = $myusername;

 

You could then fix the messy URL problem by loading the username straight from $_SESSION['username'] or by using URL rewriting (via htaccess, not PHP).

You know, maybe if we knew a bit more of the implementation, there is probably a better way to go about it than just redirecting to a different page for each user. It generally works better to dynamically load content into a single page.

andrew,

 

This is simply a client log-in system for a photography site. I don't have too many clients, so something complex isn't necessary (yet). I'm also going to be the one who defines the login/password.

 

One issue I'm running into is when a user logs in (for example: user123), they will get directed to the 'user123' page, based on this code:

header("Location: /clients/".$myusername."/");

 

 

and in the directory 'user123' i have an index.php file with this code:

 

 

 

<?
session_start();
if(!session_is_registered(user123)){
header("location:../../index.php");
}
?>

<html>
<body>
Login Successful

<p>GALLLLERY</p>

</body>
</html>

 

'user123' does not work and the page doesn't load. It DOES work when it's 'myusername':

if(!session_is_registered(myusername)){

 

Is it possible to fix this?

 

 

It is because of how you register your sessions. You need to remove the quotes from:

session_register("myusername");
//with
session_register($myusername);

But as I said earlier, that method is deprecated and you should use:

$_SESSION['username'] = $myusername;
//and to check if they are logged in
if(isset($_SESSION['username'])){}


I tried what you said earlier but then I wasn't able to log-in at all.

So my checklogin.php would be:

 

<?php
ob_start();
$host="localhost"; // Host name
$username="xx"; // Mysql username
$password="xx"; // Mysql password
$db_name="xx"; // Database name
$tbl_name="members"; // Table name

// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

// Define $myusername and $mypassword

$_SESSION['myusername'] = $myusername;
$_SESSION['mypassword'] = $mypassword;

// To protect MySQL injection
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);

$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row


if($count==1){
// Register $myusername, $mypassword and redirect to file "login_success.php"
session_register($myusername);
session_register($mypassword);
header("Location: /clients/".$myusername."/");
}
else {
echo "Wrong Username or Password";

ob_end_flush();
?>

 

and in each client directory, there would be:

 

<?
$_SESSION['username'] = $myusername;
//and to check of they are logged in
if(isset($_SESSION['username']){
header("location:../../index.php");
}
?>

 

With what's above this is not working.

Okay, you're setting it in the wrong place. What you need to do is replace:

 

session_register($myusername);
session_register($mypassword);
//with
$_SESSION['username'] = $myusername;
$_SESSION['password'] = $mypassword;

so your final script would look like:

 

<?php
ob_start();
session_start(); // must be called before $_SESSION is written
$host="localhost"; // Host name
$username="xx"; // Mysql username
$password="xx"; // Mysql password
$db_name="xx"; // Database name
$tbl_name="members"; // Table name

// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

// Define $myusername and $mypassword
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];

// To protect MySQL injection
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);

$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row


if($count==1){
// Store $myusername and $mypassword in the session and redirect to the client's directory
$_SESSION['username'] = $myusername;
$_SESSION['password'] = $mypassword;
header("Location: /clients/".$myusername."/");
}
else {
echo "Wrong Username or Password";
}

ob_end_flush();
?>

 

and your other script should look like:

 

session_start();
// Redirect to the login page when nobody is logged in
if(!isset($_SESSION['username'])){
header("location:../../index.php");
}

 

And the header() redirect needs an exit; statement after it to prevent the remainder of the code on the page from executing while the browser performs the redirect. All a hacker needs to do is ignore the header redirect and he can access the 'protected' page the same as if the security check code was not even there.
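As an added example (not code from the thread): a guard for each client's index.php that stops execution after the redirect, as the last post describes, and also checks that the session belongs to the client who owns the directory rather than to any logged-in user. require_client() is a hypothetical helper, and taking the owner from the directory name assumes the /clients/<username>/ layout used above.

```php
<?php
// Added example, not code from the thread.
// require_client() is a hypothetical helper name.

function require_client($owner, $loginUrl)
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    $loggedInAs = isset($_SESSION['username']) ? $_SESSION['username'] : null;

    // isset() alone only proves that somebody logged in. Comparing with
    // the directory owner keeps one client out of another client's pages.
    if ($loggedInAs !== $owner) {
        header('Location: ' . $loginUrl);
        // header() only queues a response header. Without exit the rest of
        // the script still runs and its output is sent with the redirect.
        exit;
    }

    return $loggedInAs;
}

// Assumption: this file is /clients/<username>/index.php, so the directory
// name is the owning username and the same file can be copied to every
// client directory unchanged.
$client = require_client(basename(__DIR__), '../../index.php');
?>
<html>
<body>
<p>Gallery for <?php echo htmlspecialchars($client, ENT_QUOTES, 'UTF-8'); ?></p>
</body>
</html>
```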
