Securing Login


bobby317


Right now I have my login working and it goes where I want it to.  But say you type in the address of the page the login takes you to if you log in successfully: it will bypass the login and show the page without being logged in.  So I want to find a fix for this.  I think it involves cookies or sessions, but I am new to those.  Is there anyone who could guide me in the proper way to make this more secure or point me to some online sources? Thanks.


 

Please post your code

 

Yes, either of those methods is fine.

Declare a session variable like this:

 

$_SESSION['variable'] = 'somevalue';

 

and then when you want to use it you can just call that variable back.

 

**All files using sessions (or carrying them) must begin with session_start();


Here is the code for my login page:

 

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Login</title>

<link href="eventMain.css" rel="stylesheet" type="text/css" />

</head>

<body>

<?php

//Show the form until it is submitted:
if (!isset($_POST['submit'])) {
	include_once "loginform.html";
} else {

	//Flag variable to track success
	$okey = TRUE;

	//Check that email is not empty
	if (empty($_POST['email1'])) {
		print '<p class="error">Please enter your email address.</p>';
		include_once "loginform.html";
		$okey = FALSE;

	//Check that password is not empty
	} elseif (empty($_POST['pass1'])) {
		print '<p class="error">Please enter your password</p>';
		include_once "loginform.html";
		$okey = FALSE;

	//If there were no errors, check the credentials:
	} elseif ($okey == TRUE) {

		//Trim email and password and store them in variables:
		$email = trim($_POST['email1']);
		$password = trim($_POST['pass1']);

		//Hash the password using the email as salt:
		$password = sha1($email.$password);

		//Connect to the database:
		$dbc = mysql_connect('rwddesign.com:3306', 'rwddesi1_bobby31', 'jessica');
		mysql_select_db('rwddesi1_test');

		//Escape the user-supplied email before placing it in the query (the sha1 hash is hex and needs no escaping):
		$email = mysql_real_escape_string($email, $dbc);

		//Query for checking the database for the email and password
		$loginQuery = "SELECT * FROM users WHERE email = '$email' AND password = '$password'";

		//Get results from the above query
		$result = mysql_query($loginQuery, $dbc);

		//Count number of rows returned from the query
		$count = mysql_num_rows($result);

		//Check if there is a match
		if ($count == 1) {

			//If there is a match
			include "addevent.php";

		//If no match
		} else {
			print '<p class="error">Wrong Username or Password</p>';
			include_once "loginform.html";
		}
	}
}

?>
</body>
</html>

 

And here is the page it goes to:

 

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Add Event</title>
<link href="eventMain.css" rel="stylesheet" type="text/css" />
</head>

<body>

<?php

//Store the names of the include files in variables
$form = "addEventForm.html";
$calendar = "1stCalendar.php";

//Show the form until it is submitted
if (!isset($_POST['submit'])) {
	include_once "$form";
	include_once "$calendar";

} else {

	//Flag variable to track success
	$okay = TRUE;

	//Validate name field
	if (empty($_POST['eventName'])) {
		print '<p class="error">Please enter the event name.</p>';
		$okay = FALSE;
		include_once "$form";
		include_once "$calendar";

	//Validate date
	//Month
	} elseif (empty($_POST['month'])) {
		print '<p class="error">Please enter the month.</p>';
		$okay = FALSE;
		include_once "$form";
		include_once "$calendar";

	//Day
	} elseif (empty($_POST['day'])) {
		print '<p class="error">Please enter the day.</p>';
		$okay = FALSE;
		include_once "$form";
		include_once "$calendar";

	//Year
	} elseif (empty($_POST['year'])) {
		print '<p class="error">Please enter the year.</p>';
		$okay = FALSE;
		include_once "$form";
		include_once "$calendar";

	//Validate startTime
	} elseif (empty($_POST['startTime'])) {
		print '<p class="error">Please enter a start time.</p>';
		$okay = FALSE;
		include_once "$form";
		include_once "$calendar";

	//Validate endTime
	} elseif (empty($_POST['endTime'])) {
		print '<p class="error">Please enter an end time.</p>';
		$okay = FALSE;
		include_once "$form";
		include_once "$calendar";

	//Validate description
	} elseif (empty($_POST['description'])) {
		print '<p class="error">Please enter a description.</p>';
		$okay = FALSE;
		include_once "$form";
		include_once "$calendar";

	//If $okay is TRUE, organize the data and insert it into the database
	} elseif ($okay == TRUE) {

		//Remove white space and create variables
		$eventName = trim($_POST['eventName']);
		$startTime = trim($_POST['startTime']);
		$timeOfDay1 = $_POST['timeOfDay1'];
		$endTime = trim($_POST['endTime']);
		$timeOfDay2 = $_POST['timeOfDay2'];
		$description = trim($_POST['description']);

		//Set am or pm for the times
		$fStartTime = "$startTime $timeOfDay1";
		$fEndTime = "$endTime $timeOfDay2";

		//Build the date string
		$date = "{$_POST['day']}-{$_POST['month']}-{$_POST['year']}";

		//Convert the date to a Unix timestamp (cast to int so a failed parse gives 0 instead of a broken query)
		$Tdate = (int) strtotime($date);

		//Connect to the database:
		$dbc = mysql_connect('rwddesign.com:3306', 'rwddesi1_bobby31', 'jessica');
		mysql_select_db('rwddesi1_test');

		//Escape the user-supplied strings before placing them in the query
		$fStartTime = mysql_real_escape_string($fStartTime, $dbc);
		$fEndTime = mysql_real_escape_string($fEndTime, $dbc);
		$eventName = mysql_real_escape_string($eventName, $dbc);
		$description = mysql_real_escape_string($description, $dbc);

		//Define the query:
		$query = "INSERT INTO events (eventID, date, startTime, endTime, eventName, description) VALUES (0, FROM_UNIXTIME($Tdate), '$fStartTime', '$fEndTime', '$eventName', '$description')";

		//Execute the query
		if (@mysql_query($query, $dbc)) {

			//Print message if successful
			print '<h1>Your event has been added!</h1>';
			include_once "$form";
			include_once "$calendar";

		} else {
			//Print message for all other errors.
			print '<h1 class="error">Could not add event because:' . mysql_error() . ' .</h1>
				   <p class="error">The query being run was: ' . $query . '</p>';
			include_once "$calendar";
			include_once "$form";
		}
	}
}

?>

</body>
</html>

 

Thanks again and please explain anything so I can learn.


I can look into your code in a bit, still at work  :D

 

First thing I noticed is that you could create more structured, readable code using a switch in the second file instead of multiple if/else statements (not your issue though).

 

Basically we want (in English): when the user submits the form, check the username (however you're doing it, I haven't looked). If it passes, assign it to a session variable, most likely named Username or something to that effect. That variable is then available to any page after that which opens a session at the top (even if it's a page previously visited).

 

I'll try to look deeper into your issue in a bit, but until then, look at the manual regarding sessions.

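The session-based guard that both replies above describe (store a value in $_SESSION after a successful login, start the session at the top of every page, and check that value on the protected page so typing its address directly no longer works), written out as an added example. It is not the original poster's code or either reply's. It assumes PHP 7.3 or later, a PDO connection with placeholder host and credentials, a users table with id, email and password_hash columns, a protected page addevent.php, and a form that posts email1 and pass1 as the posted login form does. It also uses a prepared statement and password_hash()/password_verify() in place of the string-built query and sha1(email.password) in the posted code; that part goes beyond what the thread discusses.

```php
<?php
// Added example (not the poster's or the repliers' code): session guard for a login.
// Assumptions: PHP 7.3+, PDO/MySQL, table users(id, email, password_hash) where
// password_hash was produced by password_hash(). Host and credentials are placeholders.
declare(strict_types=1);

// ---- auth.php: required by every page that reads or writes $_SESSION ----

// session_start() must run before any output, on every page that uses the session.
function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_set_cookie_params([
        'httponly' => true,   // scripts in the browser cannot read the cookie
        'secure'   => true,   // cookie only travels over HTTPS (set false on a plain-HTTP dev box)
        'samesite' => 'Lax',  // not attached to cross-site POST requests
    ]);
    session_start();
}

function db(): PDO
{
    // Placeholder DSN and credentials; real values belong in a config file outside the web root.
    $pdo = new PDO('mysql:host=localhost;dbname=placeholder_db;charset=utf8mb4', 'placeholder_user', 'placeholder_pass');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $pdo;
}

// Check email and password; on success record the user in the session and return true.
function login(string $email, string $password): bool
{
    // Prepared statement: the email is bound as data, never spliced into the SQL string.
    $stmt = db()->prepare('SELECT id, password_hash FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        // Unknown email: still run one hash comparison so the response time
        // does not reveal which emails are registered.
        password_verify($password, password_hash('placeholder-dummy', PASSWORD_DEFAULT));
        return false;
    }
    if (!password_verify($password, $row['password_hash'])) {
        return false;
    }

    // Fresh session id after login, so an id handed out before login cannot be reused.
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $row['id'];
    $_SESSION['email']   = $email;
    return true;
}

// First thing on every protected page: no logged-in user means redirect to the form.
function require_login(string $loginUrl = 'login.php'): void
{
    start_secure_session();
    if (empty($_SESSION['user_id'])) {
        header('Location: ' . $loginUrl, true, 302);
        exit;
    }
}

function logout(): void
{
    start_secure_session();
    $_SESSION = [];
    setcookie(session_name(), '', time() - 3600, '/');
    session_destroy();
}

// ---- login.php (handler excerpt, before any HTML is printed) ----
//   require_once 'auth.php';
//   start_secure_session();
//   if (isset($_POST['submit'])) {
//       $email = trim($_POST['email1'] ?? '');
//       $pass  = $_POST['pass1'] ?? '';          // do not trim passwords; spaces are part of them
//       if ($email !== '' && $pass !== '' && login($email, $pass)) {
//           header('Location: addevent.php', true, 302);
//           exit;
//       }
//       print '<p class="error">Wrong Username or Password</p>';
//   }
//
// ---- addevent.php (first two lines, before the <!DOCTYPE>) ----
//   require_once 'auth.php';
//   require_login();
```

With this layout the protected page is reached by redirect rather than by include from inside the login script, so the browser's address bar shows addevent.php and a later visit to that address goes through require_login() like any other request. The login handler prints the error only after the failed check; the posted loginform.html can be included after it exactly as before.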
