blink359 Posted July 24, 2010

I want to create a login section for a part of my website, so I skipped ahead a bit in my book and looked at the login script. I copied it out, trying to understand it as best I could, and it doesn't work. I think it may be because the book is a bit outdated now, and I would like to know what's outdated in the script and what to put in it instead. If you can help me it would be much appreciated. If you can help me and have time, could you explain the changes a bit as well, please?

Login code

```php
<?php
//check for required fields from the form
if ((!isset($_POST["username"])) || (!isset($_POST["password"]))) {
    header("location: userlogin.html");
    exit;
}

//connect to server and select database
$mysqli = mysqli_connect("mysql12*********", "a98553*******", "********", "a985*******");

//create and issue the query
$sql = "SELECT f_name, l_name FROM users WHERE user= '".$_POST["user"]."' AND password = PASSWORD('".$_POST["password"]."')";
$result = mysqli_query($mysqli, $sql) or die(mysqli_error($mysqli));

//get the number of rows in the result set; should be 1 match
if (mysqli_num_rows($result) == 1) {
    //if authorized, get the values of f_name l_name
    while ($info = mysqli_fetch_array($result)) {
        $f_name = stripslashes($info['f_name']);
        $l_name = stripslashes($info['l_name']);
    }
    //set authorization cookie
    setcookie("auth", "1", 0, "/", "", 0);
    //create display string
    $display_block = "
    <p>Welcome ".$f_name." ".$_lname."!</p>
    <p>JNCO Menu:</p>
    <ul>
    <li><a href=\"emailall.php\">Send an email to everyone in Valiant Flight</a></li><br />
    <li><a href=\"emaillist.php\">List of Valiant flight email addresses</a></li><br />
    </ul>";
} else {
    //redirect back to login form if not authorized
    header("Location: userlogin.html");
    ecit;
}
?>
```

Checking if they're logged in

```php
<?php
if ($_COOKIE["auth"] == "1") {
    $display_block = "message";
} else {
    //redirect back to login form if not authorized
    header("Location: jncologin.html");
    exit;
}
?>
```

If anyone can help it will be great.

Thanks,
Blink359
trq Posted July 24, 2010

I wouldn't say the script is outdated so much as very poorly written.

A few things. Firstly, MySQL's PASSWORD function should never be used as a means of hashing passwords. There is no guarantee they won't change their algorithms between versions (this is highlighted within the MySQL manual).

Secondly, there is no need at all for the while loop. You should only have one record.

Other than that, there's probably not too much wrong with it. I prefer to use sessions rather than cookies to maintain a user's session data but whatever....
tHud Posted July 24, 2010

ecit; ?
PFMaBiSmAd Posted July 24, 2010

The use of a cookie simply with the value 1 in it to determine if someone is logged in is easy for a visitor to produce (early versions of phpbb and some other major php applications did things like that and people were becoming administrators to sites just by setting cookies and taking the sites over).

If you use a cookie it should only identify the visitor (not determine if he is logged in) and the value stored in the cookie should be a unique and hard to guess value created per visitor (see the uniqid function) and stored in the cookie and stored in your user table in your database to tie the visitor together with his record in the user table.

To determine if someone is actually logged in, you must rely only on a value stored on the server, not the simple existence of a cookie with an easy to guess value in it.
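An added example, not code from the thread or the book: one way to apply the points raised in the replies above, with the login state held in a server-side PHP session, the password checked with password_verify() instead of MySQL's PASSWORD(), and the query parameterised. The `id` and `password_hash` columns, the function names and the `DB_*` connection values are assumptions.

```php
<?php
// Added example. Assumptions: users has an integer id column and a password_hash
// column written with password_hash() at registration; DB_* values are placeholders.

function start_secure_session(): void
{
    ini_set("session.use_strict_mode", "1"); // reject IDs the server did not issue
    ini_set("session.cookie_httponly", "1"); // keep the ID away from page scripts
    session_start();                         // the cookie holds only a random session ID
}

function attempt_login(mysqli $db, string $username, string $password): bool
{
    // Bound parameter: the submitted name never becomes part of the SQL text.
    $stmt = $db->prepare("SELECT id, f_name, l_name, password_hash FROM users WHERE user = ?");
    $stmt->bind_param("s", $username);
    $stmt->execute();
    $stmt->bind_result($id, $f_name, $l_name, $hash);
    $found = $stmt->fetch(); // one row expected, so no while loop
    $stmt->close();
    // The hash is checked in PHP, not with MySQL's PASSWORD().
    if (!$found || !password_verify($password, $hash)) {
        return false;
    }
    session_regenerate_id(true);      // fresh ID at login prevents session fixation
    $_SESSION["user_id"] = (int) $id; // login state is recorded on the server
    $_SESSION["name"] = $f_name . " " . $l_name;
    return true;
}

function require_login(): int
{
    // A forged cookie has no server-side record behind it, so user_id stays unset.
    if (!isset($_SESSION["user_id"])) {
        header("Location: userlogin.html");
        exit;
    }
    return $_SESSION["user_id"];
}

// Login handler: runs only when the form posts both fields.
if (isset($_POST["username"], $_POST["password"])) {
    start_secure_session();
    $db = mysqli_connect("DB_HOST", "DB_USER", "DB_PASS", "DB_NAME");
    if (attempt_login($db, (string) $_POST["username"], (string) $_POST["password"])) {
        echo "<p>Welcome " . htmlspecialchars($_SESSION["name"]) . "!</p>";
    } else {
        header("Location: userlogin.html");
    }
}
```

A protected page would call start_secure_session() and then require_login() before producing any output, in place of the `$_COOKIE["auth"] == "1"` check.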
tHud Posted July 24, 2010

Hey Blink,

I'm very much a newbie myself - so don't shoot if I'm wrong.

But... it looks like you aren't actually doing anything with that $display_block. I mean you aren't echo-ing it.

What is not working? Are you getting an error? Or a blank screen?