
Replace field name with value.


Wayniac


Hello everyone,

 

I'm attempting to find only a specific username in the field "username" located in the database. The code below works with the rest of the code, which I left out since it's not important for this problem. What I would like to do is have it so that if I type in the name "john, emily, or chris", and the name is in the field, then it works.

 

session_register("username");

// Working code, username is the field name.

 

Ex:

session_register("john | emily | chris");

// Example code, populated with values.

 

I would like it to work the same, except with values instead of using the field name.

 

Let me know if you need any further clarification, thank you.

Link to comment
Share on other sites

To me, this makes no sense. So yes, please elaborate. The more information that can be given here, the better; that way we can understand what it is you are trying to accomplish and get you an answer in a timely manner.

Link to comment
Share on other sites

Thank you PFMaBiSmAd and radar.

 

What I am attempting to accomplish is to have several usernames and restricted access for them to some pages, but not others. So John would have access to example1.php, but not example2.php, and Emily vice versa, etc.

 

Here is my complete code below:

<?php
// load the configuration file.
include("config.php");
?>
<?
// Use session variable on this page. This function must put on the top of page.
session_start();

////// Logout Section. Delete all session variable.
session_destroy();

$message="";

////// Login Section.
$Login=$_POST['Login'];
if($Login){ // If clicked on Login button.
$username=$_POST['username'];
$password=$_POST['password'];

// Check matching of username and password.
$result=mysql_query("select * from admin where username='$username' and password='$password'");
if(mysql_num_rows($result)!='0'){ // If match.
$_SESSION['username'] // Create session username.
header("location:intheloop.php"); // Re-direct to intheloop.php
exit;
}else{ // If not match.
$message="Invalid Username or Password<br>";
}

} // End Login authorize check.
?>

 

PS: Trying what you posted will35010, thank you.

Link to comment
Share on other sites

There are better ways of managing access in this manner, but this example follows your approach.

 

<?php
$username='chris';  //This is the user that's logged in

$allowed=array('chris', 'jim', 'mary');

if(in_array($username, $allowed)){
    //Grant Access
} else{
    //No Access
}

Link to comment
Share on other sites

$_SESSION['username'] = $username;

That will set a session called username with the value of the username the person signed in with.

And if you wish to restrict access:

$only = array("John");
if(!in_array($_SESSION["username"], $only)){
header("Location: index.php"); // redirects them if they are not John
exit; // stop here so the code below never runs for anyone else
}
// success code only John would see.

Link to comment
Share on other sites

Thank you Dezkit,

 

I am following your code at the moment, but I may have made a mistake with my syntax. Here is the code below.

 

<?php
// load the configuration file.
include("config.php");
?>
<?
// Use session variable on this page. This function must put on the top of page.
session_start();

////// Logout Section. Delete all session variable.
session_destroy();

$message="";

////// Login Section.
$Login=$_POST['Login'];
if($Login){ // If clicked on Login button.
$username=$_POST['username'];
$password=$_POST['password'];

// Check matching of username and password.
$result=mysql_query("select * from admin where username='$username' and password='$password'");
if(mysql_num_rows($result)!='0'){ // If match.
//session_register("username"); // Create session username.
//$_SESSION['username'] // Create session username.
$_SESSION['username'] = $username;
$only = array("john");
if(!in_array($_SESSION["username"] , $only){
header("location:intheloop.php"); // Re-direct to intheloop.php
}
exit;
}else{ // If not match.
$message="Invalid Username or Password<br>";
}

} // End Login authorize check.
?>

Link to comment
Share on other sites

Lol, why would you put session_start and session_destroy??

You also gotta put session_start on top of everything

<?php
session_start();
// Use session variable on this page. This function must put on the top of page.

// load the configuration file.
include("config.php");

////// Login Section.
$Login=$_POST['Login'];
if($Login){ // If clicked on Login button.
$username=$_POST['username'];
$password=$_POST['password'];

// Check matching of username and password.
$result=mysql_query("select * from admin where username='$username' and password='$password'");
if(mysql_num_rows($result)!='0'){ // If match.
//session_register("username"); // Create session username.
//$_SESSION['username'] // Create session username.
$_SESSION['username'] = $username;
$only = array("john");
if(!in_array($_SESSION["username"], $only)){
	header("location:intheloop.php"); // Re-direct to intheloop.php
}
exit;
} else { // If not match.
$message="Invalid Username or Password<br>";
}

} // End Login authorize check.
?>

 

Also, you should really encrypt the passwords with md5, and you should actually make another table with access flag levels instead of using their usernames.

Link to comment
Share on other sites

Just wondering what you're trying to achieve.

 

You're getting input from what appears to be a form, as you're using $_POST to get a username and password.

 

You're then checking that in a database with a SELECT query but you're not getting any info - just checking if the data is present.

 

If it is, you're checking with the contents of an array - wouldn't it be better to set your session variable to the content of the database?

 

You're also creating a session then destroying it!?

Link to comment
Share on other sites

Oh haha, sorry, must have been old code.

 

I'm still getting this error: Parse error: syntax error, unexpected '{' in /mnt/w0340/d16/s01/b02c73a9/www/lifelikemedia.ca/wtt/crm/login.php on line 28

 

This is line 28:

if(!in_array($_SESSION["username"] , $only){

 

But it needs to have that there....

Link to comment
Share on other sites

Just re-read through your post again and I think this is what you're after:

<?php
// load the configuration file.
include("config.php");
// Use session variable on this page. This function must put on the top of page.
session_start();

$message="";

////// Login Section.
$Login=$_POST['Login'];
if ($Login) { // If clicked on Login button.
  $username=$_POST['username'];
  $password=$_POST['password'];

  // Check matching of username and password.
  $result=mysql_query("select * from admin where username='$username' and password='$password'");
  if (mysql_num_rows($result)>0) { // If match.
    $row=mysql_fetch_assoc($result);
    $_SESSION['username']=$row['username'];
    if ($row['level']==1) {
      header("Location: intheloop.php"); // Re-direct to intheloop.php
      exit;
    }
  } else { // If not match.
    $message="Invalid Username or Password<br>";
  }

} // End Login authorize check.
?>

 

I've indented everything to make it easier to read.

 

Your mysql_num_rows() returns a number and you were checking with a string.

 

If the username and password match the num_rows will be higher than 0 so the code inside the if() executes.

 

We get the first matching row of data from the database and assign the username to a session variable. I've introduced a new field here called "level" - an integer. If the current user's level is 1 only then will the header() bit be called. You could have a couple if() conditionals or even a switch() for multiple choices.

Link to comment
Share on other sites

Welcome to the world of your database has been shit-bombed!  You need to run the post vars through mysql_real_escape_string().

 

As for the permissions, you would be better served by adding a table to track user id (from the admin table) and the resource that they have access to (the page).  Then you can either stick an array of valid resources in the session, or probably better to query on each protected page.

Link to comment
Share on other sites

Thank you all so much! The level code works wonderfully. The idea of using levels instead of names is brilliant, I should have planned it more before jumping right into it.

 

Once again, thank you all so much, I'm going to go check out some of the useful links you all posted above.

 

Thank you!

Link to comment
Share on other sites

AbraCadaver is right about the bombing although I don't quite like his choice of words - you can sanitise your data with a simple function:

function dbSafeStr($str) {
  return mysql_real_escape_string($str);
}

 

I've got a few set up prefixed with "dbSafe" for handling certain types of data - just include at the start of each file and use like this:

$result=mysql_query("select * from admin where username='".dbSafeStr($username)."' and password='".dbSafeStr($password)."'");

Link to comment
Share on other sites

AbraCadaver is right about the bombing although I don't quite like his choice of words - you can sanitise your data with a simple function:

 

Sorry, poop-bombed  :D  But you're not going to be saying poop when your tables are truncated or usernames and passwords have been exposed.

Link to comment
Share on other sites
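
The two suggestions made in the replies above (keep the posted username and password out of the SQL text, and track user id plus permitted page in its own table that is queried on each protected page), combined into one runnable sketch. This is an added example, not code from any poster in the thread. It assumes PDO with an in-memory SQLite database, a hypothetical `page_access` table and constructed users and passwords, and it uses bound parameters with `password_hash()`/`password_verify()` in place of the `mysql_*` calls, which were removed in PHP 7.

```php
<?php
// Added example: constructed schema and users in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE admin (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
// Hypothetical permission table: one row per (user, page) the user may open.
$db->exec('CREATE TABLE page_access (user_id INTEGER, page TEXT, PRIMARY KEY (user_id, page))');

// Constructed sample data: john may open example1.php, emily example2.php.
$addUser = $db->prepare('INSERT INTO admin (username, password_hash) VALUES (?, ?)');
$grant   = $db->prepare('INSERT INTO page_access (user_id, page) VALUES (?, ?)');
$sample  = [['john', 'j-secret', 'example1.php'], ['emily', 'e-secret', 'example2.php']];
foreach ($sample as [$name, $pw, $page]) {
    $addUser->execute([$name, password_hash($pw, PASSWORD_DEFAULT)]);
    $grant->execute([(int) $db->lastInsertId(), $page]);
}

// Returns the user's id on success, null otherwise. The username is bound as a
// parameter, so a quote character in it is data and never part of the SQL text.
// The password is never sent to the database; only its stored hash is read back.
function authenticate(PDO $db, string $username, string $password): ?int
{
    $stmt = $db->prepare('SELECT id, password_hash FROM admin WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row && password_verify($password, $row['password_hash'])) {
        return (int) $row['id'];
    }
    return null;
}

// Per-page check, meant to run at the top of every protected page.
function canAccess(PDO $db, int $userId, string $page): bool
{
    $stmt = $db->prepare('SELECT 1 FROM page_access WHERE user_id = ? AND page = ?');
    $stmt->execute([$userId, $page]);
    return $stmt->fetchColumn() !== false;
}

$john = authenticate($db, 'john', 'j-secret');          // correct credentials
var_dump($john !== null);
var_dump(canAccess($db, $john, 'example1.php'));        // page granted to john
var_dump(canAccess($db, $john, 'example2.php'));        // page granted only to emily
var_dump(authenticate($db, 'john', 'wrong-password'));  // wrong password
var_dump(authenticate($db, "o'brien", 'x'));            // quote in the name is plain data
```

On a real protected page, call `session_start()` first, keep the id returned by `authenticate()` in `$_SESSION`, and call `canAccess()` followed by `exit` on failure before producing any output.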
