mpsn Posted November 15, 2011

Hi, I want to store login info and create an account, but after I create an account, I can't log in; it still displays: "Please register above!"

login script:
========

```php
<html>
<head>
<title>Login</title>
</head>
<body>
<hr />
<form method="post" action="">
<label>Username:</label> <input type="text" name="username"> <br />
<label>Password:</label> <input type="password" name="password">
<p>
<input type="submit" value="Login" name="Login" />
<input type="reset" value="Reset" name="Reset" />
</p>
</form>
<?php
//if username/password filled in and submitted, check db to find match login info
if(array_key_exists("Login",$_POST) && !empty($_POST["username"]) && !empty($_POST["password"]))
{
    $attemptedUsername=$_POST["username"];
    $attemptedPassword=crypt($_POST["password"]);
    mysql_connect("localhost","root");
    mysql_select_db("dummydpevx");
    $getLoginInfoQuery=mysql_query("SELECT userName,userPassword FROM users WHERE userName='$attemptedUsername' AND userPassword='$attemptedPassword'");
    $getLoginInfo=mysql_fetch_assoc($getLoginInfoQuery);
    $getUsername=$getLoginInfo["userName"];
    $getPassword=crypt($getLoginInfo["userPassword"]);
    if($attemptedPassword==$getPassword)
    {
        session_start();//NB: Start session BEFORE doing any session stuff!
        $_SESSION["isAuthenticated"]="userAuthenticated";
        header("Location: SecureSite.php");
        exit;
    }
    else//"Please register above!"
        print "Please register above!";
}
?>
</body>
</html>
```

here is register script:
===============

```php
<html>
<head>
<title>Register</title>
</head>
<body>
<form method="post" action="" >
<p>Create a username <input type="text" name="newUsername" size="10" /> </p>
<p>Create a password <input type="password" name= "newPassword" size="10" /> </p>
<p> <input type="submit" value="Make account now" name="makeAccountSubmit" /> </p>
</form>
<?php
if(array_key_exists("makeAccountSubmit",$_POST) && !empty($_POST["newUsername"]) && !empty($_POST["newPassword"]) )
{
    //IF username doesn't exist, then store new user login info to db dummydpevx
    mysql_connect("localhost","root");
    mysql_select_db("someDB");
    $newUserName=$_POST["newUsername"];
    $newPassword=crypt($_POST["newPassword"]);
    $usernameQuery=mysql_query("SELECT userName FROM users WHERE userName='$newUserName'");
    if(mysql_num_rows($usernameQuery)==0)
    {
        $makeNewAccountQuery=mysql_query("INSERT INTO users (userName,userPassword) VALUES('$newUserName','$newPassword')");
        print "You are now registered, <a href='login.php'>proceed to login</a>";
    }
    //ELSE IF username exists already, "Username already taken, please enter another BUT KEEP IN MIND user can have any passwords (EVEN IDENTICAL ONES b/c doesn't make sense to say password exists (this will help hackers have easier time hacking!)
    if(mysql_num_rows($usernameQuery)==1)
        print "Username taken. Please make another one. <br />";
}
if(array_key_exists("makeAccountSubmit",$_POST) )
{
    if(empty($_POST["newUsername"]) && empty($_POST["newPassword"]))
        print "Please fill in a username and password! <br />";
    else if(empty($_POST["newPassword"]))
        print "Please fill in a password!<br />";
    else if(empty($_POST["newUsername"]))
        print "Please fill in a username! <br />";
}
?>
</body>
</html>
```

Please I would appreciate any help, thanks!

joel24 Posted November 15, 2011

you're encrypting the password stored in the database twice - once on insert and then again on checking.. just encrypt it for the insert

chriscloyd Posted November 15, 2011

```php
<html>
<head>
<title>Login</title>
</head>
<body>
<hr />
<form method="post" action="">
<label>Username:</label> <input type="text" name="username"> <br />
<label>Password:</label> <input type="password" name="password">
<p>
<input type="submit" value="Login" name="Login" />
<input type="reset" value="Reset" name="Reset" />
</p>
</form>
<?php
//if username/password filled in and submitted, check db to find match login info
if(array_key_exists("Login",$_POST) && !empty($_POST["username"]) && !empty($_POST["password"]))
{
    $attemptedUsername=$_POST["username"];
    $attemptedPassword=crypt($_POST["password"]);
    mysql_connect("localhost","root");
    mysql_select_db("db");
    $getLoginInfoQuery=mysql_query("SELECT userName,userPassword FROM users WHERE userName='$attemptedUsername' AND userPassword='$attemptedPassword'");
    $getLoginInfo=mysql_fetch_assoc($getLoginInfoQuery);
    $getUsername=$getLoginInfo["userName"];
    $getPassword=$getLoginInfo["userPassword"];
    if($attemptedPassword==$getPassword)
    {
        session_start();//NB: Start session BEFORE doing any session stuff!
        $_SESSION["isAuthenticated"]="userAuthenticated";
        header("Location: SecureSite.php");
        exit;
    }
    else//"Please register above!"
        print "Please register above!";
}
?>
</body>
</html>
```

mpsn (Author) Posted November 15, 2011

I decided to use sha1(), but now when the login info is successful on login.php, the SecureSite.php for some reason does not recognize a session has been created (it should).

Login script:
========

```php
<?php
//if username/password filled in and submitted, check db to find match login info
if(array_key_exists("Login",$_POST) && !empty($_POST["username"]) && !empty($_POST["password"]))
{
    $attemptedUsername=$_POST["username"];
    $attemptedPassword=sha1($_POST["password"]);
    mysql_connect("localhost","root");
    mysql_select_db("someDB");
    $getLoginInfoQuery=mysql_query("SELECT userName,userPassword FROM users WHERE userName='$attemptedUsername' AND userPassword='$attemptedPassword'");
    if(mysql_num_rows($getLoginInfoQuery)==1)
    {
        session_start();//NB: Start session BEFORE doing any session stuff!
        $_SESSION["isAuthenticated"]="userAuthenticated";
        header("Location: secureSite.php");
        exit;
    }
    else//"Please register above!"
        print "Please register above!";
}
?>
```

Here is register script:
================

```php
<?php
if(array_key_exists("makeAccountSubmit",$_POST) && !empty($_POST["newUsername"]) && !empty($_POST["newPassword"]) )
{
    //IF username doesn't exist, then store new user login info to db dummydpevx
    mysql_connect("localhost","root");
    mysql_select_db("someDB");
    $newUserName=$_POST["newUsername"];
    $newPassword=sha1($_POST["newPassword"]);
    $usernameQuery=mysql_query("SELECT userName FROM users WHERE userName='$newUserName'");
    if(mysql_num_rows($usernameQuery)==0)
    {
        $makeNewAccountQuery=mysql_query("INSERT INTO users (userName,userPassword) VALUES('$newUserName','$newPassword')");
        print "You are now registered, <a href='login.php'>proceed to login</a>";
    }
    //ELSE IF username exists already, "Username already taken, please enter another BUT KEEP IN MIND user can have any passwords (EVEN IDENTICAL ONES b/c doesn't make sense to say password exists (this will help hackers have easier time hacking!)
    if(mysql_num_rows($usernameQuery)==1)
        print "Username taken. Please make another one. <br />";
}
if(array_key_exists("makeAccountSubmit",$_POST) )
{
    if(empty($_POST["newUsername"]) && empty($_POST["newPassword"]))
        print "Please fill in a username and password! <br />";
    else if(empty($_POST["newPassword"]))
        print "Please fill in a password!<br />";
    else if(empty($_POST["newUsername"]))
        print "Please fill in a username! <br />";
}
?>
```

Here is the secureSite.php (session should have started, since it redirected me to secureSite.php BUT it displays: "You must be registered or logged in..." which doesn't make sense since the redirect to THIS page means that the user's password was correct...)

```php
<?php
if(isset($_SESSION["isAuthenticated"]))
{
    session_start();
    print "YOU ARE ACCESSING SECURE DATA!";
}
else
{
    print "You must be registered or logged in to continue.";
    print "<hr />";
    print "<a href='xmlShredderRegister.php'>Create account</a> <br />";
    print "<a href='xmlShredderLogin.php'>Login</a>";
}
?>
```

Please I'd appreciate any help!

joel24 Posted November 15, 2011

you need to start the session before checking values are set.

```php
<?php
session_start();
if(isset($_SESSION["isAuthenticated"]))
{
    print "YOU ARE ACCESSING SECURE DATA!";
}
else
{
    print "You must be registered or logged in to continue.";
    print "<hr />";
    print "<a href='xmlShredderRegister.php'>Create account</a> <br />";
    print "<a href='xmlShredderLogin.php'>Login</a>";
}
?>
```

mpsn (Author) Posted November 16, 2011

Yes, I forgot that session_start must come before all code that is based on the session. Thanks.

Now I have a new problem. I noticed that each time the user enters only one field (username or password), it displays the appropriate message ("Please fill in username/password"), BUT when they click the submit (login) it also resets the field where text was typed in already. So how do I make it so that if only one field is entered, it displays the message of course, AND does NOT reset the currently entered field?

Any help much appreciated!

joel24 Posted November 16, 2011

I wouldn't bother making it easier, typing a username / password isn't a very demanding task; if they do it wrong then they can do it again. if you persist to have it that way though, you can do something like this.

```php
<form method="post" action="">
<label>Username:</label>
<!-- htmlspecialchars() keeps a quote in the submitted value from breaking out of the attribute -->
<input type="text" name="username" value='<?php echo (isset($_POST['username']))?htmlspecialchars($_POST['username'], ENT_QUOTES):''; ?>' > <br />
<label>Password:</label> <input type="password" name="password">
<p>
<input type="submit" value="Login" name="Login" />
<input type="reset" value="Reset" name="Reset" />
</p>
</form>
```

mpsn (Author) Posted November 16, 2011

Thanks, ok here's another problem. I just made a logout page and updated the db users table to hold each user's last session (a datetime type). So I used a hidden input type in Index.php and set up the query to add the time as so in the disconnect script, BUT now when I click the login script, it says I am not logged in! (for the Index.php). So that everything is all here, here's the scripts:

Login
=====

```php
<html>
<body>
<form method="post" action="Index.php">
<p>
<label>Username:</label> <input type="text" name="username" size="10">
</p>
<?php
//if username/password filled in and submitted, check db to find match login info
if(array_key_exists("Login",$_POST) && !empty($_POST["username"]) && !empty($_POST["password"]))
{
    $attemptedUsername=$_POST["username"];
    $attemptedPassword=sha1($_POST["password"]);
    mysql_connect("localhost","root");
    mysql_select_db("someDB");
    $getLoginInfoQuery=mysql_query("SELECT userName,userPassword FROM users WHERE userName='$attemptedUsername' AND userPassword='$attemptedPassword'");
    if(mysql_num_rows($getLoginInfoQuery)==1)
    {
        session_start();//NB: Start session BEFORE doing any session stuff!
        $_SESSION["isAuthenticated"]="userAuthenticated";
    }
    else//"Please register above!"
        print "Please register above!";
}
if(array_key_exists("Login",$_POST) )
{
    if(empty($_POST["username"]) && empty($_POST["password"]))
        print "Please fill in a username and password! <br />";
    else if(empty($_POST["password"]))
        print "Please fill in a password!<br />";
    else if(empty($_POST["username"]))
        print "Please fill in a username! <br />";
}
?>
<p>
<label>Password:</label> <input type="password" name="password" size="10">
</p>
<p>
<input type="submit" value="Login" name="Login" />
<input type="reset" value="Reset" name="Reset" />
</p>
</form>
</body>
</html>
```

Index.php: (Here is where I put the hidden input type to be able to link with disconnect.php)
========

```php
<?php
session_start();
if(isset($_SESSION["isAuthenticated"]))
{
    require("disconnect.inc.php");
    $attemptedUsername=$_POST["username"];
    print '
    <html>
    <head><title>Home</title></head>
    <body>
    <form id="logoutForm" name="logoutForm" method="post" action="">
    <input name="logout" type="submit" id="logout" value="Log out" />
    <input type="hidden" name="attemptedUsernameHidden" value=';print $attemptedUsername; print '/>
    </form>';
    mysql_connect("localhost","root");
    mysql_select_db("someDB");
    $userName=$_POST["username"];
    print ' <p> Last session:';
    $getUserInfoQuery=mysql_query("SELECT lastSession,mostRecentActivity FROM users WHERE userName='$userName'");
    $getUserInfo=mysql_fetch_assoc($getUserInfoQuery);
    print $getUserInfo["lastSession"]."<br />";
    print "Last activity: ".$getUserInfo["mostRecentActivity"]."<br />";
    print ' </p> </body> </html>';
}
else
{
    print "You must be registered or logged in to continue.";
    print "<hr />";
    print "<a href='xmlShredderRegister.php'>Create account</a> <br />";
    print "<a href='xmlShredderLogin.php'>Login</a>";
}
?>
```

Finally, here is disconnect.php:
======================

```php
<?php
//run this script only if the logout button has been clicked
if(array_key_exists('logout', $_POST))
{
    mysql_connect("localhost","root");
    mysql_select_db("someDB");
    $attemptedUsername=$_POST["username"];//**THIS SHOULD HAVE CARRIED OVER FROM THE hidden input type in Index.php!!!
    $updateLastSessionQuery=mysql_query("UPDATE users SET lastSession WHERE userName='$attemptedUsername'");
    // end session and redirect
    //empty the $_SESSION array
    $_SESSION = array();
    session_destroy();
    header("Location: login.php");
    exit;
}//END IF for when logout submitted
?>
```

Any help much appreciated!

mpsn (Author) Posted November 16, 2011

I don't want to repost as new topic, so please can someone help me out! I just want to be able to logout, and once logged out store current timestamp, so that when the same user logs in again, it will display on Index.php the last session timestamp. Any help much appreciated!

mpsn (Author) Posted November 17, 2011

Please, please can someone help me, I just want to store the current timestamp when user logs out and then when they log back in, on the Index.php, it will show the Last Session fetching info from the NOW() value stored during logout. Any help much appreciated!

gizmola Posted November 17, 2011

You're wasting your time, people just don't bother to logout from most web applications. If they do logout, you simply need to run in your logout script an UPDATE query that sets your logout_time or whatever you called it to NOW() and mysql will set the logout time. Login is something they *need* to do, assuming authentication is important, so you're better off updating the table to indicate their last login.

mpsn (Author) Posted November 17, 2011

Sorry, that is what I meant. So continuing with my scripts, do you see what I am doing incorrectly? Any help much appreciated!

gizmola Posted November 17, 2011

Sure -- this is a minor addition to your login script.

```php
if(mysql_num_rows($getLoginInfoQuery)==1)
{
    session_start();//NB: Start session BEFORE doing any session stuff!
    // Update the last login time
    $result = mysql_query("UPDATE users SET lastSession = NOW() WHERE userName='$attemptedUsername'");
    // ... remainder of the login branch unchanged
}
```

2 quick notes about your code:

- 1st, you need to use mysql_real_escape_string() on your input. As it is now, your login code is sql injectable via the username column.
- 2nd, on your attempt to update things on disconnect. There is no way you should be using a hidden form variable for that. This is exactly what session variables are for. When the user does a login, you should set a session variable that contains the username. You can then use this on disconnect, or for that matter in any other script. Because session variables exist only on the server, they can be depended on whereas user input of any form can not. Form data can be easily tampered with, and can not be depended on. If I want to screw with your site, and I figure out what you're doing with hidden fields I can easily start causing your site to set logouts for arbitrary users. There is no need for that, once you create the session variable. All you need to do to update information on logout is read the user from the session variable.

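An added example, not code from any poster in this thread: registration, login and logout with the two notes above applied (bound parameters in place of string-built SQL, and the user name read from the session instead of a hidden field), plus the password check from the start of the thread done with PHP's password_hash()/password_verify() in place of crypt()/sha1(). PDO with in-memory SQLite, the `$session` array parameter and the function names are assumptions made so the script runs stand-alone; table and column names follow the thread.

```php
<?php
// Added example, not code from the thread. Assumption: PDO with in-memory
// SQLite stands in for the thread's MySQL database so the script runs offline.

function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (
        userName     TEXT PRIMARY KEY,
        userPassword TEXT NOT NULL,
        lastSession  TEXT)');
    return $db;
}

function register(PDO $db, string $userName, string $password): bool {
    // password_hash() salts randomly: hashing the same password twice gives
    // two different strings, so a fresh hash can never be matched in a WHERE.
    $stmt = $db->prepare('INSERT INTO users (userName, userPassword) VALUES (?, ?)');
    try {
        $stmt->execute([$userName, password_hash($password, PASSWORD_DEFAULT)]);
        return true;
    } catch (PDOException $e) {
        if ($e->getCode() !== '23000') throw $e;  // 23000 = constraint violation
        return false;                              // user name already taken
    }
}

// $session is a parameter so the demo runs from the CLI; in a web script call
// session_start() at the top of the file and pass $_SESSION.
function login(PDO $db, array &$session, string $userName, string $password): bool {
    // The placeholder keeps the submitted name out of the SQL text entirely.
    $stmt = $db->prepare('SELECT userPassword FROM users WHERE userName = ?');
    $stmt->execute([$userName]);
    $storedHash = $stmt->fetchColumn();
    // Look the row up by name, then verify the password against the stored hash.
    if ($storedHash === false || !password_verify($password, $storedHash)) {
        return false;
    }
    $session['isAuthenticated'] = 'userAuthenticated';
    $session['userName'] = $userName;   // server-side record of who logged in
    return true;
}

function logout(PDO $db, array &$session, array $post): void {
    // $post is ignored on purpose: the account to stamp comes from the
    // session, never from a hidden form field the client can rewrite.
    if (isset($session['userName'])) {
        $stmt = $db->prepare("UPDATE users SET lastSession = datetime('now') WHERE userName = ?");
        $stmt->execute([$session['userName']]);   // MySQL would use NOW()
    }
    $session = [];
}

function lastSession(PDO $db, string $userName): ?string {
    $stmt = $db->prepare('SELECT lastSession FROM users WHERE userName = ?');
    $stmt->execute([$userName]);
    $value = $stmt->fetchColumn();
    return $value === false ? null : $value;
}

// Constructed sample accounts and inputs.
$db = openDb();
$session = [];
register($db, 'alice', 'correct horse');
register($db, "o'neil", 'battery staple');
var_dump(register($db, 'alice', 'again'));                  // duplicate name
var_dump(login($db, $session, 'alice', 'wrong guess'));     // bad password
var_dump(login($db, $session, "o'neil", 'battery staple')); // quote is plain data
logout($db, $session, ['attemptedUsernameHidden' => 'alice']); // tampered field
var_dump(lastSession($db, 'alice'), lastSession($db, "o'neil"));
```

The last line shows which row the logout touched: the one named in the session, whatever the posted hidden field claimed.
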
mpsn (Author) Posted November 17, 2011

Thanks for the heads up, but then what is the purpose of hidden input type then?

gizmola Posted November 17, 2011

> Thanks for the heads up, but then what is the purpose of hidden input type then?

Exactly -- there is no purpose to that. You should not use it, as it can be tampered with. Furthermore, based on your reply, there is no purpose to trying to update the information on logout. I would just remove all that code. It has no benefit, and as I said before, people rarely logout -- they just close the browser or go to another tab and forget about your site.

mpsn (Author) Posted November 18, 2011

I thought about turning on magic quotes BUT it escapes everything which can get hairy, so I think better to just do it manually, but then what's the difference b/t mysql_real_escape_string VS addslashes()?

gizmola Posted November 18, 2011

Don't use magic_quotes. Addslashes/stripslashes is not character set aware. Thus it can be fooled into allowing sql injections with the insertion of multibyte characters. The only thing you need to keep in mind with mysql_real_escape_string() is that you already need to have instantiated a mysql connection before you call it. This is because it uses the mysql client connection information to intelligently handle the data it receives as input.

mpsn (Author) Posted November 19, 2011

If I want to keep track of last session (meaning whenever user refreshes the browser or clicks on a link/button to update the session information), will the session only keep track per browser? I noticed on this very excellent site www.phpfreaks.com whenever you open new windows for the browser you originally logged on in that each new window of same browser still keeps you logged in and only updates the last activity time whenever browser is refreshed or clicks a link, BUT NOT update when user just clicks the back button of browser. But when I open a DIFFERENT browser, it shows I am logged out, so in short I just want to know is a session unique to each browser or you have to set it to remember if user is jumping b/t browsers for a given authenticated site?

joel24 Posted November 19, 2011

the session is for each browser, not computer. the back button will load the site from the browser's cache so it won't contact the site, hence you won't be able to update the session... unless you were to call the content with an ajax request, but I think you'll be finding the juice isn't worth the squeeze... why would you want to record if a user refreshes the page or clicks the back button?

mpsn (Author) Posted November 19, 2011

lol, that is hilarious! You're right! But I was just curious about sessions I guess, but that makes sense with browsers storing a cache so that's why the back button is not considered remembering current activity by user!

mpsn (Author) Posted November 20, 2011

Hi, I don't know now why the login doesn't work. Here are the issues:

on login script:
==========

Issue 1) when I enter the correct login info, it still takes to unauthenticated (no session set) index.php

Issue 2) I noticed that the only way for it to display the missing fields message (eg: "Please fill in username!") when Login submitted is if I don't put in anything in <form action=""> rather than put in <form action="index.php">

here is login script:
=============

```php
<html>
<head>
<title>Login</title>
</head>
<body>
<form method="post" action=""><!--WHY doesn't it show the missing fields conditions at bottom if I put in action="index.php"??-->
<p>
<label>Username:</label> <input type="text" name="username">
</p>
<p>
<label>Password:</label> <input type="password" name="password">
</p>
<p>
<input type="submit" value="Login" name="Login" />
<input type="reset" value="Reset" name="Reset" />
</p>
</form>
<?php
//if username/password filled in and submitted, check db to find match login info
if(array_key_exists("Login",$_POST) && !empty($_POST["username"]) && !empty($_POST["password"]))
{
    $server="localhost";
    $user="root";
    $pass="";
    $db="somedb";
    $attemptedUsername=$_POST["username"];
    $attemptedPassword=sha1($_POST["password"]);
    $dbObj=new mysqli($server,$user,$pass,$db);
    $SQL="SELECT userName,userPassword FROM users WHERE userName='$attemptedUsername' AND userPassword='$attemptedPassword'";
    $getLoginInfoQuery=$dbObj->query($SQL);
    if($getLoginInfoQuery->num_rows==1)
    {
        session_start();//NB: Start session BEFORE doing any session stuff!
        $_SESSION["isAuthenticated"]="userAuthenticated";
    }
    else//"Please register above!"
        print "Please register above!";
}
if(array_key_exists("Login",$_POST) )
{
    if(empty($_POST["username"]) && empty($_POST["password"]))
        print "Please fill in a username and password! <br />";
    else if(empty($_POST["password"]))
        print "Please fill in a password!<br />";
    else if(empty($_POST["username"]))
        print "Please fill in a username! <br />";
}
?>
</body>
</html>
```

here is index.php:
=============

```php
<?php
session_start();
if(isset($_SESSION["isAuthenticated"]))
{
    require("disconnect.inc.php");
    $username=$_POST["username"];//FROM login.php
    //print $username."<br />";
    print '
    <html>
    <head><title>Home</title></head>
    <body>
    <form id="logoutForm" name="logoutForm" method="post" action="">
    <input name="logout" type="button" id="logout" value="Log out" />
    </form>
    <hr />';
    print "<p>WELCOME, you are accessing secret info! </p>";
}
else
{
    print "You must be registered or logged in to continue.";
    print "<hr />";
    print "<a href='xmlShredderRegister.php'>Create account</a> <br />";
    print "<a href='xmlShredderLogin.php'>Login</a>";
    print "</body>";
    print "</html>";
}
?>
```

finally is here disconnect session script: (disconnect.inc):
========================================

```php
<?php
if(isset($_POST["logout"]))
{
    $_SESSION=array();
    session_destroy();
    //redirect user back to login page
    header("Location: login.php");
    exit;
}
?>
```

Please I'd appreciate any help as I've been going nuts about what should be pretty simple to resolve!

Pikachu2000 Posted November 20, 2011

In your first chunk of code, you attempt to assign a value to $_SESSION['isAuthenticated'], but you don't have session_start() in the script.

mpsn (Author) Posted November 20, 2011

Hi, actually I forgot to put session_start as first item in script so now it works. New problem now (minor one also): when user just presses Login, it goes to the Index.php RATHER than display the appropriate message: "Please fill in username and password! etc."

mpsn (Author) Posted November 20, 2011

No, it's actually not working. I don't understand. Please take a look, I appreciate any help!

Alexv Posted November 20, 2011

session_start(); must go before any content is sent to the browser. Put it on the first line in login script. And also

```php
// Put this after $_SESSION["isAuthenticated"]="userAuthenticated"; to redirect browser to index.php
print '<meta http-equiv="refresh" content="0;url=index.php">';
```