dyr, posted March 1, 2012:

I based this off some other pages I read, and I think I'm doing this wrong or it's just not connecting. Here's the database table:

```sql
CREATE TABLE users (
    id INT NOT NULL AUTO_INCREMENT,
    username VARCHAR(30) NOT NULL UNIQUE,
    password VARCHAR(64) NOT NULL,
    salt VARCHAR(3) NOT NULL,
    PRIMARY KEY(id)
);
```

And so far I have index.php with my login form:

```html
<form name="login" action="login.php" method="post">
    Username: <input type="text" name="username" />
    Password: <input type="password" name="password" />
    <input type="submit" value="Login" />
</form><br />Would you like to <a href="register.php">register?</a></center>
```

Then I have my actual login on login.php (header.php includes the website's main image as well as session_start()):

```php
<?php
include('header.php');

$username = $_POST['username'];
$password = $_POST['password'];
//connect to the database here
$username = mysql_real_escape_string($username);
$query = "SELECT password, salt FROM users WHERE username = '$username';";
$result = mysql_query($query);

if(mysql_num_rows($result) < 1) //no such user exists
{
    header('Location: login.php');
    die();
}
$userData = mysql_fetch_array($result, MYSQL_ASSOC);
$hash = hash('sha256', $userData['salt'] . hash('sha256', $password) );
if($hash != $userData['password']) //incorrect password
{
    header('Location: login_form.php');
    die();
}
else
{
    validateUser(); //sets the session data for this user
}
//redirect to another page or display "login success" message
?>
```

Then I have my register PHP on register.php:

```php
<?php
include('header.php');
//retrieve our data from POST
$username = $_POST['username'];
$pass1 = $_POST['pass1'];
$pass2 = $_POST['pass2'];
if($pass1 != $pass2)
    header('Location: register_form.php');
if(strlen($username) > 30)
    header('Location: register_form.php');

$hash = hash('sha256', $pass1);

function createSalt()
{
    $string = md5(uniqid(rand(), true));
    return substr($string, 0, 3);
}

$salt = createSalt();
$hash = hash('sha256', $salt . $hash);

$dbhost = 'localhost';
$dbname = 'mygame';
$dbuser = 'root';
$dbpass = '';
$conn = mysql_connect($dbhost, $dbuser, $dbpass);
mysql_select_db($dbname, $conn);

//sanitize username
$username = mysql_real_escape_string($username);
$query = "INSERT INTO users ( username, password, salt ) VALUES ( '$username' , '$hash' , '$salt' );";
mysql_query($query);
mysql_close();
header('Location: login.php');
?>
```

And lastly the register form:

```html
<center><form name="register" action="register.php" method="post">
    Username: <input type="text" name="username" maxlength="30" />
    Password: <input type="password" name="pass1" />
    Password Again: <input type="password" name="pass2" />
    <input type="submit" value="Register" />
</form></center>
```

I am getting the errors:

```
Warning: mysql_num_rows() expects parameter 1 to be resource, boolean given in /Applications/XAMPP/xamppfiles/htdocs/testing/login.php on line 13

Warning: Cannot modify header information - headers already sent by (output started at /Applications/XAMPP/xamppfiles/htdocs/testing/config.php:1) in /Applications/XAMPP/xamppfiles/htdocs/testing/login.php on line 15
```

Could someone explain why this is happening?

Link to thread: https://forums.phpfreaks.com/topic/258015-help-with-loginlogout-script/

Psycho, posted March 1, 2012:

Your query is failing and returning false, thus the error

```
Warning: mysql_num_rows() expects parameter 1 to be resource, boolean given
```

Change your query call to this to see the problem:

```php
$result = mysql_query($query) or die("Query: $query<br>Error: " . mysql_error());
```

dyr (Author), posted March 1, 2012:

Thank you for the help! Now I am getting these errors:

```
Fatal error: Call to undefined function validateUser() in /Applications/XAMPP/xamppfiles/htdocs/testing/login.php on line 27

Warning: Cannot modify header information - headers already sent by (output started at /Applications/XAMPP/xamppfiles/htdocs/testing/header.php:6) in /Applications/XAMPP/xamppfiles/htdocs/testing/register.php on line 28
```

Here are my updated scripts:

config.php

```php
<?php
session_start();

$dbhost = 'localhost';
$dbname = 'mygame';
$dbuser = 'root';
$dbpass = '';
$conn = mysql_connect($dbhost, $dbuser, $dbpass);
mysql_select_db($dbname, $conn);
?>
```

login.php

```php
<?php
include('header.php');

$username = $_POST['username'];
$password = $_POST['password'];
//connect to the database here
$username = mysql_real_escape_string($username);
$query = "SELECT password, salt FROM users WHERE username = '$username';";
$result = mysql_query($query) or die("Query: $query<br>Error: " . mysql_error());

if(mysql_num_rows($result) < 1) //no such user exists
{
    header('Location: login.php');
    die();
}
$userData = mysql_fetch_array($result, MYSQL_ASSOC);
$hash = hash('sha256', $userData['salt'] . hash('sha256', $password) );
if($hash != $userData['password']) //incorrect password
{
    header('Location: login_form.php');
    die();
}
else
{
    validateUser(); //sets the session data for this user
}
//redirect to another page or display "login success" message
?>
```

register.php

```php
<?php
include('header.php');
//retrieve our data from POST
$username = $_POST['username'];
$pass1 = $_POST['pass1'];
$pass2 = $_POST['pass2'];
if($pass1 != $pass2)
    header('Location: register_form.php');
if(strlen($username) > 30)
    header('Location: register_form.php');

$hash = hash('sha256', $pass1);

function createSalt()
{
    $string = md5(uniqid(rand(), true));
    return substr($string, 0, 3);
}

$salt = createSalt();
$hash = hash('sha256', $salt . $hash);

//sanitize username
$username = mysql_real_escape_string($username);
$query = "INSERT INTO users ( username, password, salt ) VALUES ( '$username' , '$hash' , '$salt' );";
mysql_query($query);
mysql_close();
header('Location: login.php');
?>
<center><form name="register" action="register.php" method="post">
    Username: <input type="text" name="username" maxlength="30" />
    Password: <input type="password" name="pass1" />
    Password Again: <input type="password" name="pass2" />
    <input type="submit" value="Register" />
</form></center>
```

membersonly.php

```php
<?php
include('header.php');
if(!isLoggedIn())
{
    header('Location: login.php');
    die();
}
?>
```

Drummin, posted March 1, 2012:

Remove include('header.php'); from login.php.

Move include('header.php'); down below processing code to just before form on register.php.

On membersonly.php, again, move include('header.php'); down below any header redirect script line.

dyr (Author), posted March 1, 2012:

Sorry, I read somewhere that using headers and constant redirects bog down the servers so I tried recoding some things, though the majority is still the same. The four pages now are config.php, index.php, logout.php, and register.php.

config.php

```php
<?php
$dbhost = 'localhost';
$dbuser = 'root';
$dbpass = '';
$dbname = 'mygame';

$link = mysql_pconnect($dbhost, $dbuser, $dbpass)
    or die("Could not connect to server.");
$selectdb = mysql_select_db($dbname, $link)
    or die("Could not connect to database.");

// Check to see if user is logged in
if((!isset($_SESSION['id'])) || (!isset($_SESSION['username'])) || (!isset($_SESSION['password'])))
{
    unset($_SESSION['username']);
    unset($_SESSION['password']);
    unset($_SESSION['id']);
}

function validateUser()
{
    session_regenerate_id (); //this is a security measure
    $_SESSION['valid'] = 1;
    $_SESSION['userid'] = $userid;
}

function isLoggedIn()
{
    if(isset($_SESSION['valid']) && $_SESSION['valid'])
        return true;
    return false;
}

function logout()
{
    $_SESSION = array(); //destroy all of the session variables
    if (ini_get("session.use_cookies")) {
        $params = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $params["path"], $params["domain"],
            $params["secure"], $params["httponly"]
        );
    }
    session_destroy();
}
?>
```

index.php (login)

```php
<?php
include('config.php');

$username = $_POST['username'];
$password = $_POST['password'];
//connect to the database here
$username = mysql_real_escape_string($username);
$query = "SELECT password, salt FROM users WHERE username = '$username';";
$result = mysql_query($query) or die("Query: $query<br>Error: " . mysql_error());

if(mysql_num_rows($result) < 1) //no such user exists
{
    die();
}
$userData = mysql_fetch_array($result, MYSQL_ASSOC);
$hash = hash('sha256', $userData['salt'] . hash('sha256', $password) );
if($hash != $userData['password']) //incorrect password
{
    die();
}
else
{
    validateUser(); //sets the session data for this user
}

if(!isLoggedIn())
{
    echo 'You are already logged in!';
}
else
{
    echo '<center>You are not logged in. <br><br>
    <form action=index.php method=post>
    Username: <input type=text name=username><br>
    Password: <input type=password name=pass><br>
    <input type=submit name=submit value=Submit>
    </form>
    Would you like to <a href=register.php>register?</a></center>';
}
?>
```

logout.php

```php
<?php
if(!logout())
{
    echo 'You have been logged out. <a href=index.php>Continue</a>';
}
?>
```

register.php

```php
<?php
include('config.php');
//retrieve our data from POST
$username = $_POST['username'];
$pass1 = $_POST['pass1'];
$pass2 = $_POST['pass2'];
if($pass1 != $pass2)
    header('Location: register_form.php');
if(strlen($username) > 30)
    header('Location: register_form.php');

$hash = hash('sha256', $pass1);

function createSalt()
{
    $string = md5(uniqid(rand(), true));
    return substr($string, 0, 3);
}

$salt = createSalt();
$hash = hash('sha256', $salt . $hash);

//sanitize username
$username = mysql_real_escape_string($username);
$query = "INSERT INTO users (username, password, salt) VALUES ('$username' , '$hash' , '$salt');";
mysql_query($query);
mysql_close();
echo 'You have been registered! You may now <a href=index.php>Log in</a>.';
}
else
{
    echo '<center><form name=register action=register.php method=post>
    Username: <input type=text name=username maxlength=30><br>
    Password: <input type=password name=pass1><br>
    Password Again: <input type=password name=pass2><br>
    <input type=submit name=submit value=Submit>
    </form></center>';
}
?>
```

I am getting the error when I go to register.php:

```
Parse error: syntax error, unexpected '}' in /Applications/XAMPP/xamppfiles/htdocs/testing/register.php on line 31
```

(this is the } right before the ?>) Why is this happening? I checked and all tags are closed. Also the echo 'You have been registered!' does not run after you hit submit on the form.

Another question I have is concerning the index.php: when I log in I am led to a blank page instead of it checking if the user is logged in and displaying the echo message 'You are already logged in!' As well, when I refresh the page, my session does not stay and I have to log in once again. Am I using echos/sessions wrong? Are there any redundancies in my code that could be causing this error?

I am extremely new and doing this script (as well as trying to enable proper security features), with the help/explanation of you guys is really helping me understand it! So thanks again for all the replies and for being so patient with me!

I also heard regenerating the user ID (in the config.php page, function validateUser) is not the best option security wise? What would you guys recommend instead, or is what I heard incorrect?

Psycho, posted March 1, 2012:

> (this is the } right before the ?>) Why is this happening?

Because that is NOT line 31 nor the } the error is referring to. Line 31 comes before that. Use a decent editor that will show you the line numbers. This is the line in question.

```php
} //<==Line 31
else
{
```

The PHP parser is telling you the error. That closing brace is "unexpected". There is no opening curly brace that matches up with that closing one. AND there is no IF statement to match up with that else statement.

dyr (Author), posted March 1, 2012:

Thanks Psycho, how would I go about that using my code

```php
$query = "INSERT INTO users (username, password, salt) VALUES ('$username' , '$hash' , '$salt');";
mysql_query($query);
mysql_close();
}
```

Would I have to rewrite the entire thing to $line= mysql_connect type of thing to form an if statement? Couldn't find any examples online that relate to this.

Psycho, posted March 2, 2012:

I have no idea what you are talking about. You have an else statement with no if(). I have no idea what you intended your if() condition to be since you didn't write one.

But, looking at your code I would rewrite it from scratch. There seems to be no flow to the logic. There are plenty of tutorials out there for you to look at rather than me try and rewrite your code.

ReeceSayer, posted March 2, 2012:

Try this.

```php
<?php
include('config.php');
//retrieve our data from POST
$username = $_POST['username'];
$pass1 = $_POST['pass1'];
$pass2 = $_POST['pass2'];
if($pass1 != $pass2) {
    header('Location: register_form.php');
}
if(strlen($username) > 30) {
    header('Location: register_form.php');
}
if (strlen($username) < 30 && $pass1 == $pass2){
    $hash = hash('sha256', $pass1);

    function createSalt()
    {
        $string = md5(uniqid(rand(), true));
        return substr($string, 0, 3);
    }

    $salt = createSalt();
    $hash = hash('sha256', $salt . $hash);

    //sanitize username
    $username = mysql_real_escape_string($username);
    $query = "INSERT INTO users (username, password, salt) VALUES ('$username' , '$hash' , '$salt')";
    mysql_query($query);
    mysql_close();
    echo 'You have been registered! You may now <a href=index.php>Log in</a>.';
}
else
{
    echo '<center><form name=register action=register.php method=post>
    Username: <input type=text name=username maxlength=30><br>
    Password: <input type=password name=pass1><br>
    Password Again: <input type=password name=pass2><br>
    <input type=submit name=submit value=Submit>
    </form></center>';
}
?>
```

It's untested and may not work, but there were a lot of tiny errors in the code. Added an if statement to check values are correct before submitting; you also need to check that the username doesn't already exist (unless you are allowing people with the same user name??)

Just trying to help as I need the practice.

dyr (Author), posted March 4, 2012:

Hi, I went and redid the register code. It was working fine, until I entered in the callname in the form, my users table, and this script. Now, I get the "success! registered!" message but the information isn't actually being added to the database and I can't login.

register.php

```php
<?php
include('config.php');

if($loggedin == '1')
    die("You can't register another account while you're logged in.");

if(isset($_POST['submit']))
{
    $callname = mysql_real_escape_string($_POST['callname']);
    $uname = mysql_real_escape_string($_POST['username']);
    $password = mysql_real_escape_string($_POST['password']);
    $email = mysql_real_escape_string($_POST['email']);

    if((!isset($_POST['username'])) || (!isset($_POST['callname'])) || (!isset($_POST['email'])) || (!isset($_POST['pass']))
    || ($uname == '') || ($_POST['pass'] == ''))
        die("Please fill out the form completely. <br><br>
        <a href=register.php>Continue</a>");

    $check = @mysql_query("SELECT id FROM users WHERE username = '$uname'");
    $check = @mysql_num_rows($check);

    if($check > 0)
        die("Sorry, that username has already been taken. Please try again.
        <br><br>
        <a href=register.php>Continue</a>");

    function validateEmailAddress($email) {
        return filter_var($email, FILTER_VALIDATE_EMAIL) && preg_match('/@.+\./', $email);
    }

    if(validateEmailAddress($email) !=1) {
        echo "That email address does not exist.<br /><br /><a href=register.php>Continue</a>";
        exit();
    }

    $pass = md5($_POST['pass']);

    $date = date("m/d/y");

    $newPlayer = @mysql_query("INSERT INTO users (username, password, callname, email, registered) VALUES ('$uname', '$pass', '$callname', '$email', '$date')" or die('Cant connect to database').mysql_error());

    echo 'You have been registered! You may now <a href=index.php>Log in</a>.';
}
else
{
    echo '<form action=register.php method=post>
    Callname: <input type=text name=callname><br>
    Username: <input type=text name=username><br>
    Email: <input type=text name=email><br>
    Password: <input type=password name=pass><br>
    <input type=submit name=submit value=Submit>
    </form>';
}
?>
```

litebearer, posted March 4, 2012:

Long weekend, but try this...

```php
<?php
include('config.php');
if($loggedin == '1'){
    die("You can't register another account while you're logged in.");}
if(isset($_POST['submit'])){
    if((!isset($_POST['username'])) || (!isset($_POST['callname'])) || (!isset($_POST['email'])) || (!isset($_POST['pass'])) || ($uname == '') || ($_POST['pass'] == '')){
        echo 'Please fill out the form completely. <br><br><a href="register.php">Continue</a>';
        exit();
    }
    $callname = mysql_real_escape_string($_POST['callname']);
    $uname = mysql_real_escape_string($_POST['username']);
    $password = mysql_real_escape_string($_POST['password']);
    $email = mysql_real_escape_string($_POST['email']);
    $query = "SELECT id FROM users WHERE username = '$uname'";
    $result = mysql_query($query);
    $check = mysql_num_rows($result);
    if($check > 0) {
        echo 'Sorry, that username has already been taken. Please try again.<br><br><a href="register.php">Continue</a>';
        exit();
    }
    function validateEmailAddress($email) {
        return filter_var($email, FILTER_VALIDATE_EMAIL) && preg_match('/@.+\./', $email);
    }
    if(validateEmailAddress($email) !=1) {
        echo 'That email address does not exist.<br /><br /><a href="register.php">Continue</a>';
        exit();
    }
    $pass = md5($_POST['pass']);
    $date = date("m/d/y");
    $query2 ="INSERT INTO users (username, password, callname, email, registered) VALUES ('$uname', '$pass', '$callname', '$email', '$date')" or die(mysql_error());
    $result2 = mysql_query($query2);
    if(mysql_affected_rows()>0){
        echo 'You have been registered! You may now <a href="index.php">Log in</a>.';
        exit();
    }else{
        echo "Registration failed - Contact Admin";
        exit();
    }
}else{
?>
<form action="register.php" method="post">
    Callname: <input type="text" name="callname"><br>
    Username: <input type="text" name="username"><br>
    Email: <input type="text" name="email"><br>
    Password: <input type="password" name="pass"><br>
    <input type="submit" name="submit" value="Submit">
</form>
<?PHP
}
?>
```

dyr (Author), posted March 4, 2012:

Hey, sorry, I found a parse error: I forgot to close the ) after the " in one of my lines. It works now, but your way is much more logical so that helped me understand the process a lot more, thank you!

What's not working now is the sessions... I'm not sure if it's due to this registration mess but they worked before and now they are not. xD Right now after I login it only lets me go to one page, then after that whenever I click on a 'logged in only' link it says I must login to view this page.

I'm attempting to use sessions so that if the user is logged in they can keep their session and stay logged in as long as they want. I do this by including my date.php (lists main links, time, and session check to see if they're logged in) on each page I want logged in-only access.

date.php

```php
<?php
session_start();
if ($_SESSION['id']=="") {
    header("Location: YouMustLogInNotice.html");
}

echo '<head>';
echo '<center><a href=index.php>Main</a> | <a href=myprofile.php>Profile</a> | <a href=inbox.php>Inbox</a> | <a href=page1.php>To-Do List</a> | <a href=logout.php>Logout</a></center>';
echo '</head>';
print date('g:i a - l, F jS');
echo '<br /><br />';
?>
```

Is it conflicting with my configuration page? Because on the config.php page, I use variables loggedin and logged out, as well as isset sessions.

```php
<?php
$dbhost = 'localhost';
$dbuser = 'root';
$dbpass = '';
$dbname = 'mygame';

$link = mysql_pconnect($dbhost, $dbuser, $dbpass)
    or die("Could not connect to server.");
$selectdb = mysql_select_db($dbname, $link)
    or die("Could not connect to database.");

if((!isset($_SESSION['id'])) || (!isset($_POST['callname'])) || (!isset($_SESSION['username'])) || (!isset($_SESSION['email'])) || (!isset($_SESSION['password'])))
{
    unset($_SESSION['callname']);
    unset($_SESSION['username']);
    unset($_SESSION['email']);
    unset($_SESSION['password']);
    unset($_SESSION['id']);

    $loggedin = 0;
}
else
{
    $loggedin = 1;
}
?>
```

Here's my log-in page if that's helpful at all:

```php
<?php
include('config.php');

if($loggedin == '0')
{
    if(isset($_POST['submit']))
    {
        if((!isset($_POST['username'])) || (!isset($_POST['pass']))
        || ($_POST['username'] == '') || ($_POST['pass'] == ''))
            die("Please fill out the form completely. <br><br>
            <a href=index.php>Continue</a>");

        $player = @mysql_query("SELECT id, username, password, callname, email, registered, lastlogin FROM users WHERE username = '".$_POST['username']."'");
        $player = @mysql_fetch_assoc($player);
        mysql_real_escape_string($username);
        mysql_real_escape_string($password);

        if($player['id'] == false)
            die("Sorry, that user is not in our database.<br><br>
            <a href=index.php>Back</a>");
        else if($player['password'] != md5($_POST['pass']))
            die("Wrong password!<br><br>
            <a href=index.php>Back</a>");

        $_SESSION['id'] = $player['id'];
        $_SESSION['username'] = $player['username'];
        $_SESSION['callname'] = $player['callname'];
        $_SESSION['email'] = $player['email'];
        $_SESSION['password'] = $player['password'];

        $date = date("m/d/y");

        $update = @mysql_query("UPDATE users SET lastlogin = '$date' WHERE id = '".$_SESSION['id']."'");

        echo 'You are now logged in!';
    }
    else
    {
        echo 'You are not logged in. <br><br>
        <form action=index.php method=post>
        Username: <input type=text name=username><br>
        Password: <input type=password name=pass><br>
        <input type=submit name=submit value=Submit>
        </form>
        Would you like to <a href=register.php>register?</a>';
    }
}
else
{
    echo 'You are logged in! Welcome to my game, '.$_SESSION['username'].'!';
}
?>
```

ReeceSayer, posted March 5, 2012:

You don't seem to be calling session start when you're setting your sessions in the log-in page. That's probably it.

dyr (Author), posted March 5, 2012:

In config.php session_start(); is already included. Regardless, I added session_start(); at the top of the login php anyway and it still doesn't work. I tried taking out date.php too, and that doesn't make a difference either, the sessions still don't work. I'm very baffled, not sure why this is happening.

ReeceSayer, posted March 6, 2012:

Okay.... Only one thing I can think of off the top of my head. You're echoing out the variables and it seems to be missing double quotes / single quotes (I'm not sure if this has to be done and I don't have the time to test at the minute.)

Try it the way litebearer did in his example. That way we can rule that out 100%.

dyr (Author), posted March 6, 2012:

Seems to be an error in the register code litebearer posted, even if the form is filled out it still says the form is not complete. However I can try and edit my register/login code in the way you specified. So basically, it'd be something like

```php
echo "You are logged in! Welcome to my game, '.$_SESSION['username'].'!";
```

instead of

```php
echo 'You are logged in! Welcome to my game, '.$_SESSION['username'].'!';
```

ReeceSayer, posted March 6, 2012:

No, sorry, I didn't mean like that. However, if you haven't already solved the issue it appears to be this:

```php
if((!isset($_SESSION['id'])) || (!isset($_POST['callname'])) || (!isset($_SESSION['username'])) || (!isset($_SESSION['email'])) || (!isset($_SESSION['password'])))
{
    unset($_SESSION['callname']);
    unset($_SESSION['username']);
    unset($_SESSION['email']);
    unset($_SESSION['password']);
    unset($_SESSION['id']);

    $loggedin = 0;
}
else
{
    $loggedin = 1;
}
```

You're checking for a post value when you should be checking for your session value instead. I've just tested it and it works as you want, I think.

dyr (Author), posted March 6, 2012:

Hi, yes I did find that problem! Was just about to come resolve this post when you posted. Thanks again for the help and sticking with me! Rookie mistake, thanks again.

Dzyu, posted March 28, 2012:

I am struggling with the same tutorial as the OP. It can be found here: http://tinsology.net/2009/06/creating-a-secure-login-system-the-right-way/comment-page-2/#comment-9676

It seems to me the functions aren't complete as I keep getting "undefined function" errors. It is indeed the session control I am struggling with. This is my code so far:

login_form.php

```php
<?php
session_start();
?>
<!DOCTYPE HTML>
<html>
<head>
<title>Logon</title>
</head>
<body>
<h1>Login</h1>
<form name="login" action="login.php" method="post">
    Username: <input type="text" name="username" />
    Password: <input type="password" name="password" />
    <input type="submit" value="Login" />
</form>
</body>
</html>
```

login.php

```php
<?php
session_start(); //must call session_start before using any $_SESSION variables
$username = $_POST['username'];
$password = $_POST['password'];
//connect to the database here
require('dbConn.php');
$username = mysql_real_escape_string($username);
$query = "SELECT passord, salt FROM brukere WHERE brukernavn = '$username';";
$result = mysql_query($query);
if(mysql_num_rows($result) < 1) //no such user exists
{
    Print "No such user";
    //header('Location: login_form.php');
    die();
}
$userData = mysql_fetch_array($result, MYSQL_ASSOC);
$hash = hash('sha256', $userData['salt'] . hash('sha256', $password) );
if($hash != $userData['passord']) //incorrect password
{
    Print "Login failed";
    //header('Location: login_form.php');
    die();
}
else
{
    validateUser(); //sets the session data for this user
}
Print "Login success";
//header("Location: membersonly.php")
//redirect to another page or display "login success" message
?>
```

membersonly.php

```php
<?php
session_start();
//if the user has not logged in
if(!isLoggedIn())
{
    header('Location: login.php');
    die();
}
?>
<!DOCTYPE HTML>
<html>
<head>
<title>Logon</title>
</head>
<body>
<h1>You are currently logged into the members only area!</h1>
</body>
</html>
```

As you can see, if you look at the tutorial, three functions (I've pasted them in below for your convenience) are mentioned and I have no clue what to do with them. I tried inserting the functions at random places in my code, but they don't work as is the way I do it.

```php
function validateUser()
{
    session_regenerate_id (); //this is a security measure
    $_SESSION['valid'] = 1;
    $_SESSION['userid'] = $userid;
}

function isLoggedIn()
{
    if(isset($_SESSION['valid']) && $_SESSION['valid'])
        return true;
    return false;
}

function logout()
{
    $_SESSION = array(); //destroy all of the session variables
    session_destroy();
}
```

These are the errors I get:

```
Fatal error: Call to undefined function isLoggedIn() in C:\xampp\htdocs\bibliotek\membersonly.php on line 3

Notice: Undefined variable: userid in C:\xampp\htdocs\bibliotek\login.php on line 10
```

I have been looking at other tutorials, but since I've come so far with this code I would love to get it to work rather than starting anew. The problem with merging just the session control with my current progress is that I don't really understand the code well enough to modify it.

I need to have a login system up and running for a school project. The class is 'iterative project' so we're allowed to use whatever we find as long as we refer to sources. Since PHP is supposedly very easy we decided to go with that, and so far, getting the database integration has been a cinch.

Oh, and I have a deadline tomorrow, so any assistance is greatly appreciated!

Dzyu, posted March 28, 2012:

Never mind. Feel free to delete my post or let it die.

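
Added example, not part of the thread and not the tutorial's code: the login pages above build SQL from `$_POST`, store SHA-256 (3-character salt) or MD5 password hashes, keep the hash in `$_SESSION`, and call `validateUser()` without defining it or handing it a user id. The sketch below shows the same register/login/session flow with prepared statements, `password_hash()`/`password_verify()` and the three session helpers in one included file. The file name `auth.php`, the functions `registerUser` and `checkLogin`, the widened `password` column and the in-memory SQLite demo database are assumptions; the `mysql_*` functions used in the thread were removed in PHP 7, so PDO is used instead.

```php
<?php
// auth.php (hypothetical file name): added example, not code from the thread.
// Assumes the PDO extension; users.password is widened to VARCHAR(255) and the
// separate salt column is dropped, because password_hash() embeds its own salt.
declare(strict_types=1);

function registerUser(PDO $db, string $username, string $password): bool
{
    if ($username === '' || strlen($username) > 30 || $password === '') {
        return false;
    }
    // Placeholders keep user input out of the SQL text entirely.
    $stmt = $db->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
    try {
        return $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
    } catch (PDOException $e) {
        return false; // for example a UNIQUE violation on username
    }
}

// Returns the user's id on success, null for unknown user or wrong password.
function checkLogin(PDO $db, string $username, string $password): ?int
{
    $stmt = $db->prepare('SELECT id, password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    return (int) $row['id'];
}

// The user id is a parameter; inside a function an outer $userid is not visible.
function validateUser(int $userId): void
{
    session_regenerate_id(true); // fresh session id at login, old one deleted
    $_SESSION['valid'] = 1;
    $_SESSION['userid'] = $userId; // store the id only, never the password hash
}

function isLoggedIn(): bool
{
    return !empty($_SESSION['valid']);
}

function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies') && !headers_sent()) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Demo for the command line. In-memory SQLite stands in for the MySQL database
// and the credentials are constructed. Results are printed last because the
// session functions must run before any output is sent.
if (PHP_SAPI === 'cli') {
    session_start();
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (
        id INTEGER PRIMARY KEY AUTOINCREMENT,
        username VARCHAR(30) NOT NULL UNIQUE,
        password VARCHAR(255) NOT NULL)');

    $out = [];
    $out['register'] = registerUser($db, 'dyr', 'correct horse battery');
    $out['register duplicate'] = registerUser($db, 'dyr', 'other password');
    $out['apostrophe in username'] = checkLogin($db, "o'brien", 'anything');
    $out['wrong password'] = checkLogin($db, 'dyr', 'guess');
    $id = checkLogin($db, 'dyr', 'correct horse battery');
    if ($id !== null) {
        validateUser($id);
    }
    $out['logged in after login'] = isLoggedIn();
    logout();
    $out['logged in after logout'] = isLoggedIn();
    var_export($out);
    echo PHP_EOL;
}
```

On a web page the file would be pulled in with `require 'auth.php';` after `session_start()` and before any HTML is sent, which is what makes the three helpers defined on every page that calls them.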