Figuring out session variables? Having a problem


scm22ri


Hi Everyone,

 

I'm a little confused by sessions.

 

This is my goal. In the below URL, if someone clicks on "contact us" and they aren't logged in I want that user to be redirected to a login page. I know I can do this with PHP sessions but I'm confused as to how. Does the session have to be on the car-display-contact2.php or the car-display-contact-update.php? Or both pages?

 

How would you attack this problem?

http://whatsmyowncarworth.com/auto-members/car-display/car-display-contact2.php

 

Thanks everyone!


Both. What you put in the session is some information about the user:

1. In contact2 you session_start() then see that there isn't anything in there indicating the user is logged in, then you redirect

2. to update, which session_starts() too and logs them in, then back to

3. contact2 where you session_start() (it's the same one as before) and see that this time there is something in the session.


Hey Everyone,

 

Thanks for your reply. Appreciate it.

 

I made a little progress today. I added the below syntax and a login URL link is presented. Now I'm trying to figure out, after a user logs in, how would I get that user back to the car-display-contact-update.php page? What variables would I need to carry from page to page?

 

How would I get the visitor back to the below page after they login?

http://whatsmyowncarworth.com/auto-members/car-display/car-display-contact-update.php?year=57&make=Toyota&model=Camry&submit=Contact+Us

 

This is the syntax I added on my car-display-contact-update.php page

if (!isset($_SESSION['id'])) {
    echo 'Please <a href="http://whatsmyowncarworth.com/auto-members/login.php">log in</a> to access your account';
}


You want to take the request URL, before redirecting the users to the login page, and URL-encode it. Then send it as a parameter with the redirect, so that you can retrieve it in the login page and redirect the user back after logging in.

 

PS: Do keep in mind that you'll want to validate the URL before using it, to stop attackers from hijacking it. Best solution is to manually construct the URL, based upon the navigation values you're already using internally.

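The two replies above (session_start() on both pages and redirect when the session is empty; carry the requested URL through the redirect, but validate it before sending anyone to it) fit together in one login.php. The following is an added example and is not code from the thread or from the poster's site; require_login(), safe_return_path(), contact_url(), find_member() and the sample member record are all assumptions of this example, and the stub lookup stands in for a real members table so the file runs stand-alone.

```php
<?php
// Added example, not the poster's code or the forum's: a login gate for a protected page
// plus the login page it redirects to, which sends the visitor back where they started.
// Everything named here (require_login, safe_return_path, contact_url, find_member,
// the sample member record) is an assumption of this example.
session_start();

// --- 1. Top of any protected page (car-display-contact2.php etc.), before any output.
function require_login(): void
{
    if (isset($_SESSION['id'])) {
        return;                                   // logged in: let the page continue
    }
    // REQUEST_URI is the path plus query string (year=57&make=Toyota&...), never a host,
    // so it is the right thing to carry along. header() must run before any output.
    $return = $_SERVER['REQUEST_URI'] ?? '/';
    header('Location: /auto-members/login.php?return=' . rawurlencode($return));
    exit;
}

// --- 2. Validate the "return" parameter so login.php can never be turned into an open
//        redirect: only a site-relative path (single leading "/", no scheme, no "//").
function safe_return_path(?string $candidate, string $default = '/auto-members/'): string
{
    if ($candidate === null || !preg_match('#^/(?!/)[A-Za-z0-9_.~/?&=%+-]*$#', $candidate)) {
        return $default;
    }
    $parts = parse_url($candidate);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $default;
    }
    return $candidate;
}

// --- 2b. The reply's preferred alternative: rebuild the target from values you already
//         track, so no URL taken from the request is trusted at all.
function contact_url(int $year, string $make, string $model): string
{
    return '/auto-members/car-display/car-display-contact-update.php?'
        . http_build_query(['year' => $year, 'make' => $make, 'model' => $model, 'submit' => 'Contact Us']);
}

// --- 3. login.php. Constructed member record standing in for the members table.
function find_member(string $email): ?array
{
    static $members = null;
    if ($members === null) {
        $members = ['me@example.com' => [
            'id'            => 10,
            'username'      => 'scm22ri',
            'password_hash' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
        ]];
    }
    return $members[$email] ?? null;
}

$error = '';
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    $member = find_member((string) ($_POST['email'] ?? ''));
    // password_verify() takes the password exactly as typed; never strip characters from it.
    if ($member !== null && password_verify((string) ($_POST['password'] ?? ''), $member['password_hash'])) {
        session_regenerate_id(true);              // fresh session id once privilege changes
        $_SESSION['id'] = $member['id'];
        $_SESSION['username'] = $member['username'];
        header('Location: ' . safe_return_path($_POST['return'] ?? null));
        exit;
    }
    $error = 'No match in our records, try again';
}

// Carry the (validated) return path through the form as a hidden field.
$return = htmlspecialchars(safe_return_path($_GET['return'] ?? $_POST['return'] ?? null), ENT_QUOTES, 'UTF-8');
?>
<?php if ($error !== ''): ?><p style="color:red"><?= htmlspecialchars($error, ENT_QUOTES, 'UTF-8') ?></p><?php endif; ?>
<form method="post" action="login.php">
  <input type="hidden" name="return" value="<?= $return ?>">
  <label>Email <input type="email" name="email"></label>
  <label>Password <input type="password" name="password"></label>
  <button type="submit">Log in</button>
</form>
```

The protected page calls require_login() as its first statement after session_start(); everything else in the file is the login page. safe_return_path() rejects "http://…", "//evil.example" and anything with a host, and falls back to a fixed page, which is what stops the return parameter from being abused; contact_url() shows the reply's stronger option of rebuilding the destination from the year/make/model values you already hold.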

"You want to take the request URL, before redirecting the users to the login page, and URL-encode it. Then send it as a parameter with the redirect, so that you can retrieve it in the login page and redirect the user back after logging in."

 

Hi,

 

Thanks for the reply. I've found a good example of what I would like to accomplish. In the below URL, if you click on "write a review" and are not logged in you're automatically diverted to a login page, but I noticed in the URL the park name is being carried to the page. That's what I would like to do.

 

http://nationalrvparks.com/campgrounds-rv-parks/kansas/garden-city/rjs-rv-park

 

In your above statement, is that what you're talking about?

 

Thanks


Or rather than redirecting all over the place, you can simplify everything by integrating (including) the login code directly on any page that needs it.

 

The logic is simple -

[*]If the login form is submitted, perform the normal login authentication. If authentication succeeds, set a session variable with the user's id/username indicating he is logged in, and redirect to the current page to clear the post data. If authentication fails, display any error message and since the visitor is not logged in, step #2 will redisplay the login form.

[*]If the visitor is not logged in, display the log in form. The log in form submits to the current page.

[*]If the visitor is logged in, display a 'You are logged in/Hello' message with his username instead of displaying the login form.

[*]If the visitor is logged in, execute the logic and output the content you have defined for the page.


Hi Everyone,

 

Thanks for your responses.

 

Or rather than redirecting all over the place, you can simplify everything by integrating (including) the login code directly on any page that needs it.

 

Yes, this seems a little bit more simplistic (or so I thought). I've been working on this goal for a large portion of the day. I can't quite seem to get things correct. I'm testing this method at the below URL and I'm getting an error of "Missing Data to Run" and I'm not sure why. Any help or suggestions would be great. Below is the URL and also the syntax that's located on the same page.

 

http://whatsmyowncarworth.com/more-practice/member_profile.php?id=10

 

What do you guys think ... what am I doing wrong here?

 

Thanks everyone!

 

>>>>>>>>>>

 

PHP syntax that's on the above URL

 

<?php
session_start(); // Must start session first thing

// See if they are a logged in member by checking Session data
$toplinks = "";
if (isset($_SESSION['id'])) {
    // Put stored session variables into local php variable
    $userid = $_SESSION['id'];
    $username = $_SESSION['username'];
    $toplinks = '<a href="member_profile.php?id=' . $userid . '">' . $username . '</a> &bull;
<a href="member_account.php">Account</a> &bull;
<a href="logout.php">Log Out</a>';
} else {
    $toplinks = '<a href="join_form.php">Register</a> &bull; <a href="login.php">Login</a>';
}
?>

<?php
// Use the URL 'id' variable to set who we want to query info about
$id = ereg_replace("[^0-9]", "", $_GET['id']); // filter everything but numbers for security
if ($id == "") {
    echo "Missing Data to Run";
    exit();
}
// Connect to the database through our include
include_once "connect_to_mysql.php";
// Query member data from the database and ready it for display
$sql = mysql_query("SELECT * FROM members WHERE id='$id' LIMIT 1");
$count = mysql_num_rows($sql);
if ($count > 1) {
    echo "There is no user with that id here.";
    exit();
}
while ($row = mysql_fetch_array($sql)) {
    $username = $row["username"];
    $country = $row["country"];
    $state = $row["state"];
    $city = $row["city"];
    $accounttype = $row["accounttype"];
    $bio = $row["bio"];
    // Convert the sign up date to be more readable by humans
    $signupdate = strftime("%b %d, %Y", strtotime($row['signupdate']));
}
?>

<?php
// below is the login script
if ($_POST['email']) {
    // Connect to the database through our include
    //include_once "connect_to_mysql.php";
    $email = stripslashes($_POST['email']);
    $email = strip_tags($email);
    $email = mysql_real_escape_string($email);
    $password = ereg_replace("[^A-Za-z0-9]", "", $_POST['password']); // filter everything but numbers and letters
    $password = md5($password);
    // Make query and then register all database data that -
    // cannot be changed by member into SESSION variables.
    // Data that you want member to be able to change -
    // should never be set into a SESSION variable.
    $sql = mysql_query("SELECT * FROM members WHERE email='$email' AND password='$password' AND emailactivated='1'");
    $login_check = mysql_num_rows($sql);
    if ($login_check > 0) {
        while ($row = mysql_fetch_array($sql)) {
            // Get member ID into a session variable
            $id = $row["id"];
            session_register('id');
            $_SESSION['id'] = $id;
            // Get member username into a session variable
            $username = $row["username"];
            session_register('username');
            $_SESSION['username'] = $username;
            // Update last_log_date field for this member now
            mysql_query("UPDATE members SET lastlogin=now() WHERE id='$id'");
            // Print success message here if all went well then exit the script
            header("location: member_profile.php?id=$id");
            //header("location: http://whatsmyowncarworth.com/more-practice/member_account.php");
            exit();
        } // close while
    } else {
        // Print login failure message to the user and link them back to your login page
        print '<br /><br /><font color="#FF0000">No match in our records, try again </font><br />
<br /><a href="login.php">Click here</a> to go back to the login page.';
        exit();
    }
} // close if post
?>


[*]Don't use ereg_replace () to validate IDs, use intval (). The ereg_* () functions are deprecated anyway, and the preg_* () functions should be used instead.

[*]Don't add quotes around data for numerical fields in SQL queries.

[*]Move the login script into a file of its own, and then include () it if necessary.

[*]DO NOT ALTER THE PASSWORD! Especially not to reduce complexity!! (Also, don't use ereg_replace (), as noted above.)

[*]Don't use stripslashes () or strip_tags () either, completely unnecessary and potentially harmful in this case.

[*]You're not salting the passwords, and you're not using mcrypt () or crypt () with SHA256 (or better), as you should be doing.

[*]You're also missing output escaping for your SQL statements.

I strongly recommend reading this article, and using the login-system provided by it.

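Putting the list above together with the earlier suggestion of handling the login form on the same page (authenticate and redirect first, show the form when not logged in, show the content when logged in) gives a member_profile.php shaped like the one below. This is an added example, not the poster's file and not the article the reply links to. It assumes PHP 7.4 or later, that connect_to_mysql.php defines a PDO connection in $pdo with ERRMODE_EXCEPTION, and that the members table holds a password_hash column written with password_hash() at registration; all of those are assumptions of this example.

```php
<?php
// Added example, not the poster's code or the reply's: member_profile.php reworked along
// the lines of the list above, with the login form handled on the same page.
// Assumptions: PHP 7.4+, connect_to_mysql.php defines a PDO connection in $pdo
// (ERRMODE_EXCEPTION), and members.password_hash was produced by password_hash().
session_start();
require_once 'connect_to_mysql.php';   // assumed to define $pdo

// Step 1 of the reply: a submitted login form is authenticated first, before any
// output, so header() still works. On success set the session and redirect back to
// this page so a refresh cannot resubmit the POST.
$error = '';
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST' && isset($_POST['email'], $_POST['password'])) {
    $stmt = $pdo->prepare('SELECT id, username, password_hash FROM members WHERE email = ? AND emailactivated = 1');
    $stmt->execute([(string) $_POST['email']]);        // bound parameter, never interpolated into SQL
    $member = $stmt->fetch(PDO::FETCH_ASSOC);
    // The password is compared exactly as typed: nothing stripped, nothing md5()ed.
    if ($member !== false && password_verify((string) $_POST['password'], $member['password_hash'])) {
        session_regenerate_id(true);                   // new session id once privilege changes
        $_SESSION['id'] = (int) $member['id'];
        $_SESSION['username'] = $member['username'];
        $pdo->prepare('UPDATE members SET lastlogin = NOW() WHERE id = ?')->execute([$member['id']]);
        header('Location: member_profile.php?id=' . (int) ($_GET['id'] ?? $member['id']));
        exit;
    }
    $error = 'No match in our records, try again';
}

// Which profile to show. intval() maps a missing or non-numeric id to 0, and 0 is never
// a valid id, so one comparison covers both cases (and $id is always defined).
$id = intval($_GET['id'] ?? 0);
if ($id < 1) {
    http_response_code(400);
    exit('Missing Data to Run');
}

// Step 4: only a logged-in visitor gets the page's real content, so query only then.
$profile = null;
if (isset($_SESSION['id'])) {
    $stmt = $pdo->prepare('SELECT username, country, state, city, accounttype, bio, signupdate FROM members WHERE id = ?');
    $stmt->execute([$id]);                             // integer id bound, no quotes around it
    $profile = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($profile === false) {
        http_response_code(404);
        exit('There is no user with that id here.');
    }
    $profile['signupdate'] = date('M d, Y', strtotime($profile['signupdate']));
}

// Escape everything on the way out, whatever its source (username, bio, error text).
$h = fn(?string $s): string => htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8');
?>
<?php if ($profile !== null): ?>
  <!-- Step 3: greeting with the username instead of the form -->
  <p>Hello, <?= $h($_SESSION['username']) ?>.
     <a href="member_account.php">Account</a> | <a href="logout.php">Log Out</a></p>
  <h1><?= $h($profile['username']) ?></h1>
  <p><?= $h($profile['city']) ?>, <?= $h($profile['state']) ?>, <?= $h($profile['country']) ?>
     (<?= $h($profile['accounttype']) ?>), member since <?= $h($profile['signupdate']) ?></p>
  <p><?= nl2br($h($profile['bio'])) ?></p>
<?php else: ?>
  <!-- Step 2: not logged in, show the form; it posts back to this page, id included -->
  <?php if ($error !== ''): ?><p style="color:red"><?= $h($error) ?></p><?php endif; ?>
  <form method="post" action="member_profile.php?id=<?= $id ?>">
    <label>Email <input type="email" name="email" required></label>
    <label>Password <input type="password" name="password" required></label>
    <button type="submit">Log in</button>
  </form>
<?php endif; ?>
```

Two details matter for the errors reported in this thread. All of the header() calls sit above the first byte of output, so "headers already sent" cannot occur, and the form's action keeps ?id= on the URL, so the POST that carries the credentials still carries the id the page needs. Prepared statements replace mysql_real_escape_string() and the ereg_replace() filtering entirely, and password_verify() means the stored value is a salted hash that is never recomputed from a stripped-down password.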

Hi Christian,

 

Thanks for the reply but I'm having a little bit of a problem when it comes to your first instruction.

 

"Don't use ereg_replace () to validate IDs, use intval (). The ereg_* () functions are deprecated anyway, and the preg_* () functions should be used instead."

 

Below is my syntax.

 

if (!preg_match('#^\d+$#', $id)) {
    echo "Missing Data to Run";
//echo $id;
}

 

I don't believe I'm doing it correctly because I'm getting this error message every time I login (below). But here's my problem. After I get this error message and go back to this page (below URL) it's saying I'm logged in? If I had missing data and my header couldn't be modified then how did I login? What am I doing wrong here ....

 

http://whatsmyowncarworth.com/more-practice/member_profile.php?id=10

 

(Error message when I login)

"Missing Data to Run

Warning: Cannot modify header information - headers already sent by (output started at whatsmyowncarworth.com/more-practice/member_profile.php:19) in whatsmyowncarworth.com/more-practice/login-from-page.php on line 30"

 

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

 

This is all of the php syntax for the member_profile.php page

 

<?php
session_start(); // Must start session first thing

// See if they are a logged in member by checking Session data
$toplinks = "";
if (isset($_SESSION['id'])) {
    // Put stored session variables into local php variable
    $userid = $_SESSION['id'];
    $username = $_SESSION['username'];
    $toplinks = '<a href="member_profile.php?id=' . $userid . '">' . $username . '</a> &bull;
<a href="member_account.php">Account</a> &bull;
<a href="logout.php">Log Out</a> &bull;
<a>Logged In!</a>';
} else {
    $toplinks = '<a href="join_form.php">Register</a> &bull; <a href="login.php">Login</a>';
}
?>

<?php
// Use the URL 'id' variable to set who we want to query info about
/* $id = ereg_replace("[^0-9]", "", $_GET['id']); // filter everything but numbers for security
if ($id == "") {
    echo "Missing Data to Run";
    exit();
} */

/* if (filter_var($id, FILTER_VALIDATE_INT) == false)
{
    echo "Missing Data to Run";
    echo $id;
    exit();
} */

// $id = $_GET['id'] = 1;
// I think this is the correct code to use in replace of what's above but not totally sure yet. ===Figure this out=== It's important.
if (!preg_match('#^\d+$#', $id)) {
    echo "Missing Data to Run";
    //echo $id;
}

// Connect to the database through our include
include_once "connect_to_mysql.php";
// Query member data from the database and ready it for display
$sql = mysql_query("SELECT * FROM members WHERE id='$id' LIMIT 1");
$count = mysql_num_rows($sql);
if ($count > 1) {
    echo "There is no user with that id here.";
    exit();
}
while ($row = mysql_fetch_array($sql)) {
    $username = $row["username"];
    $country = $row["country"];
    $state = $row["state"];
    $city = $row["city"];
    $accounttype = $row["accounttype"];
    $bio = $row["bio"];
    // Convert the sign up date to be more readable by humans
    $signupdate = strftime("%b %d, %Y", strtotime($row['signupdate']));
}
?>

<?php
// this is the login script. It's located on a different page. The member_profile.php includes this file
include('login-from-page.php');
?>


As IDs don't contain anything but integers, you don't need (or want) to use Regular Expressions to validate them. Instead you'll want to do as I stated in the sentence you quoted, and employ intval () instead.

The reason you have a problem in your code is because $id is not defined when you test it. In other words, it has no value, thus it fails the test.

 

The header error message is explained in the thread "HEADER ERRORS - READ HERE BEFORE POSTING THEM". Also, it pretty clearly states what's wrong and where.

