forumnz Posted December 30, 2006

Ok, I have a password verification script. When someone tries to get to the index.php they are taken straight to Login.php so they can login. When they enter their details it goes to loginaction.php and checks it against the database I have. Except the problem is when it checks it, it goes straight back to the login page prompting to login again. I have put the script below. Please help. Note: I have changed password in example.

[code]
<?php
// Check if the information has been filled in
if($psEmail == '' || $psPassword == '') {
    // No login information
    header('Location: Login.php?refer='.urlencode($psRefer));
} else {
    // Authenticate user
    $hDB = mysql_connect('localhost', 'php', 'passord');
    mysql_select_db('my_db', $com);
    $sQuery = "
        Select iUser, MD5(UNIX_TIMESTAMP() + iUser + RAND(UNIX_TIMESTAMP())) sGUID
        From tblUsers
        Where sEmail = '$psEmail'
        And sPassword = password('$psPassword')";
    $hResult = mysql_query($sQuery, $hDB);
    if(mysql_num_rows($hResult)) {
        $aResult = mysql_fetch_row($hResult);
        // Update the user record
        $sQuery = "
            Update tblUsers
            Set sGUID = '$aResult[1]'
            Where iUser = $aResult[0]";
        mysql_query($sQuery, $hDB);
        // Set the cookie and redirect
        setcookie("session_id", $aResult[1]);
        if(!$psRefer) $psRefer = 'index.php';
        header('Location: '.$psRefer);
    } else {
        // Not authenticated
        header('Location: Login.php?refer='.urlencode($psRefer));
    }
}
?>
[/code]

michaellunsford Posted December 30, 2006

I don't see your index page here... is it checking for that cookie that login is setting?

Also, your login form is open to [url=http://us3.php.net/manual/fi/security.database.sql-injection.php]SQL Injection Attacks[/url]. You need to escape any content coming from an untrusted source (like unknown web site visitors) using [url=http://us3.php.net/mysql_real_escape_string]mysql_real_escape_string()[/url]

forumnz Posted December 30, 2006

I don't understand what you mean? The index page is there. I got this off a website.

Do you know of any website that provides a good tutorial or script(s) for password protecting pages using mysql? Or is this one fixable?

forumnz Posted December 30, 2006

anyone?

michaellunsford Posted December 30, 2006

all three of your scripts are crammed together in one code block. I can't tell who is who.

also, I see the cookie being created, but I don't see anything actually checking for that cookie.

forumnz Posted December 30, 2006

What should I do? Start over?

michaellunsford Posted December 30, 2006

once you've verified that a user is logged in, the script creates a cookie. does the index.php script check to see that the cookie exists before dumping you back to login.php?

forumnz Posted December 30, 2006

oh i see... no it doesn't... i created the index page just so it would have something to go to (so i could see if it worked!)

Lol thanks but what does the cookie need to say? and does it go before the <html> tag?

forumnz Posted December 30, 2006

So far the index.php just has

[code]
<?PHP require('incSession.php'); ?>
[/code]

forumnz Posted December 30, 2006

and incSession.php leads to:

[code]
<?php
// Check for a cookie, if none go to login page
if(!isset($HTTP_COOKIE_VARS['session_id'])) {
    header('Location: Login.php?refer='.urlencode($PHP_SELF.'?'.$HTTP_SERVER_VARS['QUERY_STRING']));
}
// Try to find a match in the database
$sGUID = $HTTP_COOKIE_VARS['session_id'];
$hDB = mysql_connect('server', 'username', 'password');
mysql_select_db('database', $hDB);
$sQuery = "
    Select iUser
    From tblUsers
    Where sGUID = '$sGUID'";
$hResult = mysql_query($sQuery, $hDB);
if(!mysql_num_rows($hResult)) {
    // No match for guid
    header('Location: Login.php?refer='.urlencode($PHP_SELF.'?'.$HTTP_SERVER_VARS['QUERY_STRING']));
}
?>
[/code]

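The two points raised in this thread, michaellunsford's note that the login query is open to SQL injection and the cookie lookup done in incSession.php, as an added example that is not code from any poster: both queries use bound parameters instead of string interpolation. It assumes PDO with an in-memory SQLite database and a constructed sample user so it runs offline, and it swaps in password_hash()/password_verify() and random_bytes() for the thread's MySQL password() and MD5 token; the function names are hypothetical.

```php
<?php
// Added example, not the original poster's code. Table and column names
// (tblUsers, iUser, sEmail, sPassword, sGUID) come from the thread; the
// in-memory SQLite database and the sample user are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tblUsers (iUser INTEGER PRIMARY KEY, sEmail TEXT UNIQUE, sPassword TEXT, sGUID TEXT)');
$ins = $db->prepare('INSERT INTO tblUsers (sEmail, sPassword) VALUES (?, ?)');
$ins->execute(['user@example.test', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Hypothetical helper: returns a fresh session token on success, null on failure.
function login(PDO $db, string $email, string $password): ?string
{
    // The e-mail is bound as a parameter, so quotes in it never reach the SQL parser.
    $stmt = $db->prepare('SELECT iUser, sPassword FROM tblUsers WHERE sEmail = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['sPassword'])) {
        return null;
    }
    // Token from the CSPRNG (swapped in for MD5 over a timestamp).
    $token = bin2hex(random_bytes(16));
    $upd = $db->prepare('UPDATE tblUsers SET sGUID = ? WHERE iUser = ?');
    $upd->execute([$token, $row['iUser']]);
    return $token;
}

// Hypothetical helper for the incSession.php step: map a cookie value to a user id.
function userForToken(PDO $db, string $token): ?int
{
    $stmt = $db->prepare('SELECT iUser FROM tblUsers WHERE sGUID = ?');
    $stmt->execute([$token]);
    $id = $stmt->fetchColumn();
    return $id === false ? null : (int) $id;
}

// Valid login, then the token is looked up the way the session check would.
$token = login($db, 'user@example.test', 'correct horse');
var_dump(is_string($token) && userForToken($db, $token) === 1);
// Constructed input containing quote characters: treated as a literal e-mail value.
var_dump(login($db, "' OR '1'='1", 'x'));
// Wrong password for an existing user.
var_dump(login($db, 'user@example.test', 'wrong'));
```
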
michaellunsford Posted December 30, 2006

could it be that you haven't put in your mysql_connect parameters? the 'server','username','password' are placeholders for your actual parameters. Is that information correct on your local copy?

forumnz Posted December 30, 2006

Oh I see. Well that may have been 1 prob but that hasn't fixed it. Any more ideas?

I really appreciate this BTW

forumnz Posted December 30, 2006

anyone?

michaellunsford Posted December 30, 2006

do you actually have a database called `tblUsers` with a table called `tblUsers` that has some content?

forumnz Posted December 30, 2006

Yes I have.. i have two test users in it as well =)

michaellunsford Posted December 30, 2006

best suggestion is to step through the entire process. have it echo results back so you know what's going on. You'll probably also need to include things like [code=php:0]echo mysql_error();[/code] to make sure you're getting results.

forumnz Posted December 30, 2006

Okay, I'll try that.

Do you know of any scripts that are easier to work with? Like the URL of them or what I should google to find?