Please help with code!!

forumnz · December 30, 2006

Ok, I have a password verification script. When someone tries to get to the index.php they are taken straight to Login.php so they can login. When they enter their details in goes to loginaction.php and checks it against the database I have.

Except the problem is when it checks it, it goes straight back to he login page prompting to login again. I have put the script below. Please help. Note: I have changed password in example.

[code]<?php
// Check if the information has been filled in
if($psEmail == '' || $psPassword == '') {

// No login information
header('Location: Login.php?refer='.urlencode($psRefer));

} else {

// Authenticate user
$hDB = mysql_connect('localhost', 'php', 'passord');
mysql_select_db('my_db', $com);

$sQuery = "
Select iUser, MD5(UNIX_TIMESTAMP() + iUser + RAND(UNIX_TIMESTAMP())) sGUID
From tblUsers
Where sEmail = '$psEmail'
And sPassword = password('$psPassword')";

$hResult = mysql_query($sQuery, $hDB);

if(mysql_num_rows($hResult)) {

$aResult = mysql_fetch_row($hResult);

// Update the user record
$sQuery = "
Update tblUsers
Set sGUID = '$aResult[1]'
Where iUser = $aResult[0]";

mysql_query($sQuery, $hDB);

// Set the cookie and redirect
setcookie("session_id", $aResult[1]);

if(!$psRefer) $psRefer = 'index.php';
header('Location: '.$psRefer);

} else {

// Not authenticated
header('Location: Login.php?refer='.urlencode($psRefer));

}
}
?> [/code]

michaellunsford · December 30, 2006

I dont' see your index page here... is it checking for that cookie that login is setting?

Also, your login form is open to [url=http://us3.php.net/manual/fi/security.database.sql-injection.php]SQL Injection Attacks[/url]. You need to excape any content coming from an untrusted source (like unknown web site visitors) using [url=http://us3.php.net/mysql_real_escape_string]mysql_real_escape_string()[/url]

forumnz · December 30, 2006

I dont understand what you mean?

The index page is there. I got this off a website.

Do you know of any website that provide a good tutorial or script(s) for password protecting pages using mysql? or is this one fixable?

forumnz · December 30, 2006

anyone?

michaellunsford · December 30, 2006

all three of your scripts are crammed together in one code block. I can't tell who is who.

also, I see the cookie being created, but I don't see anything actually checking for that cookie.

forumnz · December 30, 2006

What should I do? Start over?

michaellunsford · December 30, 2006

once you've verified that a user is logged in, the script creates a cookie. does the index.php script check to see that the cookie exists before dumping you back to login.php?

forumnz · December 30, 2006

oh i see... no it doesnt... i created the index page just so it would have something to go to ( so i could see if it worked!)

Lol thanks but what does the cookie need to say? and does it go before the <html> tag?

forumnz · December 30, 2006

So far the index.php just has [code]<?PHP require('incSession.php'); ?> [/code]

forumnz · December 30, 2006

and incSession.php leads to:

[code]<?php
// Check for a cookie, if none got to login page
if(!isset($HTTP_COOKIE_VARS['session_id'])) {
header('Location: Login.php?refer='.urlencode($PHP_SELF.'?'.$HTTP_SERVER_VARS['QUERY_STRING']));
}

// Try to find a match in the database
$sGUID = $HTTP_COOKIE_VARS['session_id'];
$hDB = mysql_connect('server', 'username', 'password');
mysql_select_db('database', $hDB);

$sQuery = "
Select iUser
From tblUsers
Where sGUID = '$sGUID'";

$hResult = mysql_query($sQuery, $hDB);

if(!mysql_num_rows($hResult)) {
// No match for guid
header('Location: Login.php?refer='.urlencode($PHP_SELF.'?'.$HTTP_SERVER_VARS['QUERY_STRING']));
}
?> [/code]

michaellunsford · December 30, 2006

could it be that you haven't put in your mysql_connect parameters? the 'server','username','password' are placeholders for your actual parameters. Is that information correct on your local copy?

forumnz · December 30, 2006

Oh I see. Well that may have been 1 prob but that hasnt fixed it. Any more ideas?

I really appreciate this BTW

forumnz · December 30, 2006

anyone?

michaellunsford · December 30, 2006

do you actually have a database called `tblUsers` with a table called `tblUsers` that has some content?

forumnz · December 30, 2006

Yes I have.. i have two test users in it as well =)

michaellunsford · December 30, 2006

best suggestion is to step through the entire process. have it echo results back so you know what's going on. You'll probably also need to include things like [code=php:0]echo mysql_error();[/code] to make sure you're getting results.

forumnz · December 30, 2006

Okay, Ill try that.

Do you know of any scripts that are easier to work with?

Like the URL of them or what I should google to find?

Sign In

Please help with code!!

Recommended Posts

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Join the conversation

Important Information