[SOLVED] Do you actually understand how your login works?


Trium918

Come to think of it, I really don't!

I need help understanding how my log in process actually works. Thanks in advance!

I am trying to add $_SESSION['members_id'] = $members_id; to my log in.

The user enters their data into the form. The submit button has a name attribute called sublogin. The form is then submitted to a PHP script by using the POST method. That script is below.

<?php
if (isset($_POST['sublogin']))
#They have just tried logging in
{
    $user_name= trim($_POST['user_name']);
    $password = trim($_POST['password']);

   #Checks that username is in database and password is correct 
   $result = login($_POST['user_name'], $_POST['password']); #Will I need another variable?

   #Check error codes 
   if($result == 0){
      // unsuccessful login
      echo "<p class='genmed'>You could not be logged in. 
            You must be logged in to view this page.</p>";
  echo "<p class='genmed'> $user_name $password</p>";
      exit;
   }   
   
   // if they are in the database register the user id
   $valid_user = $user_name;
   $_SESSION['valid_user']= $valid_user; 

   $_SESSION['members_id'] = $members_id; #Will I need to add another variable to the login function?
   
   $password_str = $password;
   $password_str = md5($password_str);
   $_SESSION['password'] = $password_str;
   	   
}
?>

 

Here is the log in function which is used in the script above.

<?php
function login($user_name, $password)
// check username and password with db
// if yes, return true
// else return false
{
  // connect to db
  $conn = db_connect();
  if (!$conn)
    return 0;

  $result = mysql_query("SELECT * FROM members_info WHERE  user_name='$user_name' AND password=MD5('$password')");
  
  if ($result){
  
  $sql1="SELECT last_visit FROM members_info WHERE user_name='$user_name'";
  $result1=mysql_query($sql1);
  $row=mysql_fetch_assoc($result1);
  $last=$row['last_visit'];
  
  #Display date as 5/8/2007 format
  $last = date('n/d/Y', strtotime($last));  
  
  $_SESSION['last']=$last;   //use the session variable to hold the previous last visit date.


  $sql="UPDATE members_info SET last_visit=NOW() WHERE user_name='$user_name'";   //now only update it
  $result2=mysql_query($sql);  
  }
  
  if (!$result)
     return 0;
  
  if (mysql_num_rows($result)>0)
     return 1;
  else 
     return 0;
}
?>

What you need to do is look at parts of code that you do not understand. Whatever it is, go to php.net or google and type it in. Then read whatever comes up and it should help you understand better until finally, the whole thing will make sense.  :)

I am trying to add $_SESSION['members_id'] = $members_id; to my log in.

It would help if you had session_start() at the top of your script.

 

Just about to say that ;)

 

I was also about to say this:

#Will I need to add another variable to the login function?

Have you tried it without/with another variable? I suppose you haven't been able to without session_start() but try it with now.

How many sessions do I have to start? There is one already started.

At the top of every page if it is not included with a session already started.

I got it working by doing this:

What could go wrong with the way that I have?

<?php
function login($user_name, $password)
// check username and password with db
// if yes, return true
// else return false
{
  // connect to db
  $conn = db_connect();
  if (!$conn)
    return 0;

  $result = mysql_query("SELECT * FROM members_info WHERE  user_name='$user_name' 
  													AND password=MD5('$password')");

  if ($result){
  
  $sql1="SELECT members_id,last_visit FROM members_info WHERE user_name='$user_name'";
  $result1=mysql_query($sql1);
  $row=mysql_fetch_assoc($result1);
  
  $last=$row['last_visit'];	
      $membersid=$row['members_id'];
  
      $_SESSION['membersid'] = $membersid;
  
  #Display date as 5/8/2007 format
  $last = date('n/d/Y', strtotime($last));  
  
  $_SESSION['last']=$last;   //use the session variable to hold the previous last visit date.


  $sql="UPDATE members_info SET last_visit=NOW() WHERE user_name='$user_name'";   //now only update it
  $result2=mysql_query($sql);  
  }
  
  if (!$result)
     return 0;
  
  if (mysql_num_rows($result)>0)
     return 1;
  else 
     return 0;
}
?>

We can't see ANY call to session_start() in ANY of your code. This needs to be placed in ALL files that you intend to use the $_SESSION array in.

 

One thing I will say about your login script is that it overcomplicates things. It's also got quite a bit of redundant code. For instance, you run two separate queries against the same table, why?

 

Also, putting the actual login in a function (at least the way you have implemented it) actually limits you in some ways.

 

I could rewrite your login in a much simpler manner but that's not going to help you understand the process. You're very likely to need to make customizations to your login in the future and unless you fully understand how / why it works you're going to need to ask for help every time.

I understand having a session started at the start of every page intended to use them.

I wrote it so that I could keep up with the user's last log in. I was unaware of the redundancy.

<?php
function login($user_name, $password)
// check username and password with db
// if yes, return true
// else return false
{
  // connect to db
  $conn = db_connect();
  if (!$conn)
    return 0;

  $result = mysql_query("SELECT * FROM members_info WHERE  user_name='$user_name' 
  													AND password=MD5('$password')");

  if ($result){
  
  $sql1="SELECT members_id,last_visit FROM members_info WHERE user_name='$user_name'";
  $result1=mysql_query($sql1);
  $row=mysql_fetch_assoc($result1);
  
  $last=$row['last_visit'];	
      $membersid=$row['members_id'];
  
      $_SESSION['membersid'] = $membersid;
  
  #Display date as 5/8/2007 format
  $last = date('n/d/Y', strtotime($last));  
  
  $_SESSION['last']=$last;   //use the session variable to hold the previous last visit date.


  $sql="UPDATE members_info SET last_visit=NOW() WHERE user_name='$user_name'";   //now only update it
  $result2=mysql_query($sql);  
  }
  
  if (!$result)
     return 0;
  
  if (mysql_num_rows($result)>0)
     return 1;
  else 
     return 0;
}
?>

Why wouldn't this work better?

 

<?php
$conn = db_connect(); // why connect inside the function and not globally?

function login($user_name, $password)
// check username and password with db
// if yes, return true
// else return false
{
    $result = mysql_query("SELECT * FROM members_info WHERE  user_name='$user_name' 
  													AND password=MD5('$password') LIMIT 1");

  if (mysql_num_rows($result)>0){
  $row=mysql_fetch_assoc($result);

          $_SESSION['membersid'] = $row['members_id'];
  
  #Display date as 5/8/2007 format
  $last = date('n/d/Y', strtotime($row['last_visit']));  
  
  $_SESSION['last']=$last;   //use the session variable to hold the previous last visit date.


  $sql="UPDATE members_info SET last_visit=NOW() WHERE membersid='" . $_SESSION['membersid'] . "'";   //now only update it
  mysql_query($sql) OR return false;  
          return true;
  }
  
   return false;
}
?>

Must be an error somewhere. I am getting a white page.

It could be you are inconsistent with your members_id. Which is it, members_id or membersid? That can mean a world of difference. Also, I am not sure if you are trying to implement it or not. Either way, figure that you have a working function.

It is this part of the code. When I commented it out it worked.

<?php
  $sql="UPDATE members_info SET last_visit=NOW() WHERE members_id='" . $_SESSION['membersid'] . "'";   //now only update it
  mysql_query($sql) or return false; 
?>

Well sounds like you know where the problem is, now fix it.

 

OK, it is this line here. Does the or return false have to be in there or what? It works fine without it. I was just asking.

<?php
mysql_query($sql) or return false; 
?>

It doesn't have to, but if something is wrong with the update statement, which it seemed like there was due to the member_id inconsistency, change that to be OR DIE (mysql_error()) and see what is up. Code is no good if it is flawed with inconsistent and wrongly coded programming.

Everything seems to work!

Last question before solved.

Does the script need to be changed

<?php
  #Check error codes 
   if($result == 0){
      // unsuccessful login
      echo "<p class='genmed'>You could not be logged in. 
            You must be logged in to view this page.</p>";
  echo "<p class='genmed'> $user_name $password</p>";
      exit;
   }   
?>

 

to this

<?php
  #Check error codes 
   if($result === false){
      // unsuccessful login
      echo "<p class='genmed'>You could not be logged in. 
            You must be logged in to view this page.</p>";
  echo "<p class='genmed'> $user_name $password</p>";
      exit;
   }   
?>

 

Since there is no number being returned

return 0

return 1 etc.

*bump*

Not necessarily. 0 is considered to be false unless you use the === operator. Here is how I would do it instead.

 

<?php
  #Check error codes 
   if (!$result){
      // unsuccessful login
      echo "<p class='genmed'>You could not be logged in. 
            You must be logged in to view this page.</p>";
  echo "<p class='genmed'> $user_name $password</p>";
      exit;
   }   
?>

 

No need to really "set" a condition when that will work just as well.
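
A hardened form of the login() function discussed in this thread, as an added example that is not part of any post: one prepared statement replaces the interpolated queries, and rows still holding an MD5 digest are moved to password_hash() on the next successful login. It assumes a PDO connection in exception mode (the $db parameter is hypothetical), the thread's members_info columns, and a password column wide enough for password_hash() output.

```php
<?php
// Added example, not code from the thread.
// Assumptions: $db is a PDO handle using PDO::ERRMODE_EXCEPTION, session_start()
// has already run, and members_info.password can hold password_hash() output.
function login(PDO $db, string $user_name, string $password): bool
{
    // One prepared statement instead of two interpolated queries.
    $stmt = $db->prepare(
        'SELECT members_id, password, last_visit
           FROM members_info WHERE user_name = ? LIMIT 1'
    );
    $stmt->execute([$user_name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;                        // unknown user
    }

    $stored = (string) $row['password'];
    // Rows written by the old code hold a 32-character hex MD5 digest.
    $legacy = preg_match('/^[0-9a-f]{32}$/i', $stored) === 1;
    $ok = $legacy
        ? hash_equals(strtolower($stored), md5($password))
        : password_verify($password, $stored);
    if (!$ok) {
        return false;                        // wrong password
    }

    // Re-hash legacy or outdated hashes now that the plaintext is known,
    // and record this visit in the same UPDATE.
    $hash = ($legacy || password_needs_rehash($stored, PASSWORD_DEFAULT))
        ? password_hash($password, PASSWORD_DEFAULT)
        : $stored;
    $db->prepare('UPDATE members_info SET password = ?, last_visit = NOW()
                   WHERE members_id = ?')
       ->execute([$hash, $row['members_id']]);

    session_regenerate_id(true);             // fresh session id after login
    $_SESSION['valid_user'] = $user_name;
    $_SESSION['membersid']  = (int) $row['members_id'];
    $_SESSION['last']       = $row['last_visit'] === null
        ? null                                // first login: no previous visit
        : date('n/d/Y', strtotime($row['last_visit']));
    return true;                             // no password or hash in the session
}
```

With this version the calling script needs only the generic failure message; the submitted user name and password are not echoed back into the page.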
