[SOLVED] Member login, check login, login success

[zimmer]

I am new to to PHP and I found a template to help me get a member log in to a section of my web page. The member log in works no matter what is unput into the user or password , check log in seems to be working but I dont know for sure, the login success file posts login successful. I will post everything I have and tell me what is going wrong.

 

Main_login.php

 

<table width="300" border="0" align="center" cellpadding="0" cellspacing="1" bgcolor="#CCCCCC">

<tr>

<form name="form1" method="post" action="checklogin.php">

<td>

<table width="100%" border="0" cellpadding="3" cellspacing="1" bgcolor="#FFFFFF">

<tr>

<td colspan="3"><strong>Member Login </strong></td>

</tr>

<tr>

<td width="78">Username</td>

<td width="6">:</td>

<td width="294"><input name="myusername" type="text" id="myusername"></td>

</tr>

<tr>

<td>Password</td>

<td>:</td>

<td><input name="mypassword" type="text" id="mypassword"></td>

</tr>

<tr>

<td> </td>

<td> </td>

<td><input type="submit" name="Submit" value="Login"></td>

</tr>

</table>

</td>

</form>

</tr>

</table>

 

Checklogin.php

<?php

ob_start();

$hostname='host'; // Host name

$username="username"; // Mysql username

$password="password"; // Mysql password

$db_name="database"; // Database name

$tbl_name="table"; // Table name

 

 

// Connect to server and select databse.

mysql_connect("$hostname", "$username", "$password")or die("Couldn't connect to SQL Server on $hostname");

mysql_select_db("$db_name")or die("Couldn't select database on $db_name");

 

// Define $myusername and $mypassword

$myusername=$_POST['myusername'];

$mypassword=$_POST['mypassword'];

 

$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";

$result=mysql_query($sql);

 

// Mysql_num_row is counting table row

//$count=mysql_num_rows($result);

// If result matched $myusername and $mypassword, table row must be 1 row

 

if($result=true){

// Register $myusername, $mypassword and redirect to file "login_success.php"

session_register("myusername");

session_register("mypassword");

header("location:login_success.php");

}

else {

echo "Wrong Username or Password";

}

 

ob_end_flush();

?>

 

Login_success.php

 

<?

//Check if session is not registered , redirect back to main page.

//Put this code in first line of web page.

 

session_start();

if(!session_is_registered(myusername)){

header("location:index.php");

}

?>

 

<html>

<body>

Login Successful

</body>

</html>

 

 

 

Issues:

1. I need to ensure the user/pass is only allowed for users in the database.

2. I need the login successful page to redirect to a another page.

3. I need the page from 2 not viewable without logging in.

 

 

 

 

 

-Zimmer

[phpSensei]

This will fix the check for valid username and passwords I hope...

 

edit: If you want to redirect the user, this script must come before ANY HTML. Meaning, Line 1

 

<?php
ob_start();
$hostname='host'; // Host name 
$username="username"; // Mysql username 
$password="password"; // Mysql password 
$db_name="database"; // Database name 
$tbl_name="table"; // Table name 


// Connect to server and select databse.
mysql_connect("$hostname", "$username", "$password")or die("Couldn't connect to SQL Server on $hostname"); 
mysql_select_db("$db_name")or die("Couldn't select database on $db_name");

// Define $myusername and $mypassword 
$myusername=mysql_real_escape_string($_POST['myusername']); 
$mypassword=mysql_real_escape_string($_POST['mypassword']); 

$sql="SELECT * FROM ".$tbl_name." WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);

$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row

if($count == 0){
echo "Wrong Username or Password";

}
else {
// Register $myusername, $mypassword and redirect to file "login_success.php"
session_register("myusername");
session_register("mypassword"); 
header("Location:login_success.php");
}

ob_end_flush();
?>

Login_success.php

<? 
//Check if session is not registered , redirect back to main page. 
//Put this code in first line of web page. 

session_start();
if(!session_is_registered(myusername)){
header("location:index.php");
}
?>

[revraz]

You have your $count line remarked out

 

//$count=mysql_num_rows($result);

 

So it just passes by because it was a valid sql query, but you didnt check to see if anything returned.

[zimmer]

I by passes that because I was getting an error.

 

This will fix the check for valid username and passwords I hope...

 

edit: If you want to redirect the user, this script must come before ANY HTML. Meaning, Line 1

 

<?php
ob_start();
$hostname='host'; // Host name 
$username="username"; // Mysql username 
$password="password"; // Mysql password 
$db_name="database"; // Database name 
$tbl_name="table"; // Table name 


// Connect to server and select databse.
mysql_connect("$hostname", "$username", "$password")or die("Couldn't connect to SQL Server on $hostname"); 
mysql_select_db("$db_name")or die("Couldn't select database on $db_name");

// Define $myusername and $mypassword 
$myusername=mysql_real_escape_string($_POST['myusername']); 
$mypassword=mysql_real_escape_string($_POST['mypassword']); 

$sql="SELECT * FROM ".$tbl_name." WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);

$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row

if($count == 0){
echo "Wrong Username or Password";

}
else {
// Register $myusername, $mypassword and redirect to file "login_success.php"
session_register("myusername");
session_register("mypassword"); 
header("Location:login_success.php");
}

ob_end_flush();
?>

Login_success.php

<? 
//Check if session is not registered , redirect back to main page. 
//Put this code in first line of web page. 

session_start();
if(!session_is_registered(myusername)){
header("location:index.php");
}
?>

 

I am getting the following error with those changes.

 

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/content/r/e/m/remmiz/html/checklogin.php on line 21

Wrong Username or Password

[phpSensei]

change

 

$result=mysql_query($sql);

 

to

$result=mysql_query($sql) or die(mysql_error());

 

And post the error that it spits out.

[revraz]

You need to fix the errors, not go around them.

 

I by passes that because I was getting an error.

 

[phpSensei]

You can't Ignore errors like that, or else your script wont run.

[zimmer]

Hmm, now there is no error... ???

 

So, if I want a user to log in before viewing a page I have to add the main_login.php to that web page at line 1?

 

[phpSensei]

Hmm, now there is no error... ???

 

So, if I want a user to log in before viewing a page I have to add the main_login.php to that web page at line 1?

 

 

If you use

header 

function,

then the <?php << must be at LINE 1 of your page.

[zimmer]

Also how do I set it to not show the password, but show *** instead?

[phpSensei]

Also how do I set it to not show the password, but show *** instead?

 

Change this line

 

<td><input name="mypassword" type="text" id="mypassword"></td>

to

 

<td><input name="mypassword" type="password" id="mypassword"></td>

[zimmer]

Thanks!

 

I am still a little confused with the redirect...lemme do some trials and I will get back.

[zimmer]

ok, I have tried a few things but I keep getting this error. Also when I type the address with employees.php I can see the page without having to login.

 

Warning: session_start(): Cannot send session cache limiter - headers already sent (output started at /home/content/r/e/m/remmiz/html/employees.php:2) in /home/content/r/e/m/remmiz/html/employees.php on line 6

 

 

Here is the top 36 lines of the page:

 

<head>

<?

//Check if session is not registered , redirect back to main page.

//Put this code in first line of web page.

 

session_start();

if(!session_is_registered(myusername)){

header("location:index.html");

}

?>

<style type="text/css">

 

#dropmenudiv{

position:absolute;

border:1px solid black;

border-bottom-width: 0;

font:normal 12px Verdana;

line-height:18px;

z-index:100;

}

 

#dropmenudiv a{

width: 100%;

display: block;

text-indent: 3px;

border-bottom: 1px solid black;

padding: 1px 0;

text-decoration: none;

font-weight: bold;

}

 

#dropmenudiv a:hover{ /*hover background color*/

background-color: yellow;

}

 

</style>

 

[phpSensei]

The script has to go before any HTML on your page

 

<?php

session_start();
if(!session_is_registered(myusername)){
header("location:index.html");
}

?>

//////////////// HTML GOES HERE

 

session_start(); ALWAYS AT LINE 1 of your document

header Always needs to be called before any html on the document, refer to my example ^above^

[zimmer]

Yeah, I was just going to reply that I figured it out, but you posted the answer too!

 

One final question with this topic. When I type the address in manually without logging in how do I direct it to the log in page automatically instead of a "page not found" page?

[phpSensei]

Yeah, I was just going to reply that I figured it out, but you posted the answer too!

 

One final question with this topic. When I type the address in manually without logging in how do I direct it to the log in page automatically instead of a "page not found" page?

 

what do you mean? If the user isnt logged in?

[revraz]

You shouldn't get a page not found at all if your code is redirecting right.

 

But when you login, set a $_SESSION with some type of key.  Then check that key at every page you want them to be logged in to see.

[zimmer]

Yes. If a user is not logged in but types the address of the employee.php it currently loads a "page not found" error page. I would like to have to point directly to the login page.

[zimmer]

You shouldn't get a page not found at all if your code is redirecting right.

 

But when you login, set a $_SESSION with some type of key.  Then check that key at every page you want them to be logged in to see.

 

 

I will have to look into this...because I have no idea what that is/means.

[revraz]

Then something else is wrong, you must be typing the url wrong if that is a valid page and works if you are logged in.

 

Yes. If a user is not logged in but types the address of the employee.php it currently loads a "page not found" error page. I would like to have to point directly to the login page.

[phpSensei]

Yes. If a user is not logged in but types the address of the employee.php it currently loads a "page not found" error page. I would like to have to point directly to the login page.

 

Alright please change this line of code,

 

session_register("myusername");
session_register("mypassword"); 

 

to

 

$_SESSION['username'] = $username;
$_SESSION['is_logged'] = true;

// NEVER EVER put the password in a session, for security reasons.

 

 

And to answer your question,

 

put this on top of each page you want blocked

 

<?php
session_start();
if(!isset($_SESSION['is_logged'])){

header("Location: Login.php");

}
?>

 

Other than that, maybe your links are wrong.

[revraz]

On your login page, after a successful login, enter this

 

echo "Logged In <br />";

$_SESSION['auth']=1;

 

Then on everypage you want to check, just check it

 

if ($_SESSION['auth']==1)

[zimmer]

<?php
session_start();
if(!isset($_SESSION['is_logged'])){

header("Location: Login.php");

}
?>

 

Other than that, maybe your links are wrong.

 

I used this and it worked:

session_start();
if(!session_is_registered(myusername)){
header("location:main_login.php");
}

[zimmer]

Yes. If a user is not logged in but types the address of the employee.php it currently loads a "page not found" error page. I would like to have to point directly to the login page.

 

Alright please change this line of code,

 

session_register("myusername");
session_register("mypassword"); 

 

to

 

$_SESSION['username'] = $username;
$_SESSION['is_logged'] = true;

// NEVER EVER put the password in a session, for security reasons.

 

 

If I do this then will I have to change what I used in my above post?

[revraz]

change

 

 

session_start();
if(!session_is_registered(myusername)){
header("location:main_login.php");
}

to

 

<?php
session_start();
if(!isset($_SESSION['is_logged'])){

header("Location: Login.php");

}
?>