
Securing a page for individual users


Dada78


Ok, I have a registration form built and working. I have a login script built and working, and sessions working and going to the User CP on login. Now the one thing I need to figure out is that when each user logs in they are directed to their User CP like it does now, but I need the User CP to show the member's info on that page and just for them. I do want to make sure the registered members are logging into a User CP that is only able to be accessed by them, with their information. I don't want the registered users to all be sent to the same page. I need it to be unique to that member because it will handle their display information about their Christmas display. I hope that makes sense. Is there any way to go about this to make sure this happens?

 

-Thanks


Well, currently the registration consists of email and desired password. That is what you use to login. Now in the database I have a column named ID that is set to increment, so every new registration has a unique ID that I was wanting to use to make sure they were different. So at the top of each secure page I have this code

 

<?php
session_start();
// empty() also covers the case where the key was never set, so no notice is raised
if (empty($_SESSION['hasLoggedIn']))
{
   header("Location: login.php");
   exit;  // without this the rest of the secure page is still rendered after the redirect header
}
?>

 

 

 

Then on my login script is like this.

 

<?php
session_start();  // must be called before $_SESSION is used below

include ('db_connect.php');

if (isset($_POST['submit']))
{
    if ($_POST['email'] == "" || $_POST['password'] == "")
    {
        $error = 'Please fill in all fields.';  // here, they have not filled in either the username OR the password.  Set an error.
    }
    else
    {
      // email and password sent from login form; the email is escaped before it goes into SQL
      $email = mysql_real_escape_string($_POST['email']);
      $password = $_POST['password'];

      $sql = "SELECT * FROM users WHERE email='$email' and password='" . md5($password) . "'";
      $result = mysql_query($sql);

      // mysql_num_rows counts the matching table rows
      $count = mysql_num_rows($result);
      // If the result matched $email and $password, there must be exactly 1 row

      if($count==1)
      {
         // Register $email, $password and redirect to file "user.php"
         $_SESSION['hasLoggedIn'] = 1;

         // get the users id that is associated with him
         $SQL2 = "SELECT * FROM users WHERE email='$email'";
         $result2 = mysql_query($SQL2);
         $row = mysql_fetch_assoc($result2);

         // store the id in the session for use
         $_SESSION['userID'] = $row['id'];

         session_register("email");
         session_register("password");
         header("location:user.php");
         exit;  // stop the script after the redirect header
      }
   }
}
?>

 

 

But I was thinking, how do I know each person is being sent to their own unique control panel? Shouldn't the URL be something like user.php?id=1 or something along those lines after they have logged in?

 

-Thanks


No, it doesn't have to be user.php?id=$userid; it could be if you wanted...

 

If you had the above links then all you would need to do on user.php is select all the information out of the database with that id:

 

$userid = (int) $_GET['id'];  // cast so only a number ever reaches the query

and then

SELECT * from db WHERE userid='$userid'

 

or you could use the sessions you have registered:

 

if(!$_SESSION['hasLoggedIn']) {

   // redirect to login/index
   header("Location: login.php");
   exit;

} else {

   // using the session for userid...
   $userid = (int) $_SESSION['userID'];
   $result = mysql_query("SELECT * FROM db WHERE userid='$userid'");

}


Where do I put this exactly?

 

I have this on the user.php page to test what is being shown on each log on. Right now it shows everything instead of just the information for the user that is logged in. What do I put, and where, to pull just the information for that user on the page when they log in?

 

I am using this to display the information.

 

<?PHP $result = mysql_query("SELECT * FROM users");

while($row = mysql_fetch_array($result))
  {
  echo "<br />";
  echo $row['displayname'];
  echo "<br />";
  }
?>

 

-Thanks

 

 


Okay, first of all, don't register the user's password in the session. There is no need to and it's not exactly safe.

 

<?php
         session_register("email");
         session_register("password"); //GET RID OF THIS LINE
         header("location:user.php");
?>

 

The reason it shows the information for everybody is because your query instructs it to. You didn't define a WHERE clause. You will have to get the email of the user currently logged in (which you stored in their session) and display only the information from the database for the current session's email address. (NOTE: I would suggest ensuring no one can use the same email address if it already exists in the DB on your registration form).

 

Hmm, okay, well, after looking at your code, there is a lot of stuff in your login script you don't need, and that also doesn't work, so here's what I suggest. Use this as your login script:

 

<?php
session_start();  // the session must be started before session_register() is called
include ('db_connect.php');

// email and password sent from login form; escape the email before using it in SQL
$email = mysql_real_escape_string($_POST['email']);
$pass = md5($_POST['password']);

$query = "SELECT * FROM users WHERE email='$email' and password='$pass'";
$result = mysql_query($query) or die(mysql_error() . "<pre>$query</pre>");

$count = mysql_num_rows($result);

if($count==1){

// Register $email and redirect to users location
session_register("email");
header("location:user.php");
exit;  // nothing after the redirect should run
}
else {
echo "Wrong Username or Password";
}
?>

 

Now, on the pages you want to secure use this:

 

<?php
session_start();

if(!isset($_SESSION['email'])) {
  header("location:login.php");
  exit;  // stop here, otherwise the secure page is still sent after the redirect header
}

?>

 

Ok, now that all that is done, we next want to save the current user's email (which is essentially their login id, and which we stored in the session) for later use.

 

<?php
$email = $_SESSION['email'];
?>

 

Next, in order to display the information for only that user, we tell our query to select the information from the row in the table, and only the row, that contains the current user's email (hence, only showing THEIR information).

 

<?php
// note the use of the where clause
$query = "SELECT * FROM users WHERE email='$email'";

// the <pre>$query</pre> line simply echo's the error if there is any
$result = mysql_query($query, $conn) or die(mysql_error() . "<pre>$query</pre>");

$grab = mysql_fetch_array($result);

$showinfo = "Your unique id is: " . $grab['id'] . "<br />Your email address is: " . $grab['email'] . "<br />Your password is: " . $grab['password'];

echo "<div>";
echo $showinfo;
echo "</div>";
?>

 

Hope that helps.

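As an added example, not code from this thread or its posters, here is the session-scoped lookup the reply above describes, written with bound parameters instead of string-built SQL. It assumes db_connect.php defines a PDO connection `$pdo`, a `users` table with `id`, `email`, `password` and `displayname` columns, and that `password` holds a password_hash() value rather than the md5 used in the thread (a deliberate swap).

```php
<?php
// Added example, not code from this thread. Assumed schema:
//   users(id INT AUTO_INCREMENT, email, password, displayname)
// where "password" holds a password_hash() value rather than an md5,
// and db_connect.php is assumed to define $pdo (a PDO connection).

// login.php: check the credentials with a bound parameter, then keep
// ONLY the user's id in the session (never the password).
function login_user(PDO $pdo, string $email, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password FROM users WHERE email = ?');
    $stmt->execute([$email]);            // no string-built SQL, no escaping to forget
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password'])) {
        return false;                    // same answer for unknown email and bad password
    }
    session_regenerate_id(true);         // fresh session id once the user is authenticated
    $_SESSION['userID'] = (int) $row['id'];
    return true;
}

// session.php: include at the top of every secure page. The exit matters:
// header() alone does not stop PHP from rendering the rest of the page.
function require_login(): int
{
    if (empty($_SESSION['userID'])) {
        header('Location: login.php');
        exit;
    }
    return (int) $_SESSION['userID'];
}

// user.php: the WHERE clause uses the id held in the session, never ?id=
// from the URL. A WHERE built from $_GET['id'] would let any logged-in
// user read any other member's control panel just by changing the number.
function current_user(PDO $pdo, int $userID): ?array
{
    $stmt = $pdo->prepare('SELECT id, email, displayname FROM users WHERE id = ?');
    $stmt->execute([$userID]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// user.php body: one row, belonging to the session's user, output escaped.
session_start();
include 'db_connect.php';                // assumed to define $pdo
$me = current_user($pdo, require_login());
if ($me === null) {                      // account removed since login: force a new login
    session_destroy();
    header('Location: login.php');
    exit;
}
echo '<div>Your unique id is: ' . $me['id'] . '<br />';
echo 'Your display name is: ' . htmlspecialchars($me['displayname']) . '</div>';
```

On login.php, call login_user($pdo, $_POST['email'], $_POST['password']) after session_start() and redirect to user.php (followed by exit) when it returns true.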

Ok, thanks for the help. I already had sessions set up and a sessions page that I would use an include statement to call on each secure page, and it worked. My login form and everything worked fine; the one I used above doesn't work. Also yes, I have it restricted so that only one user can be registered with one email address. It won't allow duplicate email addresses to be registered. The reason I wanted to use the ID is because I have a column in my DB that is ID that is auto-increment. So would it be better to use the ID or the email to get the information?


Ok, this is starting to make more sense now and come together. In the code above you mentioned this code; where does it go and how is it used?

 

<?php
$email = $_SESSION['email'];
?>

 

I have a sessions.php page with this in it

 

<?php
session_start();

if(!isset($_SESSION['email'])) {
  header("location:login.php");
  exit;  // stop here so the secure page is not rendered after the redirect header
}

?>

 

Then at the top of all the pages I want secure with sessions I use this.

 

<?php include ('session.php'); ?>

 

Now I have set up a test query like this on the users.php page but it doesn't display anything, and no error. I think because the session is set correctly. Anyway, here is the test query I have on user.php

 

<?php

$result = mysql_query("SELECT * FROM users
WHERE email='email'");

while($row = mysql_fetch_array($result))
  {
  echo $row['displayname'];
  echo "<br />";
  }

?>

 

Now this is my login page. It checks if a field has been left empty but doesn't send an error for a wrong password or email; it just refreshes the page.

 

<?php

session_start();

include ('db_connect.php');

if (isset($_POST['submit']))
{
    if ($_POST['email'] == "" || $_POST['password'] == "")
    {
        $error = 'Please fill in all fields.';  // here, they have not filled in either the username OR the password.  Set an error.
    }
    else
    {
      // email and password sent from login form; the email is escaped before it goes into SQL
      $email = mysql_real_escape_string($_POST['email']);
      $password = $_POST['password'];

      $sql = "SELECT * FROM users WHERE email='$email' and password='" . md5($password) . "'";
      $result = mysql_query($sql);

      // mysql_num_rows counts the matching table rows
      $count = mysql_num_rows($result);
      // If the result matched $email and $password, there must be exactly 1 row

      if($count==1)
      {
         // Register $email and redirect to file "user.php"
         $_SESSION['hasLoggedIn'] = 1;

         // get the users id that is associated with him
         $SQL2 = "SELECT * FROM users WHERE email='$email'";
         $result2 = mysql_query($SQL2);
         $row = mysql_fetch_assoc($result2);

         // store the id in the session for use
         $_SESSION['userID'] = $row['id'];

         session_register("email");
         header("location:user.php");
         exit;  // stop the script after the redirect header
      }
   }
}
?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<meta name="description" content="Mesquite Texas Country Christmas" />
<meta name="keywords" content="Mesquite, Texas, Country Christmas" />
<meta name="author" content="NA" />
<link rel="stylesheet" type="text/css" href="/stylesheet.css" media="screen" title="FBC" />
<script type="text/javascript" src="drop_down.js"></script>
<title>A Mesquite Country Christmas - Login</title>
</head>
<body>

<div id="wrap">

<a href="/index.html">
<img id="frontphoto" src="/images/header.png" width="760" height="237" alt="Mesquite Country Christmas" border="0"></a>

<div id="menu">

<h2 class="hide">Menu:</h2>

<ul id="avmenu">
<li><a href="/index.html">Home</a></li>
<li><a href="/christmasstory.html">The Christmas Story</a></li>
<li><a href="/directions.html">Directions</a></li>
<li><a href="#">Information</a><ul>
      <li><a href="/information.html">Display Facts & Info</a></li>
      <li><a href="/faq.html">FAQ</a></li>
      <li><a href="/playlist.html">2008 Playlist</a></li>
      <li><a href="#">Christmas History</a></li>
  </ul></li>
<li><a href="#">Photos</a>
  <ul>
      <li><a href="/2007photos.html">2007</a></li>
  </ul></li>
<li><a href="#">Videos</a>
  <ul>
      <li><a href="/2007videos.html">2007</a></li>
  </ul></li>
<li><a href="/guestbook.php">Guestbook</a></li>
<li><a href="/webcam.html">Web Cam</a></li>
<li><a href="/webradio.html">Internet Radio</a></li>
<li><a href="http://www.noradsanta.org/" TARGET="_blank">Track Santa</a></li>
<li><a href="/projects.html">Projects & How Tos</a></li>
<li><a href="/links.html">Links</a></li>
<li><a href="/contact_us.html">Contact Us</a></li>
</ul>

<center><a href="http://www.toysfortots.org/" TARGET="_blank"><img src="/images/toys_for_tots.jpg" border="0" width="110" height="153" vspace="10"></a></center>

<center><a href="http://christmas.bronners.com/2007/house/534.html"><img src="http://christmas.bronners.com/voteforme/vote.jpg" border="0" width="110" height="153" alt="christmas decorations" vspace="10"></a></center>

</div>

<div id="content">


<div class="fadebox">

<h2>Login Now</h2>

<hr />

	<p>Log into your account to submit new displays as well as modify existing ones. Registration is free, so if you don't already have an account, <a href="/local/register.php">create one</a>!</p>

	<table width="28%" border="0" cellpadding="0" cellspacing="0">
<tr>
<td>	
	<table width="300" border="0" align="left" cellpadding="0" cellspacing="1" bgcolor="#CCCCCC">
<tr>
<form name="form1" method="post" action="login.php">
<td>
<table width="100%" border="0" cellpadding="3" cellspacing="1" bgcolor="#FFFFFF">
<tr>
<td colspan="3"><strong> User Login</strong></td>
</tr>
<tr>
<td width="78"> Email:</td>
<td width="294"><input name="email" type="text" id="email" size="30"></td>
</tr>
<tr>
<td> Password:</td>
<td><input name="password" type="password" id="password" size="30"></td>
</tr>
<tr>
<td colspan="2" align="right" class="errorText">
<?PHP
// then we check for the error message
if (isset($error)) {
   echo $error . '<br />';
}
?> </td>
</tr>
<tr>
<td colspan="2" align="right"><input type="submit" name="submit" value="Login"></td>
</tr>
</table>
</td>
</form>
</tr>
</table>
</td>
</tr>
<tr>
<td><table width="300" border="0" align="left" cellpadding="0" cellspacing="0">
<tr>
<td>
<p><a href="/local/forgot.php">Forgot Password</a> | <a href="/local/register.php">Register</a></p>
</td>
</tr>
</table></td>
</tr>
</table>


</div>



   </div>
</div>

<div id="footer">
© 2007 Mesquite Country Christmas

<br />
<br />

<script type="text/javascript"><!--
google_ad_client = "pub-8048181801684156";
//468x60, created 1/8/08
google_ad_slot = "0360766123";
google_ad_width = 468;
google_ad_height = 60;
//--></script>
<script type="text/javascript"
src="http://pagead2.googlesyndication.com/pagead/show_ads.js">
</script>


</div>

</div>
</body>
</html>

 

Anyone know what I am leaving out or forgetting?

 

-Thanks

 

 


Hi. Well, I'm going to be honest here, but your user system hasn't really been designed for what's required; it is written in PHP, though, so it can be flexed to suit.

 

Personally I would use cookies, due to the fact that your session.save file will eventually get full, though you can just set a cron job for that to be cleaned up. On the other hand you wouldn't have to have long URLs. On login success you can just set some cookies, not the password, even if it's md5. Generate a random string on login and set the random string in a cookie along with their ID or email address; then when displaying their CP simply cross-reference the cookie information with the database to display their information and settings.

 

Just an idea, to open up a few options for you, hopefully.

 


Actually it sounds a little more complicated than I would like to make it. I am just a designer, so all I work with is HTML, XHTML, CSS etc. The guy that was in with me on this site that knows PHP and was supposed to do that part bailed because of other commitments. So I am just trying to keep this as simple as possible. This is just a hobbyist site so I don't need anything real fancy or high tech with all the bells and whistles for security. Just as long as it serves its purpose and functions I will be happy. I don't expect a lot of people to be using this, maybe 50 people tops if I am lucky. If someone wants to hack this little script, more power to them. It would be like stealing from a blind and deaf man if they did it, and it wouldn't hurt the rest of my site anyway. I could just install my backup and away I go again. Also the user would have to have cookies enabled for your method to work. I would really like to just stick with sessions as it seems an easier way to go.

 

So if anyone can help me with the problem I am currently having listed in my previous post that would be great.



 

Yeah okay, but like I said, I was just putting another idea out there. Also the majority of internet users have cookies enabled as most sites require them.
