password protected pages


9 replies to this topic

#1 kaspm

kaspm
  • Members
  • Advanced Member
  • 39 posts

Posted 03 May 2006 - 01:13 AM

Hi I have a members only area for my site, and I need to find out how to keep people from accessing pages when they are not logged in. If they try to access that page it needs to send them to the log in page. Can someone help.
Thanks

#2 .josh

.josh
  • Staff Alumni
  • .josh
  • 14,871 posts

Posted 03 May 2006 - 01:46 AM

make a login page where the user enters a username and password. query the database to make sure they are valid. start a session with their information, if they are validated. on each page you don't want to be accessed, check if a session has been started. if it has not been started, redirect them to the login page.
Did I help you? Feeling generous? Buy me lunch! 
Please, take the time and do some research and find out how much it would have cost you to get your help from a decent paid-for source. A "roll-of-the-dice" freelancer will charge you $5-$15/hr. A decent entry level freelancer will charge you around $15-30/hr. A professional will charge you anywhere from $50-$100/hr. An agency will charge anywhere from $100-$250/hr. Think about all this when soliciting for help here. Think about how much money you are making from the work you are asking for help on. No, we do not expect you to pay for the help given here, but donating a few bucks is a fraction of the cost of what you would have paid, shows your appreciation, helps motivate people to keep offering help without the pricetag, and helps make this a higher quality free-help community :)

#3 kaspm

kaspm
  • Members
  • Advanced Member
  • 39 posts

Posted 03 May 2006 - 01:49 AM

I'm pretty new to php could you post a simple code on how to do that, or a tutorial.
Thanks


#4 .josh

.josh
  • Staff Alumni
  • .josh
  • 14,871 posts

Posted 03 May 2006 - 02:36 AM

okay, so basically you make a form to get the user's name and password:

login.html
<html>
<head></head>
<body>
<form action = "authenticate.php" method = "post">
    Name:<input name="username" type="text" size="10"><br>
    Password:<input type="password" name="password" size="10"><br>
    <input type="submit" value="login">
</form>
</body>
</html>

when the user clicks on the submit button the information will be sent to authenticate.php which looks something like this:

authenticate.php
<?php 
1    session_start();
2    session_register("userinfo"); 
3    if((!$_POST['username']) or (!$_POST['password']))
4       { header("Location:$HTTP_REFERER"); exit(); }

5    $username=$_POST['username'];
6    $password=$_POST['password'];
          
7    $conn = @mysql_connect("localhost","dbusername","dbpassword") or die("Err:Conn");
8    $rs = @mysql_select_db("dbname",$conn) or die("Err:Db");

9    $sql = "select * from userinfo where name='$username' and password = '$password' ";
10   $rs = mysql_query($sql, $conn) or die("Err:Query");

11   $match = mysql_numrows($rs);

12   if ($match != 0) { 
13      $userinfo=mysql_fetch_array($rs);
14      mysql_close($conn);
15      header("Location:loggedinpage.php"); 
16      exit(); 
17   } else { 
18         header("Location:loginhelp.php"); 
19         exit(); 
20   }
?>

so basically this

1 starts a session
2 makes a new session variable called userinfo
3-4 checks to see if user submitted a name and password. if not, then it kicks them back to the page they were just at (which would be login.html)
5-6 assigns some variables to the posted variables. this is optional. i like to do it cuz it's easier to code. less quotes to deal with throughout the code. it's a good idea to do things like strip slashes/tags after this line, but we're shooting for basic.
7-8 connect to the database.
9-10 query the database to see if there is an entry that matches the user's name and password.
11 set a variable to the number of entries that match it. if you coded your registration script properly, there should only be one entry, or none at all, because your registration script should check to make sure the user's name is unique (or whatever info you are checking, like email address)
12 if there is an entry then execute code on lines 13-16
13 assign the user's info from the database to the session variable you created earlier (userinfo)
14 close the database connection
15 redirect the user to whatever page you want them to first see when they are logged in
16 stop parsing any more script in the file.
17 if there was not a match found in the database then run lines 18-20
18-20 redirect user to a login help page or back to the login page or wherever.

okay so, assuming that the user's name and password exist and they are valid you now have their information stored in $userinfo that you can use for the rest of your pages. so the last thing you want to do is, at the beginning of each page that you only want logged in users to be able to go to, you would put this:

<?php 
   session_start(); 
   if ($userinfo == null) {
      header("Location:loginhelp.php");
      exit;
   }
?>

session_start(); starts the session for this page and makes your variable accessible to the page. then the if statement checks to see if your variable exists. It will only exist if the user went through the login page and logged in. if it is null (that is, if it doesn't exist) then it kicks them over to login help or back to login or wherever you want them to go, and stops parsing of anything else on the page.

to access the user's info, all you have to do is for instance, this:

echo "hello there, " . $userinfo['name'] . "!";

this will echo on the page

hello there, joe!

or whatever the user's name is.

so there you go, a basic login script. this of course assumes that you do have a table setup with user information and you know your database username and password and all that information for authenticate.php to log into the database and check.

also, this is a pretty basic script. it's quick and dirty and gets the job done for the average user but you will want to modify it to make it more secure. for instance, you may want to parse the user's username/password submissions to make sure they are inputting valid things that won't harm your database, etc...

also sql has a built in password encryption thingy that's pretty easy to implement. but you would need to alter the query a bit. and/or you may want to do your own md5 encryption of passwords. or whatever.
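Added example (not part of .josh's post or any project's code): the same login check and page guard written for current PHP, with a PDO prepared statement, password_hash()/password_verify() and $_SESSION in place of session_register() and the interpolated query. The column names, the function names and the in-memory SQLite data are assumptions so the block runs on its own.

```php
<?php
// Added example. Table/column names and the SQLite demo data are assumptions.
declare(strict_types=1);

/** Return the user's row if the credentials are valid, otherwise null. */
function authenticate(PDO $db, string $username, string $password): ?array
{
    // The placeholder binds the value; input never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT id, name, password_hash FROM userinfo WHERE name = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_verify() re-derives the hash using the salt stored inside it.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    unset($row['password_hash']);   // keep the hash out of the session
    return $row;
}

/** authenticate.php: call after authenticate() returns a row. */
function log_in(array $user): void
{
    session_start();
    session_regenerate_id(true);    // fresh session ID at login (prevents fixation)
    $_SESSION['userinfo'] = $user;
}

/** Members-only pages: call first, before any output is sent. */
function require_login(): array
{
    session_start();
    if (empty($_SESSION['userinfo'])) {
        header('Location: loginhelp.php');
        exit;
    }
    return $_SESSION['userinfo'];
}

// Constructed demo data: in-memory SQLite stands in for the real database.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE userinfo (id INTEGER PRIMARY KEY, name TEXT UNIQUE, password_hash TEXT)');
$db->prepare('INSERT INTO userinfo (name, password_hash) VALUES (?, ?)')
   ->execute(['joe', password_hash('constructed-pass', PASSWORD_DEFAULT)]);

var_dump(authenticate($db, 'joe', 'constructed-pass') !== null);  // correct credentials
var_dump(authenticate($db, 'joe', 'wrong') === null);             // wrong password
var_dump(authenticate($db, "o'brien", 'x') === null);             // quote stays data, not SQL
```

An unknown user and a wrong password both return null, so the login page can show one message for either case and not reveal which usernames exist.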

#5 craygo

craygo
  • Staff Alumni
  • Advanced Member
  • 1,973 posts
  • LocationRhode Island

Posted 03 May 2006 - 01:08 PM

I got to say Crayon, That is a very good tutorial for this subject. You took some time on that to explain all the details. Hats off my friend. Can't get much clearer than that.

Ray

#6 lead2gold

lead2gold
  • Members
  • Advanced Member
  • 164 posts
  • LocationOttawa, On

Posted 03 May 2006 - 01:13 PM

QUOTE (craygo @ May 3 2006, 09:08 AM):
> I got to say Crayon, That is a very good tutorial for this subject. You took some time on that to explain all the details. Hats off my friend. Can't get much clearer than that.
>
> Ray

I agree!
Well done Crayon!!

#7 kaspm

kaspm
  • Members
  • Advanced Member
  • 39 posts

Posted 03 May 2006 - 02:42 PM

Thanks Crayon, that really helped a lot.

#8 SharkBait

SharkBait
  • Members
  • Advanced Member
  • 845 posts
  • LocationMetro Vancouver, BC

Posted 03 May 2006 - 03:04 PM

If you use the MySQL Password() you can retrieve it (unencrypt it); if you go the MD5 way you are unable to unencrypt (reverse) it.

So if you choose to MD5 the passwords, and a user forgets what their password was, you will have to generate a new password for them.

Also with MD5, when a user logs in you have to check the MD5 hashes against each other.

So:

$salt = "ThisIsMySecretMD5Phrase";

// Get input from a form
$password = $_POST['password'];

// Encrypt the encrypted password & salt
$password = md5(md5($password).md5($salt));


Is how I go about encrypting passwords.

So if the user enters default123 as a password, the encrypted version looks like:

092adab8b2d42876ed56bc6b664f1722

When the user goes to login to the website you have to md5 their password and check it against the hash in the database:

// Have to use the same salt phrase
$salt = "ThisIsMySecretMD5Phrase";

// User enters their username: test  and password: default123
// Escape the username before it is placed inside the query string
$username = mysql_real_escape_string($_POST['username']);
$password = $_POST['password'];

// Encrypt password that user is trying to login with
$password = md5(md5($password).md5($salt));

// Query the users database
$strqry = "SELECT * FROM users WHERE username = '{$username}' AND password = '{$password}'";
$query = mysql_query($strqry) or die("MySQL Error: <br /> {$strqry} <br />". mysql_error());

// If found - found is set to 1 as long as it doesnt find multiple instances;)
$found = mysql_num_rows($query);
if($found >0) {
  echo "Password/Username matches!";
  //Continue script or move them onto the members section
} else {
  echo "Password or Username do not match those on file.";
  // Have them re-enter the password or....
}
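Added example (not SharkBait's code): one way to move accounts off the shared-salt MD5 scheme above to PHP's password_hash() without forcing password resets, by accepting the old hash once at login and returning a replacement to store. verify_and_upgrade() and legacy_hash() are hypothetical helper names; the demo values are constructed.

```php
<?php
// Added example. Helper names are hypothetical; demo values are constructed.
declare(strict_types=1);

const LEGACY_SALT = 'ThisIsMySecretMD5Phrase';   // the site-wide phrase from the post

/** The scheme from the post: one shared salt, MD5 applied twice. */
function legacy_hash(string $password): string
{
    return md5(md5($password) . md5(LEGACY_SALT));
}

/**
 * Check a login against either hash format.
 * Returns [ok, newHash]; newHash is non-null when the stored value
 * should be overwritten with it.
 */
function verify_and_upgrade(string $password, string $stored): array
{
    // A bare 32-character hex string is the old MD5 format.
    if (preg_match('/^[0-9a-f]{32}$/', $stored) === 1) {
        // hash_equals() compares in constant time.
        if (!hash_equals($stored, legacy_hash($password))) {
            return [false, null];
        }
        // Correct password: hand back a per-user salted, slow hash to store.
        return [true, password_hash($password, PASSWORD_DEFAULT)];
    }
    if (!password_verify($password, $stored)) {
        return [false, null];
    }
    // Already migrated; rehash only if the default algorithm or cost changed.
    $new = password_needs_rehash($stored, PASSWORD_DEFAULT)
        ? password_hash($password, PASSWORD_DEFAULT) : null;
    return [true, $new];
}

// Constructed demo: a row that still holds a legacy MD5 value.
$stored = legacy_hash('default123');
[$ok, $upgraded] = verify_and_upgrade('default123', $stored);
var_dump($ok, $upgraded !== null);          // login result, and whether to update the row
[$okAgain, $again] = verify_and_upgrade('default123', $upgraded);
var_dump($okAgain, $again);                 // second login uses the new format
[$bad] = verify_and_upgrade('wrong', $stored);
var_dump($bad);                             // wrong password against the legacy value
```

The password column needs room for the longer value; the PHP manual recommends 255 characters for PASSWORD_DEFAULT.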


#9 redarrow

redarrow
  • Members
  • Advanced Member
  • 7,308 posts
  • Locationlondon

Posted 03 May 2006 - 05:52 PM

Validate the username and password.

If the username or password exist let them choose another.

if(! $username || $password) {
// HTML has to be sent with echo while inside a PHP block
echo "sorry username taken!";
echo "<br>";
echo "<a href=\"http://what ever.com\">Go Back Try Again</a>";
echo "<br>";
exit;
}


Also for emails ok

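// preg_match() with the /i flag replaces eregi(), which was removed in PHP 7
if(!preg_match("/^[a-z0-9_]+@[a-z0-9\-]+\.[a-z0-9\-\.]+$/i",$email)) {
echo "sorry not a valid email address";
echo "<br>";
echo "<a href=\"http://what ever.com\">Go Back Try Again</a>";
echo "<br>";

exit;
}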

I thought I'd have a go lol, all the best.

#10 madman

madman
  • New Members
  • Newbie
  • 1 posts

Posted 07 June 2006 - 05:44 AM

Hi Crayon,

I have followed all of your directions but am having a problem. When I fill in a bogus login and pass, it sends me to the authenticate.php page and it is blank. Should I see that as a website viewer? I've checked several times and my login and password for the database are correct, so I don't understand why it just stopped on me. Any ideas? I really appreciate your knowledge of this! I am very new to php!!

Thank you!!



