My Login System


Taakeulv19

This is probably beating a dead horse here but I have had this issue for about 6 months and I need this crap cleared up.

I have been making a website for a school and for the admin only section I have been using MySQL to hold the adminuser info to login.

I used Jpmaster77's login script as inspiration for mine, slowly picking at what he was trying to accomplish for my own needs: good OOP PHP programming and markup following XHTML standards with web standards.  Here is my code and I want to ask for any input to get this thing going because I need a product by May.  Thanks guys for all your help in advance :).

 

FYI I am using XAMPP to test my product.

 

McFatterNews\admin\include\config.php

<?php
//Variables to help the server admin for quick setting changes
$Database = array("server"=>"localhost", "username"=>"root", "password"=>"Password1", "database"=>"mcfatternews");
$SMTP = array("server"=>"", "username"=>"", "password"=>"", "fromName"=>"", "fromEmail"=>"");
?>

 

 

I get this issue from here:

Warning: mysql_connect() [function.mysql-connect]: Access denied for user 'ODBC'@'localhost' (using password: NO) in C:\xampp\htdocs\McFatterNews\admin\include\class.database.php on line 9

Access denied for user 'ODBC'@'localhost' (using password: NO)

McFatterNews\admin\include\class.database.php

<?php
include("config.php");

class Database{

//connection variable
var $connection;

function Database(){
	$connection = mysql_connect($Database["server"], $Database["username"], $Database["password"]) or die(mysql_error());
	mysql_select_db($Database["database"], $conn) or die(mysql_error());
}

function checkPass($user, $pass){
	$q = "SELECT password FROM admin WHERE username = '$user'";
	$result = mysql_query($q, $this->connection);

	if(!$result || mysql_numrows($result) < 1){return 1;}

	$userArray = mysql_fetch_array($result);

	if(md5($pass) == $userArray['password']){return 0;}
	else{return 2;}
}

function checkID($user, $id){
	$q = "SELECT session_id FROM admin WHERE username = '$user'";
	$result = mysql_query($q, $this->connection);

	if(!$result || mysql_numrows($result) < 1){return 1;}

	$userArray = mysql_fetch_array($result);

	if($id == $userArray['session_id']){return 0;}
	else{return 2;}
}

function updateAttr($user, $col, $value){
	$q = "UPDATE admin SET ".$col."='$value' WHERE username='$user'";
	return mysql_query($q, $this->connection);
}

function getAttr($user){
	$q = "SELECT * FROM admin WHERE username = '$user'";
	return mysql_query($q, $this->connection);
}
}
?>

 

McFatterNews\admin\include\class.session.php

<?php
include("class.database.php");

class Session{

function Session(){
	$database = new Database;
	session_start();
}

function checkSession($user, $id){
	if($user != '' && $id != ''){
		if($database->checkID($user, $id) == 0){return 0;}
		else{return 1;}
	}
	else{return 1;}
}

function userLogin($user, $pass){
	if($user != '' && $pass != ''){
		if($database->checkPass($user, $pass) == 0){
			session_start();

			updateAttr($user, "session_id", $this->setID());
			$userArray = mysql_fetch_assoc($database->getAttr($user));

			$_SESSION['username'] = $userArray['username'];
			$_SESSION['id'] = $userArray['session_id'];
			$_SESSION['prefix'] = $userArray['prefix'];
			$_SESSION['first_name'] = $userArray['firstname'];
			$_SESSION['last_name'] = $userArray['lastname'];
			$_SESSION['full_name'] = $userArray['fullname'];
			$_SESSION['email'] = $userArray['email'];
			return 0;
		}
		else{return 2;}
	}
	else{return 1;}
}

function setID(){
	$chars = "abcdefghijklmnopqrstuvwxyz0123456789";
	srand((double)microtime()*1000000);
	$pass = '';

	for($i = 0; $i <= 7; $i++){
		$num = rand() % 35;
		$tmp = substr($chars, $num, 1);
		$pass = $pass.$tmp;
	}
	$pass = md5($pass);

	return $pass;
}
}
?>

 

McFatterNews\admin\index.php

<?php
include("include/class.session.php");
$session = new Session;

//Goto main.php if logged in or go to login.php, to login.

if($session->checkSession() == 0){header("LOCATION:main.php");}
else{header("LOCATION:login.php");}
?>

 

 

I know there is no login code here but my problem is reserved to not being able to connect to MySQL, but I do want to ask how I can put the login script here so that it just reloads the page and reads the script here.  If correct it should go to main.php, if incorrect, returned to an area of login.php giving the named error.

McFatterNews\admin\login.php

<?php
include("include/class.session.php");
$session = new Session;
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>McFatter Tech's Newsletter Webpage</title>
<link href="../stylefile.css" rel="stylesheet" type="text/css" />
</head>
<body>
<div id="container">
	<div id="banner"><img src="../images/logo_banner.png" alt="McFatter Tech's Newsletter Webpage Banner" width="600" height="25" /></div>

	<div id="menu"><ul><li> </li></ul></div>

	<div id="main">
		<div class="catagoryarea">
			<form action="include/login.php" method="post">
			<fieldset>
				<legend>Login</legend>
				<span><label for="username">Username: </label><input type="text" name="username" id="username" class="textinput" /></span>
				<span><label for="password">Password: </label><input type="password" name="password" id="password" class="textinput" /></span>
				<input type="hidden" name="lastPage" value="<?php echo $_SERVER['PHP_SELF'];?>" />
				<span><input type="submit" name="submit" value="Login" class="buttoninput" /></span>
			</fieldset>
			</form>
		</div>
	</div>
</div>
<div id="footer">
	<p>Copyright © 2007 by <em>McFatter Technical Highschool</em>.  All Rights Reserved.</p>
	<p>Tuesday - February 19, 2008</p>
	<p>
		<a href="http://validator.w3.org/check?uri=referer"><img src="http://www.w3.org/Icons/valid-xhtml10-blue" alt="Valid XHTML 1.0 Strict" height="31" width="88" /></a>
		<a href="http://jigsaw.w3.org/css-validator/"><img src="http://www.w3.org/Icons/valid-css-blue" alt="Valid CSS!" height="31" width="88" /></a>
	</p>
</div>
</body>
</html>

 

McFatterNews\admin\main.php

<?php
include("include/class.session.php");
$session = new Session;

if($session->checkSession() == 0){
?>

HTML for main goes here..

<?php
}
else{header("LOCATION:login.php?error=0");}
?>

 

 

Link to comment
https://forums.phpfreaks.com/topic/97792-my-login-system/
Share on other sites
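
An added example, not part of the original post: setID() above seeds rand() from the microsecond clock, and checkID()/checkPass() compare hex strings with ==. The sketch below uses PHP 7's random_bytes() and hash_equals() instead; newSessionToken and checkToken are hypothetical names and the two 0e strings are constructed.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7+.

// Replacement for setID(). The original seed, (double)microtime()*1000000,
// can only take the values 0..999999, and rand() % 35 never selects the
// last character of $chars. Here 128 bits come from the OS CSPRNG.
function newSessionToken(): string
{
    return bin2hex(random_bytes(16));
}

// Replacement for the `$id == $userArray['session_id']` test in checkID().
// Same return codes: 0 = match, 1 = nothing stored, 2 = mismatch.
function checkToken(?string $stored, string $presented): int
{
    if ($stored === null || $stored === '') {
        return 1;
    }
    // hash_equals() compares bytes in constant time and never as numbers.
    return hash_equals($stored, $presented) ? 0 : 2;
}

$token = newSessionToken();
printf("token: %d hex chars\n", strlen($token));
printf("match=%d mismatch=%d none-stored=%d\n",
    checkToken($token, $token),
    checkToken($token, newSessionToken()),
    checkToken(null, $token));

// Constructed strings shaped like md5 output. Both are numeric strings in
// exponent notation, so == compares them as floats although the text differs.
$a = '0e111111111111111111111111111111';
$b = '0e222222222222222222222222222222';
echo 'loose ==     : ', var_export($a == $b, true), "\n";
echo 'hash_equals(): ', var_export(hash_equals($a, $b), true), "\n";
```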

Read up on variable scope. Variables inside functions are in their own scope, and have their own values. So when you call this line:

		$connection = mysql_connect($Database["server"], $Database["username"], $Database["password"]) or die(mysql_error());

$Database isn't actually set to anything.

 

You SHOULD pass the $Database variable as an argument to the constructor, but the easy workaround is to just put:

global $Database;

before the mysql_connect() line.

Link to comment
https://forums.phpfreaks.com/topic/97792-my-login-system/#findComment-500356
Share on other sites
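
The constructor-argument approach recommended in the reply above, as an added example that is not code from the thread. It goes beyond the reply by using PDO with a bound parameter and password_verify() in place of the mysql_* functions (removed in PHP 7.0) and md5(); the 'dsn' key, the pdo() accessor and the sample row are assumptions made so it runs without a MySQL server.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.1+ with PDO
// (pdo_mysql in production, pdo_sqlite for the self-contained demo).
class Database
{
    private $pdo;

    // The config array arrives as an argument, so nothing here depends on a
    // global $Database being visible inside the method.
    public function __construct(array $cfg)
    {
        // 'dsn' is a hypothetical extra key so the demo can run without MySQL.
        $dsn = $cfg['dsn']
            ?? "mysql:host={$cfg['server']};dbname={$cfg['database']};charset=utf8mb4";
        $this->pdo = new PDO($dsn, $cfg['username'], $cfg['password'], [
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        ]);
    }

    public function pdo(): PDO
    {
        return $this->pdo;
    }

    // Return codes as in the thread: 0 = ok, 1 = unknown user, 2 = wrong password.
    public function checkPass(string $user, string $pass): int
    {
        // $user is bound as data, never interpolated into the SQL text.
        $stmt = $this->pdo->prepare('SELECT password FROM admin WHERE username = ?');
        $stmt->execute([$user]);
        $hash = $stmt->fetchColumn();
        if ($hash === false) {
            return 1;
        }
        return password_verify($pass, $hash) ? 0 : 2;
    }
}

// Constructed demo data: in-memory SQLite stands in for the admin table.
$Database = ['dsn' => 'sqlite::memory:', 'username' => null, 'password' => null];
$db = new Database($Database);
$db->pdo()->exec('CREATE TABLE admin (username TEXT PRIMARY KEY, password TEXT)');
$db->pdo()->prepare('INSERT INTO admin VALUES (?, ?)')
   ->execute(['editor', password_hash('correct horse', PASSWORD_DEFAULT)]);

foreach ([['editor', 'correct horse'], ['editor', 'wrong'], ["o'brien", 'x']] as [$u, $p]) {
    printf("%-8s => %d\n", $u, $db->checkPass($u, $p));
}
```

The third lookup uses a username containing a quote character: with a bound parameter it is simply an unknown user rather than a change to the query.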

I tried what you suggested but the same problem still happened. I put in the constructor:

<?php
global $Database;
$connection = mysql_connect($Database["server"], $Database["username"], $Database["password"]) or die(mysql_error());
mysql_select_db($Database["database"], $conn) or die(mysql_error());
?>

 

Are there any other places I need to put this or what?

Link to comment
https://forums.phpfreaks.com/topic/97792-my-login-system/#findComment-500401
Share on other sites

I wouldn't keep it in the SESSION.

 

In looking at your code, I notice that the Database class is very customized, so I would go with another option. Move your include("config.php"); inside the constructor.

 

Also, there are more problems I see already. Update the top of your Database class to be this:

 

<?php
class Database{

//connection variable
var $connection;

function Database(){
	include("config.php");
	$this->connection = mysql_connect($Database["server"], $Database["username"], $Database["password"]) or die(mysql_error());
	mysql_select_db($Database["database"], $this->connection) or die(mysql_error());
}

 

Link to comment
https://forums.phpfreaks.com/topic/97792-my-login-system/#findComment-500413
Share on other sites

Ok from what I see, declaring the include() inside the class makes the config.php file usable in the constructor.

Also, adding $this->connection makes $connection usable within the class.

Still same problems with not noticing the password.

 

I tried with and without global $Database, to no avail.

 

I know PHP developers like to use config files so I know my idea isn't far fetched. 

Is it how the Session class reads it and the scope of variables there and also files that use both these classes?

 

Link to comment
https://forums.phpfreaks.com/topic/97792-my-login-system/#findComment-500432
Share on other sites

I think you need some basic understanding of how classes work. Based on your last post, you would need something like....

 

<?php
class Session{

  var $database;

  function Session(){
    include("class.database.php");
    $this->database = new Database;
    session_start();
  }
}

?>

 

Still, this isn't what I would call tidy OOP code.

Link to comment
https://forums.phpfreaks.com/topic/97792-my-login-system/#findComment-500492
Share on other sites

If you must use global variables, setting the global keyword is a horrible way to do it.

 

Call your variables defined on the global scope within functions/classes using the $GLOBALS superarray.

 

i.e.: echo $GLOBALS['Database']['server'];

 

Even this isn't the best way to do it, because the variables are hard to trace. My preferred method is to use a configuration class... that way if there is an attempt to reference the configuration class and it doesn't exist, a big error is displayed.

 

Also, you can use autoloading ( http://php.net/manual/en/language.oop5.autoload.php ) to help prevent the error from occurring in the first place :D

Link to comment
https://forums.phpfreaks.com/topic/97792-my-login-system/#findComment-500515
Share on other sites
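
The configuration-class idea from the reply above, as an added example that is not code from the thread. Config, load(), get() and connectArgs() are hypothetical names, and the password is a placeholder; the point shown is that a missing or misspelled setting stops execution instead of reaching the connect call as an empty value.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.1+.
final class Config
{
    private static $values = [];

    public static function load(array $values): void
    {
        self::$values = $values;
    }

    // Dotted lookup such as 'Database.server'. A missing key raises an
    // exception rather than yielding a silent null.
    public static function get(string $path)
    {
        $node = self::$values;
        foreach (explode('.', $path) as $key) {
            if (!is_array($node) || !array_key_exists($key, $node)) {
                throw new RuntimeException("Missing config value: $path");
            }
            $node = $node[$key];
        }
        return $node;
    }
}

// Keys as in the thread's config.php; the password is a placeholder.
Config::load(['Database' => [
    'server'   => 'localhost',
    'username' => 'root',
    'password' => 'example-only',
    'database' => 'mcfatternews',
]]);

// Readable from inside any function or method: no global keyword, no $GLOBALS.
function connectArgs(): array
{
    return [Config::get('Database.server'), Config::get('Database.username')];
}
print_r(connectArgs());

try {
    Config::get('Database.usernme'); // constructed typo in the key name
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```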

Archived

This topic is now archived and is closed to further replies.
