Form Checking - Database

nite4000
Forum Contributor
Posts: 209
Joined: Sun Apr 12, 2009 11:31 am

Form Checking - Database

Post by nite4000 »

Hey all

I need some help with my code. I need to have it do a couple of things when they try to log in.

I am going to copy the code I currently have.

Code: Select all

if($error != TRUE) {
//look for user and pass
      $r = mysql_query("SELECT * FROM members WHERE username='$user' AND password='$pass' AND login_ip='".$_SERVER['REMOTE_ADDR']."' AND status='Active' LIMIT 1") or error_out("Unable to process login; please try again later.");
		

		
if(@mysql_num_rows($r) > 0) {
        $row = mysql_fetch_array($r, MYSQL_ASSOC);
        $_SESSION['admin_id'] = $row['id'];
		 $_SESSION['admin_acctno'] = $row['acct_num'];
        $_SESSION['admin_user'] = $row['username'];
        $_SESSION['admin_pass'] = $row['password'];
	    $date_login = escape_data(date('Y-m-d H:i:s'), $dbc);
        $ip_login = escape_data($_SERVER['REMOTE_ADDR'], $dbc);
   
   

	//update ip upon login
	    @mysql_query("UPDATE members SET login_ip='$ip_login', last_logged='$date_login' WHERE id='{$row['id']}' LIMIT 1");
		$LOGIN = TRUE;
        unset($row);
      } else {
	
	    $error = TRUE;
        $error_msg .= 'Oops! You have either enter an incorrect username or password or your account has been suspened!';
         
	   }
	 
	   

	      header("Location: verification.php");

    }
		}

Here are the things I need to do:

Check for user and pass to see if it exists. If it does not exist, or if the user and/or pass is wrong, then show a msg on the login form.
Check to see if account status is Active. If it's suspended then show a msg on the login form.
When they try to log in, have it check the IP address they are logging in from against the Banned_ips table. If it's in the table, show a msg on the login form.
I need it to check the IP they are logging in from against the Ip_address field in the members table, and if they are different send them to verification.php, otherwise allow the login.


I hope someone can help. I know my code isn't the best but I can fix it once I see how to do it.
Neilos
Forum Contributor
Posts: 179
Joined: Fri Nov 19, 2010 2:07 am

Re: Form Checking - Database

Post by Neilos »

PHP runs server side, so you will only be able to show info if the page is refreshed. If this is the case, then you can use your session to store strings and, on the form, have if statements to display the info if it is redirected from the page where your script is running.

If you want it to update as the user is inputting you can use AJAX or similar.
nite4000
Forum Contributor
Posts: 209
Joined: Sun Apr 12, 2009 11:31 am

Re: Form Checking - Database

Post by nite4000 »

I want the msgs to appear after they press the login button. I apologize for the mess-up.
Neilos
Forum Contributor
Posts: 179
Joined: Fri Nov 19, 2010 2:07 am

Re: Form Checking - Database

Post by Neilos »

If your form resides on a page called say;

login_form.php

Make the action of the form call;

login.php

In login.php retrieve the variables from the database, set string variables for each possible error and assign strings for each error (leaving variables set to NULL for unassigned ones). It may be a good idea to set all to null at the start. Then if login fails, redirect to the login form.

Place if statements under each part of the form that represent possible errors for that input then use;

Code: Select all

// Show the message only when login.php stored one in the session
if (isset($_SESSION['error1'])) {
    echo $_SESSION['error1'];
}
That way when no errors are set, ie the first time they visit, no errors will be shown.

But if they login and get errors then errors will be shown for the parts that generated those errors.

If login succeeds then you redirect to the members area etc...

Users will never see login.php so it will look like the errors just appeared on that page.

Would this work for you?
Celauran
Moderator
Posts: 6427
Joined: Tue Nov 09, 2010 2:39 pm
Location: Montreal, Canada

Re: Form Checking - Database

Post by Celauran »

Does this look about like what you're trying to accomplish?

Code: Select all

/**
 * Don't make the query too restrictive.  If this doesn't return anything, you
 * know it's due to either an incorrect username or password.  Add status and IP
 * conditions into the query and you won't know why it returned no rows.  This 
 * is sufficient to fulfil your first criteria.
 */
$sql = "SELECT * FROM members WHERE username = '$user' AND password = '$password'";
$r = mysql_query($sql);

if (mysql_num_rows($r) > 0)
{
    /**
     * Now that we know username and password were correct, we can worry about
     * their account status.  This satisfies your second criteria.
     */
    $account = mysql_fetch_assoc($r);
    if ($account['status'] != 'Active')
    {
        $error = true;
        $error_msg = "Oops!  This account isn't active.  Please contact an administrator";
    }
    
    /**
     * Now we need another query to check if they're in the banned IP list to 
     * satisfy your third criteria.
     */
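    $sql = "SELECT COUNT(*) FROM banned_ip_table WHERE ip = '{$_SERVER['REMOTE_ADDR']}'";
    $res = mysql_query($sql);
    // COUNT(*) always returns exactly one row, so test the count itself
    // rather than the number of rows.
    if (mysql_result($res, 0) > 0)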
    {
        $error = true;
        $error_msg = "That IP address has been banned.  Please contact an administrator.";
        // Do anything else you need to do.
    }
    
    /**
     * Finally, we want to check if the address they're logging in from matches
     * what's in the members table to satisfy your last criteria.
     */
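    // Only send them to verification when no earlier check failed.
    if (empty($error) && $account['login_ip'] != $_SERVER['REMOTE_ADDR'])
    {
        header("Location: verification.php");
        exit; // header() does not stop the script by itself
    }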
}
// Username or password were wrong.  Display error.
else
{
    $error = true;
    $error_msg = "Oops!  Invalid username/password combination.";
}
Neilos
Forum Contributor
Posts: 179
Joined: Fri Nov 19, 2010 2:07 am

Re: Form Checking - Database

Post by Neilos »

Using the above example

login_form.php

Code: Select all

<?php session_start(); // must run before any output so $_SESSION can be read ?>
<form name="login" action="login.php" method="post">
Username: <input type="text" name="username" />
Password: <input type="password" name="password" />
<?php
// Invalid username/password message
if (isset($_SESSION['error_msg3'])) {
    echo $_SESSION['error_msg3'];
}
?>
<input type="submit" value="Login" />
<?php
// Inactive account message
if (isset($_SESSION['error_msg1'])) {
    echo $_SESSION['error_msg1'];
}
// Banned IP message
if (isset($_SESSION['error_msg2'])) {
    echo $_SESSION['error_msg2'];
}
?>
</form>
login.php

Code: Select all

session_start(); // required before writing to $_SESSION

// $user and $password must already be escaped before they reach this query.
$sql = "SELECT * FROM members WHERE username = '$user' AND password = '$password'";
$r = mysql_query($sql);

if (mysql_num_rows($r) > 0)
{
    //Username and Password matched
    $account = mysql_fetch_assoc($r);
    if ($account['status'] != 'Active')
    {
        $error_msg1 = "Oops!  This account isn't active.  Please contact an administrator";
        $_SESSION['error_msg1'] = $error_msg1;
        header("Location: login_form.php");
        exit; // header() does not stop the script; without exit a later redirect would override this one
    }
    
    $sql = "SELECT COUNT(*) FROM banned_ip_table WHERE ip = '{$_SERVER['REMOTE_ADDR']}'";
    $res = mysql_query($sql);
    // COUNT(*) always returns exactly one row, so read the count itself
    $banned = mysql_result($res, 0) > 0;
    if ($banned)
    {
        $error_msg2 = "That IP address has been banned.  Please contact an administrator.";
        $_SESSION['error_msg2'] = $error_msg2;
        // Do anything else you need to do.
        header("Location: login_form.php");
        exit;
    }
    
    if ($account['login_ip'] != $_SERVER['REMOTE_ADDR'])
    {
        header("Location: verification.php");
        exit;
    }

    if (($account['status'] == 'Active') && ($account['login_ip'] == $_SERVER['REMOTE_ADDR']) && !$banned)
    {
        //login successful
        // Do anything else you need to do.
        header("Location: members.php");
        exit;
    }

}
// Username or password were wrong.  Display error.
else
{
    $error_msg3 = "Oops!  Invalid username/password combination.";
    $_SESSION['error_msg3'] = $error_msg3;
    header("Location: login_form.php");
    exit;
}
something like that.
Neilos
Forum Contributor
Posts: 179
Joined: Fri Nov 19, 2010 2:07 am

Re: Form Checking - Database

Post by Neilos »

Just a note, it could be inefficient to go delving into the database too often. Try getting all needed values for the row that matches just the user, then use if() statements to check the db password etc... against the submitted one, that way you'll only go to the db once and will know what fails and why.

Remember to hash passwords and escape strings too :wink:
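The last suggestion in the thread (fetch the row by username in one trip, compare in PHP, hash passwords, keep input out of the SQL string), as an added example that is not part of the original posts. It assumes PHP 7.4+ with pdo_sqlite; `check_login` and its return labels are hypothetical names, PDO stands in for the mysql_* extension (removed in PHP 7), and the sample rows are constructed.

```php
<?php
// Added example, not code from the thread. Table and column names follow the
// posts above; the in-memory SQLite database and its rows are constructed.
function check_login(PDO $db, string $user, string $pass, string $ip): string
{
    // One round trip: member row plus banned-IP flag, using bound parameters.
    $stmt = $db->prepare(
        'SELECT password, status, login_ip,
                EXISTS (SELECT 1 FROM banned_ip_table WHERE ip = :ip) AS banned
           FROM members WHERE username = :user LIMIT 1'
    );
    $stmt->execute([':ip' => $ip, ':user' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Unknown user: still verify against a dummy hash so both paths do similar
    // work, and reveal nothing about the account until the password is proven.
    static $dummy = null;
    $dummy ??= password_hash('placeholder', PASSWORD_DEFAULT);
    $valid = password_verify($pass, $row ? $row['password'] : $dummy);
    if (!$row || !$valid) {
        return 'bad_credentials';
    }
    if ($row['banned']) {
        return 'banned_ip';
    }
    if ($row['status'] !== 'Active') {
        return 'inactive';
    }
    return $row['login_ip'] === $ip ? 'ok' : 'verify_ip';
}

// Constructed sample data; the password column holds a password_hash() value.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, username TEXT UNIQUE,
           password TEXT, status TEXT, login_ip TEXT)');
$db->exec('CREATE TABLE banned_ip_table (ip TEXT PRIMARY KEY)');
$db->exec("INSERT INTO banned_ip_table VALUES ('203.0.113.9')");
$add = $db->prepare('INSERT INTO members (username, password, status, login_ip)
                     VALUES (?, ?, ?, ?)');
$add->execute(['alice', password_hash('s3cret', PASSWORD_DEFAULT), 'Active', '198.51.100.7']);
$add->execute(['bob', password_hash('hunter2', PASSWORD_DEFAULT), 'Suspended', '198.51.100.8']);

foreach ([['alice', 's3cret', '198.51.100.7'], ['alice', 's3cret', '198.51.100.20'],
          ['alice', 'wrong', '198.51.100.7'], ['alice', 's3cret', '203.0.113.9'],
          ['bob', 'hunter2', '198.51.100.8'], ['mallory', 'x', '198.51.100.7']] as [$u, $p, $ip]) {
    printf("%-8s %-14s => %s\n", $u, $ip, check_login($db, $u, $p, $ip));
}
```

In login.php each returned label would map to one session message or redirect, with `exit` after every `header()` call.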