session handling code


camhabib
Forum Commoner
Posts: 37
Joined: Tue Aug 16, 2005 8:36 pm
Location: Boston, MA

session handling code

Post by camhabib »

I'm trying to create a secure part of a website using cookies. I have created a login page which brings up an html page. At the top of that html page, and every page that I want secure, there is a link to run this script like

Code: Select all

<?php
include "login.php";
?>
The only problem is that even if you use the wrong username and password the page still comes up as normal. I want to make it so that only people that I manually add through the phpmyadmin can access and view pages with that include statement on it. Any suggestions?

"login.php":

Code: Select all

<?php

session_start();

if (! isset($_session['name'])) {
if (isset ($_post['username']))
{

$username = $_post['username'];
$password = $_post['password'];

$username="abc";
$password="abc";
$database="mysql";
mysql_pconnect($database,$username,$password);
@mysql_select_db($databse) or die("Unable to connect to database. Please contact the webmaster for further assistance.");

$query = "SELECT FROM user_handle.user WHERE username='$username' AND password='$password'";
$result = mysql_query($query);

if (mysql_numrows($result) == 1)
{
echo "Sorry but you are not authorized to view this page";
}
}
else {
include "admin.html";
}
}
else {
}
?>
Charles256
DevNet Resident
Posts: 1375
Joined: Fri Sep 16, 2005 9:06 pm

Post by Charles256 »

ermm..wouldn't the number of results equaling one be a good thing????
camhabib
Forum Commoner
Posts: 37
Joined: Tue Aug 16, 2005 8:36 pm
Location: Boston, MA

Post by camhabib »

Yes, I believe you're right on that one, it should be a "!=", however, when I type in the right password using that code it should give me that echo, but it doesn't. I definitely think I'm missing something in that script.
redmonkey
Forum Regular
Posts: 836
Joined: Thu Dec 18, 2003 3:58 pm

Post by redmonkey »

Code: Select all

$username = $_post['username'];
$password = $_post['password'];

Code: Select all

$username="abc";
$password="abc";
Seems you end up checking to see if anyone is using the database username and password.
Charles256
DevNet Resident
Posts: 1375
Joined: Fri Sep 16, 2005 9:06 pm

Post by Charles256 »

No it shouldn't. Unless you got someone in the database with username abc and password abc it should go to the else :-D because whatever is written into username and pass from the post is overwritten by your assignment to abc abc.
camhabib
Forum Commoner
Posts: 37
Joined: Tue Aug 16, 2005 8:36 pm
Location: Boston, MA

Post by camhabib »

Wow, looks like I forgot to change the two variables to something different. Here is the updated script, which still will not block anyone out:

Code: Select all

<?php

session_start();

if (! isset($_session['name'])) {
if (isset ($_post['username']))
{

$person = $_post['username'];
$pwd = $_post['password'];

$username="abc";
$password="abc";
$database="mysql";
mysql_pconnect($database,$username,$password);
@mysql_select_db($databse) or die("Unable to connect to database. Please contact the webmaster for further assistance.");

$query = "SELECT FROM user_handle.user WHERE username='$person' AND password='$pwd'";
$result = mysql_query($query);

if (mysql_numrows($result) != 1)
{
echo "Sorry but you are not authorized to view this page";
}
}
else {
include "admin.html";
}
}
else {
}
?>
mickd
Forum Contributor
Posts: 397
Joined: Tue Jun 21, 2005 9:05 am
Location: Australia

Post by mickd »

Code: Select all

"SELECT FROM user_handle.user WHERE username='$person' AND password='$pwd'";
should be

Code: Select all

"SELECT user_handle FROM user WHERE username='$person' AND password='$pwd'";
or something like that
Charles256
DevNet Resident
Posts: 1375
Joined: Fri Sep 16, 2005 9:06 pm

Post by Charles256 »

change ..

Code: Select all

if (mysql_numrows($result) != 1)
{
echo "Sorry but you are not authorized to view this page";
}
}
else {
include "admin.html";
}
to..

Code: Select all

if (mysql_num_rows($result) == 1)
{
include ("admin.html");
}
else
{
echo ("Sorry but you are not authorize to view this page.");
}
you had a typo on mysql_num_rows :-D
edit: and what the guy above me said.

ONE LAST EDIT: $_post DOES NOT EQUAL $_POST. :-D
camhabib
Forum Commoner
Posts: 37
Joined: Tue Aug 16, 2005 8:36 pm
Location: Boston, MA

Post by camhabib »

Alright, so, this is the code as it stands now:

Code: Select all

<?php

session_start();

if (! isset($_SESSION['name'])) {
if (isset ($_POST['username']))
{

$person = $_POST['username'];
$pwd = $_POST['password'];

$username="abc";
$password="abc";
$database="mysql";
mysql_pconnect($database,$username,$password);
@mysql_select_db($databse) or die("Unable to connect to database. Please contact the webmaster for further assistance.");

$query = "SELECT name FROM user_handle.user WHERE username='$person' AND password='$pwd'";
$result = mysql_query($query);

if (mysql_num_rows($result) == 1) 
{ 
include ("admin.html"); 
} 
else 
{ 
echo ("Sorry but you are not authorize to view this page."); 
} 
}
?>
The link to this code on the html page is

Code: Select all

<?php 
require("login.php");
?>
The login screen comes up but now no matter what you type in, the correct password or username, it comes up with a blank screen.
Last edited by camhabib on Sat Oct 08, 2005 7:58 pm, edited 1 time in total.
Charles256
DevNet Resident
Posts: 1375
Joined: Fri Sep 16, 2005 9:06 pm

Post by Charles256 »

read the last edit on my above post..try changing that first..
camhabib
Forum Commoner
Posts: 37
Joined: Tue Aug 16, 2005 8:36 pm
Location: Boston, MA

Post by camhabib »

Changed it and still nothing. How do I know if it's actually creating a cookie or not? I also set the SID myself and didn't let the computer set it. As it stands the password is "test" username is "test" and the SID is "test".
Charles256
DevNet Resident
Posts: 1375
Joined: Fri Sep 16, 2005 9:06 pm

Post by Charles256 »

another error..holy hell man....we gotta get you a beginning PHP book :-D I'm just copying my connect and select DB code..compare to yours..

Code: Select all

$dbhost= 'localhost';
$dbuser= 'user';
$dbpass= 'pass';

$conn= mysql_connect($dbhost,$dbuser,$dbpass) or die ('Error connecting to the database.');

$dbname='database';
mysql_select_db($dbname);
see the errors in yours?
camhabib
Forum Commoner
Posts: 37
Joined: Tue Aug 16, 2005 8:36 pm
Location: Boston, MA

Post by camhabib »

Shoot, sad thing is I already went through the beginners book. Still doesn't want to work though, that white screen is killing me.
mickd
Forum Contributor
Posts: 397
Joined: Tue Jun 21, 2005 9:05 am
Location: Australia

Post by mickd »

I think you're missing a closing } for the first or second if statement.
camhabib
Forum Commoner
Posts: 37
Joined: Tue Aug 16, 2005 8:36 pm
Location: Boston, MA

Post by camhabib »

mickd wrote: I think you're missing a closing } for the first or second if statement.
Yep, once again another error. Code in its current revision:

Code: Select all

<?php

session_start();

if (! isset($_SESSION['name'])) {
if (isset ($_POST['username']))
{

$person = $_POST['username'];
$pwd = $_POST['password'];

$username="abc";
$password="abc";
$database="mysql";
mysql_connect($database,$username,$password);
@mysql_select_db($databse) or die("Unable to connect to database. Please contact the webmaster for further assistance.");

$query = "SELECT name FROM user_handle.user WHERE username='$person' AND password='$pwd'";
$result = mysql_query($query);

if (mysql_num_rows($result) == 1) 
{ 
include ("admin.html"); 
} 
} else 
{ 
echo ("Sorry but you are not authorize to view this page."); 
} 
}

?>
White screen is no more but now it just displays the "Sorry but you are not authorize to view this page." no matter correct or incorrect password.
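
A hardened take on the `login.php` gate discussed in this thread, as an added example that is not any poster's code: it uses PDO with a bound parameter instead of the `mysql_*` functions (removed in PHP 7.0), compares against a stored password hash, sets `$_SESSION['name']` on success and stops the script on failure so the protected page is never sent. The `user` table layout (`username`, `name`, `password_hash`) and the in-memory SQLite demo data are assumptions.

```php
<?php
declare(strict_types=1);
// Added example (not from the thread). Assumed schema: user(username, name, password_hash).

/** Return the display name when the credentials match, otherwise null. */
function authenticate(PDO $db, string $username, string $password): ?string
{
    // Bound parameter: the submitted username never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT name, password_hash FROM user WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Only a hash is stored; password_verify() checks the submitted password against it.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return $row['name'];
}

/** Gate for protected pages: returns only when the session is authenticated. */
function require_login(PDO $db): void
{
    session_start();
    if (isset($_SESSION['name'])) {
        return; // already logged in
    }
    $u = $_POST['username'] ?? '';
    $p = $_POST['password'] ?? '';
    // Reject array-valued fields (username[]=...) instead of passing them on.
    $name = (is_string($u) && is_string($p)) ? authenticate($db, $u, $p) : null;
    if ($name === null) {
        http_response_code(403);
        exit('Sorry, but you are not authorized to view this page.'); // nothing after the include is sent
    }
    session_regenerate_id(true); // fresh session ID once the user is authenticated
    $_SESSION['name'] = $name;   // the flag the isset() check above looks for
}

// Constructed demo on in-memory SQLite so the credential check runs without a server.
if (PHP_SAPI === 'cli') {
    $db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $db->exec('CREATE TABLE user (username TEXT PRIMARY KEY, name TEXT, password_hash TEXT)');
    $db->prepare('INSERT INTO user VALUES (?, ?, ?)')
       ->execute(['test', 'Test User', password_hash('test', PASSWORD_DEFAULT)]);
    var_dump(authenticate($db, 'test', 'test'));    // valid credentials
    var_dump(authenticate($db, 'test', 'wrong'));   // wrong password
    var_dump(authenticate($db, "o'brien", 'test')); // quote in the username stays plain data
}
```

A protected page would call `require_login($db)` before emitting any output, since `session_start()` and `http_response_code()` both need to run before the response headers are sent.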