Login script doesn't work... can someone look this over?
Posted: Fri Mar 17, 2006 10:56 am
by Citizen
Code:
<?php session_start(); ?>
<!-- Content -->
<h1>Log in</h1>
<?php
$dbh=mysql_connect ("localhost", "xxx", "xxx") or die ('I cannot connect to the database because: ' . mysql_error());
mysql_select_db ("xxx");
echo "Connected";
$sql="SELECT * FROM `accounts` WHERE name = '$username' AND passworddb = '$password'";
$result=mysql_query($sql) or die(mysql_error());
$number = mysql_num_rows($result);
if ($number == "1") {
$_SESSION['password'] = '$password';
$_SESSION['username'] = '$username';
?>
<p>
You are logged in as <b><?php echo '$username' ?></b>.
<a href="http://www.">Click here</a> to get started.
<?
}
else {
if($submit) {
$error = "";
?>
<p>Login failed. Please correct your username or password and try again. If you have forgotten your username or password, contact an administrator.</p>
<?php
}
?>
<!-- Form Info -->
<form name="login" method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
<table border="0" cellpadding="0">
<tr>
<td><p>Name:</p></td>
<td><input type="text" name="username" size="20"></td>
</tr>
<tr>
<td><p>Password:</p></td>
<td><input type="password" name="password" size="20"></td>
</tr>
<tr>
<td><input type="submit" value="Log in." name="submit"></td>
</tr>
</table>
</form>
<?php
}
?>
Posted: Fri Mar 17, 2006 11:00 am
by captainpete
Where are the $password and $username variables being assigned?
Don't you need to test to see if the form has been submitted and then use $_POST to assign the variables?
Posted: Fri Mar 17, 2006 11:02 am
by Citizen
The values for the username and password are supposed to come from the form.
Posted: Fri Mar 17, 2006 11:12 am
by captainpete
Citizen wrote: The values for the username and password are supposed to come from the form.
I think you need to add something like this...
Code:
if(isset($_POST['submit'])){
    $username = $_POST['username'];
    $password = $_POST['password'];
    #Code for connecting to the database
}else{
    #Display the form
}
Posted: Fri Mar 17, 2006 11:34 am
by Citizen
Still not working with this code:
Code:
<?php
if(isset($_POST['submit'])){
$username = $_POST['username'];
$password = $_POST['password'];
}
$dbh=mysql_connect ("localhost", "xxx", "xxx") or die ('I cannot connect to the database because: ' . mysql_error());
mysql_select_db ("visitsha_vs1");
echo "Connected";
$sql="SELECT * FROM `accounts` WHERE `name` = '$username' AND `passworddb` = '$password'";
$result=mysql_query($sql) or die(mysql_error());
$number = mysql_num_rows($result);
if ($number == "1") {
$_SESSION['password'] = '$password';
$_SESSION['username'] = '$username';
?>
<p>
You are logged in as <b><?php echo '$username' ?></b>.
<a href="http://www.visitshark.com/start.php">Click here</a> to get started.
<?
}
else {
if($submit) {
$error = "";
?>
<p>Login failed. Please correct your username or password and try again. If you have forgotten your username or password, contact an administrator.</p>
<?php
}
?>
<!-- Form Info -->
<form name="login" method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
<table border="0" cellpadding="0">
<tr>
<td><p>Name:</p></td>
<td><input type="text" name="username" size="20"></td>
</tr>
<tr>
<td><p>Password:</p></td>
<td><input type="password" name="password" size="20"></td>
</tr>
<tr>
<td><input type="submit" value="Log in." name="submit"></td>
</tr>
</table>
</form>
<?php
}
?>
When I log in, it echoes "Logged in as $username" instead of actually showing the username.

Posted: Fri Mar 17, 2006 11:44 am
by pickle
Variables encapsulated in single quotes are not parsed, only those encapsulated in double-quotes. In this case though, you don't need quotes at all. Get rid of them on that line and it should work fine.
Posted: Fri Mar 17, 2006 11:51 am
by Citizen
pickle wrote: Variables encapsulated in single quotes are not parsed, only those encapsulated in double-quotes. In this case though, you don't need quotes at all. Get rid of them on that line and it should work fine.
I'm not sure what you mean. All variables should have double quotes or just when I'm setting the variable?
Posted: Fri Mar 17, 2006 12:00 pm
by pickle
is just as valid, and IMO better than:
I only use double quotes when I'm outputting a string and I don't want to keep jumping in & out. IE:
Code:
echo "My username is $username";
//rather than
echo 'My username is '.$username;
Posted: Fri Mar 17, 2006 12:14 pm
by Citizen
Thanks, it now echoes correctly.
But there's still the problem of passing the variable to the session and calling it later. When I log in and click "click here to continue", it doesn't log in and prompts me to log in again.
The link is
http://visitshark.com/login.php
UN: test1
PW: test1
When you click to continue, the login fails and you have to re-login.
Here is the source:
Login:
Code:
<?php session_start(); ?>
<!-- Content -->
<h1>Log in</h1>
<?php
if(isset($_POST['submit'])){
$username = $_POST['username'];
$password = $_POST['password'];
}
$dbh=mysql_connect ("localhost", "xxx", "xxx") or die ('I cannot connect to the database because: ' . mysql_error());
mysql_select_db ("xxx");
echo "Connected";
$sql="SELECT * FROM `accounts` WHERE `name` = '$username' AND `passworddb` = '$password'";
$result=mysql_query($sql) or die(mysql_error());
$number = mysql_num_rows($result);
if ($number == "1") {
$_SESSION['password'] = '$password';
$_SESSION['username'] = '$username';
?>
<p>
You are logged in as <b><?php echo $username ?></b>.
<a href="http://www.visitshark.com/start.php">Click here</a> to get started.
<?
}
else {
if($submit) {
$error = "";
?>
<p>Login failed. Please correct your username or password and try again. If you have forgotten your username or password, contact an administrator.</p>
<?php
}
?>
<!-- Form Info -->
<form name="login" method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
<table border="0" cellpadding="0">
<tr>
<td><p>Name:</p></td>
<td><input type="text" name="username" size="20"></td>
</tr>
<tr>
<td><p>Password:</p></td>
<td><input type="password" name="password" size="20"></td>
</tr>
<tr>
<td><input type="submit" value="Log in." name="submit"></td>
</tr>
</table>
</form>
<?php
}
?>
The next page that doesn't login correctly:
Code:
<?php session_start(); ?>
<!-- Connect to the database -->
<?php
$dbh=mysql_connect ("localhost", "xxx", "xxx") or die ('I cannot connect to the database because: ' . mysql_error());
mysql_select_db ("xxx");
?>
<!-- Login Session -->
<?php
$username = $_SESSION['username'];
$password = $_SESSION['password'];
$sql="SELECT * FROM `accounts` WHERE name = '$username' AND passworddb = '$password'";
$result=mysql_query($sql);
$number = mysql_num_rows($result);
if ($number == "1") {
$row = mysql_fetch_array($result);
$mypoints = $row["points"];
$mcredits = $row["maxpoints"];
$totalgiven = $row["totalgiven"];
$totalreceived = $row["totalreceived"];
?>
<!-- find random user and website -->
<?php
$sql="SELECT * FROM `accounts` WHERE points > 1 ORDER BY RAND() LIMIT 1";
$result = mysql_query($sql);
$row = mysql_fetch_array($result);
$selaccount = $row["account_id"];
echo '
<table width="100%" height="70" border="0" cellpadding="0" cellspacing="0">
<tr>
<td width="468" height="70" rowspan="4">
<!-- BANNER AND LINK -->
<a href="http://www.visitshark.com/start.php?lastaccount='.$selaccount.'" target="_top">Click Here to Proceed</a>
<!-- /BANNER AND LINK -->
</td>
<td height="60" rowspan="3">2</td>
<td width="200" height="10">Credits: '.$mypoints.'/'.$mcredits.'</td>
</tr>
<tr>
<td width="200" height="10">Total Visits Given: '.$totalgiven.'</td>
</tr>
<tr>
<td width="200" height="10">Total Visits Recieved: '.$totalreceived.'</td>
</tr>
<tr>
<td height="10">6</td>
<td width="200" height="10"><a href="http://www.visitshark.com" target="_top">Back to the Index</a></td>
</tr>
</table>
';
?>
<!-- close login session -->
<?php
}
else {
echo "<p>You must log in to use this part of the site.<br><br>
<p>Click here to <a href='http://www.visitshark.com/login.php'>Log in.</a></p>";
}
?>
<!-- /close login session -->
</body>
</html>
Posted: Fri Mar 17, 2006 12:24 pm
by pickle
- In both pages, call
Code:
echo '<pre>';
print_r($_SESSION);
echo '</pre>';
To see what is actually being stored in the session.
- The password in your db should be encrypted. Run it through a hash like md5() or sha1() to provide at least some level of security.
- You should never store the password anywhere other than the password store. You should create a session id when they first login, then store that in the $_SESSION. On subsequent pages, check if that session exists in a special session_id table, rather than effectively re-authenticating them.
Posted: Fri Mar 17, 2006 1:01 pm
by Citizen
What do I change on my code to make the passwords secure?
Posted: Fri Mar 17, 2006 1:06 pm
by pickle
Just what I said:
Make sure you run the password through md5() or sha1() before you store it in the database. Use that same hash function when the person is logging in. If you store the hashed password in $_SESSION, rather than the plaintext password, it'll be much better.
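The advice in pickle's two posts above (store only a hash of the password, keep the password out of $_SESSION, and check a server-side session record on later pages), as an added example that is not code from any poster in this thread. It uses password_hash()/password_verify() in place of the md5()/sha1() calls named in the post, because fast unsalted hashes are no longer adequate for password storage, and PDO because the mysql_* functions used in the thread were removed in PHP 7. Assumptions: PHP 7.1+, an in-memory SQLite database standing in for the MySQL one, and a hypothetical login_sessions table; the accounts columns are the ones shown in the thread.

```php
<?php
// Added example. login_sessions is a hypothetical table; the sample account is constructed.
session_start();

$pdo = new PDO('sqlite::memory:');   // stand-in for the thread's MySQL database
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE accounts (account_id INTEGER PRIMARY KEY, name TEXT UNIQUE, passworddb TEXT)');
$pdo->exec('CREATE TABLE login_sessions (token_hash TEXT PRIMARY KEY, account_id INTEGER)');

// Registration side: only a salted, slow hash of the password is stored.
$pdo->prepare('INSERT INTO accounts (name, passworddb) VALUES (?, ?)')
    ->execute(['test1', password_hash('test1', PASSWORD_DEFAULT)]);

function log_in(PDO $pdo, string $username, string $password): bool
{
    // Bound parameter: form input never becomes part of the SQL text.
    $stmt = $pdo->prepare('SELECT account_id, passworddb FROM accounts WHERE name = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['passworddb'])) {
        return false;
    }
    session_regenerate_id(true);          // fresh session ID once authenticated
    $token = bin2hex(random_bytes(32));   // the "session id" kept in $_SESSION
    $pdo->prepare('INSERT INTO login_sessions (token_hash, account_id) VALUES (?, ?)')
        ->execute([hash('sha256', $token), $row['account_id']]);
    $_SESSION = ['login_token' => $token];   // no username or password in the session
    return true;
}

function current_account(PDO $pdo): ?array
{
    if (empty($_SESSION['login_token'])) {
        return null;
    }
    // Later pages look the token up instead of re-checking the password.
    $stmt = $pdo->prepare('SELECT a.account_id, a.name FROM login_sessions s
                           JOIN accounts a ON a.account_id = s.account_id
                           WHERE s.token_hash = ?');
    $stmt->execute([hash('sha256', $_SESSION['login_token'])]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

$wrong = log_in($pdo, 'test1', 'wrong-password');   // bad password
$anon  = current_account($pdo);                     // before any successful login
$right = log_in($pdo, 'test1', 'test1');            // correct password
$user  = current_account($pdo);                     // what start.php would look up
var_dump($wrong, $anon, $right, $user, array_keys($_SESSION));
```

All output is held until the end because session_regenerate_id() must run before anything is sent to the client.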
Posted: Fri Mar 17, 2006 1:34 pm
by Citizen
Thanks.
Also, here are the results of printing the session:
Login Page when you first load it:
Login Page after you login:
If I refresh the login page:
Code:
Array
(
[password] => test1
[username] => test1
)
The next page after you login:
Here is the code for each page...
Login Page:
Code:
<?php session_start(); ?>
<?php include('http://www.visitshark.com/php/topheader.php'); ?>
<title>VisitShark - Sharing Visits With Other Webmasters</title>
<meta name="description" content="" />
<?php include('http://www.visitshark.com/php/header.php'); ?>
<?php include('http://www.visitshark.com/php/top.php'); ?>
<!-- Content -->
<h1>Log in</h1>
<?php
echo '<pre>';
print_r($_SESSION);
echo '</pre>';
?>
<?php
if(isset($_POST['submit'])){
$username = $_POST['username'];
$password = $_POST['password'];
}
$dbh=mysql_connect ("localhost", "xxx", "xxx") or die ('I cannot connect to the database because: ' . mysql_error());
mysql_select_db ("xxx");
echo "Connected";
$sql="SELECT * FROM `accounts` WHERE `name` = '$username' AND `passworddb` = '$password'";
$result=mysql_query($sql) or die(mysql_error());
$number = mysql_num_rows($result);
if ($number == "1") {
$_SESSION['password'] = $password;
$_SESSION['username'] = $username;
?>
<p>
You are logged in as <b><?php echo $username ?></b>.
<a href="http://www.visitshark.com/start.php">Click here</a> to get started.
<?
}
else {
if($submit) {
$error = "";
?>
<p>Login failed. Please correct your username or password and try again. If you have forgotten your username or password, contact an administrator.</p>
<?php
}
?>
<!-- Form Info -->
<form name="login" method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
<table border="0" cellpadding="0">
<tr>
<td><p>Name:</p></td>
<td><input type="text" name="username" size="20"></td>
</tr>
<tr>
<td><p>Password:</p></td>
<td><input type="password" name="password" size="20"></td>
</tr>
<tr>
<td><input type="submit" value="Log in." name="submit"></td>
</tr>
</table>
</form>
<?php
}
?>
<!-- /Content -->
<?php include('http://www.visitshark.com/php/bottom.php'); ?>
<?php include('http://www.visitshark.com/php/footer.php'); ?>
The next page:
Code:
<?php session_start(); ?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>VisitShark.com</title>
<meta name="description" content="" />
<style type="text/css">
<!--
body {
margin-left: 5px;
margin-top: 1px;
margin-right: 0px;
margin-bottom: 0px;
}
-->
</style>
</head>
<body>
<?php
echo '<pre>';
print_r($_SESSION);
echo '</pre>';
?>
<!-- Connect to the database -->
<?php
$dbh=mysql_connect ("localhost", "xxx", "xxx") or die ('I cannot connect to the database because: ' . mysql_error());
mysql_select_db ("xxx");
?>
<!-- Login Session -->
<?php
$username = $_SESSION['username'];
$password = $_SESSION['password'];
$sql="SELECT * FROM `accounts` WHERE name = '$username' AND passworddb = '$password'";
$result=mysql_query($sql);
$number = mysql_num_rows($result);
if ($number == "1") {
$row = mysql_fetch_array($result);
$mypoints = $row["points"];
$mcredits = $row["maxpoints"];
$totalgiven = $row["totalgiven"];
$totalreceived = $row["totalreceived"];
?>
<!-- find random user and website -->
<?php
$sql="SELECT * FROM `accounts` WHERE points > 1 ORDER BY RAND() LIMIT 1";
$result = mysql_query($sql);
$row = mysql_fetch_array($result);
$selaccount = $row["account_id"];
echo '
<table width="100%" height="70" border="0" cellpadding="0" cellspacing="0">
<tr>
<td width="468" height="70" rowspan="4">
<!-- BANNER AND LINK -->
<a href="http://www.visitshark.com/start.php?lastaccount='.$selaccount.'" target="_top">Click Here to Proceed</a>
<!-- /BANNER AND LINK -->
</td>
<td height="60" rowspan="3">2</td>
<td width="200" height="10">Credits: '.$mypoints.'/'.$mcredits.'</td>
</tr>
<tr>
<td width="200" height="10">Total Visits Given: '.$totalgiven.'</td>
</tr>
<tr>
<td width="200" height="10">Total Visits Recieved: '.$totalreceived.'</td>
</tr>
<tr>
<td height="10">6</td>
<td width="200" height="10"><a href="http://www.visitshark.com" target="_top">Back to the Index</a></td>
</tr>
</table>
';
?>
<!-- close login session -->
<?php
}
else {
echo "<p>You must log in to use this part of the site.<br><br>
<p>Click here to <a href='http://www.visitshark.com/login.php'>Log in.</a></p>";
}
?>
<!-- /close login session -->
</body>
</html>
Posted: Fri Mar 17, 2006 2:11 pm
by pickle
Sorry, I'm stumped. Maybe there's some php.ini setting you need to set up in order for sessions to work. I have no idea about that though.
Posted: Fri Mar 17, 2006 2:14 pm
by Citizen
Is there another way to do sessions? Basically, all I need it to do is have them log in and have the script remember the username and password from page to page.
Edit: oops. I think it has something to do with the frame that it's on. Both the frame source and the page within the frame use session variables. I'll look into it and post the results.