multimember access

dbdvd7
Forum Newbie
Posts: 18
Joined: Fri Nov 17, 2006 2:33 pm

Post by dbdvd7 »

I currently have a login form on my website, but I need to have each member go to different sections of my site. What would be the easiest way to accomplish this while still being secure? I am not using .htaccess but PHP. I can successfully get them to the member page but need to redirect them based on the user name. The ext is the extension saved in MySQL that I need to forward them to. Any suggestions? Here's the member.php

Code:

<?

    require('main.php');

    session_start();

    if (!isset($_SESSION['uid'])) {
        $_SESSION['uid'] = $_REQUEST['uid'];
        $_SESSION['pwd'] = $_REQUEST['pwd'];
    }

    $uid = $_SESSION['uid'];
    $pwd = $_SESSION['pwd'];

    db_connect();

    $res = mysql_query("SELECT * FROM users WHERE uid='$uid' AND pwd='$pwd' and status='active'");
    $re  = mysql_fetch_array($res);

    if (mysql_num_rows($res) != 0) {

        echo "<br><b>Logging Into Your Account - - -</b>";

    } else {

        include(INC_DIR."header.php");
        unset($_SESSION['uid']);
        unset($_SESSION['pwd']);

        echo "<br><b>Login Failed</b> Try Again!";
        include(INC_DIR."login.php");

    }

    $result = mysql_query("SELECT * FROM users WHERE uid='$uid' AND pwd='$pwd'");

    while ($row = mysql_fetch_array($result)) {
        echo $row['ext'];
    }

    db_disconnect();

?>
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

Why are you storing the password in a session? Bad idea. In fact, don't invoke his session until he has become authenticated.
"the ext is the extension saved in MySQL that I need to forward them to"
Not quite sure what this means, but I think you're looking for header()

Code:

while($row = mysql_fetch_array($result))
{
   header('Location: http://domain.com/'. $row['ext']);
}
Edit | fixed parse error
Last edited by John Cartwright on Fri Nov 17, 2006 3:45 pm, edited 1 time in total.
dbdvd7
Forum Newbie
Posts: 18
Joined: Fri Nov 17, 2006 2:33 pm

Post by dbdvd7 »

The password is stored on the server, called up in a session. All users are placed on the server by me. I'm rather new to this, is this not safe?
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

Sessions are used to carry information between multiple page requests. You are doing a single page request, so why store their password if you are using it in the same request? In fact, you should never store their password in plain text, be it in a session or in a database. You should hash all your passwords using an encryption (md5, sha1, sha256, sha512) and check against your hashed password with the database password.

Also, I forgot to mention in the last post: when inserting user values into your query, at minimum pass your variable through mysql_real_escape_string() to prevent SQL injection attacks.
dbdvd7
Forum Newbie
Posts: 18
Joined: Fri Nov 17, 2006 2:33 pm

Post by dbdvd7 »

Basically I will have different people logging in to view multiple pages of content. Each user has different content and doesn't need to look at other users' stuff. I will hash passwords once I get this running right and prevent injections. For some reason that header script won't work, it brings up a parse error/syntax error. Any other ideas? Thanks for any feedback.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Jcart's code is missing a closing parenthesis on that line.
evilchris2003
Forum Contributor
Posts: 106
Joined: Sun Nov 12, 2006 6:43 am
Location: Derby, UK

Post by evilchris2003 »

Headers need to be implemented before anything else in a script or they will fail.
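
The points raised in the replies (no password in the session, hashed passwords, no raw user input in the query, headers before output), put together as an added example that is not code from any poster in this thread. It assumes PDO with bound parameters in place of the thread's mysql_* functions, a pwd column holding password_hash() output rather than a bare md5/sha1 digest, and an in-memory SQLite table with constructed users; the table and column names and domain.com come from the posts.

```php
<?php
// Added example, not code from the thread. Assumptions: PDO replaces the old
// mysql_* calls, and users.pwd holds password_hash() output.
// Returns the user's 'ext' on a successful login, or null on any failure.
function authenticate(PDO $db, string $uid, string $pwd): ?string
{
    // Bound parameter: $uid is data and never becomes part of the SQL text.
    $stmt = $db->prepare("SELECT pwd, ext FROM users WHERE uid = ? AND status = 'active'");
    $stmt->execute([$uid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($pwd, $row['pwd'])) {
        return null;
    }
    // Accept only a plain name as the redirect target taken from the database.
    return preg_match('/\A[A-Za-z0-9_-]+\z/', $row['ext']) === 1 ? $row['ext'] : null;
}

// Constructed sample data in an in-memory SQLite database (runs offline).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (uid TEXT PRIMARY KEY, pwd TEXT, status TEXT, ext TEXT)");
$ins = $db->prepare("INSERT INTO users VALUES (?, ?, ?, ?)");
$ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT), 'active', 'alice-area']);
$ins->execute(['bob', password_hash('hunter2', PASSWORD_DEFAULT), 'disabled', 'bob-area']);

if (PHP_SAPI === 'cli') {
    // Command-line run: valid login, wrong password, disabled account, and a
    // uid containing quote characters that the bound parameter keeps inert.
    $tries = [['alice', 'correct horse'], ['alice', 'wrong'], ['bob', 'hunter2'], ["x' OR '1'='1", 'x']];
    foreach ($tries as [$u, $p]) {
        printf("%-14s => %s\n", $u, var_export(authenticate($db, $u, $p), true));
    }
    exit;
}

// Web request: authenticate first, start the session only on success, and
// send the Location header before any output reaches the browser.
$uid = is_string($_POST['uid'] ?? null) ? $_POST['uid'] : '';
$pwd = is_string($_POST['pwd'] ?? null) ? $_POST['pwd'] : '';
$ext = authenticate($db, $uid, $pwd);
if ($ext === null) {
    http_response_code(401);
    exit('Login failed. Try again.');
}
session_start();
session_regenerate_id(true);
$_SESSION['uid'] = $uid; // the password is never placed in the session
header('Location: http://domain.com/' . $ext);
exit;
```

Each member page still has to compare $_SESSION['uid'] against the owner of the content it serves; the redirect alone does not stop one member from requesting another member's URL.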