multimember access

Posted: Fri Nov 17, 2006 2:43 pm
by dbdvd7
I currently have a login form on my website, but I need to have each member go to different sections of my site. What would be the easiest way to accomplish this while still being secure? I am not using .htaccess but PHP. I can successfully get them to the member page but need to redirect them based on the user name. The ext is the extension saved in MySQL that I need to forward them to. Any suggestions? Here's the member.php:

<?php

    require('main.php');

    session_start();

    // First request: take the credentials from the login form and keep them in the session
    if (!isset($_SESSION['uid'])) {
        $_SESSION['uid'] = $_REQUEST['uid'];
        $_SESSION['pwd'] = $_REQUEST['pwd'];
    }

    $uid = $_SESSION['uid'];
    $pwd = $_SESSION['pwd'];

    db_connect();

    // Look up an active user matching the submitted credentials
    $res = mysql_query("SELECT * FROM users WHERE uid='$uid' AND pwd='$pwd' AND status='active'");
    $re  = mysql_fetch_array($res);

    if (mysql_num_rows($res) != 0) {

        echo "<br><b>Logging Into Your Account - - -</b>";

    } else {

        include(INC_DIR."header.php");
        unset($_SESSION['uid']);
        unset($_SESSION['pwd']);

        echo "<br><b>Login Failed</b> Try Again!";
        include(INC_DIR."login.php");

        // Stop here so the lookup below does not run after a failed login
        db_disconnect();
        exit;
    }

    // Fetch the member's section (ext) so they can be sent there
    $result = mysql_query("SELECT * FROM users WHERE uid='$uid' AND pwd='$pwd'");

    while ($row = mysql_fetch_array($result)) {
        echo $row['ext'];
    }

    db_disconnect();

?>

Posted: Fri Nov 17, 2006 2:47 pm
by John Cartwright
Why are you storing the password in a session? Bad idea. In fact, don't invoke his session until he has become authenticated.
"the ext is the extension saved in MySQL that I need to forward them to"
Not quite sure what this means, but I think you're looking for header():

while ($row = mysql_fetch_array($result)) {
    header('Location: http://domain.com/' . $row['ext']);
    exit; // stop the script once the redirect has been sent
}
Edit: fixed parse error

Posted: Fri Nov 17, 2006 2:54 pm
by dbdvd7
The password is stored on the server, called up in a session. All users are placed on the server by me. I'm rather new to this; is this not safe?

Posted: Fri Nov 17, 2006 2:57 pm
by John Cartwright
Sessions are used to carry information between multiple page requests. You are doing a single page request, so why store their password if you are using it in the same request? In fact, you should never store their password in plain text, be it in a session or in a database. You should hash all your passwords using an encryption (md5, sha1, sha256, sha512) and check against your hashed password with the database password.

Also, I forgot to mention in the last post: when inserting user values into your query, at minimum pass your variable through mysql_real_escape_string() to prevent SQL injection attacks.

Posted: Fri Nov 17, 2006 3:30 pm
by dbdvd7
Basically I will have different people logging in to view multiple pages of content. Each user has different content and doesn't need to look at other users' stuff. I will hash passwords once I get this running right and prevent injections. For some reason that header script won't work; it brings up a parse error / syntax error. Any other ideas? Thanks for any feedback.

Posted: Fri Nov 17, 2006 3:35 pm
by feyd
Jcart's code is missing a closing parenthesis on that line.

Posted: Fri Nov 17, 2006 6:49 pm
by evilchris2003
Headers need to be implemented before anything else in a script or they will fail.
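The advice from John Cartwright's replies (hash passwords, never build SQL from raw input, create the session only after authentication, redirect with header()) and evilchris2003's point about sending headers before any output, combined into one member.php. This is an added example, not code from the thread; it assumes a PDO connection with placeholder credentials, a users table with columns uid, pwd_hash, status and ext, and swaps the thread's mysql_* and md5 suggestions for PDO prepared statements and password_hash()/password_verify().

```php
<?php
// Added example, not the thread's code. Assumptions: PDO DSN/credentials below are
// placeholders; `users` has columns uid, pwd_hash, status, ext; the login form
// POSTs uid and pwd; pwd_hash was stored with password_hash($plain, PASSWORD_DEFAULT).
// Nothing may be echoed before header() on the success path, so main.php and
// this file must not emit output first.
require 'main.php';

$pdo = new PDO('mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
               'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER',
               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

$uid = $_POST['uid'] ?? '';
$pwd = $_POST['pwd'] ?? '';

// Prepared statement: the user's input is bound as a value, never spliced into SQL,
// which removes the injection that string interpolation allows.
$stmt = $pdo->prepare(
    'SELECT pwd_hash, ext FROM users WHERE uid = :uid AND status = :status'
);
$stmt->execute([':uid' => $uid, ':status' => 'active']);
$user = $stmt->fetch(PDO::FETCH_ASSOC);

// Compare against the stored hash; the plain-text password is used once, here,
// and is never written to the session or the database.
if ($user === false || !password_verify($pwd, $user['pwd_hash'])) {
    // Fail closed: no session exists for an unauthenticated visitor.
    include INC_DIR . 'header.php';
    echo '<br><b>Login Failed</b> Try Again!';
    include INC_DIR . 'login.php';
    exit;
}

// Start the session only after authentication, and store the identity only.
session_start();
session_regenerate_id(true);   // fresh session id so a pre-login id is not reused
$_SESSION['uid'] = $uid;

// ext comes from the database row (set by the site owner), not from the request,
// and is appended to this site's own base URL so the redirect stays on-site.
// header() runs before any output, and exit stops the rest of the script.
header('Location: https://example.com/' . $user['ext']);
exit;
```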