
PHP login help!

Posted: Mon Mar 12, 2007 12:37 pm
by jamiller
feyd | Please use code tags and [syntax="..."] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: Posting Code in the Forums (http://forums.devnetwork.net/viewtopic.php?t=21171) to learn how to do it too.


Hello all! This is my first post here. Let me also note that I'm very new to PHP but want to learn more because of its integration with Flash. Anyways, on to my question.

So I'm building a login for my website with Flash. In my sql database I have a table with username, password, and most importantly, for this question, page. This value I'm hoping will allow the user to login and be redirected to this predefined page on my site. So for test purposes my value for "page" on the database is "admin.php."

Here is the portion of my code that redirects:

Code: Select all

mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");


$myusername=$_POST['username'];
$mypassword=$_POST['pass'];

$sql="SELECT * FROM $tbl_name WHERE Username='$myusername' and Password='$mypassword'";
$result=mysql_query($sql);


$count=mysql_num_rows($result);

$dbarray = mysql_fetch_array($result);

if($count==1)
{
	session_register("myusername");
	session_register("mypassword");
	if($myusername == "myusername")
	{
		header("location:".$page);
	}
}
else 
{
	header("location:index.php?badlogin=true");
}

***EDIT: Ok, this is the whole thing except for the info to connect to the database***


Right now when I login with the correct credentials I get redirected to "checklogin.php" which is the name of this php page. Any ideas?

Again, I'm new to PHP so if there is any other information you need to help, let me know.

Thanks!



Posted: Mon Mar 12, 2007 12:44 pm
by RobertGonzalez
You are going to have to show more code. Specifically where $page is set. Also, stay away from session_register. You should be using the $_SESSION superglobal array to assign session vars.

But show some more code.

Posted: Mon Mar 12, 2007 12:53 pm
by jamiller
Everah wrote:You are going to have to show more code. Specifically where $page is set. Also, stay away from session_register. You should be using the $_SESSION superglobal array to assign session vars.

But show some more code.
Ok, I edited the post to show all the code. And thanks for the $_SESSION comment. Will do.

Posted: Mon Mar 12, 2007 1:01 pm
by Begby
jamiller wrote: Ok, I edited the post to show all the code.
lies!

Posted: Mon Mar 12, 2007 1:02 pm
by jamiller
Begby wrote:
jamiller wrote: Ok, I edited the post to show all the code.
lies!
??

Posted: Mon Mar 12, 2007 1:03 pm
by Begby
jamiller wrote:
Begby wrote:
jamiller wrote: Ok, I edited the post to show all the code.
lies!
??
You didn't add in the part where you show where $page gets set. :lol:

Posted: Mon Mar 12, 2007 1:04 pm
by feyd
Are the following variables defined?
  • $host
  • $username
  • $password
  • $db_name
  • $tbl_name
  • $page
---

Side notes:
  • Quotes around a variable are rarely required.
  • The following may shed some light if replacing your current mysql_query() call.

    Code: Select all

    mysql_query($sql) or die(mysql_error());
  • Your query is susceptible to SQL injection. At minimum, use mysql_real_escape_string() on $myusername and $mypassword.
  • session_register() shouldn't be used as already said
  • header() based redirection should always use a full URL. Currently, you are using relative ones. This is a standards compliance issue.

Posted: Mon Mar 12, 2007 1:34 pm
by jamiller
feyd wrote:Are the following variables defined?
  • $host
  • $username
  • $password
  • $db_name
  • $tbl_name
  • $page
---

Side notes:
  • Quotes around a variable are rarely required.
  • The following may shed some light if replacing your current mysql_query() call.

    Code: Select all

    mysql_query($sql) or die(mysql_error());
  • Your query is susceptible to SQL injection. At minimum, use mysql_real_escape_string() on $myusername and $mypassword.
  • session_register() shouldn't be used as already said
  • header() based redirection should always use a full URL. Currently, you are using relative ones. This is a standards compliance issue.
Yes those variables are defined. I realized that $page wasn't so I defined it:

Code: Select all

$page = $dbarray['page'];
Still not working tho. Do I have the syntax in the "header" code correct?

Code: Select all

header("location:".$page);
This was all working correctly when I used:

Code: Select all

if($count==1)
{
	session_register("myusername");
	session_register("mypassword");
	if($myusername == "admin")
	{
		header("location:admin.php");
	}
}
else 
{
	header("location:index.php?badlogin=true");
}
I just didn't want to have to enter in every user this way...

Posted: Mon Mar 12, 2007 1:53 pm
by volka
This script looks very much like the one in viewtopic.php?t=64851 . Coincidence?

Posted: Mon Mar 12, 2007 1:57 pm
by jamiller
volka wrote:This script looks very much like the one in viewtopic.php?t=64851 . Coincidence?
lol. I got this code from a php login tutorial. It appears to be the exact same tutorial except he has changed the session to $_SESSION, which I have not yet done, but will.

Posted: Mon Mar 12, 2007 2:02 pm
by volka
In any case this tutorial is outdated and does not care about sql injections.
I suggest looking somewhere else when looking for a tutorial.

Posted: Mon Mar 12, 2007 2:21 pm
by jamiller
volka wrote:In any case this tutorial is outdated and does not care about sql injections.
I suggest looking somewhere else when looking for a tutorial.
Ok. Like I said, I'm very new to PHP. I'm a designer by trade, not a programmer. Got any good links for good tutorials? All PHP looks the same to me at this point. I do want to learn PHP and learn it the right way but I just don't have anything to go on.

Thanks

Posted: Mon Mar 12, 2007 2:36 pm
by jamiller
So I echoed $page and I am getting the right page value from the database. I am doing something wrong in the redirection I believe.

Code: Select all

header("location:"$page);
I'm almost there I can smell it. I realize this may be outdated code and I will correct this to the best of my ability once I get this working.

Posted: Mon Mar 12, 2007 2:39 pm
by RobertGonzalez
It should be:

Code: Select all

<?php
header('Location: http://www.mysite.com/' . $page);
?>
As per HTTP spec, the redirect header should always be a full URI, as feyd mentioned earlier.
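
feyd's side notes (SQL injection, session_register(), full-URL redirects) and the Location fix in this post, combined into one login check. This is an added example, not code from any poster in the thread. It assumes PDO with the SQLite driver for a self-contained demo, a hypothetical table name `members`, passwords stored with password_hash() (the thread's table compares them as plain text), and constructed sample rows.

```php
<?php
// Added example, not the poster's code. Columns follow the thread
// (Username, Password, page); the table name "members", BASE_URL and
// the sample row are constructed for the demo.
const BASE_URL = 'http://www.mysite.com/';

// Returns the absolute URL to redirect to, or the bad-login URL.
function login_redirect(PDO $db, string $user, string $pass): string
{
    $bad = BASE_URL . 'index.php?badlogin=true';

    // Placeholders keep user input out of the SQL text entirely.
    $stmt = $db->prepare('SELECT Username, Password, page FROM members WHERE Username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Compare against a stored hash instead of matching the password in SQL.
    if ($row === false || !password_verify($pass, $row['Password'])) {
        return $bad;
    }
    // The page value comes from the database; accept only a plain file name
    // so a bad row cannot point the redirect at another host or path.
    if (!preg_match('/^[A-Za-z0-9_-]+\.php$/', $row['page'])) {
        return $bad;
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);                 // fresh session id after login
        $_SESSION['myusername'] = $row['Username'];  // replaces session_register()
    }
    return BASE_URL . $row['page'];
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (Username TEXT, Password TEXT, page TEXT)');
$db->prepare('INSERT INTO members VALUES (?, ?, ?)')
   ->execute(['admin', password_hash('s3cret', PASSWORD_DEFAULT), 'admin.php']);

// Correct login, wrong password, and a username containing a quote character.
foreach ([['admin', 's3cret'], ['admin', 'wrong'], ["o'neil", 'x']] as [$u, $p]) {
    echo login_redirect($db, $u, $p), PHP_EOL;
}
// In checklogin.php itself: call session_start() first, then
// header('Location: ' . login_redirect($db, $_POST['username'], $_POST['pass'])); exit;
```

header() only works if no output has been sent before it, and the script should exit right after sending the Location header.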

Posted: Mon Mar 12, 2007 2:47 pm
by jamiller
Everah wrote:It should be:

Code: Select all

<?php
header('Location: http://www.mysite.com/' . $page);
?>
As per HTTP spec, the redirect header should always be a full URI, as feyd mentioned earlier.
I'm guessing this is a lost cause. I've done what you said with the full url and still no luck. I just can't figure out how the echo is returning the correct values but my redirect isn't working.

Thanks anyways