Members Area

Posted: Fri Apr 06, 2007 7:47 pm
by enemeth
Hi there all!

I got a website that users log into, I have made the pages that are displayed before log in, and have the pages all set up also for after they log in!

The problem is that if you have the path http://www.mysite.com/members/signedin for example, you can get to it by just typing this link, even if you are logged in or out!

How do I get it to display a page to log in if someone just types this link? I guess what I need is the ability to check each person who gets to these pages if they are logged in or not?

Does this make any sense! lol

Thank you,

Elaine

Posted: Fri Apr 06, 2007 8:04 pm
by Christopher
Typically you would save one or more values in the session when they have successfully logged in. Then on each "members" page you would check to see if the right values were set in the session before displaying the page. If the values were not found or not right, then the page would redirect to the log-in page.

Posted: Fri Apr 06, 2007 8:05 pm
by dantleech
I guess an easy way to do this would be with a check_login() function:

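<?php
  // Call after session_start(); stops the page unless the login flag is set.
  function check_login()
  {
    // !empty() avoids an "undefined index" notice when nobody has logged in yet
    if (!empty($_SESSION['logged_in']))
      return;
    else
      die('Sorry, you have to be logged in to access this page. <a href="your_login_url">click here to login</a>');
  }
?>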
This assumes that when you log your users in you set $_SESSION['logged_in'] = true;

The top of your restricted pages would then typically look like this:

<?php
  include ('file_with_check_login_function_in_it.php');
  check_login();

  // your code
  // ...
?>

Posted: Fri Apr 06, 2007 8:25 pm
by enemeth
Well, I thank you :)

I think that is wonderful and will work great, testing it tomorrow at work!

If I run into any issues I shall log in from work!

Thank you very much again ;)

Elaine

Posted: Sat Apr 07, 2007 8:49 am
by enemeth
Where do I place the function check_login()?

And I do not have it set as you stated: $_SESSION['logged_in'] = true;

Should I just add that into my checkuser.php file I have that verifies the users when they log in?

And do I change the logged_in to username? Which is what we basically go by on the site?

Elaine

Posted: Sat Apr 07, 2007 9:10 am
by acpbrian
I normally create 2 files for all my pages: a config.php and a common.php. Between the 2 they have db credentials and commonly used functions that can be called from any page. So you would put the check login function in your common.php file, per se. Include config.php and common.php for all pages that you create on line #1 and #2. You can even initialize the session and define session variables from within common.php; that way, if you need to do headers or anything, you can be sure that there has not been any output. As far as logging in the user, I normally pull a unique identification number from the db that was assigned to the user upon signup. I assign that to $_SESSION['uid'] and go from there. That way you can check logged in with something like this.

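<?php
  // Stops the page unless a user id was stored in the session at login.
  function check_login(){
    // The superglobal is $_SESSION; variable names are case-sensitive in PHP
    if (isset($_SESSION['uid']) && $_SESSION['uid'] != "")
      return;
    else
      die("sorry, please login.");
  }
?>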
In addition to being able to see if the user is logged in, you can also identify the user in your database and pull information from the data that is specific to the logged in user. All this in one swoop.

There are limitless possibilities.
Hope this helped!

Posted: Sat Apr 07, 2007 10:07 am
by enemeth
Yes, very much so!

Thank you, I will play around with all this!

Elaine

Posted: Sat Apr 07, 2007 10:25 am
by enemeth
Well, I'm sorry to say I don't know what I'm doing! So many errors I don't know where to start,

I don't know how to implement everything here into what I got already! It's saddening! LOL

Posted: Sat Apr 07, 2007 2:04 pm
by aaronhall
The errors and some code would be helpful

Posted: Sat Apr 07, 2007 2:48 pm
by enemeth
OK, here it is,

I got a checkuser.php

<?php error_reporting(E_ALL);
/* Check User Script */ 
session_start();  // Start Session
include 'db.php'; 
$msg = "You could not be logged in! Either the username and password do not match or you have not validated your membership! Please Try again!";
$msga = "Please enter ALL the information!";
// Convert to simple variables
$username = $_POST['username'];
$password = $_POST['password'];
if((!$username) || (!$password)){
    echo "<script language=\"javascript\">alert(\"".$msga."\");</script>";
    include 'login.php';
    exit();
}

// Convert password to md5 hash 
$password = md5($password);
// check if the user info validates the db 
$sql = mysql_query("SELECT * FROM users WHERE username='$username' AND password='$password' AND activated='1'"); 
$login_check = mysql_num_rows($sql);
if($login_check > 0){ 
    while($row = mysql_fetch_array($sql)){ 
    foreach( $row AS $key => $val ){ 
        $$key = stripslashes( $val ); 
    } 
        // Register some session variables! 
        session_register('first_name'); 
        $_SESSION['first_name'] = $first_name; 
        session_register('last_name'); 
        $_SESSION['last_name'] = $last_name; 
        session_register('email_address'); 
        $_SESSION['email_address'] = $email_address; 
        session_register('special_user'); 
        $_SESSION['user_level'] = $user_level;
        mysql_query("UPDATE users SET last_login=now() WHERE userid='$userid'");
        header("Location: members/login_success.php"); 
    } 
} else { 
    echo "<script language=\"javascript\">alert(\"".$msg."\");</script>";
    include 'login.php'; 
} 
?>
Now when my users log in, they get the members area, which is good, but so can everyone else on the net if they have the path! But I can't seem to get it right. I have this so far, which I think I need to put on each individual page? Unless I make one main file pointing to the one file!

<?php include 'headermem.php'; 
$msga = "Please Log in! Thank you !";
if(isset($_SESSION['username'])) {

return;

}

else {
echo "<script language=\"javascript\">alert(\"".$msga."\");</script>";
    include '../login.php';
    exit();

}

include 'footermem.php'; 
?>
I really apologize to everyone who is getting frustrated with me!

But once I get it, I will never forget! ehhehehe

Thanks again,

Elaine

Posted: Sat Apr 07, 2007 2:56 pm
by nickvd
I'd suggest buying a more recent book on PHP; there are security vulnerabilities in your code.

SQL Injection:

$sql = mysql_query("SELECT * FROM users WHERE username='$username' AND password='$password' AND activated='1'");
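
The flagged query builds its SQL text from `$_POST['username']`, so whatever is typed into the form becomes part of the statement. As an added example (not code from the thread or from any poster), here is a parameterized login check together with the per-page session check and redirect described earlier in the thread, using PDO in place of the `mysql_*` calls. Assumed names: a PDO handle `$pdo`, a `password_hash` column filled by `password_hash()` at signup instead of the md5 `password` column, and `/login.php` as the login form.

```php
<?php
// Added example; table layout, column names and paths are assumptions.
declare(strict_types=1);

function ensure_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();   // must run before any output is sent
    }
}

// Returns the user's id on success, null on any failure.
function verify_login(PDO $pdo, string $username, string $password): ?int
{
    // The ? placeholder keeps the username as data; it is never spliced into the SQL text.
    $stmt = $pdo->prepare(
        'SELECT userid, password_hash FROM users WHERE username = ? AND activated = 1'
    );
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() checks a salted hash created by password_hash() at signup.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return (int) $row['userid'];
}

// Call once verify_login() has returned an id.
function log_user_in(int $uid): void
{
    ensure_session();
    session_regenerate_id(true);   // fresh session id for the authenticated session
    $_SESSION['uid'] = $uid;       // the value every members page checks
}

// First statement of every members page: require_login();
function require_login(string $loginUrl = '/login.php'): void
{
    ensure_session();
    if (empty($_SESSION['uid'])) {
        header('Location: ' . $loginUrl);
        exit;   // without exit the rest of the members page would still run
    }
}
```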

Posted: Sat Apr 07, 2007 3:10 pm
by enemeth
OK, well, I have no clue on these things. I needed code to get users to log in and register, I found a full code that had all the stuff I needed, I used that,

Do you have another suggestion for a membership log in tutorial? That would be less of a vulnerability?

When you put that there and say it is a risk, I do not see what you see. You have a little more experience than I do; I have only been doing this for like 2 months, if!

But one day when I'm all growed up I probably will see it, but for now, if you can help it would be appreciated?

Thank you


Elaine ;)

Posted: Sat Apr 07, 2007 3:42 pm
by ol4pr0

Posted: Sat Apr 07, 2007 3:52 pm
by enemeth
Well, thank you for that link, I will read it when I understand most of the things they're talking about!

So I guess I will start again and look for some new code!

Thanks again

Elaine