Logins and Sessions

evilmonkey
Forum Regular
Posts: 823
Joined: Sun Oct 06, 2002 1:24 pm
Location: Toronto, Canada

Post by evilmonkey »

Hello. I want to make a user login system, which, after a successful login, all forms will go through that person's name. (Kind of like PHPBB, where after you log in, all messages are posted from your name). I imagine I have to use sessions to do this, but I have no idea how. YES, I have taken a look at the PHP manual, but it's very confusing. Perhaps someone can regurgitate. :D I have a database of registered users. Each user has his own user name and password.

Thanks for the help I am sure to receive.

Cheers!
Stoker
Forum Regular
Posts: 782
Joined: Thu Jan 23, 2003 9:45 pm
Location: SWNY

Post by Stoker »

Take a look in this sticky thread
evilmonkey
Forum Regular
Posts: 823
Joined: Sun Oct 06, 2002 1:24 pm
Location: Toronto, Canada

Post by evilmonkey »

All right, that helps, but I'm still quite unclear. For example, if I want a simple login page, will it look something like this?

Code: Select all

//start the session
session_start();
//this is the user input form
echo '<input type="text" name="username" value="'.$_SESSION['username'].'" /> ';
echo '<input type="password" name="password" />';
echo '<input type="submit" />';
echo '</form>';

onto the processing page:

Code: Select all

require("Connect.php"); //hold the db connection info
session_start();
//call mysql
$query="SELECT * FROM table WHERE username='{$_SESSION['username']}' AND password='$password'";
$result=mysql_db_query($db, $query, $connection);
if ( $_POST['username'] == '???' && $_POST['password'] == '???' ) { 
   $_SESSION['auth'] = true; 
   $_SESSION['username'] = $_POST['username']; 
   header("Location: page5.php"); 
} else { 
   $_SESSION['auth'] = false; 
   $_SESSION['username'] = ''; 
   header("Location: page3.php"); 
}

I get this far (probably with plenty of errors :wink:). Notice I put in question marks for username and password. How does PHP know if the username and password are in the same row in the database?

Cheers!
daven
Forum Contributor
Posts: 332
Joined: Tue Dec 17, 2002 1:29 pm
Location: Gaithersburg, MD

Post by daven »

PHP does not know anything about what is in your database. You will have to do a query to check for results.

Code: Select all

<?php
//this is the user input form
echo '<form action="process.php" method="post">';
echo '<input type="text" name="username" value="" /> '; # no need to have the $_SESSION['username'] here.  you want people to enter their info
echo '<input type="password" name="password" />';
echo '<input type="submit" />';
echo '</form>';
?>

Code: Select all

<?php
require("Connect.php"); //hold the db connection info
session_start();
//call mysql
$query="SELECT * FROM table WHERE username='".$_POST['username']."' AND password='".$_POST['password']."'"; #Check the POSTed username, not session
$result=mysql_query($query, $connection); # Use mysql_query, not mysql_db_query.  Look into mysql_connect and mysql_select_db
if (mysql_num_rows($result)==1) { # if 1 result was returned (ie--username/password combo was in DB)
   $_SESSION['auth'] = true;
   $_SESSION['username'] = $_POST['username'];
   header("Location: page5.php");
} else {
   $_SESSION['auth'] = false;
   $_SESSION['username'] = ''; # I would suggest not setting the $_SESSION['username'] at all.  That way you can do checks later with isset()
   header("Location: page3.php");
} 
?>
evilmonkey
Forum Regular
Posts: 823
Joined: Sun Oct 06, 2002 1:24 pm
Location: Toronto, Canada

Post by evilmonkey »

Okay, okay, I get it. But just to make sure...this is the login script (just the final one). It's really Daven's script just modified a little:

Code: Select all

<?php
require("connect.php"); //hold the db connection info 
session_start(); 
//call mysql 
$query="SELECT * FROM table WHERE username='".$_POST['username']."' AND password='".$_POST['password']."'";
$result=mysql_query($query, $connection);
if (mysql_num_rows($result)==1) { 
   $_SESSION['auth'] = true; 
   $_SESSION['username'] = $_POST['username']; 
   header("Location: index.php"); 
} else { 
   $_SESSION['auth'] = false; 
   $_SESSION['username'] = ''; 
   header("Location: login.php"); 
} 
?>
Now if this succeeds, I want the links on index.php to change. For example:

Code: Select all

session_start();
if ($_SESSION['auth']=true) //can I even do this?
{
echo '<A HREF="http://blah.com/somescript.php"> logout </a>';
}
else
{
echo '<A HREF="http://blah.com/someotherscript.php"> login </a>';
}

The above code would be my index.php. Is that the idea, or am I way off?

Cheers!
Stoker
Forum Regular
Posts: 782
Joined: Thu Jan 23, 2003 9:45 pm
Location: SWNY

Post by Stoker »

Using a posted variable directly in a query is not sane unless you are guaranteed that stripslashes is on (Global setting not good enough if you are in a shared environment)..

Code: Select all

<?php

$query="SELECT * FROM table WHERE username='".
  mysql_escape_string(stripslashes($_POST['username']))."' AND password='".
  mysql_escape_string(stripslashes($_POST['password']))."'";

?>
.... and yes you can validate $_SESSION['auth'], but do not use single equal-sign as that will assign true to it, == is comparison, === is comparison of both value and data type, I think it is important to use triples when dealing with auth stuff, as a string can evaluate to true if for some reason PHP thinks you are doing a bool comparison..
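
Added example, not part of the thread or any poster's code: one way to apply the two points in the reply above (keep posted values out of the SQL text, and test the auth flag with ===), here using PDO placeholders instead of manual escaping. It goes beyond the thread by storing a password hash rather than the password itself; the users table, the in-memory SQLite database standing in for MySQL, the sample account and all function names are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed demo data: in-memory SQLite stands in for the thread's MySQL table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
$ins = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
$ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

// True only if the username exists and the password matches its stored hash.
function check_login(PDO $db, string $username, string $password): bool
{
    // Placeholders keep user input out of the SQL text, so quotes in it are just data.
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn(); // false when no row matched
    return is_string($hash) && password_verify($password, $hash);
}

// $session is $_SESSION in a real page (hypothetical helper, passed in so it runs from the CLI).
function login(PDO $db, array &$session, string $username, string $password): bool
{
    unset($session['auth'], $session['username']); // failed login leaves nothing set
    if (!check_login($db, $username, $password)) {
        return false;
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true); // issue a fresh session id once authenticated
    }
    $session['auth'] = true;
    $session['username'] = $username;
    return true;
}

// Strict check: only the boolean true counts as logged in.
function is_logged_in(array $session): bool
{
    return isset($session['auth']) && $session['auth'] === true;
}

$session = [];
var_dump(login($db, $session, 'alice', 'correct horse')); // valid credentials
var_dump(login($db, $session, "o'brien", 'x'));           // a quote in the name is ordinary data
var_dump(is_logged_in($session));                         // state after the failed attempt
var_dump(is_logged_in(['auth' => 'false']));              // a string is not the boolean true
```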
evilmonkey
Forum Regular
Posts: 823
Joined: Sun Oct 06, 2002 1:24 pm
Location: Toronto, Canada

Post by evilmonkey »

Ok, thanks. I'll see what I can do, and if I run into any more problems, I'll come back here.

Cheers!