
Logins and Sessions

Posted: Thu Mar 13, 2003 7:25 pm
by evilmonkey
Hello. I want to make a user login system where, after a successful login, all forms go through that person's name. (Kind of like PHPBB, where after you log in, all messages are posted under your name.) I imagine I have to use sessions to do this, but I have no idea how. YES, I have taken a look at the PHP manual, but it's very confusing. Perhaps someone can regurgitate. :D I have a database of registered users. Each user has his own user name and password.

Thanks for the help I am sure to receive.

Cheers!

Posted: Thu Mar 13, 2003 7:48 pm
by Stoker
Take a look in this sticky thread

Posted: Thu Mar 13, 2003 9:06 pm
by evilmonkey
All right, that helps, but I'm still quite unclear. For example, If I want a simple login page, will it look something like this?

Code:

<?php
// start the session
session_start();
// this is the user input form (opening <form> tag added; the draft only had the closing one)
echo '<form action="process.php" method="post">';
echo '<input type="text" name="username" value="'
    . (isset($_SESSION['username']) ? htmlspecialchars($_SESSION['username']) : '') . '" /> ';
echo '<input type="password" name="password" />';
echo '<input type="submit" />';
echo '</form>';
?>
On to the processing page:

Code:

<?php
require("Connect.php"); // holds the db connection info
session_start();
// call mysql
$query = "SELECT * FROM table WHERE username='" . $_SESSION['username'] . "' AND password='" . $_POST['password'] . "'";
$result = mysql_db_query($db, $query, $connection);
if ($_POST['username'] == '???' && $_POST['password'] == '???') {
   $_SESSION['auth'] = true;
   $_SESSION['username'] = $_POST['username'];
   header("Location: page5.php");
   exit; // stop the script once the redirect header is sent
} else {
   $_SESSION['auth'] = false;
   $_SESSION['username'] = '';
   header("Location: page3.php");
   exit;
}
?>
I get this far (probably with plenty of errors :wink:). Notice I put in question marks for username and password. How does PHP know if the username and password are in the same row in the database?

Cheers!

Posted: Fri Mar 14, 2003 8:28 am
by daven
PHP does not know anything about what is in your database. You will have to do a query to check for results.

Code:

<?php
// this is the user input form
echo '<form action="process.php" method="post">';
echo '<input type="text" name="username" value="" /> '; # no need to have the $_SESSION['username'] here.  you want people to enter their info
echo '<input type="password" name="password" />';
echo '<input type="submit" />';
echo '</form>';
?>

Code:

<?php
require("Connect.php"); //hold the db connection info
session_start();
//call mysql
$query="SELECT * FROM table WHERE username='".$_POST['username']."' AND password='".$_POST['password']."'"; #Check the POSTed username, not session
$result=mysql_query($query, $connection); # Use mysql_query, not mysql_db_query.  Look into mysql_connect and mysql_select_db
if (mysql_num_rows($result)==1) { # if 1 result was returned (ie--username/password combo was in DB)
   $_SESSION['auth'] = true;
   $_SESSION['username'] = $_POST['username'];
   header("Location: page5.php");
   exit; # stop the script after sending the redirect header
} else {
   $_SESSION['auth'] = false;
   $_SESSION['username'] = ''; # I would suggest not setting the $_SESSION['username'] at all.  That way you can do checks later with isset()
   header("Location: page3.php");
   exit;
}
?>

Posted: Fri Mar 14, 2003 5:54 pm
by evilmonkey
Okay, okay, I get it. But just to make sure...this is the login script (just the final one). It's really Daven's script just modified a little:

Code:

<?php
require("connect.php"); //hold the db connection info
session_start();
//call mysql
$query="SELECT * FROM table WHERE username='".$_POST['username']."' AND password='".$_POST['password']."'";
$result=mysql_query($query, $connection);
if (mysql_num_rows($result)==1) {
   $_SESSION['auth'] = true;
   $_SESSION['username'] = $_POST['username'];
   header("Location: index.php");
   exit;
} else {
   $_SESSION['auth'] = false;
   $_SESSION['username'] = '';
   header("Location: login.php");
   exit;
}
?>
Now if this succeeds, I want the links on index.php to change. For example:

Code:

<?php
session_start();
if ($_SESSION['auth']=true) //can I even do this?
{
echo '<a href="http://blah.com/somescript.php"> logout </a>';
}
else
{
echo '<a href="http://blah.com/someotherscript.php"> login </a>';
}
?>
The above code would be my index.php. Is that the idea, or am I way off?

Cheers!

Posted: Fri Mar 14, 2003 9:02 pm
by Stoker
Using a posted variable directly in a query is not sane unless you are guaranteed that stripslashes is on (a global setting is not good enough if you are in a shared environment).

Code:

<?php

$query="SELECT * FROM table WHERE username='".
  mysql_escape_string(stripslashes($_POST['username']))."' AND password='".
  mysql_escape_string(stripslashes($_POST['password']))."'";

?>
.... and yes, you can validate $_SESSION['auth'], but do not use a single equal sign, as that will assign true to it; == is comparison, === is comparison of both value and data type. I think it is important to use triples when dealing with auth stuff, as a string can evaluate to true if for some reason PHP thinks you are doing a bool comparison.
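The two points Stoker raises (POST data spliced straight into the query that daven's login script builds, and using === rather than = or == on $_SESSION['auth']) side by side in runnable form. This is an added example, not code from the thread or from anyone in it. It assumes PHP 7 or later with the pdo_sqlite extension; an in-memory SQLite table named users stands in for the MySQL table in the posts, and the table layout and the alice/s3cret account are constructed test data. Note that the functions the thread relies on no longer exist in current PHP: magic_quotes_gpc was removed in PHP 5.4 and the mysql_* extension in PHP 7, so the stripslashes/mysql_escape_string approach cannot be used today; bound parameters replace escaping entirely.

```php
<?php
// Added example (not from the thread). Requires PHP >= 7 with pdo_sqlite.
// An in-memory SQLite table stands in for the MySQL table in the posts; the
// "users" table, its columns and the alice/s3cret account are constructed for the demo.
declare(strict_types=1);

function setup_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (
        id INTEGER PRIMARY KEY,
        username TEXT NOT NULL UNIQUE,
        password TEXT NOT NULL,      -- plaintext column, only so the query from the posts can be reproduced
        password_hash TEXT NOT NULL  -- what a login table should actually hold
    )');
    $ins = $db->prepare('INSERT INTO users (username, password, password_hash) VALUES (?, ?, ?)');
    $ins->execute(['alice', 's3cret', password_hash('s3cret', PASSWORD_DEFAULT)]);
    return $db;
}

// The query as built in the thread: input concatenated straight into SQL,
// followed by the "exactly one row came back" test from daven's post.
function unsafe_login(PDO $db, string $username, string $password): bool
{
    $query = "SELECT * FROM users WHERE username='" . $username . "' AND password='" . $password . "'";
    $rows  = $db->query($query)->fetchAll(PDO::FETCH_ASSOC);
    return count($rows) === 1;
}

// Hardened version: the SQL text is fixed and the username travels as a bound
// parameter, so quotes inside it can never change the statement. The password
// is not in the query at all; it is checked against a stored hash in PHP.
function safe_login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    return password_verify($password, $row['password_hash']);
}

// What index.php should test. With == PHP coerces, so '1', 1 or 'yes' in
// $_SESSION['auth'] would also count as logged in; === accepts only bool true.
function is_authenticated(array $session): bool
{
    return isset($session['auth']) && $session['auth'] === true;
}

function report(string $label, bool $ok): void
{
    printf("%-48s %s\n", $label, $ok ? 'LOGGED IN' : 'rejected');
}

$db = setup_db();

report('unsafe_login, correct password', unsafe_login($db, 'alice', 's3cret'));
report('safe_login, correct password',   safe_login($db, 'alice', 's3cret'));

// Constructed attacker input: the quote closes the username literal and "--"
// comments out the rest of the WHERE clause, so the password is never compared.
$injected = "alice' --";
report('unsafe_login, injected name, wrong password', unsafe_login($db, $injected, 'wrong'));
report('safe_login, injected name, wrong password',   safe_login($db, $injected, 'wrong'));

report("auth check, ['auth' => true]", is_authenticated(['auth' => true]));
report("auth check, ['auth' => '1']",  is_authenticated(['auth' => '1']));
report('auth check, empty session',    is_authenticated([]));
```

Run it with the PHP CLI: the concatenated query accepts the injected username with a wrong password, because the statement it executes has become `SELECT * FROM users WHERE username='alice' --...`, while the prepared statement simply finds no user with that literal name. One more step belongs in the real login script: call session_regenerate_id(true) after a successful check and before setting $_SESSION['auth'] = true, so a session id an attacker handed the victim before login (session fixation) is not promoted to an authenticated one.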

Posted: Sun Mar 16, 2003 9:11 pm
by evilmonkey
Ok, thanks. I'll see what I can do, and if I run into any more problems, I'll come back here.

Cheers!