user login script
Posted: Mon Oct 08, 2007 3:18 pm
by monkeymafia
Hi
I am a PHP newbie.
I have a simple table in MySQL called members which stores memberid and password. I have created a simple HTML form with username and password fields and got the following PHP script to check whether the user exists.
<?php
session_start();
mysql_connect("localhost", "??", "??") or die(mysql_error());
echo "Connected to MySQL<br />";
mysql_select_db("name") or die(mysql_error());
echo "Connected to Database";
if (isset($_POST['submit'])) {
    if (mysql_num_rows(mysql_query("SELECT memberid, password FROM members WHERE memberid = '".$_POST['username']."' && password = '".$_POST['password']."' ")) > 0) {
        if (mysql_num_rows(mysql_query("SELECT id FROM members WHERE memberid = '".$_POST['username']."' && password = '".$_POST['password']."' ")) > 0) {
            $_SESSION['logged'] = true;
            $_SESSION['username'] = $_POST['username'];
            $_SESSION['password'] = $_POST['password'];
            echo "<font color='green'>You have successfully logged in!</font>";
        } else { // if the username and password aren't from the same account but do exist
            echo "<font color='red'>Incorrect login! Please try again</font>";
        }
    } else { // username/password doesn't exist
        echo "<font color='red'>Username/Password doesn't exist!</font>";
    }
}
?>
This works and displays the successfully logged in message if the right user and pass is entered.
The question is: how do I direct the successful login to their own page, i.e. their account page, instead of just displaying a message saying successful login? And once the user has logged in to their account, what kind of function will I need so that the person's account page is only unique to them?
Any help would be greatly appreciated. Many thanks.
Posted: Mon Oct 08, 2007 3:23 pm
by s.dot
Something like..
header('Location: http://www.example.com/userpage.php?userId=' . $userId);
exit;
Which won't work in your example, unless you take out the database connection messages. No text can be sent to the browser prior to the code above.
Posted: Mon Oct 08, 2007 3:48 pm
by monkeymafia
Hey,
thanks for the reply, that works exactly how I wanted!
But I'm not sure how the code actually works.
There's an arrow in the link you posted; is that meant to be there?
Thanks again.
Posted: Mon Oct 08, 2007 3:52 pm
by s.dot
The arrow is just a part of this forum for external links. It's not meant to be in your code.
The code works by sending a header that the browser should go to a different location.
You could look at the header() function in the manual for more information.

Posted: Mon Oct 08, 2007 4:03 pm
by monkeymafia
Alright,
many thanks for the help.
Posted: Mon Oct 08, 2007 5:18 pm
by Stryks
Why not just save the $userId to the session and just do a redirect to userpage.php.
It just saves the hassle of checking if someone is logged on and if they have the same session ID (in case a logged in user decides to alter the id from the URL, etc etc).
Just a thought.
Posted: Mon Oct 08, 2007 6:03 pm
by califdon
I agree with Stryks that it makes sense to use a Session Variable, otherwise as soon as you go to another page, you will lose the login information. Also, you can simplify the code, and more importantly, avoid multiple queries to the database, by structuring your code differently. Something along the lines of:
<?php
session_start();
$memberid = $_POST['memberid'];
$pwd = $_POST['password'];
// now you can check the POST variables for possible code injection...
mysql_connect(.....) or die(mysql_error());
mysql_select_db(.....) or die(mysql_error());
if (isset($_POST['submit'])) {
    $sql = "SELECT memberid, password FROM members WHERE memberid='$memberid' AND password='$pwd' ";
    $result = mysql_query($sql) or die(mysql_error()); // run the single query
    if ($row = mysql_fetch_assoc($result)) {
        extract($row); // creates $memberid and $password from the row
        if ($password == $pwd) {
            echo "Welcome back, $memberid<br />";
            // ... or whatever you want to do when the login is successful -- like set a $_SESSION variable
        } else {
            echo "Incorrect Password. Try again<br />";
        }
    } else {
        echo "Incorrect Login. Try again<br />";
    }
}
In other words, make one attempt to query the database and, if successful, get all the data you will need to validate the user.
A couple of other points:
By first assigning the $_POST variables to regular variables, you can (and should!) test them to see that they don't contain malicious code injection before using them (I didn't take the trouble to do that above).
I also didn't attempt to answer your other question about sending the user to his/her account page. There are several ways to approach that, and I don't want to confuse the issue by trying to do everything here. Personally, I recommend using Ajax to validate the user's login, then you can just do a clean redirect with document.location='.....'. That has the disadvantage, though, of not working if the browser doesn't support Javascript, or more likely, the user has Javascript disabled.
Posted: Tue Oct 09, 2007 12:13 pm
by monkeymafia
I thought the user's id was being held in the session with the following code:
$_SESSION['logged'] = true;
$_SESSION['username'] = $_POST['username'];
$_SESSION['password'] = $_POST['password'];
I seem to be mistaken then; what is this piece of code doing?
Posted: Tue Oct 09, 2007 12:21 pm
by Zoxive
monkeymafia wrote: I thought the user's id was being held in the session with the following code:
$_SESSION['logged'] = true;
$_SESSION['username'] = $_POST['username'];
$_SESSION['password'] = $_POST['password'];
I seem to be mistaken then; what is this piece of code doing?
Setting just what it says it's setting: `logged` boolean as True, `username` as POST['username'] and `password` as POST['password'].
Basically everything except the user's ID.
Posted: Tue Oct 09, 2007 12:43 pm
by monkeymafia
But username is the userid, isn't it?
Because username is the name of the username text box, thus the member's ID.
Posted: Wed Oct 10, 2007 1:59 am
by Stryks
Well ... in your case it appears to be.
I can't speak for everyone, but for myself, I tend to have an auto increment primary key in the users table, and I use this primary key for internal reference to the user. I guess there is nothing stopping you doing it your way though.
I guess my point was that if you are saving the userid (or whatever you use internally to identify a user) to the session, then passing it in the URL is kind of redundant. You take the trouble of passing it as a $_GET variable, when it's already in $_SESSION.
(Probably less important for the password - assuming you are planning on saving and checking a hash of the submitted value. You are, aren't you?)
In case it didn't catch your eye last time it was mentioned, you MUST validate that username and password data before passing it to your database. In fact, I would advise that you validate it before you do anything with it, and definitely before it goes into the session.
If you need clarification or help with code, don't be shy.
Cheers.
Posted: Wed Oct 10, 2007 6:21 pm
by monkeymafia
Thanks for the good advice! I will have to do a lot more background reading. Thanks again.
Posted: Wed Oct 10, 2007 6:28 pm
by mrkite
monkeymafia wrote:
$_SESSION['logged'] = true;
$_SESSION['username'] = $_POST['username'];
$_SESSION['password'] = $_POST['password'];
Please don't store the user's password in a session variable. That means it's sitting in plaintext in your /tmp directory. Very bad practice.
Posted: Wed Oct 10, 2007 7:50 pm
by Stryks
mrkite makes a good point.
In fact, there's not a lot of purpose in carrying the password around in your session anyhow. Your session tells you the user is logged on, and it will continue to show that as long as the session doesn't time out or get destroyed. Once either of these things happens, then the password is gone, along with the rest. It's not like keeping it there will allow an automatic re-login.
I can't think of any other reason why you'd need a person's password once they have logged in. And as I mentioned before, the user's password should be saved as a hash (md5 is not a bad choice) and then the submitted value should be hashed and used for comparison.
As a general rule, try to minimize the time a password stays as plain text. md5 it, log the user in, and then discard. The less you handle it, the less risk you carry of exposing the password and breaking your users' trust.
Posted: Thu Oct 11, 2007 5:35 am
by Mordred
*cough* *cough* SQL injection *cough*
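A login handler that pulls together the points raised in this thread (keep the internal user id in the session rather than the URL, store and check a hash instead of the password, never put the password in the session, redirect with header(), and bind query parameters so the submitted values cannot change the SQL), written here as an added example and not code posted by anyone in the thread. It uses PDO prepared statements and password_hash()/password_verify() in place of mysql_* and md5(); the table columns `id`/`memberid`/`pwhash`, the database credentials and the login.php/userpage.php file names are assumptions.

```php
<?php
// Added example (not code from the thread). Assumes a `members` table with
// columns `id` (auto-increment primary key), `memberid` (login name) and
// `pwhash` (output of password_hash()), and constructed DB credentials.
session_start();

$pdo = new PDO('mysql:host=localhost;dbname=name', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
]);

// Attempt a login; returns the internal user id on success, null otherwise.
function login(PDO $pdo, string $memberid, string $pwd): ?int
{
    // Validate before the values touch the database or the session.
    if ($memberid === '' || $pwd === '' || strlen($memberid) > 64) {
        return null;
    }
    // One parameterised query: input is bound, never concatenated into SQL.
    $stmt = $pdo->prepare('SELECT id, pwhash FROM members WHERE memberid = ?');
    $stmt->execute([$memberid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Compare the submitted value against the stored hash only.
    if ($row === false || !password_verify($pwd, $row['pwhash'])) {
        return null;   // same result for an unknown user and a wrong password
    }
    return (int) $row['id'];
}

// For the account page: the user comes from the session, not from the URL.
function require_login(): int
{
    if (empty($_SESSION['logged']) || !isset($_SESSION['user_id'])) {
        header('Location: login.php');
        exit;
    }
    return (int) $_SESSION['user_id'];
}

if (isset($_POST['submit'])) {
    $userId = login($pdo, (string) ($_POST['username'] ?? ''), (string) ($_POST['password'] ?? ''));
    if ($userId === null) {
        exit('Incorrect login! Please try again');
    }
    session_regenerate_id(true);           // fresh session id once authenticated
    $_SESSION['logged']  = true;
    $_SESSION['user_id'] = $userId;        // the password itself is never stored in the session
    header('Location: userpage.php');      // nothing may be echoed before this line
    exit;
}
```

userpage.php would call require_login() at the top and use the returned id for its queries, so editing a userId in the URL has no effect.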