newbie - seeking help with database security and logins

ThE_eNd
Forum Newbie
Posts: 3
Joined: Thu Dec 04, 2003 5:07 am

newbie - seeking help with database security and logins

Post by ThE_eNd »

Hello to everyone!

First of all, this is my first post, I am not familiar with this forum, and I hope I am posting in the right place.

Should there be any other forum dealing with newbies, and they are really patient, kind and helpful :wink: lemme know.

I just started learning PHP and MySQL. I am working on an Apache server with the latest PHP and MySQL version.
All's fine with the connection to the database, I can make queries, I can have people fill in forms to add to the database.

What I want to do is create a form for a username and password.

What I need is a form that allows the user to access the information I have about him in the database.
That is, John Doe logs in with John and Pass and he gets in return the data from the database. How do I do that? Or where do I learn about that?

I am using Dreamweaver MX 2004 for this and they have something similar for this, but the PHP code they use generates errors and the login does not work as it is supposed to.

Thank you
twigletmac
Her Royal Site Adminness
Posts: 5371
Joined: Tue Apr 23, 2002 2:21 am
Location: Essex, UK

Post by twigletmac »

There are various bits to learning how to do this: accessing data posted from forms in PHP, then selecting data from a database and also comparing data in databases. Then you'll need to move on to learning about sessions so that people don't have to log in again when they move to another page.

The best place to start would be with a tutorial, as although it may not show you the exact product you're after, it can help you with understanding the basic principles. Try places like:
http://www.devshed.com
http://www.phpcomplete.com
http://www.phpbuilder.com

If you're having problems with specific bits then come back here and post again and we'll do our best to help you get it working.

Mac
ThE_eNd
Forum Newbie
Posts: 3
Joined: Thu Dec 04, 2003 5:07 am

here's the code

Post by ThE_eNd »

OK, I am using Dreamweaver and I use the server behaviour they call "login". What that is supposed to do is: take the data submitted by a simple form (username, password) and match it against a table with usernames and passwords; if it finds a match then send the user to a page, otherwise send him to another page.

These are the errors I get:

Code: Select all

Warning: session_start(): open(/tmp\sess_6b62b0fd63a8ab2c8013809d33abd8d1, O_RDWR) failed: No such file or directory (2) in c:\!work\teste_php\access2.php on line 3

Warning: session_start(): Cannot send session cookie - headers already sent by (output started at c:\!work\teste_php\access2.php:3) in c:\!work\teste_php\access2.php on line 3

Warning: session_start(): Cannot send session cache limiter - headers already sent (output started at c:\!work\teste_php\access2.php:3) in c:\!work\teste_php\access2.php on line 3
[username] and [password] fields

Code: Select all

Warning: Unknown(): open(/tmp\sess_6b62b0fd63a8ab2c8013809d33abd8d1, O_RDWR) failed: No such file or directory (2) in Unknown on line 0

Warning: Unknown(): Failed to write session data (files). Please verify that the current setting of session.save_path is correct (/tmp) in Unknown on line 0
And this is the code in the page.

Code: Select all

<?php require_once('Connections/ameritrex.php'); ?>
<?php
// *** Start the session
session_start();
// *** Validate request to log in to this site.
$FF_LoginAction = $HTTP_SERVER_VARS['PHP_SELF'];
if (isset($HTTP_SERVER_VARS['QUERY_STRING']) && $HTTP_SERVER_VARS['QUERY_STRING']!="") $FF_LoginAction .= "?".htmlentities($HTTP_SERVER_VARS['QUERY_STRING']);
if (isset($HTTP_POST_VARS['username'])) {
  $FF_valUsername=$HTTP_POST_VARS['username'];
  $FF_valPassword=$HTTP_POST_VARS['password'];
  $FF_fldUserAuthorization="";
  $FF_redirectLoginSuccess="erori.htm";
  $FF_redirectLoginFailed="index.html";
  $FF_rsUser_Source="SELECT username_db, pass_db ";
  if ($FF_fldUserAuthorization != "") $FF_rsUser_Source .= "," . $FF_fldUserAuthorization;
  $FF_rsUser_Source .= " FROM passes WHERE username_db='" . $FF_valUsername . "' AND pass_db='" . $FF_valPassword . "'";
  mysql_select_db($database_ameritrex, $ameritrex);
  $FF_rsUser=mysql_query($FF_rsUser_Source, $ameritrex) or die(mysql_error());
  $row_FF_rsUser = mysql_fetch_assoc($FF_rsUser);
  if(mysql_num_rows($FF_rsUser) > 0) {
    // username and password match - this is a valid user
    $MM_Username=$FF_valUsername;
    session_register("MM_Username");
    if ($FF_fldUserAuthorization != "") {
      $MM_UserAuthorization=$row_FF_rsUser[$FF_fldUserAuthorization];
    } else {
      $MM_UserAuthorization="";
    }
    session_register("MM_UserAuthorization");
    if (isset($accessdenied) && true) {
      $FF_redirectLoginSuccess = $accessdenied;
    }
    mysql_free_result($FF_rsUser);
    session_register("FF_login_failed");
	$FF_login_failed = false;
    header ("Location: $FF_redirectLoginSuccess");
    exit;
  }
  mysql_free_result($FF_rsUser);
  session_register("FF_login_failed");
  $FF_login_failed = true;
  header ("Location: $FF_redirectLoginFailed");
  exit;
}
?>
and

Code: Select all

<form action="<?php echo $FF_LoginAction?>" method="POST" name="access" id="access">

Any suggestions?
Thank you
Draco_03
Forum Regular
Posts: 577
Joined: Fri Aug 15, 2003 12:25 pm
Location: Montreal, Canada

Post by Draco_03 »

I suggest you not use DW for any "code generating".
Me too, I'm a noob, and believe me, it's WAY better to start typing your own code, or else you'll never be able to debug anything...

And well, what knowledge do you have?
Can you create a table (using phpMyAdmin for example)?
If you can, well, try to connect to your db (database) and just try to view your result.

If you never programmed in any language that may take you some time. I'll post some code on how to connect to a DB.
Draco_03
Forum Regular
Posts: 577
Joined: Fri Aug 15, 2003 12:25 pm
Location: Montreal, Canada

Post by Draco_03 »

Code: Select all

<?php
$host = "yourhost"; // for example "localhost"
$user = "user";  // user that is needed to connect to your database
$pswd = "password";  // password for your database

/* http://ca3.php.net/manual/en/index.php is the PHP manual, VERY useful when you don't understand a function like mysql_connect or something else */

/* now I'm connecting to my db (the "or die" means that if it doesn't work you're going to echo something) */

$connect = mysql_connect($host, $user, $pswd) 
	or die("Could not connect: " . mysql_error());
/* now I'm selecting the name of my db */
$database = mysql_select_db('mydb') 
	or die(MySQL_Error());

/* this is the mysql query; right now I'm SELECTING everything from mytable (whatever your table name is) */
$sql = "SELECT * FROM mytable";
/* I'm putting the result of my query (I'm selecting everything from my table) into the variable $result */
$result = mysql_query($sql) or die(MySQL_Error());


/* this is more complicated; I put it here so you can copy and paste it just to see if your code will work. Tell me first if you understand the first part */

for ($i = 0; $rows = mysql_fetch_row($result); $i++)
	{
		if ($rows[1] == $_POST["user"] && $rows[2] == $_POST["password"])
		{
		print "<meta http-equiv=\"refresh\" content=\"0; url=../ident.php\" />";
		}else{
		print "loser";
		}
	}
mysql_close($connect);
?>
well tell me if you understand or not....
Chambrln
Forum Commoner
Posts: 43
Joined: Tue Dec 02, 2003 10:45 am
Location: Oregon

Post by Chambrln »

It looks like the errors you are getting are all a result of the first error which looks like it is just saying there is no session_save folder either created or specified in your php.ini. You need to look in php.ini for the session section and find out what folder you are trying to save sessions to. Then go see if it is created and what permissions it has.
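
The check described in the post above, as an added example that is not part of the original thread: a small PHP script that reads session.save_path, strips the optional "N;" or "N;MODE;" prefix, and reports whether the directory exists and is writable. The function name session_save_dir_status() is an assumption made for illustration.

```php
<?php
// Added example: report whether PHP's session directory is usable.
// session.save_path may be "/path", "N;/path" or "N;MODE;/path".
function session_save_dir_status(?string $savePath = null): array
{
    $raw = $savePath ?? (string) ini_get('session.save_path');
    // Keep only the directory part after any "N;" / "N;MODE;" prefix.
    $parts = explode(';', $raw);
    $dir = trim((string) end($parts));
    if ($dir === '') {
        // An empty setting makes the files handler use the system temp dir.
        $dir = sys_get_temp_dir();
    }
    $status = ['dir' => $dir, 'exists' => is_dir($dir), 'writable' => false, 'problem' => null];
    if (!$status['exists']) {
        $status['problem'] = 'directory does not exist';
    } elseif (!is_writable($dir)) {
        $status['problem'] = 'not writable by the web server account';
    } else {
        $status['writable'] = true;
    }
    return $status;
}

// "/tmp" is the value shown in the warnings above; on a Windows machine it
// normally does not exist, which is what open(/tmp\sess_...) is reporting.
foreach (['/tmp', ini_get('session.save_path')] as $candidate) {
    $s = session_save_dir_status((string) $candidate);
    printf("%-30s %s\n", $s['dir'], $s['problem'] ?? 'ok');
}
```

Run it through the web server rather than the command line, since the two can load different php.ini files and run under different accounts.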
ThE_eNd
Forum Newbie
Posts: 3
Joined: Thu Dec 04, 2003 5:07 am

Post by ThE_eNd »

Thank you Draco_03

I seem to grasp the very basic commands in SQL and PHP but when it gets more complicated I'm lost. (Well, I graduated in letters so I know nothing about mathematics or the way it works, and I have been learning PHP for a week now.)

I understand perfectly the first part of the code, but you lost me on the second:

Code: Select all

for ($i = 0; $rows = mysql_fetch_row($result); $i++) 
   { 
      if ($rows[1] == $_POST["user"] && $rows[2] == $_POST["password"]) 
      { 
      print "<meta http-equiv=\"refresh\" content=\"0; url=../ident.php\" />"; 
      }else{ 
      print "loser"; 
      } 
   } 
mysql_close($connect); 
?>
Thank you for your help!
Draco_03
Forum Regular
Posts: 577
Joined: Fri Aug 15, 2003 12:25 pm
Location: Montreal, Canada

Post by Draco_03 »

Okay, now the second part.
First, you need to have a form in a page, and in the form you put
action="page where you put the code I gave you", so if the page where you put your code is named aaa.php you'll have something like this (assuming it's in the same folder as your form page):

Code: Select all

<form name="whatever" method="post" action="aaa.php">
Okay...
In a table you have rows and columns. Each row is a different "entry" and each column is like a different "value" of the row.

Example: I can have

TABLE --------- $row[0] --------- $row[1] --------- $row[2] <-- you'll understand this later
user ---------ID --------- user --------- password
------------ 1 ------------ John Doe ------------ 911
------------ 2 ------------ Bush------------ 411

etc. etc.

Okay, now usually I want to display what information I have in a row (or in a column).
So what I'm doing in my for is looping through my rows...
Okay, in every one of my tables I use a primary key (id) that is unique and that auto-increments itself, so every row has a number, and this number is never duplicated.

OK, I'll explain now

Code: Select all

<?php
/* okay, now I create a for (look in the PHP manual for the function for). */
/* my second argument: a content for my variable (which is $rows) */
/* mysql_fetch_row($result) --> that means I fetch the row corresponding to my query (which is everything from my table, so I get everything from my current row) */
/* Since I'm in a for I create a variable that starts at 0 and I increment it */
/* So now the first line says that for each row in my table, starting at 0, get every piece of info in that row */


for ($i = 0; $rows = mysql_fetch_row($result); $i++)
   {

/* okay, the if here is very simple: I have a form with 2 entries, a user and a password, and I want to check whether what he entered MATCHES what I have in my db */
/* $_POST['name of your form field'] is the code in PHP to retrieve whatever value a user entered in a form field (or checkbox or any form object) */
/* the && means "and", so I make an if: if the value of the field user equals whatever I have in my database ($rows[1]) AND if the password he entered matches the password I have in my db ($rows[2]) */
/* so you understand: I created a var named $rows, and since it's a db and I use mysql_fetch_row I put everything in $rows, but it shows up as an array; since I have 3 columns (id, user and password), saying $rows[1] means the column user */
      if ($rows[1] == $_POST["user"] && $rows[2] == $_POST["password"])
      {
/* finally, if BOTH user and pass correspond I send them to whatever page I wish (using meta refresh, it's HTML) */
      print "<meta http-equiv=\"refresh\" content=\"0; url=../ident.php\" />";
      }else{
/* well, else you're a loser */
      print "loser";
      }
   }
/* get into the habit of always closing the connection */
mysql_close($connect); 
?>
Draco_03
Forum Regular
Posts: 577
Joined: Fri Aug 15, 2003 12:25 pm
Location: Montreal, Canada

Post by Draco_03 »

I made one mistake:
TABLE --------- $row[0] --------- $row[1] --------- $row[2] <-- you'll understand this later
user ---------ID --------- user --------- password
------------ 1 ------------ John Doe ------------ 911
------------ 2 ------------ Bush------------ 411
should be this:

TABLE --------- $row[0] --------- $row[1] --------- $row[2] <-- you'll understand this later
member ---------ID --------- user --------- password
------------ 1 ------------ John Doe ------------ 911
------------ 2 ------------ Bush------------ 411

The name of the table is member
:)
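
Both the Dreamweaver-generated query earlier in the thread, which concatenates the posted values into the SQL string, and the fetch-every-row loop explained above compare a posted username and password against plaintext stored in the table. As an added example (not code from any poster), here is the same check written with a prepared statement and password hashes. PDO with an in-memory SQLite database stands in for MySQL, and the helper check_login() and the sample accounts are assumptions for illustration.

```php
<?php
// Added example, not code from the thread. In-memory SQLite stands in for
// MySQL so it runs offline; the "member" table follows the layout above.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE member (id INTEGER PRIMARY KEY, user TEXT UNIQUE, password TEXT)');

// Constructed sample accounts: only a salted hash is stored, never "911".
$add = $db->prepare('INSERT INTO member (user, password) VALUES (?, ?)');
$add->execute(['John Doe', password_hash('911', PASSWORD_DEFAULT)]);
$add->execute(['Bush', password_hash('411', PASSWORD_DEFAULT)]);

// Hypothetical helper: returns the member row (minus the hash) or null.
function check_login(PDO $db, string $user, string $password): ?array
{
    // The placeholder keeps the posted value out of the SQL text, and the
    // WHERE clause makes the database pick the row instead of a PHP loop.
    $stmt = $db->prepare('SELECT id, user, password FROM member WHERE user = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Unknown user: verify against a dummy hash so both failure paths
    // do comparable work.
    static $dummy = null;
    $dummy ??= password_hash('dummy', PASSWORD_DEFAULT);
    $ok = password_verify($password, $row ? $row['password'] : $dummy);
    if (!$row || !$ok) {
        return null;
    }
    unset($row['password']);
    return $row;
}

// Constructed inputs: a valid login, a wrong password, and a username with
// a quote in it, which would have broken the concatenated query.
$attempts = [['John Doe', '911'], ['John Doe', '411'], ["O'Neil", 'anything']];
foreach ($attempts as [$u, $p]) {
    $member = check_login($db, $u, $p);
    printf("%-10s %s\n", $u, $member ? "ok, id {$member['id']}" : 'rejected');
}
// In a web page: call session_start() before any output, and call
// session_regenerate_id(true) right after check_login() succeeds.
```

Against MySQL only the PDO connection string changes; the prepared statement and the password_hash()/password_verify() calls stay the same.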