Thread: User sessions

  1. #1
    Evil Genius MilchstrabeStern's Avatar
    Join Date
    Nov 2003
    Location
    Arizona
    Posts
    1,131
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    User sessions

    Can someone point me to a good starting place in order to figure out how to allow users to register names and passwords and be able to modify their table? (One database, different table for each user.)

  2. #2
    SitePoint Wizard
    Join Date
    Oct 2001
    Location
    Tucson, Arizona
    Posts
    1,858
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    I don't think that a separate table for each user would be the best way to go. Depending on the amount of data you're storing for each user, you might want a couple user tables which are linked by shared IDs or something (RDBMS). Anyway, there are already quite a few user management scripts out there, so you might want to check out The PHP Resource Index or Hotscripts.

  3. #3
    Evil Genius MilchstrabeStern's Avatar
    Join Date
    Nov 2003
    Location
    Arizona
    Posts
    1,131
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    The only problem with using other scripts is that it's sometimes hard to modify them for your own needs. Especially the more complex ones. The reason I need user sessions has to do with people registering things online.

    The point of having the user is so they can modify the data they insert in case something changes or they messed up. I'm basically making what used to be hand written paperwork (this is for a marching band I'm in) able to be done online. So the user (with my permission) is assigned a user name and a password. Then they are granted access to the documentation section of the website where they can register online, fill out fundraiser sheets, etc. It's very very simple stuff, and I think using a script may be too complex for my needs.

    Even once I get past the user session part, the hard part (for me at least) is how do I make an interface that allows them to change data that they have entered into the database?

  4. #4
    SitePoint Wizard
    Join Date
    Oct 2001
    Location
    Tucson, Arizona
    Posts
    1,858
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Why don't you post your database layout and we'll work from there.

  5. #5
    Evil Genius MilchstrabeStern's Avatar
    Join Date
    Nov 2003
    Location
    Arizona
    Posts
    1,131
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    I don't have a layout yet but let's say we have the following:

    Database (for a specific document): mplionhe_registration:

    Tables: 1 for each user (tables need to be created when a user hits the submit button for the current document: example- http://www.mplionhearts.com/phptesting/document1.php )

    List of tables:
    Jack Jakobson
    Bob Smith
    Jon Tulips
    Rob Robinson

    Example table: Jack Jakobson

    +---------------+--------+--------------+-----------+
    | Name          | Parade | Championship | Steak Fry |
    +---------------+--------+--------------+-----------+
    | Jack Jakobson |      1 |            1 |         1 |
    +---------------+--------+--------------+-----------+


    This way I can just create a PHP file that calls the database and displays all the tables like that. Do you see what I'm getting at? So if Jack Jakobson wanted to have 2 parade tickets instead of one, he'd be able to login and change that value.

  6. #6
    SitePoint Wizard
    Join Date
    Oct 2001
    Location
    Tucson, Arizona
    Posts
    1,858
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Look, you don't want a table for each user. You want one table called 'users' that's going to hold information about all the users. It might look something like this:
    Code:
    +--------------+----------------------+------+-----+---------+----------------+
    | Field        | Type                 | Null | Key | Default | Extra          |
    +--------------+----------------------+------+-----+---------+----------------+
    | id           | smallint(5) unsigned |      | PRI | NULL    | auto_increment |
    | email        | varchar(128)         |      |     |         |                |
    | password     | varchar(32)          |      |     |         |                |
    | name         | varchar(100)         |      |     |         |                |
    | parade       | tinyint(3) unsigned  |      |     | 0       |                |
    | championship | tinyint(3) unsigned  |      |     | 0       |                |
    | steak_fry    | tinyint(3) unsigned  |      |     | 0       |                |
    +--------------+----------------------+------+-----+---------+----------------+
    7 rows in set (0.01 sec)
    You're going to use the person's email address as a unique identifier. The password field is going to hold the MD5 hash of the user's password.

  7. #7
    Evil Genius MilchstrabeStern's Avatar
    Join Date
    Nov 2003
    Location
    Arizona
    Posts
    1,131
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Ah yeah that makes a lot more sense, and will make life easier. However I still need help on how to allow users to edit their information? I know this probably is harder to explain so if you can direct me to a website or something that will help me, I'd be very thankful.

    Thanks!
    -Bryan

  8. #8
    SitePoint Wizard
    Join Date
    Oct 2001
    Location
    Tucson, Arizona
    Posts
    1,858
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    What do you need help with? Authenticating users or pulling and updating data?

  9. #9
    Evil Genius MilchstrabeStern's Avatar
    Join Date
    Nov 2003
    Location
    Arizona
    Posts
    1,131
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Well, both: authenticating the users (which I will have a list of all of them, they won't need to register themselves, probably...) and then allowing them to access and update their data....

  10. #10
    SitePoint Wizard
    Join Date
    Oct 2001
    Location
    Tucson, Arizona
    Posts
    1,858
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Here's an updated table description and the SQL statement to create it. More is coming later.
    Code:
    +--------------+---------------------+------+-----+---------+-------+
    | Field        | Type                | Null | Key | Default | Extra |
    +--------------+---------------------+------+-----+---------+-------+
    | username     | varchar(128)        |      | PRI |         |       |
    | password     | varchar(32)         |      |     |         |       |
    | name         | varchar(100)        |      |     |         |       |
    | parade       | tinyint(3) unsigned |      |     | 0       |       |
    | championship | tinyint(3) unsigned |      |     | 0       |       |
    | steak_fry    | tinyint(3) unsigned |      |     | 0       |       |
    +--------------+---------------------+------+-----+---------+-------+
    6 rows in set (0.02 sec)
    
    
    CREATE TABLE `users` (
      `username` varchar(128) NOT NULL default '',
      `password` varchar(32) NOT NULL default '',
      `name` varchar(100) NOT NULL default '',
      `parade` tinyint(3) unsigned NOT NULL default '0',
      `championship` tinyint(3) unsigned NOT NULL default '0',
      `steak_fry` tinyint(3) unsigned NOT NULL default '0',
      PRIMARY KEY  (`username`),
      UNIQUE KEY `username` (`username`)
    ) ENGINE=InnoDB DEFAULT CHARSET=latin1;

  11. #11
    shauno7's Avatar
    Join Date
    Jul 2004
    Posts
    91
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Looks like you guys got the main structure of the base down. But anyway, just in case you need another reference you can check out this tutorial. It shows you how to create everything from the tables in the database to the user modification of their profiles. It is very simple to follow with all the source code available to you.

    Hope it helps...

    Shaun.

  12. #12
    SitePoint Wizard
    Join Date
    Oct 2001
    Location
    Tucson, Arizona
    Posts
    1,858
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Thanks shauno7. I'll be posting some code shortly.

  13. #13
    Evil Genius MilchstrabeStern's Avatar
    Join Date
    Nov 2003
    Location
    Arizona
    Posts
    1,131
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    I was looking in a book at Barnes and Noble today and it had ways for users to modify data in their tables (I can do this easy) but having them be able to do it to their own areas is different and more complex. I'll check out that tutorial and more. Just so you know, setting up the tables isn't my problem, it's having people fill out a form and then that data going into the table (that is easy, I've shown that I can do that) but having them able to log in and modify is really what this entire thread was about. We are definitely getting there tho, and I'll look at that tutorial shortly.

  14. #14
    SitePoint Wizard
    Join Date
    Oct 2001
    Location
    Tucson, Arizona
    Posts
    1,858
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    I wouldn't follow that tutorial too closely if I were you. The code is a little outdated and it isn't exactly written using "best practice." It might work, but it's gonna be ugly.

    Also, if we hadn't hashed out the table structure beforehand, we wouldn't have had any idea about how the thing is going to work. Computer science is about 80% planning, 10% coding, and 7% checking email. The other 3% gets lost in frequent trips to the coffeemaker.

  15. #15
    SitePoint Addict JNKlein's Avatar
    Join Date
    Sep 2004
    Location
    New York, NY
    Posts
    258
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    It's important to remember the difference between allowing a user to modify "their entry in the table" and allowing a user to access a script that does the modifying for them. You don't want the users of your website having access to your database! That's where PHP should come in.

  16. #16
    Evil Genius MilchstrabeStern's Avatar
    Join Date
    Nov 2003
    Location
    Arizona
    Posts
    1,131
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Hmmm so, should I create a modifying page for each database? Well I guess I kind of have to lol.

    So wait, can this be done?

    So bob here logs in with user: Bob James password: Password and the Script then finds his data, by matching his name. If two match then he is allowed to modify his data.

    The modifying script has to know what row to modify though, so it will use the $name field as a variable and have the username that he logged in as fill in the $name field so the user isn't allowed to change other people's data, did that make any sense lol.

  17. #17
    gimme the uuuuuuuuuuu duuudie's Avatar
    Join Date
    Feb 2004
    Location
    Switzerland
    Posts
    2,253
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Hi MS,

    Here is some code you might want to modify and use:

    It looks very procedural and I haven't spent much time with security issues, but anyways I am pretty sure that it should get you started:


    you will create say... your 'login' table.
    Code:
    CREATE TABLE `login` (
      `userID` mediumint(11) unsigned NOT NULL auto_increment,
      `username` varchar(25) NOT NULL,
      `password` varchar(50) NOT NULL,
      PRIMARY KEY  (`userID`)
    )
    Here is a simple login script:
    PHP Code:

    <?php
    session_start();

    //get the data used to authenticate users

    $username = trim(addslashes($_POST['username']));
    //without encryption:
    $password = trim(addslashes($_POST['password']));
    //with encryption
    //$password = md5($_POST['password']);

    //if you use encryption. make sure that you will first record your user password like this:
    //$password = md5($_POST['password']);

    //perform the query to see if you have a matching result

    $sql = mysql_query(
        "SELECT userID
              , username
              , password
           FROM login
          WHERE username = '$username'
            AND password = '$password'"
    ) or die('<p>Unable to query the database at this time.<br />Error: ' . mysql_error() . '</p>');
    $row = mysql_fetch_array($sql);

    if (mysql_num_rows($sql) == 1) { // if there is one matching result, then get some data to be displayed on your pages for the user logged in.

        $_SESSION['userID'] = $row['userID'];
        $_SESSION['username'] = $row['username'];
        $_SESSION['loggedin'] = TRUE; // Setting session var 'loggedin' to true --> check it on top of each page you want to be protected.

        header('Location: http://www.yoursite.com/welcome.php'); // redirects to the welcome page if everything is ok. always use absolute URL!!
        exit;

    } else {

        header('Location: http://www.yoursite.com/error.php'); // Redirect to error page.
        exit;
    }
    ?>
    Then use this code on top of each page you want to be protected:
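    PHP Code:

    session_start(); // needed on every page before $_SESSION can be read
    if (isset($_SESSION['loggedin']) && $_SESSION['loggedin'] == TRUE) {
        //display page
    } else {
        //redirect to another page, like index or login...
    }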

    for a much more complex auth system, check out this article:

    http://www.sitepoint.com/article/ant...access-control

    just in case, here is the login form:
    Code:
    <form action="checklogin.php" method="post">
    username: <input type="text" name="username" size="10" />
    password: <input type="password" name="password" size=10 />
    <input type="submit" value="go" />
    </form>
    now if you need to add new users, use the table shown above, and use the below code.
    here is the form:
    Code:
    <form action="addnewmember.php" method="post">
    username: <input type="text" name="username" size="10" />
    password: <input type="password" name="password" size=10 />
    <input type="submit" value="go" />
    </form>
    here is the addnewmember.php relevant code:
    PHP Code:
    $username = trim(addslashes($_POST['username']));
    //without encryption:
    $password = trim(addslashes($_POST['password']));
    //with encryption
    //$password = md5($_POST['password']);


    //perform the query to insert the new user (INSERT takes no LIMIT clause)

    $sql = mysql_query(
        "INSERT INTO login
            SET username = '$username'
              , password = '$password'"
    ) or die('<p>Unable to query the database at this time.<br />Error: ' . mysql_error() . '</p>');
    Tip:
    redirect your users to an error management page. In the long run, you'll love a page like this one.

    PHP Code:
    } else {
        header('Location: http://www.yoursite.com/error.php?e=wrong_login'); // Redirect to error page.
        exit;
    }

    and at the top of error.php
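    PHP Code:
    $error = isset($_GET['e']) ? $_GET['e'] : ''; // no notice when the page is opened without ?e=
    $error_message = '';
    if ($error == 'wrong_login') {
        $error_message = 'A problem occurred during your registration process. Please try again.';
    }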

    And in the body of your page.

    PHP Code:
    echo ($error_message); 
    that way you can manage multiple errors only in one page.
    If you have more than one error to manage in the near future, then use the switch statement instead of multiple ifs.

    if you get that, allowing your users to modify their data will be very easy. All you'll have to do is to select their data based on their login info, let them edit it in a form, then update the database with the submitted data using an update query. You'll find the row to edit using a WHERE clause (WHERE username = ... AND password=... ).

    that's it pretty much.

    'hope that helped
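
Added example, not part of the original posts: one way to write the update step discussed in posts #16 and #17 so that the row to change is chosen from the logged-in session and never from the submitted form. Assumptions: an in-memory SQLite database through PDO stands in for MySQL so the script runs offline, the `users` layout follows post #10, `$session` stands for `$_SESSION` after login and `$form` for `$_POST`, and `update_own_tickets()` is a hypothetical name.

```php
<?php
declare(strict_types=1);

// Only these columns may be changed by the user; the list doubles as the
// whitelist for column names placed into the SQL text.
const EDITABLE = ['parade', 'championship', 'steak_fry'];

/** Updates the logged-in user's own row and returns the number of rows changed. */
function update_own_tickets(PDO $pdo, array $session, array $form): int
{
    if (empty($session['loggedin']) || !isset($session['username'])) {
        throw new RuntimeException('not logged in');
    }

    $sets   = [];
    $params = [':who' => $session['username']]; // row key comes from the session only
    foreach (EDITABLE as $col) {
        if (!array_key_exists($col, $form)) {
            continue;
        }
        // tinyint unsigned in the thread's table: whole numbers 0..255
        $n = filter_var($form[$col], FILTER_VALIDATE_INT,
            ['options' => ['min_range' => 0, 'max_range' => 255]]);
        if ($n === false) {
            throw new InvalidArgumentException("bad value for $col");
        }
        $sets[]          = "$col = :$col";
        $params[":$col"] = $n;
    }
    if ($sets === []) {
        return 0; // nothing editable was submitted
    }

    $stmt = $pdo->prepare(
        'UPDATE users SET ' . implode(', ', $sets) . ' WHERE username = :who'
    );
    $stmt->execute($params);
    return $stmt->rowCount();
}

// Constructed sample data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec(
    'CREATE TABLE users (
        username     VARCHAR(128) PRIMARY KEY,
        name         VARCHAR(100) NOT NULL,
        parade       INTEGER NOT NULL DEFAULT 0,
        championship INTEGER NOT NULL DEFAULT 0,
        steak_fry    INTEGER NOT NULL DEFAULT 0
    )'
);
$pdo->exec(
    "INSERT INTO users (username, name, parade, championship, steak_fry) VALUES
        ('jack', 'Jack Jakobson', 1, 1, 1),
        ('bob',  'Bob Smith',     1, 0, 0)"
);

$session = ['loggedin' => true, 'username' => 'jack']; // as set by the login script
$form    = ['parade' => '2', 'username' => 'bob'];     // the form's own 'username' is never read

var_dump(update_own_tickets($pdo, $session, $form));
print_r($pdo->query('SELECT username, parade FROM users ORDER BY username')
            ->fetchAll(PDO::FETCH_ASSOC));
```

Because the password was already checked at login, the `WHERE` clause needs only the session's user key; the password does not have to be sent again with every edit.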

  18. #18
    Evil Genius MilchstrabeStern's Avatar
    Join Date
    Nov 2003
    Location
    Arizona
    Posts
    1,131
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    That definitely will help!!! I just came from 6 hours of rehearsal and I have 9 more tomorrow followed by 6 more on Wednesday concluding with the Fiesta Bowl National Band Championship on Thursday and the parade on Friday. So I'm extremely busy but I'll fiddle with the code tonight and tomorrow night if I have time and see what I can come up with.

  19. #19
    gimme the uuuuuuuuuuu duuudie's Avatar
    Join Date
    Feb 2004
    Location
    Switzerland
    Posts
    2,253
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Also, check this excellent article:

    http://www.sitepoint.com/article/use...sessions-mysql

    it's a must-read

  20. #20
    Evil Genius MilchstrabeStern's Avatar
    Join Date
    Nov 2003
    Location
    Arizona
    Posts
    1,131
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Hmm I tried out the code, it's kinda working.... and I thank you a ton for that, however it's redirecting me even tho my password and username I type in are exactly the same as I have them inserted into the table. So why would it be redirecting me as if I typed it in wrong?

    Here's the code:
    PHP Code:
    <?php

    $db = "mplionhe_documents"; // name of database
    $user = "mplionhe"; // username for database
    $password = "password"; // password for database

    // make the connection
    $link = mysql_connect("localhost", $user, $password);
    if (!$link) die ("cant connect to mysql");

    //select the database once connected.
    mysql_select_db($db, $link) or die ("cannot connect to $db");
    session_start();

    //get the data used to authenticate users

    $username = trim(addslashes($_POST['username']));
    //without encryption:
    $password = trim(addslashes($_POST['password']));
    //with encryption
    $password = md5($_POST['password']);

    //if you use encryption. make sure that you will first record your user password like this:
    //$password = md5($_POST['password']);

    //perform the query to see if you have a matching result

    $sql = mysql_query(
        "SELECT userID
              , username
              , password
           FROM Login
          WHERE username = '$username'
            AND password = '$password'
          LIMIT 0,1"
    ) or die('<p>Unable to query the database at this time.<br />Error: ' . mysql_error() . '</p>');
    $row = mysql_fetch_array($sql);

    if (mysql_num_rows($sql) == 1) // if there is one matching result, then get some data to be displayed on your pages for the user logged in.
    {
        $_SESSION['userID'] = $row['userID'];
        $_SESSION['username'] = $row['username'];
        $_SESSION['loggedin'] = TRUE; // Setting session var 'loggedin' to true --> check it on top of each page you want to be protected.

        header('Location: http://www.mplionhearts.com/'); // redirects to the welcome page if everything is ok. always use absolute URL!!
        exit;

    } else {

        header('Location: http://www.mplionhearts.com/events.php'); // Redirect to error page.
        exit;
    }
    ?>

  21. #21
    gimme the uuuuuuuuuuu duuudie's Avatar
    Join Date
    Feb 2004
    Location
    Switzerland
    Posts
    2,253
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Hi

    First: did you encrypt your password when you inserted it in the db? Because you can't have these two lines, it doesn't make that much sense:
    PHP Code:
    //without encryption:
    $password = trim(addslashes($_POST['password']));
    //with encryption
    $password = md5($_POST['password']);
    In other words, when looking at your password in your db, does it rather look like:

    'mypassword'

    or

    'hs83g4857fhdj392hd83gd743hdfj9H92'

    ?

    If it looks like the first one (and I bet it does), just use this line:
    PHP Code:
    //without encryption:
    $password = trim(addslashes($_POST['password']));
    and erase (or comment out) this one:
    PHP Code:
    //with encryption
    $password = md5($_POST['password']);
    If your password looks like my second example (a 32 chars hash), then make sure that you type your actual password, and not the 32 chars string.

    Anyways, looking back at my code, here are some improvements. There was an obvious mistake: LIMIT the result to one row and then check if the result is equal to one row.

    PHP Code:
    <?php

    $db = "mplionhe_documents"; // name of database
    $user = "mplionhe"; // username for database
    $password = "password"; // password for database

    // make the connection
    $link = mysql_connect("localhost", $user, $password);
    if (!$link) die ("cant connect to mysql");

    //select the database once connected.
    mysql_select_db($db, $link) or die ("cannot connect to $db");
    session_start();

    //get the data used to authenticate users

    $username = trim(mysql_real_escape_string($_POST['username']));
    //without encryption:
    $password = trim(mysql_real_escape_string($_POST['password']));
    //with encryption (as written, this second assignment replaces the one above)
    $password = md5($_POST['password']);

    //if you use encryption. make sure that you will first record your user password like this:
    //$password = md5($_POST['password']);

    //perform the query to see if you have a matching result

    $sql = mysql_query(
        "SELECT userID
              , username
              , password
           FROM Login
          WHERE username = '$username'
            AND password = '$password'"
    ) or die('<p>Unable to query the database at this time.<br />Error: ' . mysql_error() . '</p>');
    $row = mysql_fetch_array($sql);

    if (mysql_num_rows($sql) != 1) // anything other than exactly one matching result: send the user to the error page.
    {

        header('Location: http://www.mplionhearts.com/events.php'); // Redirect to error page.
        exit;

    } else {

        $_SESSION['userID'] = $row['userID'];
        $_SESSION['username'] = $row['username'];
        $_SESSION['loggedin'] = TRUE; // Setting session var 'loggedin' to true --> check it on top of each page you want to be protected.

    }
    ?>
    voilà

    Once again, this code is to get you started. You should check the article by Harry F whose link I posted above.
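
Added example, not part of the original posts: the registration and login steps from the scripts above, rewritten with PDO prepared statements in place of `addslashes()` / `mysql_real_escape_string()` and with `password_hash()` / `password_verify()` in place of plaintext or `md5()` storage (the `mysql_*` functions used in this thread were removed in PHP 7.0). Assumptions: an in-memory SQLite database stands in for MySQL so the script runs offline, the table follows the `login` layout from post #17, and `open_db()`, `register_user()` and `check_login()` are hypothetical names.

```php
<?php
declare(strict_types=1);

function open_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // password_hash() output is longer than an MD5 hex digest, so the
    // varchar(32) and varchar(50) columns shown in the thread would
    // truncate it; 255 leaves room for future algorithms.
    $pdo->exec(
        'CREATE TABLE login (
            userID   INTEGER PRIMARY KEY AUTOINCREMENT,
            username VARCHAR(25)  NOT NULL UNIQUE,
            password VARCHAR(255) NOT NULL
        )'
    );
    return $pdo;
}

function register_user(PDO $pdo, string $username, string $plain): void
{
    // Salted, deliberately slow hash; the salt is generated and stored
    // inside the returned string.
    $hash = password_hash($plain, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO login (username, password) VALUES (:u, :p)');
    $stmt->execute([':u' => trim($username), ':p' => $hash]);
}

/** Returns the user's row (userID, username) or null when the login fails. */
function check_login(PDO $pdo, string $username, string $plain): ?array
{
    // Placeholders keep the submitted text out of the SQL statement itself,
    // so quotes in the input need no escaping.
    $stmt = $pdo->prepare(
        'SELECT userID, username, password FROM login WHERE username = :u'
    );
    $stmt->execute([':u' => trim($username)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // The password is verified in PHP against the stored hash instead of
    // being compared inside the WHERE clause.
    if ($row === false || !password_verify($plain, $row['password'])) {
        return null;
    }
    unset($row['password']); // do not carry the hash into the session
    return $row;
}

// Constructed sample accounts.
$pdo = open_db();
register_user($pdo, 'bob', 'correct horse battery staple');
register_user($pdo, "o'brien", 'another long passphrase'); // quote stored literally

var_dump(check_login($pdo, 'bob', 'correct horse battery staple')); // right password
var_dump(check_login($pdo, 'bob', 'not the password'));             // wrong password
var_dump(check_login($pdo, "o'brien", 'another long passphrase'));  // name with a quote
var_dump(check_login($pdo, 'nobody', 'anything'));                  // unknown user
```

On a successful result the login script would then fill `$_SESSION` as in the posts above.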

  22. #22
    Evil Genius MilchstrabeStern's Avatar
    Join Date
    Nov 2003
    Location
    Arizona
    Posts
    1,131
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Yeah I read through that article, great article. Also I noticed the limit you put in there and I thought it didn't make sense but I trusted that it was right lol. Yeah I don't know why I didn't remove one of the password options, I was thinking that both could stick in there and it would just use whichever one it applies to. I'll make some modifications when I get home.

  23. #23
    Evil Genius MilchstrabeStern's Avatar
    Join Date
    Nov 2003
    Location
    Arizona
    Posts
    1,131
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    I've looked through that article and somehow find myself having trouble creating pages that only members can go into once logged in? Don't I need to create a very similar PHP file that verifies that the user is in fact valid based on the information he has submitted and have the PHP include it at the top of each page? Also, how do I terminate sessions after a period of time?

  24. #24
    gimme the uuuuuuuuuuu duuudie's Avatar
    Join Date
    Feb 2004
    Location
    Switzerland
    Posts
    2,253
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Yes you will have to include your login check at the top of every page you want to be protected. You can make some very simple checks from setting an 'isloggedin' session to true once the password and username have been submitted and accepted, then checking at the top of your secured pages that this session is set to true (if not --> redirect to login page) to more complicated checks like the example provided in Harry F's Php Anth Vol II first chapter (available online).

    Sessions should end after a while, depending on your server settings. It's however highly recommended that you don't only rely on this. Use the session_destroy() and session_unset() functions to control the logout of your members.
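
Added example, not part of the original posts: a small include for the top of each protected page that only reads the session (it does not re-run the login query, which needs the POSTed form), enforces an idle timeout, and logs out with `session_unset()` and `session_destroy()`. Assumptions: the file name `auth.php`, the `last_seen` session key, the 30-minute limit and all function names are hypothetical.

```php
<?php
declare(strict_types=1);

// auth.php (hypothetical name). On a protected page:
//     require 'auth.php';
//     require_login('http://www.yoursite.com/login.php');

const IDLE_LIMIT = 1800; // seconds of inactivity allowed; constructed value

/** Pure check on a session array, kept separate so it can be tested. */
function session_is_live(array $session, int $now, int $idleLimit = IDLE_LIMIT): bool
{
    return !empty($session['loggedin'])
        && isset($session['last_seen'])
        && ($now - (int) $session['last_seen']) <= $idleLimit;
}

/** Call once, right after the username/password check has succeeded. */
function start_login_session(array $user): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true); // new session id for the authenticated session
    $_SESSION['userID']    = $user['userID'];
    $_SESSION['username']  = $user['username'];
    $_SESSION['loggedin']  = true;
    $_SESSION['last_seen'] = time();
}

/** Explicit logout: clear the data, expire the cookie, destroy the session. */
function logout(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_unset();
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

/** Guard for the top of every protected page. */
function require_login(string $loginUrl): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!session_is_live($_SESSION, time())) {
        logout();
        header('Location: ' . $loginUrl);
        exit;
    }
    $_SESSION['last_seen'] = time(); // activity resets the idle clock
}

// Constructed session snapshots, checked against a fixed clock value.
$now = 1700000000;
var_dump(session_is_live(['loggedin' => true, 'last_seen' => $now - 60], $now));   // recently active
var_dump(session_is_live(['loggedin' => true, 'last_seen' => $now - 7200], $now)); // idle for two hours
var_dump(session_is_live([], $now));                                               // never logged in
```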


  25. #25
    Evil Genius MilchstrabeStern's Avatar
    Join Date
    Nov 2003
    Location
    Arizona
    Posts
    1,131
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Somehow I still manage to be confused because I can't get it to work... do I need to alter the code that I include at the top of each page or what? Because if I include the same file that checks login (the file is called checklogin.php) then I end up with errors. What exactly do I need at the top of each page?
    PHP Code:
    <?php

    $db = "mplionhe_documents"; // name of database
    $user = "mplionhe"; // username for database
    $password = "password"; // password for database

    // make the connection
    $link = mysql_connect("localhost", $user, $password);
    if (!$link) die ("cant connect to mysql");

    //select the database once connected.
    mysql_select_db($db, $link) or die ("cannot connect to $db");
    session_start();

    //get the data used to authenticate users

    $username = trim(mysql_real_escape_string($_POST['username']));
    //without encryption:
    $password = trim(mysql_real_escape_string($_POST['password']));


    //if you use encryption. make sure that you will first record your user password like this:
    //$password = md5($_POST['password']);

    //perform the query to see if you have a matching result

    $sql = mysql_query(
        "SELECT userID
              , username
              , password
           FROM Login
          WHERE username = '$username'
            AND password = '$password'"
    ) or die('<p>Unable to query the database at this time.<br />Error: ' . mysql_error() . '</p>');
    $row = mysql_fetch_array($sql);

    if (mysql_num_rows($sql) != 1) // anything other than exactly one matching result: send the user to the error page.
    {

        header('Location: http://www.mplionhearts.com/events.php'); // Redirect to error page.
        exit;

    } else {

        $_SESSION['userID'] = $row['userID'];
        $_SESSION['username'] = $row['username'];
        $_SESSION['loggedin'] = TRUE; // Setting session var 'loggedin' to true --> check it on top of each page you want to be protected.

    }
    ?>

