Thread: Login

  1. #26
    SitePoint Guru mwolfe's Avatar
    Join Date
    Mar 2005
    Posts
    912
    typically to find if a user info is valid to login, you need a username and a password to compare against the database.. instead of focusing on your code i'll focus on a general example so you can see what happens..

    we have a table named users, it contains 3 fields: the user_id, the username, and password. The password should be md5 encrypted, or another encryption of your choice.. md5 is built in to php and doesn't require any extra libraries to use or anything.

    now when a user types in the username and password in the login page and presses submit, your form should process that input as i explained above..

    you need to escape the username so that if they tried to use any sql injection attempts they will fail. use mysql_escape_string or mysql_real_escape_string to escape mysql data.

    so at this point it would look like this
    PHP Code:
    if (isset($_POST['submit'])) {
      $username = mysql_escape_string($_POST['username']);
      $password = md5($_POST['password']);

      //Now we do the query
      $query = "SELECT user_id FROM users WHERE username = '$username' AND password='$password'";
      $result = mysql_query($query);
      if (mysql_num_rows($result) > 0){
        // a redirect needs the Location: header name
        header('Location: protectedpage.php');
      }
    }

    Now i didn't mess with sessions or anything like that in the above snippet. You can modify the above code to store the userid and password in the session if it's correct..
    mostly i was just showing you the basics of what happens when a user logs in.. you pretty much just check if a record matching the username AND password that the user entered exists in the database.
    It looks like you were trying to figure it out by looping through each row of your user table and then testing in php... that is why they invented SQL though, so you could have the database take care of all of that..

  2. #27
    Sell crazy someplace else markl999's Avatar
    Join Date
    Aug 2003
    Location
    Manchester, UK
    Posts
    4,007
    To avoid confusion, users is my username data in the MySQL db and pass is the value of password in the MySQL db.
    It would be less confusing to call them username and password then

    All you need to do is check the user exists, if so set the session and redirect, you don't even need to fetch anything out of the database, so something simple like this should do you:
    PHP Code:
    if(isset($_POST['user']) && isset($_POST['pass']))
    {
      $username = mysql_escape_string($_POST['username']);
      $password = md5($_POST['password']);

      $query = "SELECT COUNT(*) AS total FROM helpdesk
         WHERE users='$username' AND pass='$password'";
      $res = mysql_nm_rows($query) or die(mysql_error());
      if(mysql_num_rows($res) == 1)
      {
        session_start();
        $_SESSION['user'] = $username;
        header("Location: index2.php");
        exit;
       } else {
        header("Location: index.php?login=false");
        exit;
       }

    You don't need $_SESSION['auth'] == "true"; as you know they're logged in if $_SESSION['user'] is set. I'd even get rid of the rather pointless mysql class that's just providing an extra layer of confusion

    Edit:

    Yeah, what mwolfe said

  3. #28
    designer
    Join Date
    Dec 2004
    Location
    Over the hill and through the woods...
    Posts
    306
    Oof. So close.

    Fatal error: Call to undefined function: mysql_nm_rows() in /home/demiur/public_html/demo/helpdesk/login.php on line 10
    Only error!

  4. #29
    Sell crazy someplace else markl999's Avatar
    Join Date
    Aug 2003
    Location
    Manchester, UK
    Posts
    4,007
    Sorry, a typo, should be:
    $res = mysql_num_rows($query) or die(mysql_error());

  5. #30
    SitePoint Guru mwolfe's Avatar
    Join Date
    Mar 2005
    Posts
    912
    yeah the mysql class should come in later when you have a better handle on working with php and sql.

    And I agree with markl999 completely, i was going to throw in COUNT(*) instead of mysql_num_rows but i didn't want to confuse things. When you select COUNT(*) you are selecting the count for the number of rows returned so you never have to call mysql_num_rows function in php.. you simply get the result of the query and check if it's greater than 0 (or == 1). Technically it should never be greater than one because usernames should be unique in your table.

  6. #31
    designer
    Join Date
    Dec 2004
    Location
    Over the hill and through the woods...
    Posts
    306
    Damn. Now I get this.

    Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/demiur/public_html/demo/helpdesk/login.php on line 12

  7. #32
    Sell crazy someplace else markl999's Avatar
    Join Date
    Aug 2003
    Location
    Manchester, UK
    Posts
    4,007
    Oh yeah, one minor thing i forgot, and that's to execute the query

    PHP Code:
    $query = "SELECT COUNT(*) AS total FROM helpdesk
       WHERE users='$username' AND pass='$password'";
    $res = mysql_query($query) or die(mysql_error());
    if(mysql_num_rows($res) == 1)

  8. #33
    designer
    Join Date
    Dec 2004
    Location
    Over the hill and through the woods...
    Posts
    306
    Warning: mysql_query(): Access denied for user: 'demiur@localhost' (Using password: NO) in /home/demiur/public_html/demo/helpdesk/login.php on line 11

    Warning: mysql_query(): A link to the server could not be established in /home/demiur/public_html/demo/helpdesk/login.php on line 11
    Access denied for user: 'demiur@localhost' (Using password: NO)
    ???

    Here is the current code if it helps.

    PHP Code:
    <?php

    require("util.php");

    if(isset($_POST['user']) && isset($_POST['pass']))
    {
      $username = mysql_escape_string($_POST['username']);
      $password = md5($_POST['password']);

      $query = "SELECT COUNT(*) AS total FROM helpdesk WHERE users='$username' AND pass='$password'";
      $res = mysql_query($query) or die(mysql_error());
      if(mysql_num_rows($res) == 1)
      {
        session_start();
        $_SESSION['user'] = $user2;
        header("Location: index2.php");
        exit;
       } else {
        header("Location: index.php?login=false");
        exit;
       }
    }

    ?>

  9. #34
    Spacebug Beansprout's Avatar
    Join Date
    Oct 2005
    Location
    UK
    Posts
    464
    You need to put in your username/password info in mysql_connect()...

  10. #35
    Sell crazy someplace else markl999's Avatar
    Join Date
    Aug 2003
    Location
    Manchester, UK
    Posts
    4,007
    Yeah, i left off your connection details, i didn't know you wanted the full blown script, but here goes:
    PHP Code:
    <?php

    if(isset($_POST['user']) && isset($_POST['pass']))
    {
      mysql_connect('localhost', 'dbuser', 'dbpass') or die(mysql_error());
      mysql_select_db('demiur_helpdesk') or die(mysql_error());

      $username = mysql_escape_string($_POST['username']);
      $password = md5($_POST['password']);

      $query = "SELECT COUNT(*) AS total FROM helpdesk
         WHERE users='$username' AND pass='$password'";
      $res = mysql_query($query) or die(mysql_error());
      if(mysql_num_rows($res) == 1)
      {
        session_start();
        $_SESSION['user'] = $username;
        header("Location: index2.php");
        exit;
      }
      else
      {
        header("Location: index.php?login=false");
        exit;
      }
    }

    ?>

  11. #36
    designer
    Join Date
    Dec 2004
    Location
    Over the hill and through the woods...
    Posts
    306
    THANK YOU ALL! It works! It is beautiful!

    Ack. Spoke too soon. Well, not really. The problem now is, how do I use that code to protect my pages?

    The other problem is, no matter what I type for a password, it always lets you in.

  12. #37
    designer
    Join Date
    Dec 2004
    Location
    Over the hill and through the woods...
    Posts
    306
    Nvm. The code works. You have no idea how dumb I feel. I modified $username to $user2 in the query but not when it grabs data from the form.

  13. #38
    Spacebug Beansprout's Avatar
    Join Date
    Oct 2005
    Location
    UK
    Posts
    464
    Edit: Cool

  14. #39
    designer
    Join Date
    Dec 2004
    Location
    Over the hill and through the woods...
    Posts
    306
    Edit: crud!

    PHP Code:
    <?php

    if(isset($_POST['user']) && isset($_POST['pass']))
    {
      mysql_connect('localhost', 'demiur_helpdesk', 'me1234') or die(mysql_error());
      mysql_select_db('demiur_helpdesk') or die(mysql_error());

      $username = mysql_escape_string($_POST['user']);
      $password = md5($_POST['pass']);

      $query = "SELECT COUNT(*) AS total FROM helpdesk WHERE users='$username' AND pass='$password'";
      $res = mysql_query($query) or die(mysql_error());
      if(mysql_num_rows($res) == 1)
      {
        session_start();
        $_SESSION['user'] = $username;
        $_SESSION['auth'] == "true";
        header("Location: index2.php");
        exit;
      }
      else
      {
        header("Location: index.php?login=false");
        exit;
      }
    }

    ?>
    No matter what you type, it always lets you in! Also, I need a way to make the protected pages protected. What do I have it check? Also, it doesn't detect the session user correctly. So it doesn't display. And, my logout code doesn't work.

    Logout:

    PHP Code:
    <?php

    //logout

    //redirect
    header("Location:index.php?logout=1");

    //destroy the session
    session_destroy();
    session_unset();

    ?>
    What's going wrong with ALL the code?!

  15. #40
    Sell crazy someplace else markl999's Avatar
    Join Date
    Aug 2003
    Location
    Manchester, UK
    Posts
    4,007
    Well, in the logout page you're redirecting before destroying a session that doesn't exist
    PHP Code:
    //logout
    session_start();
    session_destroy();
    header("Location:index.php?logout=1");
    exit; 
    No matter what you type, it always lets you in!
    Again, my fault, the query always returns one row, what you want is:
    PHP Code:
    $query = "SELECT COUNT(*) AS total FROM helpdesk
       WHERE users='$username' AND pass='$password'";
      $res = mysql_query($query) or die(mysql_error());
      $row = mysql_fetch_array($res) or die(mysql_error());
      if($row['total'] == 1)
      {
        session_start();
        $_SESSION['user'] = $username;
        header("Location: index2.php");
        exit;
      }
      else
      {
        header("Location: index.php?login=false");
        exit;
      }
    ..but i'm tired so there might be errors there too

  16. #41
    designer
    Join Date
    Dec 2004
    Location
    Over the hill and through the woods...
    Posts
    306
    Ok, now it never lets me in. My password is always wrong.

    Also, what about protecting the pages that need to be protected?

  17. #42
    Sell crazy someplace else markl999's Avatar
    Join Date
    Aug 2003
    Location
    Manchester, UK
    Posts
    4,007
    Ok, now it never lets me in. My password is always wrong.
    I'll take a wild stab and guess you're not actually md5'ing the database passwords ?
    To debug it put:
    echo $query; exit;

    right before the line:
    $res = mysql_query($query) or die(mysql_error());

    That will show you the query, so then compare the username and password in the query with the one in the database, see if they match. This code is presuming you're md5'ing passwords in the database, you'll know if you are as every password in the database will be 32 characters long

    Also, what about protecting the pages that need to be protected?
    Shall we come back to that once you can login ok?

  18. #43
    designer
    Join Date
    Dec 2004
    Location
    Over the hill and through the woods...
    Posts
    306
    YESSSSSSSSSSSS! I just didn't input it as MD5. Thanks so much for your help this far. I gots one more level to go. Now, I have two problems. One, I want it to display $_SESSION['user']. But, when I login, it just shows blank space. Two, how do I protect the pages that I need protected?

    EDIT: Aah! Crud! Whatever password I type in, it lets me in!

  19. #44
    Sell crazy someplace else markl999's Avatar
    Join Date
    Aug 2003
    Location
    Manchester, UK
    Posts
    4,007
    One, I want it to display $_SESSION['user']. But, when I login, it just shows blank space.
    I presume you mean it's blank in index2.php ? If so then make sure you have session_start(); at the top of index2.php

    Two, how do I protect the pages that I need protected?
    PHP Code:
    <?php
    session_start();
    //protected page
    if(!isset($_SESSION['user']))
    {
        //redirect to your login page
        header("Location: index.php?login=false");
        exit;
    }
    //rest of page goes here

  20. #45
    Sell crazy someplace else markl999's Avatar
    Join Date
    Aug 2003
    Location
    Manchester, UK
    Posts
    4,007
    EDIT: Aah! Crud! Whatever password I type in, it lets me in!
    Now that i wouldn't expect, paste the login code you currently have.

  21. #46
    designer
    Join Date
    Dec 2004
    Location
    Over the hill and through the woods...
    Posts
    306
    Ok.

    PHP Code:
    <?php

    if(isset($_POST['user']) && isset($_POST['pass']))
    {
      mysql_connect('localhost', 'demiur_helpdesk', 'me1234') or die(mysql_error());
      mysql_select_db('demiur_helpdesk') or die(mysql_error());

      $username = mysql_escape_string($_POST['user']);
      $password = md5($_POST['pass']);

      $query = "SELECT COUNT(*) AS total FROM helpdesk
         WHERE users='$username' AND pass='$password'";
      $res = mysql_query($query) or die(mysql_error());
      $row = mysql_fetch_array($res) or die(mysql_error());
      if($row['total'] == 1)
      {
        session_start();
        $_SESSION['user'] = $username;
        header("Location: index2.php");
        exit;
      }
      else
      {
        header("Location: index.php?login=false");
        exit;
      }
     }

    ?>
    I noticed something interesting though. When I changed the password to a different one, MD5ing it, I couldn't login with that password, but I could with the old one. At that time, it only let the old password work, not the new one. That kinda bugs me.

  22. #47
    Sell crazy someplace else markl999's Avatar
    Join Date
    Aug 2003
    Location
    Manchester, UK
    Posts
    4,007
    The code looks ok to me, sounds more like a database problem, can you post the structure of the demiur_helpdesk table ? (including column types and sizes)

  23. #48
    designer
    Join Date
    Dec 2004
    Location
    Over the hill and through the woods...
    Posts
    306
    ID+++++++users++++++pass
    1++++++++weasel++++0
    2++++++++noinu+++++50
    The passwords are MD5 encrypted. The server did it, not me. I honest to god have no idea why mine is 0. My friend's login doesn't even work when I type it in.

  24. #49
    Sell crazy someplace else markl999's Avatar
    Join Date
    Aug 2003
    Location
    Manchester, UK
    Posts
    4,007
    The passwords are MD5 encrypted
    No they're not
    An MD5 password will be 32 characters long. The pass column should be a CHAR(32)
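
Added example, not part of the thread or any poster's code: the login check from post #26 and the column-width point from post #49, redone with a bound query parameter and PHP's `password_hash()`/`password_verify()`, including an upgrade path for rows that still hold 32-character MD5 strings. Assumptions: in-memory SQLite through PDO stands in for the MySQL database, `check_login()` is a hypothetical helper name, the `pass` column is widened to VARCHAR(255), and all users and passwords are constructed.

```php
<?php
// Added example with constructed data. In-memory SQLite (PDO) stands in for
// the thread's MySQL database so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Assumption: pass is widened to VARCHAR(255) so it can hold password_hash()
// output as well as the 32-character MD5 hex strings from the thread.
$db->exec("CREATE TABLE helpdesk (
    id INTEGER PRIMARY KEY, users VARCHAR(50) UNIQUE, pass VARCHAR(255))");
$ins = $db->prepare("INSERT INTO helpdesk (users, pass) VALUES (?, ?)");
$ins->execute(['weasel', md5('old-secret')]);   // legacy MD5 row (constructed)
$ins->execute(['noinu', password_hash('correct horse', PASSWORD_DEFAULT)]);

// check_login() is a hypothetical helper: returns the username or false.
function check_login(PDO $db, string $user, string $pass)
{
    // Bound parameter: user input never becomes part of the SQL text,
    // so no escaping function is needed.
    $stmt = $db->prepare("SELECT users, pass FROM helpdesk WHERE users = ?");
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;                            // unknown user
    }

    $stored = $row['pass'];
    $legacy = preg_match('/^[0-9a-f]{32}$/', $stored) === 1;
    $ok = $legacy
        ? hash_equals($stored, md5($pass))       // constant-time compare
        : password_verify($pass, $stored);
    if (!$ok) {
        return false;                            // wrong password
    }

    // Upgrade legacy or outdated hashes while the plaintext is available.
    if ($legacy || password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $upd = $db->prepare("UPDATE helpdesk SET pass = ? WHERE users = ?");
        $upd->execute([password_hash($pass, PASSWORD_DEFAULT), $row['users']]);
    }
    return $row['users'];
}

var_dump(check_login($db, 'weasel', 'old-secret')); // legacy row, upgraded on success
var_dump(check_login($db, 'weasel', 'wrong'));      // wrong password
var_dump(check_login($db, "o'neil", 'anything'));   // quote in the name is plain data
$hash = $db->query("SELECT pass FROM helpdesk WHERE users = 'weasel'")->fetchColumn();
var_dump(password_get_info($hash)['algoName']);     // algorithm of the stored hash now
```

In a login page, call `session_start()` and `session_regenerate_id(true)` before storing the returned name in `$_SESSION['user']`.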

  25. #50
    designer
    Join Date
    Dec 2004
    Location
    Over the hill and through the woods...
    Posts
    306
    ah, I will fix that. uhm, what sql command should I use to change it?

