Managing Users with PHP Sessions and MySQL

[Jump]

PHP Code:

<?php // accesscontrol.php

include("common.php");
include("db.php");
$expiry = 60*60*24*365; // 365 days

session_start();
setcookie('uid', $uid, time()+$expiry, "/");
setcookie('pwd', $pwd, time()+$expiry, "/");


if(!isset($uid)) {
  ?>
  <html>
  <head>
  <title> Please Log In for Access </title>
  <LINK REL=STYLESHEET TYPE="text/css" HREF="stocksol.css">
  </head>
  <body>
  <h1> Login Required </h1>
  <p>blahblah  .., <a href="signup.php">click here</a> blah .</p>
  <p><form method="post" action="<?=$PHP_SELF?>">
    Pilot Name: <input type="text" name="uid" size="8"><br>
    Password: <input type="password" name="pwd" SIZE="8"><br>
    <input type="submit" value="Log in">
  </form></p>
  </body>
  </html>
  <?php
  exit;
}

session_register("uid");
session_register("pwd");


dbConnect("dbname");
$sql = "SELECT * FROM user WHERE userid = '$uid' AND password = PASSWORD('$pwd')";
$result = mysql_query($sql);
if (!$result) {
  error("A database error occurred while checking your ".
        "login details.\nIf this error persists, please ".
        "contact .");
}

if (mysql_num_rows($result) == 0) {
  session_unregister("uid");
  session_unregister("pwd");
setcookie('uid', $uid, time()-$expiry, "/");
setcookie('pwd', $pwd, time()-$expiry, "/");


  ?>
  <html>
  <head>
  <title> Access Denied </title>
  <LINK REL=STYLESHEET TYPE="text/css" HREF="stocksol.css">
  </head>
  <body>
  <h1> Access Denied </h1>
  <p>Your Pilot Name or password is incorrect, or you are not a
     registered user on this site. To try logging in again, click
     <a href="<?=$PHP_SELF?>">here</a>. To register for instant
     access, click <a href="signup.php">here</a>.</p>
  </body>
  </html>
  <?php
  exit;
}

$username = mysql_result($result,0,"userid");
$squad = mysql_result($result,0,"squad");
$faction = mysql_result($result,0,"faction");
$userlvl = mysql_result($result,0,"userlvl");
?>

[Kevin Yank]

Hmm... could be that the cookie registration is overriding the cookie deregistration. Try this:

PHP Code:

<?php // accesscontrol.php

include("common.php");
include("db.php");
$expiry = 60*60*24*365; // 365 days

session_start();

if(!isset($uid)) {
  ?>
  <html>
  <head>
  <title> Please Log In for Access </title>
  <LINK REL=STYLESHEET TYPE="text/css" HREF="stocksol.css">
  </head>
  <body>
  <h1> Login Required </h1>
  <p>blahblah  .., <a href="signup.php">click here</a> blah .</p>
  <p><form method="post" action="<?=$PHP_SELF?>">
    Pilot Name: <input type="text" name="uid" size="8"><br>
    Password: <input type="password" name="pwd" SIZE="8"><br>
    <input type="submit" value="Log in">
  </form></p>
  </body>
  </html>
  <?php
  exit;
}

session_register("uid");
session_register("pwd");

dbConnect("dbname");
$sql = "SELECT * FROM user WHERE userid = '$uid' AND password = PASSWORD('$pwd')";
$result = mysql_query($sql);
if (!$result) {
  error("A database error occurred while checking your ".
        "login details.\nIf this error persists, please ".
        "contact .");
}

if (mysql_num_rows($result) == 0) {
  session_unregister("uid");
  session_unregister("pwd");
  setcookie('uid', $uid, time()-$expiry, "/");
  setcookie('pwd', $pwd, time()-$expiry, "/");


  ?>
  <html>
  <head>
  <title> Access Denied </title>
  <LINK REL=STYLESHEET TYPE="text/css" HREF="stocksol.css">
  </head>
  <body>
  <h1> Access Denied </h1>
  <p>Your Pilot Name or password is incorrect, or you are not a
     registered user on this site. To try logging in again, click
     <a href="<?=$PHP_SELF?>">here</a>. To register for instant
     access, click <a href="signup.php">here</a>.</p>
  </body>
  </html>
  <?php
  exit;
}
else {
  setcookie('uid', $uid, time()+$expiry, "/");
  setcookie('pwd', $pwd, time()+$expiry, "/");
}

$username = mysql_result($result,0,"userid");
$squad = mysql_result($result,0,"squad");
$faction = mysql_result($result,0,"faction");
$userlvl = mysql_result($result,0,"userlvl");
?>

[Jump]

Well that stoped the page from locking up. Only time will tell if it keeps me logged in. Thanks alot.

[lupulet]

I was so confused why i keep getting ugly errors for a simple session_start() ... But after i read this topic...gotcha...it needed to be in the first line...thx

and by the way, kevin, thanks for "managing user..." article

[phredrum]

Kevin,
In the reply that gets eMailed, from signup.php

Your personal login ID and password are as
follows:

userid: $newid
password: $newpass

You aren't stuck with this password! Your can
change it at any time after you have logged in.

You didn't include the code and, altho it's probably simple, I couldn't find anything after a LOT of searching. Do you have an example just lyin' around?

Thanx,
Phred

[Kevin Yank]

Simple just-lying-around code submitted for your inspection:

PHP Code:

<?
include('accesscontrol.php');

if ($chgpw == ""):
html_header(); // Print standard page header
?>
<p>This page will become a little more functional later,
 but for now you can change your password if you wish:</p>
<form action="<?=$PHP_SELF?>" method=post>
<center>
<table border=0 cellpadding=0 cellspacing=0>
<tr>
    <td align=right><p>New password: <input
 type=password name=newpw></td>
</tr>
<tr>
    <td align=right><p>Retype: <input type=password
 name=newpw2></td>
</tr>
<tr>
    <td align=right><input type=submit name=chgpw
 value="   OK   "></td>
</tr>
</table>
</form>
<?
else:
    if ($newpw != $newpw2) {
        error_message("The two password fields did
 not match! Please try again.");
    }
    if ($newpw == "") {
        error_message("You did not provide a
 password. Please try again.");
    }
    $sql = "UPDATE user SET password=PASSWORD('$newpw')
 WHERE userid='$userid'";
    if (mysql_query($sql)):
    // Update the password in the user's session
    $userpassword=$newpw;
    html_header();
    ?>
    <p><STRONG>Password change successful!</STRONG></p>
    <p>Your password has been changed! Click
 <a href="index.php">here</a> to return to the main page of
 the Web site.</p>
    <?
    else:
        error_message("A database error occurred
 while processing your request.\\nIf the problem persists,
 please contact [email]you@email.com[/email].\\n".
 mysql_error());
    endif;
endif;
html_footer();
?>

[jason dickey]

hi there,

i'm a beginner trying to get some experience with php and mysql.

when i try the script mentioned in the article i don't get sent to the appropriate page after a successful login. it looks to me like i'm getting stuck in the login script and i don't know why. other than that everything works fine.

if anybody has any suggestions i'd greatly appreciate it.

jason

[johnn]

Since you don't post your code, I guess you probably use the latest PHP version. If so, you need to use for example, use $_GET['name'] instead of $name, since the register global was turned off. This is very common error, numerous of beginner threads posted about this.

[thoresson]

Hi,

I'm trying to understand sessions, and have made some progress. I'm at the moment trying to get Kevin Yank's login-script up and running, but without 100 percent success.

I've made some modifications to the script, to have it work under PHP 4.2.2.

The script is split up in two major parts: bilder.php, which is the main script, and accesscontrol.php, which should check wether a valid username and password are entered or is already entered.

The first time bilder.php is run, everything works fine. accesscontrol.php gets called, and since I've not logged in, a log in-form is displayed. I enter a valid username and password, which is checked in a MySQL-table and get the green light.

But then the scripts forget that I've already logged in, and presents the log in-form over and over again.

PHP Code:

<?php

# bilder.php

include ("db_functions.php");
include ("html_functions.php");
include ("accesscontrol.php");
include ("bilder_functions.php");

session_start();

define ("INITIAL_PAGE", 0);
define ("LOGOUT", 1);



# start

$title = "bilder";
$header = " ";
html_begin ($title, $header);

# if $action is empty, show the start page

if (empty($action)) 
    $action = INITIAL_PAGE;
if(isset($_REQUEST["action"])) {
    $action = $_REQUEST["action"];
}

# examine $action

switch ($action) 
    {
    case INITIAL_PAGE:
        accesscontrol();
        menu();
        break;

    case LOGOUT:
        accesscontrol();
        logout();
        break;
    
    default:
        die("Unknown action: $action");
}


html_end();
?>

PHP Code:

<?php
function accesscontrol() {
    

# accesscontrol.php - include-file to control that user is logged in

session_start();

# check if either $_POST['uid'] or $_SESSION['uid'] is set

if(!isset($_POST['uid']) AND !isset($_SESSION['uid'])) {
$title = "log in";
$header = " ";
html_begin ($title, $header);
?>
<H2>You are not logged in.</H2>
<p> To see the pictures you need a username and a password. If you don't have these, send a <A HREF="mailto:listor@thoresson.net">mail</A>. </p>
<p> <FORM METHOD="POST" ACTION="<?=$_SERVER['PHP_SELF']?>">
<TABLE>
        <TR>
            <TD>Name:</TD>
            <TD><input name=uid type=text maxlength=20 size=15></TD>
        </TR>
        <TR>
            <TD>Password: </TD>
            <TD><input name=pwd type=password maxlength=10 size=15></TD>
        </TR>
        <TR>
            <TD></TD>
            <TD><input type=submit name=skicka value=" OK "> <input type=reset value="Clear"></TD>
        </TR>
</TABLE>
</FORM>
</p>
<?php
    html_end();
    exit;
}

# if either $_POST['uid'] or $_SESSION['uid'] is set, here is where one end up

$_SESSION['uid'] = $_POST['uid'];
$_SESSION['pwd'] = $_POST['pwd'];
$uid = $_SESSION['uid'];
$pwd = $_SESSION['pwd'];

# db_connect is my own function to connect to my database

db_connect ("XXX", "YYY", "ZZZ");

$sql = "SELECT * FROM users WHERE userid = '$uid' AND password = PASSWORD('$pwd')";
$result = mysql_query($sql);
if(!$result) {
    error("An error occured while your username and password were processed.\\n");
}

if(mysql_num_rows($result) == 0) {
    unset($_SESSION['uid']);
    unset($_SESSION['pwd']);

$title = "log in - error";
$header = " ";
html_begin ($title, $header);
?>
<H2> Log in failure! </H2>
<p> Your username or password was wrong. <A HREF="<?=$_SERVER['PHP_SELF']?>">Try again</A>.
<?php
html_end();
exit;
}
$_SESSION['username'] = mysql_result($result,0,"fullname");
}
?>

My non-educated guess is that there is something wrong with the line if(!isset($_POST['uid']) OR !isset($_SESSION['uid'])). Also, at the moment I have a session_start(); in both files. Right or wrong?


Best regards,

Anders

[johnn]

Hello,

I haven't tried 'action', action is an input field? Really? If not you probably need to create a hidden field 'action'. Anyway, this line

PHP Code:

if (empty($action)) 
    $action = INITIAL_PAGE; 


$action is always empty. Edit:
As I posted above your post, you need $_GET['action'] if pass variable in a query string. If you use hidden field with POST form then use $_POST['action']

[thoresson]

Originally posted by johnn
$action is always empty.

I'm using lines like this:

PHP Code:

 printf("<A HREF=\"%s?action=%d\">", $_SERVER['PHP_SELF'], LOGOUT); 


in the function menu(). It does work in other scripts I've build with the similiar syntax. Was I just lucky than, and should do it some other way?

Needless to say(?), I just a few weeks in to PHP.

Best regards,

Anders

[johnn]

Ok, then you passed it in the query string before I didn't see it, then to use it in the script you passed it to, use $_GET['action']

[thoresson]

But from what I can tell it isn't the action-parameter that's the problem, but rather that the session variables isn't set the right way.

Is this line ok?

PHP Code:

if(!isset($_POST['uid']) OR !isset($_SESSION['uid'])) 


To me it looks like that that IF-rule doesn't "see" when $_SESSION['uid'] is set.

[thoresson]

I've rebuilt accesscontrol.php to check variables in three steps:

1) If $_POST['uid'] is set, validate against the MySQL DB and if ok register session variables in $_SESSION

2) If $_SESSION['uid'] is set, validate against the MySQL DB.

3) If neither $_POST['uid'] or $_SESSION['uid'] is set, show the login form.

Like this:

PHP Code:

<?php

function accesscontrol() {
    

# accesscontrol.php - include-file to control that user is logged in

session_start();

# check if $_POST['uid'] is set - validate and register session-variables 

if(isset($_POST['uid'])) {

    $_SESSION['uid'] = $_POST['uid'];
    $_SESSION['pwd'] = $_POST['pwd'];
    $uid = $_SESSION['uid'];
    $pwd = $_SESSION['pwd'];

# db_connect is my own function to connect to my database

    db_connect ("anders", "aze75", "samp_db");

    $sql = "SELECT * FROM users WHERE userid = '$uid' AND password = PASSWORD('$pwd')";
    $result = mysql_query($sql);
    if(!$result) {
        error("An error occured while your username and password were processed.\\n");
    }

    if(mysql_num_rows($result) == 0) {
        unset($_SESSION['uid']);
        unset($_SESSION['pwd']);

    $title = "log in - error";
    $header = " ";
    html_begin ($title, $header);
    ?>
    <H2> Log in failure! </H2>
    <p> Your username or password was wrong. <A HREF="<?=$_SERVER['PHP_SELF']?>">Try again</A>.
    <?php
    html_end();
    exit;
}
    $_SESSION['username'] = mysql_result($result,0,"fullname");
    $_SESSION['logged_in'] = true;

}


# check if $_SESSION['uid'] is set - validate

if(isset($_SESSION['uid'])) {

    $uid = $_SESSION['uid'];
    $pwd = $_SESSION['pwd'];

# db_connect is my own function to connect to my database

    db_connect ("anders", "aze75", "samp_db");

    $sql = "SELECT * FROM users WHERE userid = '$uid' AND password = PASSWORD('$pwd')";
    $result = mysql_query($sql);
    if(!$result) {
        error("An error occured while your username and password were processed.\\n");
    }

    if(mysql_num_rows($result) == 0) {
        unset($_SESSION['uid']);
        unset($_SESSION['pwd']);

    $title = "log in - error";
    $header = " ";
    html_begin ($title, $header);
    ?>
    <H2> Log in failure! </H2>
    <p> Your username or password was wrong. <A HREF="<?=$_SERVER['PHP_SELF']?>">Try again</A>.
    <?php
    html_end();
    exit;
}
}

# if neither $_POST['uid'] or $_SESSION['uid'] is set, here is where one end up

else {

$title = "log in";
$header = " ";
html_begin ($title, $header);
?>
<H2>You are not logged in.</H2>
<p> To see the pictures you need a username and a password. If you don't have these, send a <A HREF="mailto:listor@thoresson.net">mail</A>. </p>
<p> <FORM METHOD="POST" ACTION="<?=$_SERVER['PHP_SELF']?>">
<TABLE>
        <TR>
            <TD>Name:</TD>
            <TD><input name=uid type=text maxlength=20 size=15></TD>
        </TR>
        <TR>
            <TD>Password: </TD>
            <TD><input name=pwd type=password maxlength=10 size=15></TD>
        </TR>
        <TR>
            <TD></TD>
            <TD><input type=submit name=skicka value=" OK "> <input type=reset value="Clear"></TD>
        </TR>
</TABLE>
</FORM>
</p>
<?php
    html_end();
    exit;
}
}
?>

Now everything seems to work just fine.

But another question: At the moment I've got a session_start() both in accesscontrol.php and in the main script bilder.php. Is that needed?

Best regards,

Anders

[epollux]

I am fairly new to PHP & Web development. I found the article really interesting and really liked the PHPSELF idea.

With the techinique you are suggesting the database get accessed everysingle time the user go to a page (this in order to check that the username/password combination is correct).

I would have thought that it could be possible to store in the sessions variables (with session_register) that the user has logged on and therefore no further check is needed.

I would appreciate people's comments on this.

Cheers!

[thoresson]

I've been thinking about that, me too. I thought that it might add extra security to check the username and password everytime, instead of storing a variable, say $_SESSION['loggedin'] = true.

But perhaps it doesn't, but just add an extra burdon on the database?

[Kevin Yank]

Checking the user's credentials in the database for every request ensures that if you remove a user's access rights while they're logged in, they will be kicked off the site immediately.

If you cache the loged-in state in a session variable as you suggest, anyone who has even momentary access to your site can keep that access so long as they keep their session alive.

The choice is yours, but in my experience it's not worth sacrificing a bit of security to save a single database query.

[lauriek]

Ooh this is tricky stuff! I'm completely new to PHP and MYSQL, have just finished going through Kevin's book for the first time, and I am trying to set up this access control bit. I seem to be having the same problem as thoresson, but I thought I'd got round it yesterday. My problem is that I have two PC's I'm developing on and PHP seems to be setup slightly differently on each. I have the following access control script -

PHP Code:



<?php

session_start();

include("common.php");
include("db.php");

$uid=$_POST['uid'];
if($uid=="") {
    $uid=$_SESSION['uid'];
}
$openpwd=$_POST['pwd'];
if($openpwd=="") {
    $openpwd=$_SESSION['pwd'];
}

//echo $uid;

$salt=substr($openpwd, 0, 2);
$cryptpwd=crypt($openpwd, $salt);
$pwd=$openpwd;

$thispage=$PHP_SELF;
if($thispage=="") {
    $thispage=$_SERVER['PHP_SELF'];
}

if(!isset($uid)) {

    ?>

<html>
<head>
<title> Please Log In for Access </title>
<link rel="stylesheet" href="/local.css">
<link rel="stylesheet" href="moviedb.css">
</head>
<script language="Javascript">
<!--

grabUrl=document.location.search.substring(1);
if(grabUrl!="") {
    var urlParams=new Array();
    var urlParamSets=grabUrl.split("&");
    for(f=0;f<urlParamSets.length;f++) {
        thisParamSet=urlParamSets[f];
        var thisParam=thisParamSet.split("=");
        thisParamName=thisParam[0];
        thisParamValue=thisParam[1];
        if(urlParams.length==0) {
            nextItem=0;
            nextValue=1;
        } else {
            nextItem=urlParams.length+1;
            nextValue=urlParams.length+2;
        }
        urlParams[nextItem]=thisParamName;
        urlParams[nextValue]=thisParamValue;
    }
} else { urlParams=""; }

// -->
</script>
<body>
<?php
include "header.inc";

//echo "Supplied UID - $uid <br>\n";
//echo "Supplied openpass - $openpwd <br>\n";
//echo "Supplied cryptpass - $cryptpwd <br>\n";
//echo "Supplied salt - $salt <br>\n";

?>

<p> <font class=title><b>Login Required </b></font></p>
<p>You must log in to access this area of the site. If you are
not a registered user, <a href="useradd.php">click here</a>
to sign up for instant access!</p>

<p><form method="post" action="<?=$thispage?>">

<script language="Javascript">
<!--
for(f=0;f<urlParams.length;f=f+2) {
    g=f++;
    opHtml="<input type='hidden' name='"+urlParams[g]+"' value='"+urlParams[f]+"'>"
//    alert(opHtml);
    document.writeln(opHtml);
}

// -->
</script>

<table border=0>
<tr>
<td align=right>User ID:</td><td><input type="text" name="uid" size="20"></td>
</tr>
<tr>
<td align=right>Password:</td><td><input type="password" name="pwd" SIZE="20"></td>
</tr>
<tr><td colspan=2 align=center><input type="submit" value="Log in"></td></tr>
</table>

</form></p>

<?php
include "trailer.inc";
 ?>
</body>
</html>

<?php

exit;

}

$_SESSION['uid']=$uid;
$_SESSION['pwd']=$pwd;

//session_register("uid");
//session_register("pwd");

dbConnect("moviesowned");
$sql = "SELECT * FROM users WHERE EmailAddress = '$uid' AND password = '$cryptpwd'";
$result = mysql_query($sql);
if (!$result) {
    error("A database error occurred while checking your " . "login details.\\nIf this error persists, please " . "contact [email]kevin@sitepoint.com[/email].");
}

if (mysql_num_rows($result) == 0) {
    session_unregister("uid");
    session_unregister("pwd");

    ?>

<html>
<head>
<title> Access Denied </title>
<link rel="stylesheet" href="moviedb.css">
<link rel="stylesheet" href="/local.css">
</head>
<body>
<?php include "header.inc"; ?>

<h1> Access Denied </h1>

<?php

echo "Supplied username - !" . $uid . "!<br>\n";
echo "Supplied password - !" . $openpwd . "!<br>\n";
echo "Supplied salt - !" . $salt . "!<br>\n";
echo "Crypted password - !" . $cryptpwd . "!<br>\n";

?>

<p>Your user ID or password is incorrect, or you are not a
registered user on this site. To try logging in again, click
<a href="<?=$thispage;?>">here</a>. To register for instant
access, click <a href="useradd.php">here</a>.</p>

<?php include "trailer.inc"; ?>
</body>
</html>

<?php

exit;
}

$username = mysql_result($result,0,"UserName");

?>

Which was working fine on one PC yesterday, but I've transferred all my scripts to another PC and now the uid is not being kept between pages. I have put in some debug echos so I can see whats happening and the funny thing is that the pwd is being kept between pages but the uid is being lost. I am pulling out my hair trying to see whats wrong! Any pointers much appreciated!

To clarify, I have to log in to each and every page which includes this accesscontrol script, the UID is lost between pages, somehow the PWD is remembered!

Laurie

[Kevin Yank]

Without actually runnning the script myself, it certainly all looks like it should work.

[lauriek]

I've fixed it, I don't understand how but its working! I changed this bit -

PHP Code:


$uid=$_POST['uid'];
if($uid=="") {
    $uid=$_SESSION['uid'];
} 


to this -

PHP Code:


$uid=$_SESSION['uid'];
if($uid=="") {
    $uid=$_POST['uid'];
} 


and now it works okay! Can anyone advise the url of a good tutorial about these different variables - _GET, _SESSION, _POST etc?

Thanks!

Laurie

ps Kevin, thanks for the excellent book, I struggled to get anything working in the past with php and mysql but now things are starting to come together!!

[Kevin Yank]

See my article, "Write Secure Scripts with PHP 4.2!"

[kld]

Here's a curious bit of garbage that appears at the top of the page occasionally (not every time) following an exit from a page that destroys the current session (a "logout" page that has a "session_destroy(); at the top):

------------------------
HTTP/1.1 200 OK Date: Sat, 21 Dec 2002 01:47:24 GMT Server: Apache/1.3.22 (Unix) mod_perl/1.26 mod_throttle/2.11 PHP/4.1.0 FrontPage/4.0.4.3 mod_ssl/2.8.5 OpenSSL/0.9.6b X-Powered-By: PHP/4.1.0 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Keep-Alive: timeout=15, max=999 Connection: Keep-Alive Transfer-Encoding: chunked Content-Type: text/html d0c
-------------------------

I'm sure I'll get to the bottom of it eventually, probably something ignorant I'm doing with my session, but does anyone happen to know what this is? Is it an expired session throwing up all over the place? Just guessing at this point...meanwhile I'm doing some more reading...

Thanky,
kate (...and reaching for the sponge mop...)

[prendo]

Thanks to Kevin for the book and the Managing Users with Sessions tutorial. As a complete novice I feel like I've come a long way with PHP in the last few days.

I just have a couple of small problems with the signup.php script. Everything works fine except when I try to submit the form with either blank fields or with an existing user name. It should result in an error message using the common.php include file but this doesn't happen.

Can anyone see any errors with my script (see below). Greatly appreciate any help with this.

PHP Code:


<?php // signup.php

include("common.php");
include("db.php");

if (!isset($submitok)):    
// Display the user signup form    
?>        
<html>    
<head><title>New User Registration</title></head>    
<body>
        <p><font color=orangered size=+1><TT><B>*</B></TT></font>
               indicates a required field</p>
               <form method=post action="<?=$PHP_SELF?>">
               <table border=0 cellpadding=0 cellspacing=5>
                            <tr>
                                <td align=right>
                                    <p>User ID</p>
                                </td>
                                <td>
                                    <input name=newid type=text maxlength=100 size=25>
                                    <font color=orangered size=+1><TT><B>*</B></TT></font>        
                                </td>
                            </tr>
                            <tr>
                                <td align=right>
                                    <p>Full Name</p>
                                </td>
                                <td>
                                    <input name=newname type=text maxlength=100 size=25>
                                    <font color=orangered size=+1><TT><B>*</B></TT></font>
                                </td>
                            </tr>
                            <tr>
                                <td align=right>
                                    <p>E-Mail Address</p>
                                </td>
                                <td>
                                    <input name=newemail type=text maxlength=100 size=25>
                                    <font color=orangered size=+1><TT><B>*</B></TT></font>
                                </td>
                            </tr>
                            <tr valign=top>
                                <td align=right>
                                    <p>Other Notes</p>
                                </td>
                                <td>
                                    <textarea wrap name=newnotes rows=5 cols=30></textarea>
                                </td>
                            </tr>
                            <tr>
                                <td align=right colspan=2>
                                    <hr noshade color=black>
                                    <input type=reset value="Reset Form">
                                    <input type=submit name="submitok" value="   OK   ">
                                </td>
                            </tr>
                        </table>
                        </form>
</body>
</html>                        
                        
<?php
else:    // Process signup submission    
dbConnect('db71423777');

if ($newid=="" or $newname=="" or $newemail=="") {        
error("One or more required fields were left blank.\\n".              
"Please fill them in and try again.");    }

// Check for existing user with the new id    
$sql = "SELECT COUNT(*) FROM user WHERE userid = '$newid'";    
$result = mysql_query($sql);    
if (!$result) {            
    error("A database error occurred in processing your ".              
        "submission.\\nIf this error persists, please ".              
        "contact [email]info@danielprendergast.co.uk[/email] ERROR 1");    
}    
if (@mysql_result($result,0,0)>0) {        
    error("A user already exists with your chosen userid.\\n".              
        "Please try another.");    
}

$newpass = substr(md5(time()),0,6);

$sql = "INSERT INTO user SET              
userid = '$newid',              
password = PASSWORD('$newpass'),              
fullname = '$newname',              
email = '$newemail',              
notes = '$newnotes'";    
if (!mysql_query($sql))        
error("A database error occurred in processing your ".              
"submission.\\nIf this error persists, please ".              
"contact [email]info@danielprendergast.co.uk[/email] ERROR 2");

// Email the new password to the person.    
$message = "G'Day!
Your personal account for the Project Web Site
has been created! To log in, proceed to the
following address:
    [url]index.php[/url]
Your personal login ID and password are asfollows:
    userid: $newid    password: $newpass
You aren't stuck with this password! You can
change it at any time after you have logged in.
If you have any problems, feel free to contact me at
<info@danielprendergast.co.uk>.
-Daniel Prendergast Project Webmaster";
    mail($newemail,"Your Password for the Project Website",         
    $message, "From:Daniel Prendergast <info@danielprendergast.co.uk>");
?>    

<html>    
<head><title> Registration Complete </title></head>    
<body>    
<p><strong>User registration successful!</strong></p>    
<p>Your userid and password have been emailed to       
<strong><?=$newemail?></strong>, the email address       
        you just provided in your registration form. To log in,       
        click <a href="members.php">here</a> to return to the login       
        page, and enter your new personal userid and password.</p>    
</body>    
</html>    

<?php
endif;
?>

Also, I'm new to sessions and cookies but have managed to adapt the script to store the user id for longer periods of time than a single session. Could anyone tell me how to remove the stored session ids from my system(I need to do this to help me test the scripts). I've tried clearing the cookies folder and system cache but the script is still logging me in automatically.

Thanks

[Kevin Yank]

To begin with, you have some double quotes in your email message string that are not correctly escaped with backslashes. You can see in the code highlighting above how this prevents PHP from seeing where the message actually ends.

[thomlin]

Hi all,

first of all let me thank Kevin for his great article.

My problem is that I always get the same error message from the Apache Server (1.3.27, PHP 4.2.2, running at localhost on a Windows2000 workstation), saying: "Forbidden
You don't have permission to access /OST/HTML_Seiten/< on this server".

I created different files for the projects i am working on in my document-root htdocs. One of them is called "OST". In OST i have different files for HTML-pages (HTML_Seiten), php-scripts, images, and css.

It seems to me that php can't handle the <?php-tag announcing the following php-code.

Here is the line which causes all the trouble:

<form method=post action="<?php echo $_SERVER['PHP_SELF']; ?>">

Anybody has a clue what I missed and would like to help me?

Cheers,

thomlin