Managing Users with PHP Sessions and MySQL

[rfl]

i'm still reading KYank's article about sessions and, at some point, in the accesscontrol script, he wrote, just above the </body> tag:

PHP Code:

<p>Your user ID or password is incorrect, or you are not a
       registered user on this site. To try logging in again, click
       <a href="<?=$PHP_SELF?>">here</a>. To register for instant
       access, click <a href="signup.php">here</a>.</p>

I used that on my page.
The problem is that the a href does NOT point to the very same page, as $PHP_SELF suggests. Actually, i tried printing $PHP_SELF and prints...nothing!
Why?
Note: i use this script as an include; if my page's url is http://mysite/mypage.php, when i hoover the link 'here', it points to http://mysite/. That's the puzzling thing!

[Kevin Yank]

Your register_globals setting in php.ini is set to Off. This script was written with the old default of On in mind. I'll get around to updating it soon, but in the meantime you can read my article, "Write Secure Scripts with PHP 4.2!" for the scoop on how to adapt scripts for register_globals Off.

The short answer is to change $PHP_SELF to $_SERVER['PHP_SELF'].

[rfl]

thanks for that!
i had just found that you used it in newcat script

[Kako]

Only problem im getting is.. 1, i want to use cookies to keep users from having to keep loggin in if they close the web page.
2. dont know how to make users log out... :/

[rfl]

Kako:
About your first point, just follow my posts and KYank's answers to those.

About your point 2, i use this before the <html>:

PHP Code:

<?php 
setcookie('uid', $uid, time()-$expiry, "/" ); 
setcookie('pwd', $pwd, time()-$expiry, "/" );
unset($_SESSION['uid']);
unset($_SESSION['pwd']); 
?>

[Kevin Yank]

Just a note: I have now updated the article to work in PHP 4.2 or later!

[klassicd]

Isn't this the exact same article that he had wrote before?

[Kevin Yank]

Yes it is, but it has been updated to work in PHP 4.2 or later. I've now added a note to this effect at the start of the article to avoid confusion.

[alfie.romeo]

Hello

i'm getting the error below when i click from the email to login. if i enter my name (phil) and password, it's all fine and takes me to the protected page. However, if i sign up as dave and then go to login from the email, it still says welcome phil! obviously the session is still remembering my first details.

It's probably me.....but any ideas?

Notice: Undefined index: uid in c:\inetpub\wwwroot\managing_users_with_php_sessions_and_mysql\accesscontrol.php on line 7

Notice: Undefined index: pwd in c:\inetpub\wwwroot\managing_users_with_php_sessions_and_mysql\accesscontrol.php on line 8

Login Required
You must log in to access this area of the site. If you are not a registered user, click here to sign up for instant access!

User ID:
Password:

[imati0n]

When i try to enter the DB stuff into the database using myPHPadmin I get this error:

SQL-query :
CREATE TABLE user( ID INT PRIMARY KEY AUTO_INCREMENT, userid VARCHAR( 100 ) UNIQUE NOT NULL , PASSWORD CHAR( 16 ) NOT NULL , fullname VARCHAR( 100 ) NOT NULL , email VARCHAR( 100 ) NOT NULL , notes TEXT )
MySQL said:

You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near 'user( ID INT PRIMARY KEY AUTO_INCREMENT, userid VARCHAR( 100

---------------------------

Any help would be appreciated =)

[Kevin Yank]

Fixed in the article.

A CREATE TABLE query requires {braces} around the list of column definitions, not (parentheses).

Amazing that this typo went undetected for 2 years in the first edition of the article!

[imati0n]

ah... thanks =)

[imati0n]

Another problem:

Error
SQL-query :
CREATE TABLE user{ID INT PRIMARY KEY AUTO_INCREMENT,
userid VARCHAR( 100 ) UNIQUE NOT NULL ,
PASSWORD CHAR( 16 ) NOT NULL ,
fullname VARCHAR( 100 ) NOT NULL ,
email VARCHAR( 100 ) NOT NULL ,
notes TEXT}
MySQL said:

You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near '{ID INT PRIMARY KEY AUTO_INCREMENT, userid VARCHAR( 100 ) UN

Sorry I'm such a newbie Kevin =/

[Kevin Yank]

Sheesh. The (parentheses) were actually right in the first place. The problem was simply that you needed a space between 'user' (the table name) and the opening parenthesis.

[imati0n]

Sorry =(

[Kevin Yank]

That's OK -- as long as you got it working.

[Anonymous]

I have e-mailed this article to myself which was great!!! However in the e-mail I have got in the section "Related Articles" links look like this
"http://www./article.php?aid=228&pid=0". Perhaps you might want to fix this.

(I use Safary and Mail om mac os x)

Also in this " Comments box" - if single quotation was inserted - you willll get a mysql error. Your site is too good to have such small errors.
Thanks

[rfl]

i'm using this article in the joke site. So i've the site ok, and then i protected the pages with the accesscontrol file include. Now, i had this idea: add a check box so that the user can add a cookie with username+passord to remember.
the code: (in the accesscontrol.php include)

PHP Code:

<form method="post" action="<?=$PHP_SELF?>">
<table>
<tr>
<td align="right">Nome:</td>
<td><input type="text" name="uid" size="8"></td>
</tr>
<tr>
<td align="right">Palavra passe:</td>
<td><input type="password" name="pwd" SIZE="8"></td>
</tr>
<tr><td align="right">Guardar os meus dados</td> <td><input type="checkbox" name="cookieuser" unchecked /></td> 
</tr>
<tr>
<td></td>
<td><input type="submit" value="Login"></td>        
</tr>
</table>
</form>

Then, at the top of the same file, i have:

PHP Code:

<!--accesscontrol.php-->
<?php session_start();
$checkbox=$_POST['cookieuser'];
 if (isset($checkbox)) {
    $expiry = 60*60*24*365;
    setcookie('uid', $uid, time()+$expiry, "/"); 
    setcookie('pwd', $pwd, time()+$expiry, "/");
}
    $uid=(isset($_POST['uid']) ? $_POST['uid'] : $_SESSION['uid']);
    $pwd=(isset($_POST['pwd']) ? $_POST['pwd'] : $_SESSION['pwd']);
 
  include("common.php");
 include("db.php");
...

What is happening is that, IF the user CHECKS the checkbox, then when she changes page, the script looses her ID!
(i've another include that welcomes the user with her username (id)).
If the checkbox is not checked, then everything is ok.
What's happening?

[website]

silly as it is, checkbox return 'on' (at least with IE6) when submitted, that might be confusing you?
And wouldn't you need

PHP Code:

    setcookie('uid', $_POST['uid'], time()+$expiry, "/" );
    setcookie('pwd', $_POST['pwd'], time()+$expiry, "/" ); 


?

Hope this helps

[rfl]

Thanks for helping
of course i need it, but i had the lines with the cookie stuff bellow the session lines;
but it still is in the same mood: keeps losing the id!
i noticed that: when checked, the echo returns on, but when unchecked returns nothing.
I still dont know why all this is happening

[rfl]

i got it!
right after the 2 includes, i wrote:

PHP Code:

if ($_COOKIE['uid']) { 
   $uid=($_COOKIE['uid']);
   $pwd=($_COOKIE['pwd']);
} 


[jrporter]

I was interested by the following, at the end of the article:

<LI>Members-only access to non-HTML files. Since PHP is equally capable of sending HTML and binary information, you could create a pass-through script that would only retrieve the requested file if a correct $uid/$pwd combination was found in the current session.

Can you indicate briefly how to do this? it would be really useful to control access to files of various types via PHP without relying on, in my case, Windows accounts and IIS authentication.

[Rick]

Great article - has been really helpful to me in the past

[hillsy]

Hello

i'm getting the error below when i click from the email to login. if i enter my name (phil) and password, it's all fine and takes me to the protected page. However, if i sign up as dave and then go to login from the email, it still says welcome phil! obviously the session is still remembering my first details.

It's probably me.....but any ideas?

Notice: Undefined index: uid in c:\inetpub\wwwroot\managing_users_with_php_sessions_and_mysql\accesscontrol.php on line 7

Notice: Undefined index: pwd in c:\inetpub\wwwroot\managing_users_with_php_sessions_and_mysql\accesscontrol.php on line 8

Login Required
You must log in to access this area of the site. If you are not a registered user, click here to sign up for instant access!

User ID:
Password:

Hmmm - I'm getting exactly the same. Is it some kind of obscure PHP setting where warnings are turned up too high or something? The code seems to work OK - it just throws this "notice"...

Anyone got any ideas?

BTW I'm liking this whole PHP thing - easier to get to terms with than ASP IMO (though still not up with CF )

<edit>
I just turned off the option to report notices in php.ini

Is there a way to do this programmatically?
</edit>

[website]

I am not familiar with this tutorial but you could do

PHP Code:

if (!isset($somevar['uid']))
  $somevar['uid'] = '';//or 0 if it is INT 


the same goes for pwd.

It is simply complaining that you are using variable that may or may not have been set in the script, a good practice is to always set the variables before you use them. Example of bad practice

PHP Code:

//here $string has not been set
foreach($array as $key => $val) {
  $string .= $key . ' = ' . $val;//this would work but the below example is 'better' IMO
} 


and then the 'correct method'

PHP Code:

$string = '';
foreach($array as $key => $val) {
  $string .= $key . ' = ' . $val;
} 


Some may find this unneccisary but I think this should always be done.