Thread: PHP login issue

  1. #1
    SitePoint Member
    Join Date
    Aug 2012
    Posts
    1

    PHP login issue

    I'm new at PHP and I have made a login page which is connected to a MySQL database, where there is data for different employees, and I wanted to know how everyone who logs in on the page can access only his own data, with the data for other employees invisible... Thanks!

  2. #2
    SitePoint Wizard: Cups
    Join Date
    Oct 2006
    Location
    France, deep rural.
    Posts
    6,869
    If someone logs into your page, you should be verifying who they are against known users, probably from a database?

    Is that the case?

    "select id from users where name = 'Isaac Newton'";

    So you know his id is say, 23.

    Is this really your case too?

    If so you can then go on to only select from the database the record which belongs to him.

    "select fruit from foodstuffs where user_id = 23";

    And then display his apple.

  3. #3
    SitePoint Member: blogaddition
    Join Date
    Sep 2012
    Location
    India
    Posts
    23
    use the following code for your login page and myaccount page

    <?php
    $username = $_REQUEST['username'];
    $password = $_REQUEST['password'];

    // Suppose your database user table is named users and has three columns: id, username, password. Then run the query to log in.
    $login = mysql_query("SELECT * FROM users WHERE username='$username' AND password='$password'");
    // mysql_query() returns a result resource even when no row matches, so check the row count rather than only the resource
    if($login && mysql_num_rows($login) == 1){
    $userdata = mysql_fetch_array($login);
    $user_id = $userdata['id']; // where id is the unique auto-incremented id in your users table for each user
    $username = $userdata['username'];
    session_start();
    $_SESSION['user_id'] = $user_id;
    header("Location:myaccount.php");
    exit(); // stop here so nothing below runs after the redirect
    }else{
    echo "username or password is incorrect";
    }

    // Now go to myaccount.php and write the following lines at the top, so that only the logged-in user can access the page
    session_start(); // the session must be started before $_SESSION can be read
    if(!isset($_SESSION['user_id'])){
    header("Location:login.php");
    exit();
    }

    // All the data will be fetched on the basis of $_SESSION['user_id'], and you have to add an additional column named user_id to every table that holds per-user data
    // Now fetch the data of the logged-in user only and leave the others
    $user_id = $_SESSION['user_id'];
    $data = mysql_query("SELECT * FROM datatable WHERE user_id='$user_id'");

    ?>

  4. #4
    SitePoint Member: blogaddition
    Join Date
    Sep 2012
    Location
    India
    Posts
    23
    When the user logs in, his unique id is stored in the session, and then the data is fetched using that id throughout the whole project. Use that id in the WHERE condition of all queries, so the data for other users will not be shown. And you have to add an additional column to all your data tables for each user, and name that column "user_id", to separate the data of each user.

  5. #5
    SitePoint Wizard: Cups
    Join Date
    Oct 2006
    Location
    France, deep rural.
    Posts
    6,869
    @blogaddition: The code you suggested in post #3 is inherently dangerous in that it allows an SQL injection attack.

    Perhaps you'd care to rewrite it so that it does not leave anyone reading this thread open to abuse.

  6. #6
    SitePoint Member: blogaddition
    Join Date
    Sep 2012
    Location
    India
    Posts
    23
    @Cups: The user who asked this question is new to PHP. I am not teaching him how to defend against SQL injection. I am just giving him a basic idea of a PHP login script.

  7. #7
    Hosting Team Leader: cpradio
    Join Date
    Jun 2002
    Location
    Ohio
    Posts
    5,157
    Quote, originally posted by blogaddition:
    @Cups: The user who asked this question is new to PHP. I am not teaching him how to defend against SQL injection. I am just giving him a basic idea of a PHP login script.
    @Cups is correct; we at SitePoint like to provide examples, but ones that are meaningful and won't result in bad practices being continued further. He simply asked that you provide a better, more secure example, which really just needed a few tweaks.

    By changing the following lines:
    PHP Code:
    $username = $_REQUEST['username'];
    $password = $_REQUEST['password'];
    $user_id = $_SESSION['user_id'];
    To their appropriate more secure ones

    PHP Code:
    $username = mysql_real_escape_string($_REQUEST['username']);
    $password = mysql_real_escape_string($_REQUEST['password']);
    $user_id = mysql_real_escape_string($_SESSION['user_id']);
    Would introducing the original poster to PDO be better? Definitely.

    @Marsi, if you would like to see blogaddition's example using PDO, let me know. I could probably work on that later today.

  8. #8
    SitePoint Wizard: Cups
    Join Date
    Oct 2006
    Location
    France, deep rural.
    Posts
    6,869
    @blogaddition, as cpradio says, we tend to jump on dangerous examples, especially when given out as advice, unless you provide a very clear warning such as "It is up to you to properly escape the incoming data to protect yourself from SQL injection attacks; I left that out for brevity."

    But when I think back, I haven't seen that for a while now either.

    Even the basic use of mysql_* functions often prompts replies about "switch to PDO" -- I tend to do that when I can assume that the poster's skill level is ready to take that on, of course.

  9. #9
    shoooo...: logic_earth
    Join Date
    Oct 2005
    Location
    CA
    Posts
    9,013
    You don't have to jump to PDO...but really maybe should start with MySQLi functions instead...? MySQLi functions are very similar to that of the older interface. So it should not be that hard to shift.
    Logic without the fatal effects.
    All code snippets are licensed under WTFPL.


  10. #10
    Hosting Team Leader: cpradio
    Join Date
    Jun 2002
    Location
    Ohio
    Posts
    5,157
    Quote, originally posted by Cups:
    Even the basic use of mysql_* functions often prompts replies about "switch to PDO" -- I tend to do that when I can assume that the poster's skill level is ready to take that on, of course.
    Quote, originally posted by logic_earth:
    You don't have to jump to PDO...but really maybe should start with MySQLi functions instead...?
    I actually did that for the "jump to PDO" crowd, next time I'll remember to add the to signify it as more of an "inside joke"

    In all reality, the point to take away from here is that brief examples can usually include SQL injection prevention. Validating the data could be considered something that would require more time and may be left out for brevity, same with XSS and CSRF protections.
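    Below is a version of the login and myaccount flow from post #3 that includes the SQL injection prevention posts #5, #7, #9 and #10 ask for, written with PDO prepared statements and hashed passwords. It is added here as an example for this thread; it is not code from blogaddition, cpradio or any other poster. It assumes a MySQL database named app with a users table (id, username, password_hash) and a datatable table carrying the user_id column described in post #4; the connection credentials are placeholders, and the function names are chosen for this example.

```php
<?php
// Added example (not from the thread): login + "my account" with PDO.
// Assumed schema (constructed for this example):
//   users(id INT AUTO_INCREMENT PRIMARY KEY, username VARCHAR(64) UNIQUE, password_hash VARCHAR(255))
//   datatable(id INT AUTO_INCREMENT PRIMARY KEY, user_id INT, ...)

function db(): PDO
{
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO(
            'mysql:host=localhost;dbname=app;charset=utf8mb4', // placeholder DSN
            'app_user',      // placeholder
            'app_password',  // placeholder
            [
                PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
                PDO::ATTR_EMULATE_PREPARES   => false, // real server-side prepared statements
                PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
            ]
        );
    }
    return $pdo;
}

// Registration: store a password_hash(), never the plain password.
function create_user(string $username, string $password): int
{
    $stmt = db()->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
    return (int) db()->lastInsertId();
}

// login.php: the username is bound as a parameter, so quotes or SQL keywords in it
// stay data. The password is verified in PHP, never compared inside the SQL.
function login(string $username, string $password): bool
{
    $stmt = db()->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $user = $stmt->fetch();

    if ($user === false || !password_verify($password, $user['password_hash'])) {
        return false; // same answer for unknown user and wrong password
    }

    session_regenerate_id(true);              // fresh session id once the user is authenticated
    $_SESSION['user_id'] = (int) $user['id']; // the only place user_id is ever set
    return true;
}

// Top of myaccount.php (and every other protected page): redirect if not logged in.
function require_login(): int
{
    if (empty($_SESSION['user_id'])) {
        header('Location: login.php');
        exit();
    }
    return (int) $_SESSION['user_id'];
}

// Every per-user query is scoped by the user_id from the session, which the
// browser never supplies, so one employee cannot ask for another's rows.
function fetch_my_rows(int $user_id): array
{
    $stmt = db()->prepare('SELECT * FROM datatable WHERE user_id = ?');
    $stmt->execute([$user_id]);
    return $stmt->fetchAll();
}

// --- login.php request handling ---
session_start();

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['username'], $_POST['password'])) {
    if (login($_POST['username'], $_POST['password'])) {
        header('Location: myaccount.php');
        exit();
    }
    echo 'username or password is incorrect';
}

// --- what myaccount.php would do after session_start() ---
// $rows = fetch_my_rows(require_login());
```

    Two points worth noting against the mysql_real_escape_string fix in post #7: with bound parameters there is nothing to escape, because the value never becomes part of the SQL text, and escaping only protects a value that sits inside quotes in the query, so a numeric user_id interpolated without quotes would still need a cast to int. Taking user_id from $_SESSION rather than from the request is what actually enforces "only his own data", independent of how the SQL is built.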

  11. #11
    SitePoint Wizard: Cups
    Join Date
    Oct 2006
    Location
    France, deep rural.
    Posts
    6,869
    It's all gravy.

    With the greatest respect to @Marsi, the question is so basic we can probably assume that jumping to PDO or even mysqli might be a bit much to start off with, and to me @cpradio's interjection with the mysql_real_escape_string example was spot on.

    Banging on about SQL injection is now so, so common on here (and elsewhere on the 'net) that it really should be obvious to everyone who visits -- it's just that some people don't visit that often and might come across this thread almost by accident, and as a (PHP) community we still have a duty to keep the message front and centre.

    Hopefully some others who are less aware of SQL injection (or XSS, CSRF) attacks will come across this thread too and be prompted to find out more about protecting themselves and their clients.

    If that sounds like you, fire away with questions, do.

