  1. #1
    tgavin (SitePoint Wizard) - Join Date: Feb 2003 - Location: FL - Posts: 1,051

    Login script woes

    Relative newbie here...

    I have a 3-part login partially created with Adobe GoLive using Dynamic Content (this probably won't matter though).

    Step 1 consists of a straight-forward HTML login page (login.html).
    Step 2 consists of a PHP action script (loginAction.php).
    Step 3 consists of a menu page that allows users to edit their information (menu.php).

    For the most part, this works. The problem I am having is that I want the user to log in using username and password, but I want the session to be controlled by userID (PK), so that when somebody logs in they see their OWN information dynamically displayed in forms, tables, etc. It's basically a personal site manager.

    My main concern is not the scripts that follow, but to allow users to view their own information ONLY. This is not a membership site where everybody gets to see the same information...

    I'm not stuck on using this script. I just want to get this thing working so I can get paid! :) If you have something that's smaller and easier but does the same thing, please share the wealth!

    Here is the login.html form:

    Code:
    <form action="loginAction.php" method="post">
    Username: <input type="text" name="username(1)" size="24">
    Password: <input type="password" name="password(1)" size="24">
    <input type="submit" value="Sign in">
    <input type="hidden" name="action" value="registered">
    </form>
    On to the loginAction.php script:

    PHP Code:
    <?php require_once("../config/include/utils.runtime6.php"); ?>
    <?php require_once("../config/include/mysql.runtime6.php"); ?>
    <?php
    // GoLive Content Source
    // NOTE: the raw POST value is interpolated straight into the SQL text here;
    // it should be escaped or bound as a query parameter before being used.
    $userRec = WrapMySQLDatabaseResults("myDB", "SELECT * FROM users WHERE username = '"
        . $_POST["username(1)"] . "'", "block=1", "userRec");
    ?>
    <?php
    // Clear all session values if by chance a session exists
    $_SESSION = array();
    // Force main variables to default values in case of hack attempt.
    $role = '';
    $fullname = 'User search not conducted.';
    // This will be a string that can be placed at the bottom of
    // each page after login
    $footer = 'User not validated. System Administrator should be alerted!';
    // errorMsg will get passed back if login fails. Note urlencode assures
    // it will pass thru clean.
    $errorMsg = urlencode('User search was not validated.');
    // This procedure expects an action variable posted from the form, no
    // gets or other values looked at!
    if (isset($_POST['action'])) {
        // use from request, you could add actions like guest access, logout etc.
        // It comes from a hidden field in the login form
        $action = $_POST['action'];
    } else {
        // force to error page, hack attempt?
        // You may want to set up an alternate error page for major errors.
        // If this is from your page, there should be an action 8-(
        $errorMsg = urlencode("Major login error. Not all variables present.");
        Redirect("login.php?errorMsg=$errorMsg");
        exit;
    }
    // This tests for values from the form. 'registered' action means the
    // user should be in the table.
    // If you were to have a guest login, your form would have the action
    // 'guest' and additional logic.
    // (Fixed: the original used "&&" and an assignment "=" instead of "==";
    // either empty field should send the user back to the form.)
    if (($_POST['username(1)'] == "" || $_POST['password(1)'] == "") && $action == "registered") {
        // no login values try again
        $errorMsg = urlencode("You must enter a login name and password. Please try again.");
        // Note: login.php will display errorMsg, index.html will not.
        Redirect("login.php?errorMsg=$errorMsg");
        exit;
    }
    // Was a user match found in the users table? NoRecords is a CSW function.
    if (NoRecords($userRec)) {
        // no existing user found, set main variables to values in case of hack attempt.
        $footer = 'UNAUTHORIZED USER! Please alert administrator immediately.';
        $fullname = 'Unauthorized User';
        $role = 'Access Denied';
        $errorMsg = urlencode('No user found for name and password entered. Please try again.');
        // Send user back to login to try again. login.php will display the errorMsg to tell user.
        Redirect("login.php?errorMsg=$errorMsg");
        exit;
    } else {
        // User found, check the password (compared against the value stored in the table)
        if ($_POST['password(1)'] != $userRec->Value("password")) {
            // OOPS! wrong password return with error, remember only from post array.
            $footer = 'UNAUTHORIZED USER! Please alert administrator immediately.';
            $fullname = 'Unauthorized User';
            $role = 'Access Denied';
            $errorMsg = urlencode('No user found for name and password entered. Please try again.');
            // Send user back to login and try again. login.php will display the errorMsg to tell user.
            Redirect("login.php?errorMsg=$errorMsg");
            exit;
        }
        // Otherwise process user information
        // Fullname will be put into the session for future recall
        $fullname = $userRec->Value("firstname") . ' ' . $userRec->Value("lastname");
        if ($userRec->Value("role") == "No Access" || $userRec->Value('role') == "") {
            // This user denied access, make up error report
            $current_user = 'No Current User';
            $role = "No Access";
            $footer = $fullname . " access rights have been revoked. Please contact administrator.";
            $errorMsg = urlencode("Access privileges for " . $fullname . " have been revoked! Contact Administrator.");
            // Send user back to login to try again. login.php will display errorMsg to user.
            Redirect("login.php?errorMsg=$errorMsg");
            exit;
        } else {
            // User is allowed access
            // footer is a handy line to place at the end of each page. Will help if problems in other pages.
            // date is a php function returning the current time.
            $footer = $fullname . ' logged in as ' . $userRec->Value("role") . ' at ' . date('h:i a, l');
            $errorMsg = '';
            // update user rec for login
            // I like to record user access in the user record for analysis.
            // The count of logins and last login are recorded here.
            $newCount = $userRec->Value('logincount') + 1;
            // Note, you can easily connect to your db using GL6's library calls yourself.
            $dbLink = GL_mysql_connect('myDB');
            // We'll use php's query function here. NOW() is a mySQL function for setting to current server time.
            // This query does not use the CSW from GL, but notice the similarities.
            $theResult = mysql_query("UPDATE users SET lastlogin=NOW(), logincount=" . $newCount
                . " WHERE userID='" . $userRec->Value('userID') . "'", $dbLink);
            // This one checks for an error in the last statement.
            if (mysql_errno()) {
                // could not update record, abort
                $errorMsg = urlencode("ERROR! Could not update your last login info into user table. Please try again.");
                Redirect("login.php?errorMsg=$errorMsg");
                exit;
            }
            // Now assign values to new session variables in order to avoid requeries
            // We haven't called session_start() yet, we'll do it now for sure. Usually
            // it's the first thing on a page.
            session_start();
            // All the values in version 4.2x+ of PHP use superglobal storage. Forcing to
            // array() erases anything there already.
            $_SESSION = array();
            // These assignments put the values we want to pass between pages into the
            // user's session, add your other items here.
            $_SESSION['footer'] = $footer;
            $_SESSION['fullname'] = $fullname;
            // force role to be from DB
            $_SESSION['role'] = $userRec->Value('role');
            $_SESSION['current_user'] = $userRec->Value('userID');
            // PHP will automatically keep this user's values separate from others using PHPSESSID
            // If you have compiled php with transid enabled, php automatically adds the session
            // info to your urls.
            // If not, you must add them yourself. A call to phpinfo() will display your setting.
            Redirect('menu.php');
            exit;
        }
    }
    ?>
    Now for the menu.php header:

    PHP Code:
    <?php require_once("../config/include/utils.runtime6.php"); ?>
    <?php require_once("../config/include/mysql.runtime6.php"); ?>
    <?php
    session_start();
    // No role in the session means no valid login: wipe the session and go back to login.
    if (!isset($_SESSION['role']) || $_SESSION['role'] == '') {
        $errorMsg = urlencode("When attempting to access this page I was unable to determine "
            . "your access rights. You have been logged out.");
        $_SESSION = array();
        Redirect("login.php?errorMsg=$errorMsg");
        exit;
    }
    // Only these two roles may view this page.
    if ($_SESSION['role'] == "Administrator" || $_SESSION['role'] == "Viewer") {
        // allowed, fall through to the page
    } else {
        $errorMsg = urlencode("You do not have access privileges to view this page. You have been logged out.");
        $_SESSION = array();
        Redirect("login.php?errorMsg=$errorMsg");
        exit;
    }
    ?>
    <meta http-equiv="content-type" content="text/html;charset=ISO-8859-1">
    <?php // GoLive Content Source
    // The record shown is selected by the userID stored in the session at login,
    // not by anything in the request, so a user only ever sees their own row.
    $users = WrapMySQLDatabaseResults("myDB", "select * from users where userID = "
        . pageParameter($_SESSION['current_user'], "-1") . "", "block=1", "users");
    ?>
    If anybody has a clue on how to help me out - or if you have a simpler way - a virtual 12 pack is definitely in order!!!

    TIA!
    Last edited by tgavin; Feb 11, 2003 at 21:46.
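The same three-step flow written the way a reviewer would ask for it today, added here as an example and not code from tgavin's post or from GoLive's library: the lookup and the login-count update use prepared statements, the password is checked with password_verify(), the session id is regenerated once the user is authenticated, and menu.php can only ever load the row whose userID the session holds. It assumes PHP 7.1+, a PDO handle `$pdo`, form fields named `username`, `password` and `action`, and a `users.password` column that stores password_hash() output instead of plaintext.

```php
<?php
// Added example (not tgavin's code or GoLive's library). Assumes PHP 7.1+, a PDO handle
// $pdo, form fields named username/password/action, and a users.password column that
// holds password_hash() output rather than the plaintext the thread's table uses.
// Returns the user's row on success, null on any failure (no hint which check failed).
function loginUser(PDO $pdo, string $username, string $password): ?array
{
    // Prepared statement: the submitted username is bound, never spliced into the SQL.
    $stmt = $pdo->prepare('SELECT userID, firstname, lastname, role, password
                           FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    if (($row['role'] ?? '') === '' || $row['role'] === 'No Access') {
        return null;   // revoked account: same generic failure as a bad password
    }
    return $row;
}

// For menu.php: loads the logged-in user's own record only. The id comes from the
// session, never from $_GET/$_POST, so a user cannot request someone else's row.
function currentUserRecord(PDO $pdo): ?array
{
    if (empty($_SESSION['current_user'])
        || !in_array($_SESSION['role'] ?? '', ['Administrator', 'Viewer'], true)) {
        return null;   // caller should clear the session and redirect to login
    }
    $stmt = $pdo->prepare('SELECT * FROM users WHERE userID = ?');
    $stmt->execute([(int) $_SESSION['current_user']]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// loginAction.php: the same flow as the thread, keyed on userID once authenticated.
session_start();
$ok = isset($_POST['action'], $_POST['username'], $_POST['password'])
    && $_POST['action'] === 'registered';
$user = $ok ? loginUser($pdo, $_POST['username'], $_POST['password']) : null;
if ($user === null) {
    $_SESSION = [];
    header('Location: login.php?errorMsg=' . urlencode('Login failed. Please try again.'));
    exit;
}
session_regenerate_id(true);   // fresh session id after authentication (anti-fixation)
$_SESSION = ['current_user' => (int) $user['userID'], 'role' => $user['role'],
             'fullname'     => $user['firstname'] . ' ' . $user['lastname']];
$pdo->prepare('UPDATE users SET lastlogin = NOW(), logincount = logincount + 1 WHERE userID = ?')
    ->execute([$_SESSION['current_user']]);
header('Location: menu.php');
exit;
```

menu.php then calls currentUserRecord($pdo) after session_start() and treats a null result exactly like the thread's role check: clear the session and redirect to login.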

  2. #2
    tgavin (SitePoint Wizard)
    Got it working!
