Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

Help with PHP Login script (sessions and validation).

  • 17-03-2014 4:55pm
    #1
    Registered Users, Registered Users 2 Posts: 537 ✭✭✭


    I need some help with a login script.

    I have a page called login.php and the code is:

    <?php
    session_start();
    //post the data
    $email = $_POST;
    $password = $_POST;

    if ($email&&$password){

    $connect = mysql_connect("*******", "****", "***") or die ("Couldn't connect to the DB"); //connect to the DB!
    mysql_select_db("****")or die("Couldn't find the database");

    $query = mysql_query("SELECT * FROM **** WHERE email='$email'");

    $numrows = mysql_num_rows($query);

    if($numrows!==0){
    while($row = mysql_fetch_assoc($query)){
    $dbemail = $row;
    $dbpassword = $row;
    }

    if($email==$dbemail&&sha1($password)==$dbpassword){

    @$_SESSION = 'email';

    header('Location: usercpanel.php');
    }else{
    header('Location:index.php');
    }
    }
    }
    ?>

    basically what i want to happen is if the users details are correct, start a session and on the user control panel page, if the session is active allow the user to view the page.

    What am i doing wrong. (By the way i know that mysql is outdated, but feck it, if someone wants to point me to some resources to help with mysqli please go ahead).

    Thanks in advance


Comments

  • Registered Users, Registered Users 2 Posts: 159 ✭✭magooly


    What happens right now?

    Also your app is wide open to SQL injection


  • Registered Users, Registered Users 2 Posts: 537 ✭✭✭sw33t_r3v3ng3


    magooly wrote: »
    What happens right now?

    Also your app is wide open to SQL injection

    I know, i want to get the whole system working first and then ill go about security as i have no knowledge of security but want to learn!


  • Registered Users, Registered Users 2 Posts: 159 ✭✭magooly


    Can you try setting a login session var and using this check on every page.

    Something like...


    # if already logged in
    if(isset($_SESSION))
    {
    header('Location:index.php');
    }
    else
    {
    header('Location: logout.php');
    }
    exit;
    }

    if($_SERVER == 'POST')
    {# login attempt
    $login_result=do_login();
    if ($login_result == 1)
    {
    session_begin();
    header('Location:index.php');
    exit;
    }
    }


    function do_login()
    {#process login
    $username = trim($_POST);
    $password = trim($_POST);
    $sql ="SELECT id FROM login WHERE username='$username' AND password = '$password' ";
    $conn=dbconnect();
    $pg_result=pg_query($conn, $sql);
    if (pg_num_rows($pg_result) >0)
    {#valid user
    $row = pg_fetch_assoc($pg_result);
    $loginid = $row;
    }
    else
    {#invalid_username
    return -1;
    }
    }

    function session_begin()
    {
    $_SESSION["login"] = true;
    $_SESSION["username"] = trim($_POST);
    }


  • Registered Users, Registered Users 2 Posts: 537 ✭✭✭sw33t_r3v3ng3


    magooly wrote: »
    Can you try setting a login session var and using this check on every page.

    Something like...


    # if already logged in
    if(isset($_SESSION))
    {
    header('Location:index.php');
    }
    else
    {
    header('Location: logout.php');
    }
    exit;
    }

    if($_SERVER == 'POST')
    {# login attempt
    $login_result=do_login();
    if ($login_result == 1)
    {
    session_begin();
    header('Location:index.php');
    exit;
    }
    }


    function do_login()
    {#process login
    $username = trim($_POST);
    $password = trim($_POST);
    $sql ="SELECT id FROM login WHERE username='$username' AND password = '$password' ";
    $conn=dbconnect();
    $pg_result=pg_query($conn, $sql);
    if (pg_num_rows($pg_result) >0)
    {#valid user
    $row = pg_fetch_assoc($pg_result);
    $loginid = $row;
    }
    else
    {#invalid_username
    return -1;
    }
    }

    function session_begin()
    {
    $_SESSION["login"] = true;
    $_SESSION["username"] = trim($_POST);
    }


    Thanks very much for the help, would you be able to explain it (sorry im newish at this!)


  • Registered Users, Registered Users 2 Posts: 159 ✭✭magooly


    Well the idea is to store a variable in the session that will indicate that the user has logged in correctly. This is a cookie that will stay alive until the user closes the browser or a timeout of 30 mins of inactivity. So if the Session array contains the login var and its value is true then you allow access to the site.

    The first block above redirects the user to a logout page if the user is not logged in.

    The second block checks if the user has filled out a form(user and pw) and pressed submit, it then calls a method do_login and waits for the result.

    The 3rd block is the method to query the db and it should return 1 for success but I forgot to add that

    The last block sets the 2 session vars in the browsers session after trimming the value submitted.

    Can I recommend you download Joomla for examples around this kind of login management code, its opensource so you will easily see all the code you will need.


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 537 ✭✭✭sw33t_r3v3ng3


    magooly wrote: »
    Well the idea is to store a variable in the session that will indicate that the user has logged in correctly. This is a cookie that will stay alive until the user closes the browser or a timeout of 30 mins of inactivity. So if the Session array contains the login var and its value is true then you allow access to the site.

    The first block above redirects the user to a logout page if the user is not logged in.

    The second block checks if the user has filled out a form(user and pw) and pressed submit, it then calls a method do_login and waits for the result.

    The 3rd block is the method to query the db and it should return 1 for success but I forgot to add that

    The last block sets the 2 session vars in the browsers session after trimming the value submitted.

    Can I recommend you download Joomla for examples around this kind of login management code, its opensource so you will easily see all the code you will need.

    Most of it makes sence, if i was to paste it into my login.php page what would i need to change ?


  • Registered Users, Registered Users 2 Posts: 6,289 ✭✭✭Talisman


    Have a read through this post: Learn php tutor needed #40 - It's some code I wrote for a tutorial some months ago and covers everything you need.


  • Registered Users, Registered Users 2 Posts: 1,987 ✭✭✭Ziycon


    I would suggest you look at using mysqli instead of mysql if your learning as mysqli supports/improved object-oriented interface, prepared statements, multiple statements, transactions, enhanced debugging capabilities and embedded server support to name but a few.

    Also the mysql extension is deprecated from php 5.5.0 and will be removed in the near future.


  • Technology & Internet Moderators Posts: 28,830 Mod ✭✭✭✭oscarBravo


    I know, i want to get the whole system working first and then ill go about security as i have no knowledge of security but want to learn!

    I can understand why you'd approach things that way, but I strongly recommend against it.

    Put it this way: if you were planning to build a boat, do you think it would be a good idea to make something that floats, and then worry about stopping leaks, rather than build a boat that's watertight to start with?

    You're clearly just starting to learn some of this stuff. If you learn to think about security as one of the core design criteria instead of something you try to bolt on later, you'll be doing yourself a big favour.


  • Registered Users, Registered Users 2 Posts: 537 ✭✭✭sw33t_r3v3ng3


    oscarBravo wrote: »
    I can understand why you'd approach things that way, but I strongly recommend against it.

    Put it this way: if you were planning to build a boat, do you think it would be a good idea to make something that floats, and then worry about stopping leaks, rather than build a boat that's watertight to start with?

    You're clearly just starting to learn some of this stuff. If you learn to think about security as one of the core design criteria instead of something you try to bolt on later, you'll be doing yourself a big favour.

    i see where your coming from, is there anywhere in particular i can check out to learn mysqli ?

    I thing theres a lack of tutorials and documentation out there !!


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 537 ✭✭✭sw33t_r3v3ng3


    One more thing thats getting me is sessions. I want to validate the users input and if it is correct, set a session and redirect them to their profile. what is the problem here:

    if($email==$dbemail&&sha1($password)==$dbpassword){
    session_start();
    $_SESSION;
    header('Location: usercpanel.php');
    }else{
    header('Location:index.php');
    }

    // i have more code, its just not necessary for my question
    // should session_start(); be on the top of the page

    Thanks!


Advertisement