Well, first let me state that you are using obsolete mysql_ statements; I would use either mysqli_ or PDO (my recommendation).
Second, there's a more elegant way of checking a user's credentials. Here's basically what I do, though not exactly.
First, when the user logs in I do this:
[php]<?php
function login($data) {
    $db_options = array(
        /* important! use actual prepared statements (default: emulate prepared statements) */
        PDO::ATTR_EMULATE_PREPARES => false
        /* throw exceptions on errors (default: stay silent) */
        , PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION
        /* fetch associative arrays (default: mixed arrays) */
        , PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC
    );
    $pdo = new PDO('mysql:host=' . DATABASE_HOST . ';dbname=' . DATABASE_NAME . ';charset=utf8', DATABASE_USERNAME, DATABASE_PASSWORD, $db_options);
    /*
     * Check out password_hash() : http://php.net/manual/en/function.password-hash.php
     * and
     * password_verify() : http://php.net/manual/en/function.password-verify.php functions for a better and easier way
     * of doing passwords
     */
    /* Set up the query for reading in login data from the database table */
    $query = 'SELECT id, username, password, security_level, first_name, last_name, email, home_phone, cell_phone, gender, birthday FROM users WHERE username=:username';
    try {
        $stmt = $pdo->prepare($query); // Prepare the query:
        $stmt->execute([':username' => $data['username']]); // Execute the query with the supplied user's parameter(s):
    } catch (Exception $ex) {
        die("Failed to run query: " . $ex->getMessage()); // Do Not Use in Production Website - Log error or email error to admin:
    }
    $stmt->setFetchMode(PDO::FETCH_OBJ);
    $user = $stmt->fetch();
    if ($user) {
        $loginStatus = password_verify($data['password'], $user->password); // Check the user's entry against the stored password hash:
        unset($data['password'], $user->password); // Password(s) not needed, so unset the password(s)!:
    } else {
        return FALSE;
    }
    if ($loginStatus) {
        $_SESSION['user'] = $user; // Set the session variable of user (session_start() must already have been called):
        return TRUE;
    } else {
        return FALSE;
    }
}
// $data holds the submitted username and password, e.g. from the login form:
$data = ['username' => $_POST['username'] ?? '', 'password' => $_POST['password'] ?? ''];
$result = login($data);
if ($result) {
    echo "You have successfully logged in!";
}
[/php]
Notice I have a column in the database table called security_level, so I can have something like public, member, admin as the values of that column.
Then in my configuration file, which I put at the top of every php page, I have the following code in it:
utilities.inc.php (this is what I call mine), I have seen config.php and others.
[php]session_start();
/* Use $user for the session variable */
$user = isset($_SESSION['user']) ? $_SESSION['user'] : NULL;[/php]
I'm lazy when it comes to writing variables, well not exactly lazy, but rather I like to make it easier for myself. Instead of writing $_SESSION['user']->security_level all the time, I can simply write $user->security_level. Also notice you don't have to check if the variable is set (isset) or not, for it assigns NULL to the variable if the user isn't logged in.
Then I can simply do this to see if a user has or doesn't have access to a page, like so:
[php]/* The first part checks to see if the user is logged in, and then it checks the security_level of the user */
if ($user && ($user->security_level === 'member' || $user->security_level === 'admin')) {
    echo "Welcome " . $user->username . "!\n";
} else {
    header("Location: index.php"); // redirect user back to home page:
    exit(); // Not necessarily needed, but it's good coding practice to have it:
}[/php]
Obviously not a full working script(s), but hopefully it will help. John
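The pattern described in the post above, pulled together into one self-contained script, as an added example that is not part of the original post or John's code. It assumes an in-memory SQLite database in place of MySQL so it runs offline, and the users table, the two sample accounts and their passwords are constructed for the demo; the function names connect(), login() and hasAccess() are illustrative choices, not anything from the post.

```php
<?php
// Added example (not from the original post): PDO prepared statements,
// password_hash()/password_verify(), and a security_level authorization check.
declare(strict_types=1);

function connect(): PDO {
    $db_options = [
        PDO::ATTR_EMULATE_PREPARES   => false,                 // real server-side prepares
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // fail loudly, never silently
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ];
    // Assumption: SQLite in memory for the demo. With MySQL the DSN would be
    // 'mysql:host=...;dbname=...;charset=utf8mb4' plus username and password.
    $pdo = new PDO('sqlite::memory:', null, null, $db_options);
    $pdo->exec('CREATE TABLE users (
        id INTEGER PRIMARY KEY,
        username TEXT UNIQUE NOT NULL,
        password TEXT NOT NULL,
        security_level TEXT NOT NULL
    )');
    // Constructed sample accounts. Only the hash is stored, never the plaintext.
    $insert = $pdo->prepare(
        'INSERT INTO users (username, password, security_level) VALUES (:u, :p, :s)'
    );
    $samples = [
        ['alice', 'correct horse', 'admin'],
        ['bob',   'battery staple', 'member'],
    ];
    foreach ($samples as [$u, $p, $s]) {
        $insert->execute([':u' => $u, ':p' => password_hash($p, PASSWORD_DEFAULT), ':s' => $s]);
    }
    return $pdo;
}

// Returns the user row (without the password hash) on success, null otherwise.
function login(PDO $pdo, array $data): ?object {
    // Dummy hash so an unknown username costs about the same as a wrong password,
    // which keeps response time from revealing which usernames exist.
    static $dummyHash = null;
    $dummyHash ??= password_hash('not-a-real-password', PASSWORD_DEFAULT);

    $stmt = $pdo->prepare(
        'SELECT id, username, password, security_level FROM users WHERE username = :username'
    );
    $stmt->execute([':username' => $data['username']]); // bound parameter, never interpolated
    $user = $stmt->fetch(PDO::FETCH_OBJ);

    $storedHash = $user ? $user->password : $dummyHash;
    if (!password_verify($data['password'], $storedHash) || !$user) {
        return null;
    }
    unset($user->password); // the hash is not needed once verified; keep it out of the session
    return $user;
}

// Mirrors the post's page-level check: logged in AND security_level in the allowed set.
function hasAccess(?object $user, array $allowedLevels): bool {
    return $user !== null && in_array($user->security_level, $allowedLevels, true);
}

$pdo = connect();

$bob = login($pdo, ['username' => 'bob', 'password' => 'battery staple']);
var_dump($bob !== null);                        // correct credentials
var_dump(hasAccess($bob, ['member', 'admin']));  // member page
var_dump(hasAccess($bob, ['admin']));            // admin-only page

var_dump(login($pdo, ['username' => 'bob', 'password' => 'wrong']) === null);
var_dump(login($pdo, ['username' => 'nobody', 'password' => 'x']) === null);
var_dump(hasAccess(null, ['member', 'admin'])); // not logged in
```

On a real web page the object returned by login() is what goes into $_SESSION['user'], and it is worth calling session_regenerate_id(true) right before storing it so a session id issued before authentication is not carried over. The strict third argument to in_array() matters: with loose comparison, values like 0 or an empty string can compare equal to level names in older PHP versions.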