PHP Username/Password login help?

Hi everyone, I’m really struggling with this - been working on it for weeks. I’m very close to having everything working correctly. Currently I have a basic HTML page that displays a form:

[code]
<form action="login.php" method="POST">
  <div align="center">
    Username: <input type="text" name="uname"> <br> <br>
    Password: <input type="password" name="pass"> <br> <br>
    <input type="submit" value="login" name="submit">
  </div>
</form>
[/code]

That form calls login.php:

[php]<?php

require ('sql_connect.php');
if (isset($_POST['submit'])){
    $username=mysql_escape_string($_POST['uname']);
    $password=mysql_escape_string($_POST['pass']);
    if (!$_POST['uname'] | !$_POST['pass'])
    {
        echo ("");

        exit();
    }
    $sql= mysql_query("SELECT * FROM members WHERE username = '$username' AND password = '$password'");
    $row= mysql_fetch_assoc($sql);
    $url=$row['defaultpage'];

    if(mysql_num_rows($sql) > 0)
    {
        $_SESSION['username'] = $_POST['uname'];
        echo ("");
        header($url);
        exit();
    }
    else{
        echo ("");
        exit();
    }
}
else{
}
?>[/php]

This works correctly as of now. In my database, I have a column that, depending on who logs in, will forward them to a specific URL (notice $url=$row['defaultpage'];).

My issue is with the page they are accessing. Here is my current code. As the code is RIGHT NOW, they can log in successfully, BUT the page is available externally by entering the URL. Meaning you can bypass logging in. Now, if I uncomment the header("Location:htmllogin.html"); when entering the correct password it just simply refreshes the page (hence the header) BUT if you try and hit the page, it will redirect the user back to the login page.

[code]

Untitled Document
<?php
session_start();
$_SESSION['username']=null;
if (isset($_SESSION['username'])) {
    echo 'congratulations you are logged in';
} else {
    echo 'oh no you are not logged in';
    //header("Location:htmllogin.html");
}
?>

//ALL MY HTML FOR THE PAGE GOES HERE

[/code]

[b]I know this may be a simple fix, or I’ve either got something backwards. It’s almost like I need the code to say, "if the session contains ‘username’ then jump down to my HTML and bypass the header(location…etc) OR In the FIRST echo statement I need to include all my HTML, then after the HTML is the else with the redirect…

Any help is GREATLY appreciated!![/b]

Well, in your login page that is where you want to set the session variable USERNAME.

First, set it to null or “”…

Then, test for valid username and password.
If not valid, go back to the login page and the session variable stays nothing.
If valid, then set the variable to the username.

Then, in the live page, the first thing to do is to check the variable.
If it is empty, do an alert saying “You are not logged in yet, please do so!” and go to the login page.
If it has a valid username in it, then, display your page.

In that manner, if someone tries to bypass the login, they get sent right back to the login page.

Please remember, the first command in both of these pages needs to be session_start(); or you will not be able to use the session variable.

Good luck!

Isn’t it mysql_real_escape_string()?

That session_start needs to be at the very top of the page, you will get errors once you start using it.

I already mentioned the session_start() issue just before your message?

And, he is not testing for the session variable in the second page and is setting it wrong in the login page.
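
The flow discussed in this thread (set the session variable only after a valid login, check it first thing on the protected page), as an added example that is not code from any of the posts. The file name auth.php, the function names attempt_login() and require_login(), the password_hash column and the PDO connection are assumptions; the members table, the username and defaultpage columns and htmllogin.html come from the thread.

```php
<?php
// auth.php (hypothetical file name): added example, not code from the thread.
// Table "members" and columns username/defaultpage come from the posts;
// the password_hash column and the PDO connection are assumptions.
session_start(); // first statement, before any output, on every page using $_SESSION

// Returns the member's defaultpage on success, null on failure.
function attempt_login(PDO $db, string $username, string $password): ?string
{
    // Prepared statement: user input never becomes part of the SQL text.
    $stmt = $db->prepare(
        'SELECT username, password_hash, defaultpage FROM members WHERE username = ?'
    );
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || !password_verify($password, $row['password_hash'])) {
        unset($_SESSION['username']); // failed login leaves the session anonymous
        return null;
    }
    session_regenerate_id(true);      // fresh session id once the user is authenticated
    $_SESSION['username'] = $row['username'];
    return $row['defaultpage'];
}

// Call at the top of every protected page, before any HTML is sent.
function require_login(string $loginPage = 'htmllogin.html'): void
{
    if (empty($_SESSION['username'])) {
        header('Location: ' . $loginPage);
        exit; // without this the protected HTML is still sent after the redirect header
    }
}

// Command-line demo with a constructed in-memory member (needs pdo_sqlite).
if (PHP_SAPI === 'cli') {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE members (username TEXT, password_hash TEXT, defaultpage TEXT)');
    $db->prepare('INSERT INTO members VALUES (?, ?, ?)')
       ->execute(['alice', password_hash('constructed-pass', PASSWORD_DEFAULT), 'members.php']);

    $bad  = attempt_login($db, 'alice', 'wrong');
    $good = attempt_login($db, 'alice', 'constructed-pass');
    var_dump($bad, $good, $_SESSION['username']);
}
```

In login.php, pass $_POST['uname'] and $_POST['pass'] to attempt_login() and send the Location header to the returned page only when the result is not null; each protected page then begins with require 'auth.php'; require_login(); before any HTML.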
