04-09-2005, 10:28 AM, #1, will7 (thread starter)

PHP / MySQL Login Problem


OK, to cut a long story short. I am trying to make a login system and am having troubles. I can make it so it logs in fine, but, here is the problem:

Say a user logs in and their protected page is called client1.php. Now, when they log in to access their page, if they type other secret pages' filenames into their browser, they can access them with their login info. So, if client1 accessed his page (client1.php), he could also access client2's page by typing the exact filename (let's say client2.php) into the browser. Now, I know there has to be a way of stopping this from happening!

I think it can be done with sessions, but am not sure how. This is the code I have so far:

login.php:
PHP Code:
<?php
//Connect to database

$dbh = mysql_connect("BLANK", "BLANK", "BLANK") or die('I cannot connect to the database because: ' . mysql_error());
mysql_select_db("BLANK");

session_start();
// escape the submitted values before they are placed inside the query string
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);

$query = "SELECT * FROM users where username='$username' and password='$password'";
$result = mysql_query($query);

if (mysql_num_rows($result) != 1)
{
    header("Location: notfound.html");
    exit; // stop the script once the redirect has been sent
}
else
{
    // the session was already started above
    // $lastName is not assigned anywhere in this snippet
    $_SESSION['auth'] = ("$lastName");
    header("Location: $lastName.php");
}
?>
And for will.php (with "will" being what is in the "name" field for). Note: This is what I placed at the top of the page before the HTML, there is the HTML code for the page below it.
PHP Code:
<?php
session_start();
if ($_SESSION['auth'] != 'will')
{
    header("Location: notfound.html");
    exit; // without this the protected HTML below is still sent with the redirect
}
?>
So, where have I gone wrong and how do I achieve what I am trying to do. I brought this thread over from WebDesignForums.net:

http://www.webdesignforums.net/showt...336#post162336

So, I dunno if any of the info in that thread helps you. I brought it over to Namepros coz there are a lot more people that come online so a higher chance of quick replies.

Thanks in advance, hope you understand my question.

Will.
__________________
Will Narburgh | Graphic design | Twitter | Email me
Last edited by will7; 04-09-2005 at 01:34 PM.

04-09-2005, 10:44 AM, #2, adamquaile

A different approach


Just a couple of things that might help you work out your problem. First of all, at one time, I had a login page with PHP and MySQL, but I went about the whole thing a different way...

I had just one login page, for every user and displayed similar but individual pages for each person. Then on every other page that required a person to be logged in on, I just checked that they were with sessions. I don't know exactly how you're structuring your site, but the general idea was something like this:

I had all the info about each person in a row of a MySQL table, or in some cases, in a file. Every time a person accessed this one page (let's call it login.php) their name and password were checked against the table. If these details were correct then a session variable was set, and they were allowed to see their area. Every other page from that point was only available to that user if they had the session variables set. Any specific data needed was then got at the time it was required.

Hope that helps, but let me know if it doesn't...
__________________
Adam Quaile
Dancing Badger Web Design (http://www.dancingbadger.co.uk)

For articles, tutorials, tips, tricks etc... on web design, programming, the web, and other similar funky stuff

04-09-2005, 10:51 AM, #3, will7 (thread starter)

OK. Well, I have my main site, and then a separate page for each web design client. These are the password protected pages. I have set sessions, but it just checks for the session and if it's on, they seem to be able to access any page.

It used to be that if they typed in the exact filename then they could access it without logging in, but, with the help of sessions I stopped that. But, I can't seem to get this problem I have now sorted out.

Any more help anyone?

04-09-2005, 11:12 AM, #4, gulfinet

Hi,

This is a common problem and you're right, sessions are the way to go...

The procedure is:

1. User logs in (login.php)
2. Create PHP session for user with his IP, expiring in say 20 mins
3. Every page the user then visits must check that he has access to it first before displaying itself.

That's the theory, now the practical:

login.php:
PHP Code:
<?php
$username = $_POST['username'];
$password = $_POST['password'];

if (verify_user($username, $password)) { // checks user/pass from mysql
  $url = lookup_client_page($username); // returns client1.php, client2.php,..
  session_start();
  // assigning to $_SESSION is enough; session_register() must not be mixed with it
  $_SESSION['username'] = $username;
  $_SESSION['isloggedin'] = "true";
  header("Location: $url");
  exit();
} else {
  // we couldn't find user/pass combo... Show error msg..
  echo '<h3>Invalid user/pass</h3>';
}
?>
Show login form at the bottom of login.php:

HTML Code:
<form action="login.php" method="post"> 
Username: <input type="text" name="username" /><br /> 
Password: <input type="password" name="password" /><br /> 
<input type="submit" value=" Login " /> 
</form>

Then for each client page at the top:

client.php
PHP Code:
<?php
session_start();
if ($_SESSION['username'] == "" || $_SESSION['isloggedin'] != "true")
{
  header('Location: login.php');
  exit();
}

// display client page (the name is HTML-escaped before output)
echo 'Welcome Client <strong>' . htmlspecialchars($_SESSION['username']) . '</strong>...';

// ..etc ... rest of client content
?>
Lastly the logout page:

logout.php
PHP Code:
<?php
session_start();
session_unset();
session_destroy();

echo '<meta http-equiv="refresh" content="5; URL=login.php" />';
echo 'Bye... You have successfully logged out!<br />';
?>
That's about it...

Let us know how you get along...

Cheers...
Last edited by gulfinet; 04-09-2005 at 11:19 AM.

04-09-2005, 11:49 AM, #5, will7 (thread starter)

Nice one! Thank you so much gulfinet. You don't know how long I have been trying to get that sorted!

Two more questions:

1) When you go to www.rednerve.com and you see the login bit? Well, how can I make it so that when a client logs in, instead of displaying that, it says "You are logged in as $username. Click here to go to your page. (And it shows a logout link too)". But it only shows it if the client is logged in and it needs to display on all the pages of the site.

2) How would I go about encrypting the important data (namely passwords) on the site?

Thanks again for the help and I hope you can do the same with these final problems.
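
An added example (not code from the thread) of one way to implement the `verify_user()` check that the login.php in post #4 leaves undefined, and to store passwords as asked in question 2 above: a salted `password_hash()` value checked with `password_verify()`, looked up through a prepared statement. The PDO connection passed as an extra first argument, the in-memory SQLite database and both accounts are assumptions made so it runs stand-alone; the table and column names follow the thread.

```php
<?php
// Added example, not code from the thread. Table and column names follow the
// thread; the in-memory SQLite database and both accounts are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, lastName TEXT)');

// Store a salted, deliberately slow hash rather than the password or a bare md5().
function create_user(PDO $db, string $username, string $password, string $lastName): void
{
    $stmt = $db->prepare('INSERT INTO users (username, password, lastName) VALUES (?, ?, ?)');
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT), $lastName]);
}

// Returns the user's row (without the hash) on success, null on failure.
function verify_user(PDO $db, string $username, string $password): ?array
{
    // The placeholder keeps the submitted username out of the SQL text.
    $stmt = $db->prepare('SELECT username, password, lastName FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a dummy hash for unknown users so both failure paths
    // do comparable work.
    $hash = $row ? $row['password'] : password_hash('dummy', PASSWORD_DEFAULT);
    if (!password_verify($password, $hash) || !$row) {
        return null;
    }
    // Upgrade the stored hash when PHP's default algorithm or cost changes.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE users SET password = ? WHERE username = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $username]);
    }
    unset($row['password']);
    return $row;
}

create_user($db, 'client1', 'correct horse battery', 'Client1');  // constructed
create_user($db, 'will', 'staple-9-violet', 'Narburgh');          // constructed

var_dump(verify_user($db, 'client1', 'correct horse battery'));  // matching password
var_dump(verify_user($db, 'client1', 'wrong guess'));            // wrong password
var_dump(verify_user($db, 'nobody', 'wrong guess'));             // unknown user
```
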

04-09-2005, 11:50 AM, #6, adam_uk

you should really remove your username and password for your database from your code example (top post) and change them asap!!

04-09-2005, 12:27 PM, #7, will7 (thread starter)

Whoops! Always forget about that. Changed.

Now, anyone have any help on my other problems?
Last edited by will7; 04-09-2005 at 01:38 PM.

04-10-2005, 09:13 AM, #8, will7 (thread starter)

Could anyone check the thread link I posted earlier (to WDF) and check out the updates to this saga and see if they can help me? I changed the code to MD5 protect it and now it doesn't work.

EDIT: Here is the link and the code I am using.

http://www.webdesignforums.net/showt...404#post162404

login.php:
PHP Code:
<?php
//Connect to database
$dbh = mysql_connect("*****", "*****", "****") or die(mysql_error());
mysql_select_db("******");

// escape the submitted username before it is placed inside the query string
$username = mysql_real_escape_string($_POST['username']);
$password = $_POST['password'];

//simple encryption added as an example (The passwords stored in the users table must be encrypted the same way)
$query = "SELECT lastName FROM users where username='$username' and password='" . md5($password) . "'";
$result = mysql_query($query);

if (mysql_num_rows($result) < 1)
{
    header("Location: notfound.html");
    exit; // stop the script once the redirect has been sent
}
else
{
    $row = mysql_fetch_array($result);
    $lastName = $row[0];

    session_start();

    if ($lastName == "Narburgh")
    {
        $_SESSION['auth'] = md5($lastName . "admin");
        header("Location: Narburgh.php");
    }
    else
    {
        $_SESSION['lastName'] = $lastName;
        $_SESSION['auth'] = md5($lastName . "project");
        header("Location: $lastName.php");
    }
}
?>
At the top of Client1.php:
PHP Code:
<?php
session_start();
if ($_SESSION['auth'] != md5("Client1project") || $_SESSION['auth'] != md5("Narburghadmin"))
{
    header("Location: notfound.html");
    exit; // stop the script once the redirect has been sent
}
?>
Top of Narburgh.php:
PHP Code:
<?php
session_start();

if ($_SESSION['auth'] != md5("Narburghadmin"))
{
    header("Location: notfound.html");
    exit; // stop the script once the redirect has been sent
}
?>
Top of Testing.php:
PHP Code:
<?php
session_start();
if ($_SESSION['auth'] != md5("Testingproject") || $_SESSION['auth'] != md5("Narburghadmin"))
{
    header("Location: notfound.html");
    exit; // stop the script once the redirect has been sent
}
?>
To see why I changed the code, check the WDF thread. I have MD5ed the passwords etc for security reasons.

So, if anyone has the time or helpful nature to read through the thread, see what's happened and try and help me solve this, I would really, really appreciate it.
Last edited by will7; 04-10-2005 at 10:20 AM.
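
An added example (not code from the thread or from the forum it links to) of the per-page check the thread is after: each protected page names its owner, and access is decided from the server-side session as "logged in and (owner or admin)". The function names are hypothetical; the page names and the `lastName` session key follow the posts above. It also shows why a test of the form `auth != A || auth != B` sends every visitor to notfound.html.

```php
<?php
// Added example, not code from the thread. Function names are hypothetical;
// the 'lastName' session key and the page names follow the posts above.
// Decide from server-side session data only: logged in AND (owner OR admin).
function may_view(array $session, string $pageOwner, string $admin = 'Narburgh'): bool
{
    if (empty($session['lastName'])) {
        return false; // not logged in at all
    }
    return $session['lastName'] === $pageOwner || $session['lastName'] === $admin;
}

// Call once, after session_start(), when the password check succeeds.
function start_login(string $lastName): void
{
    session_regenerate_id(true); // fresh session id after login
    $_SESSION['lastName'] = $lastName;
}

// Call at the very top of a page, e.g. require_access('Client1') in Client1.php.
function require_access(string $pageOwner): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!may_view($_SESSION, $pageOwner)) {
        header('Location: notfound.html');
        exit; // stop before any protected HTML is sent
    }
}

// A test of the form "auth != A || auth != B" is true for every value when
// A and B differ, so it denies everyone. Deny must be "!= A && != B".
function or_style_denies(string $auth, string $a, string $b): bool
{
    return $auth != $a || $auth != $b;
}

// Constructed sessions; run from the command line to print the decisions.
$cases = [
    'Client1 on Client1.php'  => [['lastName' => 'Client1'], 'Client1'],
    'Client1 on Testing.php'  => [['lastName' => 'Client1'], 'Testing'],
    'Narburgh on Client1.php' => [['lastName' => 'Narburgh'], 'Client1'],
    'anonymous visitor'       => [[], 'Client1'],
];
foreach ($cases as $label => [$session, $owner]) {
    printf("%-24s %s\n", $label, may_view($session, $owner) ? 'allow' : 'deny');
}
var_dump(or_style_denies('Client1project', 'Client1project', 'Narburghadmin'));
```

Because the session data lives on the server, the owner name can be stored and compared as it is; wrapping it in `md5()` adds nothing to the check.
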

04-10-2005, 12:07 PM, #9, will7 (thread starter)

No-one can help? Surely someone on all of Namepros knows what's up? Namepros has never let me down yet!

04-11-2005, 02:26 PM, #10, axilant

If you're trying to get authentication, I'm a master with authentication; I have written around 100 different authentication systems in PHP alone. Use the contact information in my profile if you would like some help.

04-11-2005, 02:40 PM, #11, will7 (thread starter)

Had some other PHP gods over at a different forum help me out. Sorted now!