
Fully Functional Member System: Login/Logout, Admin Panel, Sessions, Self-Installation

OVERVIEW

This is a fully-functional, self-installing members management system, now version 1.1.2. Translated, that means:

This is the major build #1, minor build #1, and 1 larger bug fix (so I just add 2 lol) (1.1.2)

FEATURES
Mostly Self-Installing, Login, Logout, Register, Simple Admin Panel, Mostly Commented Code, and Instructions.

Use it - customize it! Build onto it. Learn from it! But first, download and unzip it!

FUNCTIONAL SAMPLE

Click This Link To Try It!
**** SAMPLE DOWN **** My server is new and I have been too lazy to move it over yet.

To see what it's like, go ahead: Register and login. Play with it a bit. The sample provides an admin panel view (with disabled functions though to prevent abuse).

The other version is the same, but is shown and works exactly as the download would when installed properly. Admin panel is visible only to admins, etc, etc.

** CAUTION: I do not have the time to censor any data in this sample, so the admin panel displaying the usernames may contain vulgar data. If it does, please PM me and I will remove that user.

This uses PHP sessions. It's VERY easy to customize, since it's so simple to start off with and learn from.

USAGE RECOMMENDATIONS

*** SECURITY WARNING ***

THIS IS NOT A SECURE SCRIPT! It is a simple task to crack into it and present unwanted results such as data loss, corruption, or defacement of the site. Access to the database is also a concern here. I am not to be blamed or held responsible for any security faults or data losses/unauthorized accesses. DOWNLOAD, INSTALL, AND USE AT YOUR OWN RISK.

Recommended Security Additions
  • SQL Injection Detection - Prevent an injection via forms (PHP function: mysql_real_escape_string() is a common way of preventing injection)
  • Create all variables from $_POST after a form submission so you won't use unwanted ones via the URL bar
  • Create a more complex user login system (email validation is encouraged)
  • Store more than the username in a session variable to track logins
  • Check each login on every page load with the database and validate the data
  • Create a logging system that will inform you of any bugs or security flaws
  • Make the admin user detection in admincheck.php better, similar to user login detection

You can add on almost ANYTHING to this, but I HIGHLY recommend you improve it yourself! Learn from it and make a cool web app!

For those of you who think this is junk, I agree. It is - if you just leave it as I have written it. The general idea behind my doing this is so people can learn from a practical project and build upon it themselves.

Bugs/Comments/Suggestions accepted via PM or reply. (No nasty ones, please.)

SCRIPT UPDATES & BUG FIXES

August 2005 - Ver. 1.0.1
A bug in the registration script (my bad!) that didn't insert the new user into the database. To fix this problem, re-download the zip file and replace register.php with the new one.
Don't want to redownload? Just change line 95 of register.php to:
PHP:
$q = "INSERT INTO users VALUES(NULL, '$name', '$uname', '$pwd', '$date', '0', '$profile', 'normal', '$age')";
And you're done!

----------------------------

August 2005 - Ver. 1.1
I've decided to add a basic security feature to the script, since many new PHP'ers won't figure it out for quite a while I'm guessing.

The config.php file has a security vulnerability (sp?) that could easily reveal your database name, username, and password. This is now fixed and I highly advise you re-download the zip file and edit these files:
  • config.php - Put this code into your current config.php file:
    PHP:
    <?php
    $dbname = ""; //Database name.
    $dbuser = ""; //Database user name
    $dbpwd = ""; //Database user password.
    ?>
    Then, fill in the values for these 3 variables. After this, delete the old content (should be 1 line) so that your config.php file consists ONLY of this new content.
  • dbconn.php - Just replace the old one with the one in the zip file and it should work okay if you edited config.php right.

----------------------------

August 2005, ver. 1.1.2
There was an error in admin_edit.php. It said you were not an admin when you really were, so either re-download and replace "admin_edit.php" with this new one, or just do the following:

Put this code on the second line of "admin_edit.php":
PHP:
include("dbconn.php");

Done!




Enjoy!

-Matt

INSTALLATION

  1. Download the below .zip file to a temporary location.
  2. Extract to a more permanent location, (E.g. C:\wwwroot\MemberSystem) and you may then delete the .zip file.
  3. Refer to the README file for more easy installation instructions.
 
•••
The views expressed on this page by users and staff are their own, not those of NamePros.
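The first three items under "Recommended Security Additions" (keep form data out of the SQL text, take values only from the submitted form, re-check the login against the database on every page load) can be sketched as follows. This is an added example, not code from the download: it uses PDO prepared statements against an in-memory SQLite database rather than mysql_real_escape_string(), because the mysql_* extension was removed in PHP 7. The column names and the function names `register_user` and `current_user` are assumptions.

```php
<?php
// Added example, not part of the download. Assumes PHP 5.5+ with pdo_sqlite.
// Column names are assumptions inferred from the INSERT shown in the post above.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, username TEXT UNIQUE,
    password TEXT, joined TEXT, num_logins INTEGER, profile TEXT, permissions TEXT, age INTEGER)");

// Take values only from the submitted form array (pass $_POST in real use).
function register_user(PDO $pdo, array $form)
{
    foreach (array('name', 'uname', 'pwd', 'profile', 'age') as $field) {
        if (!isset($form[$field]) || !is_string($form[$field]) || $form[$field] === '') {
            return false;
        }
    }
    if (!ctype_digit($form['age'])) {
        return false;
    }
    // Placeholders keep form data out of the SQL text, so a quote cannot end the string.
    $stmt = $pdo->prepare(
        "INSERT INTO users (name, username, password, joined, num_logins, profile, permissions, age)
         VALUES (:name, :uname, :pwd, :joined, 0, :profile, 'normal', :age)");
    return $stmt->execute(array(
        ':name'    => $form['name'],
        ':uname'   => $form['uname'],
        ':pwd'     => password_hash($form['pwd'], PASSWORD_DEFAULT), // hashing is an addition here
        ':joined'  => date('Y-m-d'),
        ':profile' => $form['profile'],
        ':age'     => (int) $form['age'],
    ));
}

// Re-check the session's user against the database on every page load.
function current_user(PDO $pdo, array $session)
{
    if (empty($session['username']) || !is_string($session['username'])) {
        return null;
    }
    $stmt = $pdo->prepare("SELECT id, username, permissions FROM users WHERE username = :u");
    $stmt->execute(array(':u' => $session['username']));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? $row : null;
}

// Constructed sample input: a name containing a quote and SQL-looking text.
$form = array('name' => "O'Brien'); --", 'uname' => 'obrien', 'pwd' => 'correct horse',
              'profile' => 'hello', 'age' => '30');
var_dump(register_user($pdo, $form));
var_dump(current_user($pdo, array('username' => 'obrien')));
var_dump(current_user($pdo, array('username' => 'ghost')));
$stored = $pdo->query("SELECT name FROM users")->fetchColumn();
var_dump($stored === $form['name']);
```

The last line confirms that the quoted name is stored exactly as typed, and the permissions column is fixed to 'normal' in the statement itself, so no form field can change it.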
That means that a PHP script has write, edit, and read permissions for that file.

Sorry that you have to make your own DB :| Most servers don't allow PHP to do that ;) But it makes the table (the long and boring part) for you.

EDIT: Sorry noswad, missed a few last posts.

Make sure you edit your config.php file to match the user data for that database that you setup in CPanel. If it still doesn't work, I'd be happy to HELP you configure it further via IM. (AIM or YIM)


MAKE SURE YOU UPDATE YOUR SCRIPT!
(Update #2, listed near the bottom on the main topic post)
 
•••
Another bug has been fixed, just check out how to remedy it on the first page, bottom of my topic.
 
•••
Nice work ;) I fiddled & added some of my own stuff in there... Mind if I post like a 'news' section for people? It will ADD News, admins can edit/delete as well! ;)

-RageD
 
•••
Ah, go ahead. You can post it if you want, but save your coding for Crestin ;)
 
•••
ok ;)

Make this in a separate file... something like installsql.php

Code:
<?php

/*
Install, because it is easier for me! :-D
*/

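//Remove this file from the server once installation has finished:
//it rewrites config.php for anyone who can reach it.
//Read the flag from the query string instead of relying on register_globals.
$go = isset($_GET['go']) ? $_GET['go'] : null;

if (!isset($go))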
{

?>
<html>
<head>
<title>Members Database Installation</title>
</head>
<body>
<center><h1>Begin Installation</h1></center>
<BR>
Welcome to the installation process.
<BR><BR>
<b>Before beginning installation, please make sure that:</b>
<ul>
<li>You have a database set up, and a user for it with permissions to at least SELECT, INSERT, DELETE, and UPDATE.</li>
<li>You have all files uploaded and config.php CHMOD'ed at 777.</li>
<li>The database you made is empty.</li>
</ul>
<BR>
<form method="post" action="?go=true">
<big><b><font color="gray">DATABASE DETAILS</font></b></big>
<BR><BR>
Please type the FULL database name (including pre- and suffixes that your web host<BR>
may add. This is usually a prefix of "YourUsername_"): <input type="text" name="dbname">
<BR><BR>
Database username (include pre- and suffixes, which are generally the same as the ones<BR>
added for the database): <input type="text" name="dbuser">
<BR><BR>
User password: <input type="password" name="dbpwd1">
<BR>
Type again: <input type="password" name="dbpwd2">
<BR><BR>
Path of config.php: <input type="text" name="path"><small><BR>
Example: If the file is at www.domain.com/members/config.php, type "members".<BR>
<font color="maroon">Do NOT add trailing or leading slashes.</font></small>
<BR><BR>
<BR><BR>
When ready to install, just press the button below.
<BR><BR>
<center><input type="submit" value="         Install         "></center>
</form>
</body>
</html>
<?php
}

if (isset($go))
{	
	
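	$errstatus = 0;
	
	//Take the form values from $_POST instead of relying on register_globals.
	$dbname = isset($_POST['dbname']) ? $_POST['dbname'] : '';
	$dbuser = isset($_POST['dbuser']) ? $_POST['dbuser'] : '';
	$dbpwd1 = isset($_POST['dbpwd1']) ? $_POST['dbpwd1'] : '';
	$dbpwd2 = isset($_POST['dbpwd2']) ? $_POST['dbpwd2'] : '';
	$path = isset($_POST['path']) ? $_POST['path'] : '';
	
	if (!$dbname || !$dbuser || !$dbpwd1 || !$dbpwd2 || !$path)
	{
		echo '<font color="red">You must fill out all the required fields. <a href="javascript:history.back(1)">Back</a></font>';
		exit;
		$errstatus = 1;
	}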
	
	if ($dbpwd1 != $dbpwd2)
	{
		echo '<font color="red">The passwords do not match. <a href="javascript:history.back(1)">Back</a>';
		exit;
		$errstatus = 1;
	}
	
	@ $fp = fopen("config.php", 'w');
	
	if (!$fp)
	{
		echo '<font color="red">There was an error opening the config.php file. Make sure its CHMOD is 777 and is in the same directory as install.php. <a href="javascript:history.back(1)">Back</a>';
		exit;
		$errstatus = 1;
	}
	
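	//var_export() writes each value as a quoted PHP string literal, so quotes or
	//backslashes typed into the form cannot break out of the string in config.php.
	$write = "<?php
\$dbname = ".var_export($dbname, true).";
\$dbuser = ".var_export($dbuser, true).";
\$dbpwd = ".var_export($dbpwd2, true).";
?>";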
	//$write = $dbname.'\n'.$dbuser.'\n'.$dbpwd2;
	
	@ $go = fwrite($fp, $write);
	
	if (!$go)
	{
		echo '<font color="red">There was an error writing the config.php file. Make sure its CHMOD is 777. <a href="javascript:history.back(1)">Back</a>';
		exit;
		$errstatus = 1;
	}
	
	fclose($fp);
	
	@ $conn = mysql_connect('localhost', $dbuser, $dbpwd1);
	@ $db = mysql_select_db($dbname);
	
	if (!$db || !$conn)
	{
		echo '<font color="red">Could not connect to database. Either the DB doesn\'t exist, or the username/pwd combo supplied was invalid. <a href="javascript:history.back(1)">Back</a>';
		exit;
		$errstatus = 1;
	}
// Create News Table
	$sql = "CREATE TABLE `news` (
`id` BIGINT( 10 ) UNSIGNED NOT NULL AUTO_INCREMENT ,
`title` VARCHAR( 30 ) NOT NULL ,
`post` VARCHAR( 30 ) NOT NULL ,
`poster` VARCHAR( 32 ) NOT NULL ,
`date` DATE NOT NULL ,
PRIMARY KEY ( `id` )
) TYPE = MYISAM COMMENT = 'Stores all the news.';";

	@ $result = mysql_query($sql);
	
	if (!$result)
	{
		echo '<font color="red">Error adding table and columns to the database. Error returned is: '.mysql_error().' <a href="javascript:history.back(1)">Back</a>';
		exit;
		$errstatus = 1;
	}
	

?>
<html>
<head>
<title>News Database Installation</title>
</head>
<body>
<center><h1>Installation Results</h1></center>
<BR>
<?php if ($errstatus == 1) { ?><font color="red"><b>There was an error during installation.</b></font><?php } else { ?>
<font color="green"><b>Installation successful!</b></font>

<BR><BR>

SQL for News Installed!
<BR><BR>
<a href="index.html">Login</a> to manage add news, etc!
<?php } ?>
</body>
</html>
<?php
}
?>

Replace admin_home.php with this:
Code:
<?php

//Start the session

session_start();

include("dbconn.php");
//Make sure the user is logged in.
include("checklogin.php");
//Now make sure they're an admin.
include("checkadmin.php");

//Get number of users.

$q = "SELECT * FROM users";
$s = "SELECT * FROM news";
$r = mysql_query($q);
$t = mysql_query($s);

?>
<HTML>
<TITLE>Administrator Page</TITLE>
<BODY>
This is the Administration page!  Only Administrators here! :) <a href="admin_postnews.php">Post News</a>
<BR><BR>
<b>Number of news items: <?php echo(mysql_num_rows($t)) ?></b>
<BR><BR>
<b><big>List</big></b>
<BR><BR>
<b>ID | Title | Date | Poster | Options</b>
<BR>
<hr>
<?php

while ($row = mysql_fetch_array($t))
{
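	//Stripslashes takes away extra escape characters \ from the string;
	//htmlspecialchars keeps stored text from being rendered as HTML in the panel.
	$id = (int) $row['id'];
	$title = htmlspecialchars(stripslashes($row['title']));
	$post = htmlspecialchars(stripslashes($row['post']));
	$date = htmlspecialchars(stripslashes($row['date']));
	$poster = htmlspecialchars(stripslashes($row['poster']));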
?>
<?php echo($id) ?> | <?php echo($title) ?> | <?php echo($date) ?> | <?php echo($poster) ?> | <a href="admin_editnews.php?id=<?php echo($id) ?>">Edit Post</a> -- <a href="admin_delete.php?id=<?php echo($id) ?>">Delete</a><BR>
<hr>
<?php
}
?><br><br>
<b>Number of users: <?php echo(mysql_num_rows($r)) ?></b>
<BR><BR>
<b><big>List</big></b>
<BR><BR>
<b>Name | Username | Number of Logins | Permissions | Options</b>
<BR>
<hr>
<?php

//Now, this is a practical example of looping
//while the results are retrieved.
//Check it out!

while ($row = mysql_fetch_array($r))
{
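	//Stripslashes takes away extra escape characters \ from the string;
	//htmlspecialchars keeps user-supplied text from being rendered as HTML in the panel.
	$name = htmlspecialchars(stripslashes($row['name']));
	$uname = htmlspecialchars(stripslashes($row['username']));
	$numlogins = htmlspecialchars(stripslashes($row['num_logins']));
	$per = htmlspecialchars(stripslashes($row['permissions']));
	$id = (int) $row['id'];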
?>
<?php echo($name) ?> | <?php echo($uname) ?> | <?php echo($numlogins) ?> | <?php echo($per) ?> | <a href="admin_edit.php?id=<?php echo($id) ?>">Edit User</a> -- <a href="admin_delete.php?id=<?php echo($id) ?>">Delete</a><BR>
<hr>
<?php
}
?>


<BR>
<a href="main.php">Main</a>
</body>
</html>

add two more pages:

news.php:
Code:
<?php
/* News Addon by RageD 
© TeamXero 2005
*/
include_once("dbconn.php");
?>
<a href=admin_postnews.php>Add News Item</a><br><br>
<?php
$s = "SELECT * FROM news";
$t = mysql_query($s);
echo "There are ";
echo(mysql_num_rows($t));
echo " news items!";

while ($row = mysql_fetch_array($t))
{
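	//Stripslashes takes away extra escape characters \ from the string;
	//htmlspecialchars keeps stored text from being rendered as HTML on the page.
	$id = (int) $row['id'];
	$title = htmlspecialchars(stripslashes($row['title']));
	$post = htmlspecialchars(stripslashes($row['post']));
	$date = htmlspecialchars(stripslashes($row['date']));
	$poster = htmlspecialchars(stripslashes($row['poster']));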
?>

<HTML>
<TITLE>News</TITLE>
<BODY><br><br>
<b><?php echo($title) ?></b> Posted By - <?php echo($poster) ?> on <?php echo($date) ?><br><br> <?php echo($post) ?><br><br>
</BODY>
</HTML>
<?php
}
?>

-and-

admin_postnews.php:
Code:
<?php
session_start();
include("checklogin.php");
include("checkadmin.php");

/* CMS Made by RageD for TeamXero DevTeam Website
© Copyright 2005 TeamXero
*/

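//Read the flag from the query string instead of relying on register_globals.
$go = isset($_GET['go']) ? $_GET['go'] : null;

if (!isset($go))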
{
?>

<html>
<head>
<title>Member Registration</title>
</head>
<body>
<center><h1>Register</h1></center>
<BR>

All fields required unless marked.
<BR><BR>
<form method="post" action="?go=true">
Title: <input type="text" name="title">
<BR><BR>
Message: <input type="text" name="post">
<BR><BR>
<input type="submit" value="Submit">
</form>
<BR><BR>
<a href="index.html">Back to Home</a>
</body>
</html>
<?php
}

if (isset($go))
{
	
	//connect to database.
	
	include("dbconn.php");
	

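	//Current date, in the YYYY-MM-DD form a MySQL DATE column expects.
	$date = date("Y-m-d");

	//Poster is Username
	$poster = mysql_real_escape_string($_SESSION['username']);

	//Take the form values from $_POST and escape them before they go into the query.
	$title = mysql_real_escape_string(isset($_POST['title']) ? $_POST['title'] : '');
	$post = mysql_real_escape_string(isset($_POST['post']) ? $_POST['post'] : '');
	
	//Insert! The values follow the column order of the news table:
	//id, title, post, poster, date.
	$q = "INSERT INTO news VALUES(NULL, '$title', '$post', '$poster', '$date')";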
	@ $result = mysql_query($q);
	
	if (!$result)
	{
		do_error('Could not insert into database. Error returned is '.mysql_error());
	}
	
	
?>
<html>
<head>
<title>Post Successful!</title>
</head>
<body>
<center><h1>Successful</h1></center>
<BR>

You have successfully posted!

<BR><BR>
<a href="news.php">Go to News</a><br>
<a href="admin_home.php">Back to Admin Page</a>
</body>
</html>
<?php
}
?>

-and-

admin_editnews.php:
Code:
<?php

/* CMS Made by RageD for TeamXero DevTeam Website
© Copyright 2005 TeamXero
*/

//Start the session

session_start();

include("dbconn.php");
//Make sure the user is logged in.
include("checklogin.php");
//Now make sure they're an admin.
include("checkadmin.php");

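//Read the request values explicitly instead of relying on register_globals.
//Casting the ID to an integer keeps anything else out of the queries below.
$id = isset($_GET['id']) ? (int) $_GET['id'] : 0;
$go = isset($_GET['go']) ? $_GET['go'] : null;

if (!$id)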
{
	echo("ERROR > No POST ID found.");
	exit;
}

if (!isset($go))
{
	
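	//The post being edited lives in the news table.
	$q = "SELECT * FROM news WHERE id='$id' LIMIT 1";
	$r = mysql_query($q);
	
	while ($row = mysql_fetch_array($r))
	{
		//Escape the stored values, since they are echoed into HTML attributes below.
		$id = (int) $row['id'];
		$title = htmlspecialchars(stripslashes($row['title']));
		$poster = htmlspecialchars(stripslashes($row['poster']));
		$post = htmlspecialchars(stripslashes($row['post']));
		$date = htmlspecialchars($row['date']);
	}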


?>
<html>
<head>
<title>Admin Panel</title>
</head>
<body>
<center><h1>Editing <?php echo "$title"; ?></h1></center>
<BR>
<form method="post" action="?go=true&id=<?php echo($id) ?>">

ID: <input type="text" name="name" value="<?php echo($id) ?>">
<BR><BR>
Title: <input type="text" name="title" value="<?php echo($title) ?>">
<BR><BR>
Date: <input type="text" name="date" value="<?php echo($date) ?>" size="75">
<BR><BR>
Post: <input type="text" name="post" value="<?php echo($post) ?>">
<BR><BR>
Poster: <input type="text" name="poster" value="<?php echo($poster) ?>">
<BR><BR>
<input type="submit" value="Append Changes">
</form>
<BR><BR>

<a href="admin_home.php">Cancel</a>
</body>
</html>
<?php
}

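if (isset($go))
{
	//The ID comes from the query string; keep it numeric.
	$id = (int) $id;

	//Take the form values from $_POST and escape them before they go into the query.
	$title = mysql_real_escape_string(isset($_POST['title']) ? $_POST['title'] : '');
	$date = mysql_real_escape_string(isset($_POST['date']) ? $_POST['date'] : '');
	$post = mysql_real_escape_string(isset($_POST['post']) ? $_POST['post'] : '');
	$poster = mysql_real_escape_string(isset($_POST['poster']) ? $_POST['poster'] : '');

	if (!$title || !$post || !$id)
	{
		echo("You have to fill out a title and a post, or the ID is missing.");
		exit;
	}
	
	//Begin updates.
	
	mysql_query("UPDATE news SET title='$title',date='$date',post='$post',poster='$poster' WHERE id='$id' LIMIT 1");

	//The confirmation page belongs inside this block so it only shows after an update.
?>

<html>
<head>
<title>Admin Panel</title>
</head>
<body>
<center><h1>Post Edited</h1></center>
<BR>
News has been successfully edited.

<a href="admin_home.php">Back</a>
</body>
</html>
<?php
}
?>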

-RageD
 
•••
Thanks for that addition, RageD!
 
•••
Zubair1 said:
Q-) Do you know how I can know when a user closes their browser
as I am having a lot of trouble with it and also researched it a lot too, though I still didn't get any good results. What I am wanting to do is put the session data in the database; I check for and retrieve all the session information from the database.
Like when a person clicks the logout link, they log out and their sessions are ended (destroyed), but what if the user never logs out? Their sessions are lost somewhere in the database, so I want to know when that happens (i.e. when the user closes their browser), so I can tell the database to delete all the session information about that person. (Got any solutions for this, bro?)

thanks in advance :d
I'm not sure how most people go about this but I would do it like this:

When a person enters a page, logged in or not, I would record their IP address, user info and the time in a table in my database. The IP address would be so they don't double log. Then when the next person visits they spark the script up, which searches the database for who was online over the past 15 minutes and displays these as online on your page. The rest get deleted.
 
•••
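The approach in the reply above (record IP address, user and time on each page load, treat the last 15 minutes as online, delete the rest) could look like this. It is an added example, not code from the thread; it assumes PHP with pdo_sqlite, and the table name `online` and the function names are hypothetical.

```php
<?php
// Added example, not from the thread. Assumes pdo_sqlite; names are hypothetical.
const ONLINE_WINDOW = 900; // 15 minutes, in seconds

function open_presence_db()
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // One row per IP address, so a visitor is never counted twice.
    $pdo->exec("CREATE TABLE online (ip TEXT PRIMARY KEY, username TEXT, last_seen INTEGER)");
    return $pdo;
}

// Call on every page load: record the visitor, then drop everyone idle past the window.
function touch_visitor(PDO $pdo, $ip, $username, $now)
{
    $stmt = $pdo->prepare("REPLACE INTO online (ip, username, last_seen) VALUES (?, ?, ?)");
    $stmt->execute(array($ip, $username, $now));
    $stmt = $pdo->prepare("DELETE FROM online WHERE last_seen < ?");
    $stmt->execute(array($now - ONLINE_WINDOW));
}

// Usernames seen within the window, for the "who is online" display.
function online_users(PDO $pdo, $now)
{
    $stmt = $pdo->prepare("SELECT username FROM online WHERE last_seen >= ? ORDER BY username");
    $stmt->execute(array($now - ONLINE_WINDOW));
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed timeline using documentation-range IP addresses.
$pdo = open_presence_db();
$t0 = 1000000;
touch_visitor($pdo, '192.0.2.10', 'alice', $t0);
touch_visitor($pdo, '192.0.2.20', 'bob', $t0 + 600);
touch_visitor($pdo, '192.0.2.30', 'guest', $t0 + 1000); // alice has been idle past the window
print_r(online_users($pdo, $t0 + 1000));
```

The same DELETE is where stored session rows for idle users can be removed, which is the cleanup the question asks about. Keying on IP address alone merges visitors who share one address, such as users behind the same NAT.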
Would anybody want a live demo of this script again?