Thread: Simple login and redirect with mysql

I've not used sessions much (because when I make things I prefer using cookies), but, it's pretty easy to set up..

in your config.php you will check if the cookies exist, and if they do you'll check if the login is correct or not. if not, assign the cookies an empty value, and if so, then make some login variable like $login equal to true. for example:

PHP Code:

<?php
  //connect to mysql host/select database
  @mysql_connect('host', 'user', 'pass') or die('could not connect to mysql host');
  @mysql_select_db('database') or die('could not select database');

  //don't forget to change "thissite" to something relative to your website's name!

  $login = false;
  $expire_time = time() - (3600*24*364.25); //-1 year
  //check for cookies
  if(isset($_COOKIE['thissite_username'], $_COOKIE['thissite_password']){
    //cookies were found, let's authenticate
    $auth = mysql_query("SELECT username FROM table_users WHERE username='$_COOKIE[thissite_username]' AND password='$_COOKIE[thissite_password]' LIMIT 1");
    $authenticate = mysql_fetch_array($auth);
    if($authenticate[0]){
      //user authenticated
      $login = true;
      $expire_time = time() + (3600*24*3); //+3 days
    }else{
      //user has incorrect username/password
      //you might want to do something here, but i'm leaving it empty
    }
  }
  //set the cookies with the new time (the expire_time will be -1 year (ie: cookie will be ignored) unless the login was authenticated)
  setcookie("thissite_username", $_COOKIE['thissite_username'], $expire_time);
  setcookie("thissite_password", $_COOKIE['thissite_password'], $expire_time);

  //now, we're pretty much done
?>

this can be somewhat insecure (depending on what you're doing, that is) but it will work for most simple situations!

then, to login, you just create a form and grab the information and verify it using basically the same stuff in the config, and if it's correct then you set cookies to log them in. for example:

PHP Code:

<?php
  require_once("config.php");
  //make sure they're not already logged in
  if($login) die("you're already logged in");

  //i assume you're making a POST submitted form, so this will use the POST variables with the names username and password
  if(isset($_POST['username'], $_POST['password'])){
    //user has already submitted, so let's authenticate
    $auth = mysql_query("SELECT username FROM table_users WHERE username='$_POST[username]' AND password='$_POST[password]' LIMIT 1");
    $authenticate = mysql_fetch_array($auth);
    if($authenticate[0]){
      //was authenticated, so let's set the cookies and give them a link to the member stuff
      echo "you have been logged in!<br />\n";
      echo "<a href='page1.php'>click here</a> to continue<br />\n";
      exit; //exit so that the form is NOT displayed
    }else{
      //user could not be authenticated, let's give them an error and show the form
      echo "your login information could not be authenticated<br />\n";
      echo "please use the form below and try again<br /><br />\n";
    }
  }
  //user hasn't submitted yet (or had an error when trying to) and isn't logged in, so just show the form to login
?>
<!-- put your form here, in plain HTML -->

now, all you need to do is make protected pages.. which is the easiest part. to make sure you can't view them unless you're logged in, you can simply add a statement checking if $login is true. for example:

PHP Code:

<?php
  require_once("config.php");
  if(!$login){
    //user is not logged in!
    echo "you must be logged in to view this page<br />\n";
    echo "please <a href='login.php'>click here</a> to login<br />\n";
    exit; //exit so that this is all they see, and you're basically done
  }
?>
<!-- all your sensitive protected information can now go here in plain HTML -->

just remember that basically every page you want to require a login on must have something like the above.

this was basically just to get you started, and all of this is untested (although I don't think I've made many syntax errors, if any), so it will need some tinkering and configuration to make it suit your database and website. you can always add in stuff like layout headers/footers as well, I just made a simple example.

ask for help if you need it, or if everything I just posted is a big mess of confusion for you.

you can try putting the md5() call around your GetSQLValueString($password) call, so that it looks like:

PHP Code:

  $LoginRS__query=sprintf("SELECT username, user_password FROM login_users WHERE username=%s AND user_password=%s",
    GetSQLValueString($loginUsername, "text"), md5(GetSQLValueString($password, "text"))); 


if that doesn't work, start echoing out the value of $password after you md5() the $_POST['password'] like you originally did, and see what it is giving you for output. then, do a GetSQLValueString() call to it, and echo out its output as well. if these are different, then that is your problem. you'll have to remove the call for GetSQLValueString() for the password if so.

echo md5($password);