Simple login and redirect with mysql

Hi,

is there any good and simple php login script with mysql?

I just need the php files eg.

config.php -> for configuration
topnavigation.php -> for links and the log in and log out will change by checking session.
login.php -> login page to associate with other mysql database username and password fields.
passwordprotectedpage1.php -> password protected page
passwordprotectedpage2.php -> password protected page 2
logout.php -> logout page

I no need the register page as I want my login.php to associate with 1 of the mysql database table login username and password.

Is there any scripts? As currently I have edited from one php script but got some error as I still new in php, I not so understand session thingy, as now my problem is I can only password protected one files to redirect from. I think the problem for me is lies to session thingy and hope I can find 1 free php scripts that does this easily.

I've not used sessions much (because when I make things I prefer using cookies), but, it's pretty easy to set up..

in your config.php you will check if the cookies exist, and if they do you'll check if the login is correct or not. if not, assign the cookies an empty value, and if so, then make some login variable like $login equal to true. for example:

PHP Code:

---

<?php
  //connect to mysql host/select database
  @mysql_connect('host', 'user', 'pass') or die('could not connect to mysql host');
  @mysql_select_db('database') or die('could not select database');

  //don't forget to change "thissite" to something relative to your website's name!

  $login = false;
  $expire_time = time() - (3600*24*364.25); //-1 year
  //check for cookies
  if(isset($_COOKIE['thissite_username'], $_COOKIE['thissite_password']){
    //cookies were found, let's authenticate
    $auth = mysql_query("SELECT username FROM table_users WHERE username='$_COOKIE[thissite_username]' AND password='$_COOKIE[thissite_password]' LIMIT 1");
    $authenticate = mysql_fetch_array($auth);
    if($authenticate[0]){
      //user authenticated
      $login = true;
      $expire_time = time() + (3600*24*3); //+3 days
    }else{
      //user has incorrect username/password
      //you might want to do something here, but i'm leaving it empty
    }
  }
  //set the cookies with the new time (the expire_time will be -1 year (ie: cookie will be ignored) unless the login was authenticated)
  setcookie("thissite_username", $_COOKIE['thissite_username'], $expire_time);
  setcookie("thissite_password", $_COOKIE['thissite_password'], $expire_time);

  //now, we're pretty much done
?>

---

this can be somewhat insecure (depending on what you're doing, that is) but it will work for most simple situations!

then, to login, you just create a form and grab the information and verify it using basically the same stuff in the config, and if it's correct then you set cookies to log them in. for example:

PHP Code:

---

<?php
  require_once("config.php");
  //make sure they're not already logged in
  if($login) die("you're already logged in");

  //i assume you're making a POST submitted form, so this will use the POST variables with the names username and password
  if(isset($_POST['username'], $_POST['password'])){
    //user has already submitted, so let's authenticate
    $auth = mysql_query("SELECT username FROM table_users WHERE username='$_POST[username]' AND password='$_POST[password]' LIMIT 1");
    $authenticate = mysql_fetch_array($auth);
    if($authenticate[0]){
      //was authenticated, so let's set the cookies and give them a link to the member stuff
      echo "you have been logged in!<br />\n";
      echo "<a href='page1.php'>click here</a> to continue<br />\n";
      exit; //exit so that the form is NOT displayed
    }else{
      //user could not be authenticated, let's give them an error and show the form
      echo "your login information could not be authenticated<br />\n";
      echo "please use the form below and try again<br /><br />\n";
    }
  }
  //user hasn't submitted yet (or had an error when trying to) and isn't logged in, so just show the form to login
?>
<!-- put your form here, in plain HTML -->

---

now, all you need to do is make protected pages.. which is the easiest part. to make sure you can't view them unless you're logged in, you can simply add a statement checking if $login is true. for example:

PHP Code:

---

<?php
  require_once("config.php");
  if(!$login){
    //user is not logged in!
    echo "you must be logged in to view this page<br />\n";
    echo "please <a href='login.php'>click here</a> to login<br />\n";
    exit; //exit so that this is all they see, and you're basically done
  }
?>
<!-- all your sensitive protected information can now go here in plain HTML -->

---

just remember that basically every page you want to require a login on must have something like the above.

this was basically just to get you started, and all of this is untested (although I don't think I've made many syntax errors, if any), so it will need some tinkering and configuration to make it suit your database and website. you can always add in stuff like layout headers/footers as well, I just made a simple example.

ask for help if you need it, or if everything I just posted is a big mess of confusion for you.

Hi, thx for ur reply, but there are some error I encountered.

I try to do a new login php script in dreamweaver below but need help on associating with md5 as my database password is encrypted with md5.

Pls examine my code.

PHP Code:

---

<?php require_once('Connections/connMembers.php'); ?>
<?php
if (!function_exists("GetSQLValueString")) {
function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "") 
{
  $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;

  $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);

  switch ($theType) {
    case "text":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;    
    case "long":
    case "int":
      $theValue = ($theValue != "") ? intval($theValue) : "NULL";
      break;
    case "double":
      $theValue = ($theValue != "") ? "'" . doubleval($theValue) . "'" : "NULL";
      break;
    case "date":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "defined":
      $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
      break;
  }
  return $theValue;
}
}
?>
<?php
// *** Validate request to login to this site.
if (!isset($_SESSION)) {
  session_start();
}

$loginFormAction = $_SERVER['PHP_SELF'];
if (isset($_GET['accesscheck'])) {
  $_SESSION['PrevUrl'] = $_GET['accesscheck'];
}

if (isset($_POST['username'])) {
  $loginUsername=$_POST['username'];
  $password=$_POST['password'];  [B]-> Original[/B]
  $password=md5($_POST['password']); [B]-> Changed but can't work :([/B]
  $MM_fldUserAuthorization = "";
  $MM_redirectLoginSuccess = "LoginSuccess.php";
  $MM_redirectLoginFailed = "LoginFailure.php";
  $MM_redirecttoReferrer = false;
  mysql_select_db($database_connMembers, $connMembers);
  
  $LoginRS__query=sprintf("SELECT username, user_password FROM login_users WHERE username=%s AND user_password=%s",
    GetSQLValueString($loginUsername, "text"), GetSQLValueString($password, "text")); 
   
  $LoginRS = mysql_query($LoginRS__query, $connMembers) or die(mysql_error());
  $loginFoundUser = mysql_num_rows($LoginRS);
  if ($loginFoundUser) {
     $loginStrGroup = "";
    
    //declare two session variables and assign them
    $_SESSION['MM_Username'] = $loginUsername;
    $_SESSION['MM_UserGroup'] = $loginStrGroup;          

    if (isset($_SESSION['PrevUrl']) && false) {
      $MM_redirectLoginSuccess = $_SESSION['PrevUrl'];    
    }
    header("Location: " . $MM_redirectLoginSuccess );
  }
  else {
    header("Location: ". $MM_redirectLoginFailed );
  }
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Untitled Document</title>
</head>

<body>
<form id="login_form" name="login_form" method="POST" action="<?php echo $loginFormAction; ?>">
  <table width="200" border="1">
    <tr>
      <td>Username</td>
      <td><label>
        <input name="username" type="text" id="username" />
      </label></td>
    </tr>
    <tr>
      <td>Password</td>
      <td><label>
        <input name="user_password" type="password" id="user_password" />
      </label></td>
    </tr>
  </table>
  <p>
    <label>
    <input name="login" type="submit" id="login" value="Log In" />
    </label>
  </p>
</form>

</body>
</html>

---

Hope someone can correct the codes for me, if not I need to find or do a simple login php script that associate with 1 of mysql database tables. I no need registration page.

Thanks in advanced :)

you can try putting the md5() call around your GetSQLValueString($password) call, so that it looks like:

PHP Code:

---

  $LoginRS__query=sprintf("SELECT username, user_password FROM login_users WHERE username=%s AND user_password=%s",
    GetSQLValueString($loginUsername, "text"), md5(GetSQLValueString($password, "text"))); 


---

if that doesn't work, start echoing out the value of $password after you md5() the $_POST['password'] like you originally did, and see what it is giving you for output. then, do a GetSQLValueString() call to it, and echo out its output as well. if these are different, then that is your problem. you'll have to remove the call for GetSQLValueString() for the password if so.

Thanks for your reply, but that code can't work also, sorry to ask that how can I do the echo?

echo md5($password);

md5 was cracked wasn't it? Why not use sha1?

actually my codes work as I edit the wrong files :) Thanks for all the help, md5 is crackable? bruteforce u mean? actually a simple protection for me will do. Thanks :)