-
login in php?
i have a login php. that is login.php
Code:
<html>
<body>
<table width="300" border="0" align="center" cellpadding="0" cellspacing="1" bgcolor="#CCCCCC">
<tr>
<form name="form1" method="post" action="checklogin.php">
<td>
<table width="100%" border="0" cellpadding="3" cellspacing="1" bgcolor="#FFFFFF">
<tr>
<td colspan="3"><strong>Member Login </strong></td>
</tr>
<tr>
<td width="78">Username</td>
<td width="6">:</td>
<td width="294"><input name="username" type="text" id="username"></td>
</tr>
<tr>
<td>Password</td>
<td>:</td>
<td><input name="password" type="password" id="password"></td>
</tr>
<tr>
<td> </td>
<td> </td>
<td><input type="submit" name="Submit" value="Login"></td>
</tr>
</table>
</td>
</form>
</tr>
</table></body>
</html>
the checklogin.php is here
Code:
<?php
$host="localhost"; // Host name
$username="root"; // Mysql username
$password=""; // Mysql password
$db_name="test"; // Database name
$tbl_name="users"; // Table name
// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");
// username and password sent from form
$username=$_POST['username'];
$password=md5($_POST['password']);
// To protect MySQL injection (more detail about MySQL injection)
$username = stripslashes($username);
$password = stripslashes($password);
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);
$sql="SELECT * FROM $tbl_name WHERE username='$username' and password='$password'";
$result=mysql_query($sql);
// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $username and $password, table row must be 1 row
if($count==1){
// Register $username, $password and redirect to file "login_success.php"
session_register("username");
session_register("password");
header("location:login_success.php");
}
else {
echo "Wrong Username or Password";
}
?>
now using these codes, i can login if my username and passwords are corret, if not i cannot, the problem is as follow
only member users will access the login_successful.php
the first page when i type it in the bar is like this
http://localhost/web/login.php
then if username and passwords are correct, it redirects to the login_successful.php.
but this is not secure, beause, when i type
http://localhost/web/login_successful.php
in the internet address bar, i access it without logging, so what to do to prevent such kind of access? thanks dears!
-
Re: login in php?
I would look into sessions. Basically you can create a session variable when the user logs in that is stored from the time that they are accessing the site. Then on the login_successful page you can block access to that page unless they have the session variable. For example you can modify your code like this:
Code:
<?php
$host="localhost"; // Host name
$username="root"; // Mysql username
$password=""; // Mysql password
$db_name="test"; // Database name
$tbl_name="users"; // Table name
// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");
// username and password sent from form
$username=$_POST['username'];
$password=md5($_POST['password']);
// To protect MySQL injection (more detail about MySQL injection)
$username = stripslashes($username);
$password = stripslashes($password);
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);
$sql="SELECT * FROM $tbl_name WHERE username='$username' and password='$password'";
$result=mysql_query($sql);
// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $username and $password, table row must be 1 row
if($count==1){
// Register $username, $password and redirect to file "login_success.php"
session_start();
$_SESSION['logged_in'] = true; //i always use this as a session register
$_SESSION['username'] = $username;
$_SESSION['password'] = $password;
header("location:login_success.php");
}
else {
echo "Wrong Username or Password";
}
?>
Then on your login_successful page you could do this:
Code:
<?php
session_start();
if($_SESSION['logged_in'] = true)
{
//show the page
}
else
{
//dont show the page
}
the $_SESSION['logged_in'] is just a variable I like to create to make things simple to check to see if they are logged or not.
edit: I meant to tell you on any page that you are using sessions you need to make sure that you use the session_start() at the top of the page.
