Thread: login in php?

  1. #1

    Thread Starter
    Addicted Member
    Join Date
    Mar 2007
    Posts
    208

    login in php?

    I have a login PHP page. That is login.php:
    Code:
    <html>
    <body>
    <table width="300" border="0" align="center" cellpadding="0" cellspacing="1" bgcolor="#CCCCCC">
    <tr>
    <form name="form1" method="post" action="checklogin.php">
    <td>
    <table width="100%" border="0" cellpadding="3" cellspacing="1" bgcolor="#FFFFFF">
    <tr>
    <td colspan="3"><strong>Member Login </strong></td>
    </tr>
    <tr>
    <td width="78">Username</td>
    <td width="6">:</td>
    <td width="294"><input name="username" type="text" id="username"></td>
    </tr>
    <tr>
    <td>Password</td>
    <td>:</td>
    <td><input name="password" type="password" id="password"></td>
    </tr>
    <tr>
    <td>&nbsp;</td>
    <td>&nbsp;</td>
    <td><input type="submit" name="Submit" value="Login"></td>
    </tr>
    </table>
    </td>
    </form>
    </tr>
    </table></body>
    </html>
    The checklogin.php is here:
    Code:
    <?php
    $host="localhost"; // Host name
    $username="root"; // Mysql username
    $password=""; // Mysql password
    $db_name="test"; // Database name
    $tbl_name="users"; // Table name
    
    // Connect to server and select database.
    mysql_connect("$host", "$username", "$password")or die("cannot connect");
    mysql_select_db("$db_name")or die("cannot select DB");
    
    // username and password sent from form
    $username=$_POST['username'];
    $password=md5($_POST['password']);
    
    // To protect MySQL injection (more detail about MySQL injection)
    $username = stripslashes($username);
    $password = stripslashes($password);
    $username = mysql_real_escape_string($username);
    $password = mysql_real_escape_string($password);
    
    $sql="SELECT * FROM $tbl_name WHERE username='$username' and password='$password'";
    $result=mysql_query($sql);
    
    // Mysql_num_row is counting table row
    $count=mysql_num_rows($result);
    // If result matched $username and $password, table row must be 1 row
    
    if($count==1){
    // Register $username, $password and redirect to file "login_success.php"
    session_register("username");
    session_register("password");
    header("location:login_success.php");
    }
    else {
    echo "Wrong Username or Password";
    }
    ?>
    Now, using this code, I can log in if my username and password are correct; if not, I cannot. The problem is as follows:
    Only member users will access the login_successful.php.
    The first page, when I type it in the bar, is like this:
    http://localhost/web/login.php
    Then, if the username and password are correct, it redirects to the login_successful.php.
    But this is not secure, because when I type
    http://localhost/web/login_successful.php
    in the internet address bar, I access it without logging in. So what to do to prevent this kind of access? Thanks, dears!

  2. #2
    Hyperactive Member
    Join Date
    Jan 2009
    Posts
    448

    Re: login in php?

    I would look into sessions. Basically you can create a session variable when the user logs in that is stored from the time that they are accessing the site. Then on the login_successful page you can block access to that page unless they have the session variable. For example you can modify your code like this:

    Code:
    <?php
    $host="localhost"; // Host name
    $username="root"; // Mysql username
    $password=""; // Mysql password
    $db_name="test"; // Database name
    $tbl_name="users"; // Table name
    
    // Connect to server and select database.
    mysql_connect("$host", "$username", "$password")or die("cannot connect");
    mysql_select_db("$db_name")or die("cannot select DB");
    
    // username and password sent from form
    $username=$_POST['username'];
    $password=md5($_POST['password']);
    
    // To protect MySQL injection (more detail about MySQL injection)
    $username = stripslashes($username);
    $password = stripslashes($password);
    $username = mysql_real_escape_string($username);
    $password = mysql_real_escape_string($password);
    
    $sql="SELECT * FROM $tbl_name WHERE username='$username' and password='$password'";
    $result=mysql_query($sql);
    
    // Mysql_num_row is counting table row
    $count=mysql_num_rows($result);
    // If result matched $username and $password, table row must be 1 row
    
    if($count==1){
    // Register $username, $password and redirect to file "login_success.php"
    session_start();
    $_SESSION['logged_in'] = true; //i always use this as a session register
    $_SESSION['username'] = $username;
    $_SESSION['password'] = $password;
    header("location:login_success.php");
    }
    else {
    echo "Wrong Username or Password";
    }
    ?>
    Then on your login_successful page you could do this:

    Code:
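    <?php
    session_start();

    // Compare with ===; a single = would assign true and let every visitor through
    if(isset($_SESSION['logged_in']) && $_SESSION['logged_in'] === true)
    {
    //show the page
    }
    else
    {
    //don't show the page
    }
    ?>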
    The $_SESSION['logged_in'] is just a variable I like to create to make things simple to check to see if they are logged in or not.

    Edit: I meant to tell you that on any page where you are using sessions, you need to make sure that you use session_start() at the top of the page.
    If I helped you please rate me.
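
A hardened version of the login check and page guard discussed in this thread, as an added example that is not code from either poster. It swaps the mysql_* calls and md5() for PDO prepared statements and password_hash()/password_verify(); the function names, the `password_hash` column and the SQLite demo data are assumptions made for illustration.

```php
<?php
// Added example, not from the thread. Assumed: table `users` with columns
// `username` and `password_hash`, hashes created with password_hash().
declare(strict_types=1);

// Check credentials with a prepared statement and a salted, slow hash.
function check_credentials(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();   // false when no row matched
    return is_string($hash) && password_verify($password, $hash);
}

// Call once after check_credentials() succeeds.
function start_authenticated_session(string $username): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true);         // new ID at login blocks session fixation
    $_SESSION['logged_in'] = true;
    $_SESSION['username']  = $username;  // the password is never stored
}

// Call at the top of every members-only page, before any output.
function require_login(string $loginUrl = 'login.php'): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (($_SESSION['logged_in'] ?? false) !== true) {  // comparison, not assignment
        header('Location: ' . $loginUrl);
        exit;  // without exit the rest of the page would still be sent
    }
}

// Constructed demo for the CLI: in-memory SQLite stands in for MySQL.
if (PHP_SAPI === 'cli') {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)');
    $db->prepare('INSERT INTO users VALUES (?, ?)')
       ->execute(['alice', password_hash('constructed-sample-pw', PASSWORD_DEFAULT)]);
    var_dump(check_credentials($db, 'alice', 'constructed-sample-pw'));
    var_dump(check_credentials($db, 'alice', 'wrong-guess'));
    var_dump(check_credentials($db, 'nobody', 'constructed-sample-pw'));
}
```

On the members-only page, include this file and call require_login() as the first statement, before any HTML is output.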
