PHP 5 Creating Login Page/Script

[dminder]

I am trying to use this tutorial here: PHP Tutorial and I have a few questions.
1. What do you name the page that is using the script? index.html? index.php?

2. Where do you put the .php script files? Is it better to have them in their own folder? What kind of security should I put on them? If I put security on them then how do I get to them?

I am modifying the template for my own web page and I am not totally sure if I set it up right:

Code:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>Welcome to My Website</title>
<meta http-equiv="Content-type" content="text/html; charset=utf-8" />
<link rel="stylesheet" type="text/css" href="style.css" />
</head>

<body>
<ul id="nav">
<!-- //How do I setup these links to load only the php page without reloading the entire thing? -->
 <li><a href="#" title="Home">Home</a></li>
 <li><a href="#" title="News &amp; Events">News &amp; Events</a></li>
 <li><a href="#" title="Services">Services</a> </li>
 <li><a href="#" title="Contact">Contact</a></li>
 <li><a href="#" title="Events">Events</a> </li>
 <li><a href="#" title="Forums">Forums</a></li>
 <li><a href="#" title="Login">Register</a></li>
</ul>
<!-- //This is the banner -->
<img src="images/banner.jpg" width="800" height="212" alt="temp" />

<!--  //This is the Date Time and Login -->
<form name="form1" method="post" action="checklogin.php">
<div id="Login" style="width: Auto">
	<input type="text" name="username" id="username"/>
	<input type="text" name="password" id="password"/>
	<input type="submit" name="Submit" value="Login">
	<!-- //When a user presses "Submit" then it should go to login.php -->
</div>
</form>
</html>

Any and all help is greatly appreciated!

D

[kows]

the name of the script submitting the form does not matter. your index.php script can submit it, index.html could submit it, or any other page could submit it. it also does not matter where these files are located; they do not need protection. you can put them in the root "www" directory of your domain. putting them in a folder will have no negative or positive effects.

as far as the questions in your code ("How do I setup these links to load only the php page without reloading the entire thing?"), the only way you can accomplish loading a page without actually refreshing the page is by using JavaScript, or more specifically, AJAX. I don't believe it would benefit you to load an entire page like that through this method, though. you could also use frames, or an iframe, but I don't recommend either. why exactly do you want to do this?

as for a second comment in your script, you mention that when your user presses submit, you want them to go to "login.php," yet your script points toward "checklogin.php" in the <form>'s action. make sure you're posting to the right script.

edits:

oh, also, I noticed the tutorial you're reading is using some deprecated functions. you can use the $_SESSION variable to register variables now (instead of session_register()) as long as you have a session started (using session_start()), and you can also check whether that session variable exists using the global array. a quick example instead of what you're using:

PHP Code:

<?php
  //at the top of every page using sessions
  session_start();


  //login script
  $_SESSION['username'] = $username;
  $_SESSION['password'] = $password;


  //in any page that you require a login for
  if(!isset($_SESSON['username'])){
    //redirect user if they are not logged in
    header("Location: login.php");
  }


  //and for a logout script
  unset($_SESSION['username'], $_SESSION['password']);
?>

[dminder]

So I would put that whole section into the start of every page? I think I should explain what I "envision" (used loosely LOL ) the site to be.

I will have a header php page that is included in each "sub" page which has navigation & banner sections on it. Below that, and I admit I am not quite sure how to do this, I want to put the Login/Logout and current date/time. Then I want to have content for the rest of that page. Eventually I may do a footer page, but taking baby steps here /snicker.

How would I go about the whole login/logout thing? Should I make another included file that contains the login/logout stuff? How does the session_state persist? Ugh I know I have alot to learn...hopefully you can bear with me.

Edit: Also, how do I hide the characters in my passwordbox, obviously I dont want to show the characters being typed!!


Thanks for the assist btw!!

D

[kows]

uh, no, you wouldn't put that all at the beginning of every page. I separated things using comments as to what they were used for. session_start() is the only thing you call on every page.

sessions persist through cookies, though I believe only the session ID is stored in the cookie and is then used to obtain that user's session information. session_start() just initializes this process.

as a quick example for what you might want to do, you can use this as a template for your pages (and modify it accordingly, if needed). please note, though, that navigation/banners/etc are generally included in the "header" page as well, unless they are drastically changing every page. this is why I only include one "header" file:

PHP Code:

<?php
  //start/resume our session
  session_start();

  //include our header
  include("header.php");

  //now, this is important
  //we only show the login form if our user is not already logged in.
  if(!isset($_SESSION['username'])){
?>
<form action="login.php" method="post">
  Username: <input type="text" name="username" /><br />
  Password: <input type="password" name="password" /><br />
  <input type="submit" value="Login" />
</form>
<?php
  }else{
    //user is logged in
?>
  hello, <strong><?php echo $_SESSION['username']; ?></strong>!<br />
  <a href="logout.php">Logout</a>
  <!-- you can give them a custom menu or something here -->
<?php
  }
  //show the date
  echo date("j/n/Y g:i a"); //format is: d/m/yyyy h:m
?>

<!-- this is where the actual content of your page goes -->

<?php
  //include our footer
  include("footer.php");
?>

you could probably use your original login script, but make sure you change the variable names in either this script or the login script so that you're checking the right POST/SESSION stuff.

this example shows the very basics of a website that would have most/all of their content available to non-members, but had the ability to login and maybe have access to additional information/pages. this basically means that it does not include anything that would redirect the user if they were not logged on. it would be very simple to add to if desired, though. look over the examples from the post above and this post, and let me know if you have any questions.

[dminder]

Thank you btw, I have been trial and erroring all night long, and with your post I was able to fix the final little bug I had there. Now I seem to be having an issue with my checklogin.php page, here is the code:

Code:

<?php
ob_start();

// Connect to server and select databse.
mysql_connect("$localhost", "$username", "$password")or die("cannot connect"); 
mysql_select_db("$db_name")or die("cannot select DB");

// Define $myusername and $mypassword 
$myusername=$_POST['myusername']; 
$mypassword=$_POST['mypassword']; 

// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);

$sql = "SELECT * FROM tbl WHERE username = '" . $myusername . "' and userpw = '" . $mypassword . "'";
$result = mysql_query($sql);

if (!$result)
   // Show error message
   echo "Error in SQL: " . $sql;
   //"Wrong Username ( " . $myusername . ") or Password (" . $password . ")";
else
   {
   // Register $myusername, $mypassword and redirect to file "indexlogin.php"
   session_register("myusername");
   session_register("mypassword"); 
   header("location:indexlogin.php");
   }

ob_end_flush();

?>

The problem is that when it redirects back to my indexlogin (original page) it is still showing the username and password boxes instead of the hello message. What am I doing wrong?

Thanks again!

D

[kows]

First, I would advise you to stop using session_register(), as it is deprecated. to log a user in, you can replace the lines using "session_register" with:

PHP Code:

session_start();
$_SESSION['username'] = $myusername;
$_SESSION['password'] = $mypassword; 


then, as long as you've resumed the session on the original page (using session_start()) and are referencing "$_SESSION['username']" and "$_SESSION['password']" instead of the original session names that you used, everything looks fine for the most part.

[dminder]

Another question, how do you not hardcode the password to your database within the php file? What stops somebody from downloading that file and then hacking your database? I was reading a tutorial from VisualAd on the codebank about classing out the database stuff, but I am still trying to digest it and understand it and figure out how best to implement it. Until then, I am hesitant to just put these files out there for the world to see.

Thanks for all your help kows, you have rating from me!!

D

[kows]

well, no one will be able to just "download" your file randomly unless you're careless about something. to be safe, you should put it in a directory not accessible on the web. most web hosts give you a "root" directory which then has a "www" or "public_html" folder, which is where your website will be located. you can create a file that connects to your database in the root directory, and simply change the path in your files that need to include it.

in /<root-directory>/mysql.inc.php:

PHP Code:

<?php
  mysql_connect("localhost", "username", "password");
  mysql_select_database("database");
?>

in /<root-directory>/www/index.php:

PHP Code:

<?php
  require_once("../mysql.inc.php");
?>

[wilfred]

hi, kows

after i reviewed this thread, i have a question for you

PHP Code:

<?php
include('configdb.php');
$error = '';
session_start();
if (isset($_GET['logoff'])) {
    $_SESSION = array();
    
    if (isset($_COOKIE[session_name()])) {
        setcookie(session_name(), '', time()-1000, '/');
    }
    
    session_destroy();
}

elseif (isset($_SESSION['valid']) && $_SESSION['valid']) {
    header('Location: view.php');
    exit();
}

elseif (isset($_POST['O_Email']) || isset($_POST['O_Pswd'])) {

    $O_Email=$_POST['O_Email'];
    $O_Pswd=$_POST['O_Pswd'];

    $O_Email = isset($_POST['O_Email']) ? $_POST['O_Email'] : '';
    $O_Pswd = isset($_POST['O_Pswd']) ? $_POST['O_Pswd'] : '';
    
    $sql="SELECT * FROM OWNER WHERE O_Email='$O_Email' and O_Pswd='$O_Pswd'";
    $result=mysql_query($sql);
    $count=mysql_num_rows($result);
    
    if ($count==1) {
        $_SESSION['valid'] = 1;
        $_SESSION['O_Email'] = $_POST['O_Email'];
        
        header('Location: view.php');
        exit();
    } else {
        $error = 'Username & Password do not match, please try again';
    }
}

?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />
<title>Login</title>
<style>
form { border: 1px solid black; padding: 10px; }
#error { color: #FF0000; font-weight: bold; }
</style>
</head>

<body>
<?php
if ($error) { echo "<p id=\"error\">{$error}</p>\n"; }
?>
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
<p>Welcome to our website, you need to log in:</p>
<p>Email: <input type="text" name="O_Email" value="<?php echo @$O_Email; ?>"><br />
Password: <input type="password" name="O_Pswd" value="<?php echo @$O_Pswd; ?>"></p>
<p><input type="submit" value="Login" /></p>
</form>
</body>
</html>

This is my code for login, the Owner table in my database consists of O_Email, O_Pswd, O_Name and O_ID.

In my code i let the user to login by using their email address, I want to know can i register a session with the O_Name? Because i want to show their name on the top of the next page.

Anybody can help me? Thanks!