
Thread: [RESOLVED] Check login data before proceeding

  1. #1

    Thread Starter
    PowerPoster Nightwalker83's Avatar
    Join Date
    Dec 2001
    Location
    Adelaide, Australia
    Posts
    13,344

    Resolved [RESOLVED] Check login data before proceeding

    Hi,

    How would I check whether a customer is logged in to a website before proceeding, and if not, redirect them back to the current page?

    So far I have tried using sessions to check if the customer has logged in, but it hasn't worked.

    PHP Code:
    if ($_SESSION['username'] = $username && $_SESSION['upassword'] = $password){
        echo "authenticated=true";
        header("Location: displayProducts.php");
    }else {
        //user doesn't exist
        echo "authenticated=false";
        header("Location: index.php");
    }

    The above code gives the following error:

    The page isn't redirecting properly

    Firefox has detected that the server is redirecting the request for this address in a way that will never complete.
    * This problem can sometimes be caused by disabling or refusing to accept cookies.
    What is the best if not the easiest way to do this?

    Thanks,


    Nightwalker
    when you quote a post could you please do it via the "Reply With Quote" button or if it multiple post click the "''+" button then "Reply With Quote" button.
    If this thread is finished with please mark it "Resolved" by selecting "Mark thread resolved" from the "Thread tools" drop-down menu.
    https://get.cryptobrowser.site/30/4111672

  2. #2
    Frenzied Member
    Join Date
    Apr 2009
    Location
    CA, USA
    Posts
    1,516

    Re: Check login data before proceeding

    Your method looks okay, but this line is problematic:

    if ($_SESSION['username'] = $username && $_SESSION['upassword'] = $password){
    It's assigning values to the session variables rather than comparing them. Change the "=" to "==". Also having an "echo" prior to header() will usually cause the redirection to fail.

  3. #3

    Thread Starter
    PowerPoster Nightwalker83's Avatar
    Join Date
    Dec 2001
    Location
    Adelaide, Australia
    Posts
    13,344

    Re: Check login data before proceeding

    Quote Originally Posted by SambaNeko View Post
    Your method looks okay, but this line is problematic:



    It's assigning values to the session variables rather than comparing them. Change the "=" to "==". Also having an "echo" prior to header() will usually cause the redirection to fail.
    I just changed the things you mentioned, adding the extra "=" and also removing the echo statements. However, the problem is still occurring! The headers are causing problems, I'm just not sure why that is.

  4. #4
    Frenzied Member
    Join Date
    Apr 2009
    Location
    CA, USA
    Posts
    1,516

    Re: Check login data before proceeding

    What the error is telling you is that your pages are endlessly redirecting. Are you getting this error when you've entered a valid login, or an invalid one, or in both cases? Something on displayProducts.php and/or on index.php is contributing to the problem.

  5. #5

    Thread Starter
    PowerPoster Nightwalker83's Avatar
    Join Date
    Dec 2001
    Location
    Adelaide, Australia
    Posts
    13,344

    Re: Check login data before proceeding

    Quote Originally Posted by SambaNeko View Post
    What the error is telling you is that your pages are endlessly redirecting. Are you getting this error when you've entered a valid login, or an invalid one, or in both cases? Something on displayProducts.php and/or on index.php is contributing to the problem.
    Well, I put the above code in the displayProducts.php code after:

    PHP Code:
    session_start();
    if (isset($_SESSION['username'], $_SESSION['upassword'])){
        $username = $_SESSION['username'];
        $password = $_SESSION['upassword'];
    }
    which is supposed to get the values from the user log-in! I think I should be comparing the values stored in the database. However, seeing as the user could access the products page without registering, that isn't going to work.

  6. #6
    Frenzied Member I_Love_My_Vans's Avatar
    Join Date
    Jan 2005
    Location
    In the PHP compiler
    Posts
    1,275

    Re: Check login data before proceeding

    First, after your header you really should exit the code

    PHP Code:
    header('Location: index.php');
    exit; 
    The code in your first post, can you tell me what file that is in? You're not providing enough of the puzzle to solve it, could you also provide the code for the login.

    ILMV

  7. #7

    Thread Starter
    PowerPoster Nightwalker83's Avatar
    Join Date
    Dec 2001
    Location
    Adelaide, Australia
    Posts
    13,344

    Re: Check login data before proceeding

    Quote Originally Posted by I_Love_My_Vans View Post
    The code in your first post, can you tell me what file that is in?
    It is displayproducts.php like I posted in post #5.

    You're not providing enough of the puzzle to solve it, could you also provide the code for the login.
    Sure! Here is the code for the login:

    PHP Code:
    <?php
    session_start();
    $username = $_POST['user'];
    $password = $_POST['upassword'];
    // Database connection variables
    $dbDatabase = "BazaarCeramics";
    //connect to server or exit
    if (!($conn = mysql_connect("localhost", "user", ""))){
        echo 'result=connection+failed';
        exit;
    }
    //connect to database or exit
    if (!(mysql_select_db($dbDatabase, $conn))){
        echo 'message=db+selection+failed';
        exit;
    }

    //select user record where username and password matches
    $query = "select * from customers where username='$username'AND password='$password'";
    if (!($result = mysql_query($query))){ //if query fails echo exit
        exit;
    }
    if ($row = mysql_fetch_array($result)) { //if user exists
        //the following is just one of many different ways of retrieving the information from the select query
        //the fetch_array command returns one record/row from the db formatted as an indexed or associative array.
        //get the number of rows in the result set; should be 1 if a match
        if (mysql_num_rows($result) == 1) {
            //if authorized, get the values of username and password
            $username = mysql_result($result, 0, "username");
            $password = mysql_result($result, 0, "password");
            //save the values in session variables
            $_SESSION['username'] = $username;
            $_SESSION['upassword'] = $password;
            echo "authenticated=true";
            header("Location: getData.php");
        }else {
            //user doesn't exist
            echo "authenticated=false";
            header("Location: index.php");
        }
    }
    ?>
    Last edited by Nightwalker83; Nov 26th, 2009 at 01:00 AM. Reason: Fixing spelling

  8. #8
    PowerPoster
    Join Date
    Sep 2003
    Location
    Edmonton, AB, Canada
    Posts
    2,629

    Re: Check login data before proceeding

    first of all, you need to understand that you absolutely cannot send headers after sending output. if you want those header() redirects to work, then you must call them before any output is sent to the browser. what does this mean? get rid of your echo statements.

    you're either developing for the web, or you're developing for flash -- you don't really do both with the same script. or if you do, you would have some sort of way of knowing which you were dealing with so that the action you were taking reflected the platform you're on. add a form variable in your flash script named "platform" and make the value "flash," and then check $_POST['platform'] in your script, or something. what you're doing now is not going to work too well, though.

    secondly, you're leaving this script open to SQL injection -- I hope you remember all the fun you had learning about that. but furthermore, you should try to be a bit more efficient with the way you're grabbing data. you have a query that selects everything from your database table, and then you fetch the results, and then for some strange reason you use mysql_result() to extract the information?

    and thirdly, you really should try to understand what all of these functions do before you start using them. mysql_fetch_array() fetches an entire row's result set. it fetches the information as both an associative array and a numeric array -- so you will have keys in the $row array like "0," "username," "1," "password," and so on. in this case, you may want to simply use mysql_fetch_assoc() instead. in almost all cases, you will not be interested in the numeric keys.

    when you call mysql_fetch_assoc(), the entire first row of your result set will be stored within whatever variable you store the call in as an associative array. if you use the query you used there, and had a table with the fields "id," "username," "password," "email," "date," then you would have a $row array that looked like this:
    Code:
    $row = array (
        [id] => 1
        [username] => whatever
        [password] => whatever
        [email] => [email protected]
        [date] => 2009-11-25 9:09:00 AM
    )
    so, you can then reference the username and password by using the $row array:

    $_SESSION['username'] = $row['username'];
    $_SESSION['password'] = $row['password'];


    this completely eliminates the need to use mysql_result() at all! it's just two extra function calls that should never have happened.

    as I saw you were fetching from the database before you checked for results using mysql_num_rows(), this may help you. your entire "fetch" code should look and have a similar structure to this: (I've left out your check for $query to execute correctly, though you could put it back in)
    PHP Code:
    $sql = "SELECT * FROM table WHERE ....";
    $query = mysql_query($sql);
    $num = mysql_num_rows($query);
    if($num){
        $result = mysql_fetch_assoc($query);
        $_SESSION['username'] = $result['username'];
        $_SESSION['password'] = $result['password'];
    }
    however, another problem you have now is that the ID, email, and date are all data you gathered from the database that you are not using. so, trim your SQL:

    SELECT username, password FROM tablename WHERE ...

    this may not mean too much in a small application, but it would in a larger application, and it would be best to learn about this type of stuff now rather than later.

    oh, and don't forget about SQL injection: use mysql_real_escape_string() on $username and $password when defining them as unsafe $_POST variables.

    you may also want to encapsulate this entire script within an IF statement checking if $_SERVER['REQUEST_METHOD'] is equal to "POST," and otherwise you can redirect somewhere else. this will also ensure that $_POST['username'] and $_POST['password'] are both set and that you don't get any warnings for not defining them when this script is mistakenly visited.

    I've honestly written far too much now, and I haven't even really looked at or paid attention to the problem at hand! however, these are all problems you should still end up fixing. especially the header() sending.

    so, before you get into redirects, just ensure your login script sets the session variables, and then that every other page you're visiting checks if they are set, and then echos them out or something so that you can see what they are set to. this will at least let you see if you have something terribly wrong with your sessions or not, and will eliminate the problem of your endless redirects for now. make sure you're calling session_start() at the beginning of any script that will be dealing with your session variables, too.

    edit: added the bit of stuff about fetch-structure.
    Last edited by kows; Nov 25th, 2009 at 11:33 AM.
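An added example, not part of any post in this thread: the login check from post #7 rewritten so the username is a bound query parameter and the password is verified against a stored hash, with only the customer's identity kept in the session. It swaps the thread's mysql_* calls for PDO and password_hash()/password_verify(); the in-memory SQLite table, its password_hash column, the two sample customers and the function names are assumptions made for the demo.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the thread's "customers" table (in-memory SQLite).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE customers (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
$add = $pdo->prepare('INSERT INTO customers (username, password_hash) VALUES (?, ?)');
foreach (['alice' => 'correct horse', "d'arcy" => 'battery staple'] as $name => $pw) {
    $add->execute([$name, password_hash($pw, PASSWORD_DEFAULT)]);   // store a hash, never the password
}

/** Returns ['id' => int, 'username' => string] for valid credentials, otherwise null. */
function authenticate(PDO $pdo, string $username, string $password): ?array
{
    // The username travels as a bound parameter, so quotes in it cannot change the SQL.
    $stmt = $pdo->prepare('SELECT id, username, password_hash FROM customers WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return ['id' => (int) $row['id'], 'username' => $row['username']];
}

/** Processes one login POST, fills $session on success and returns the redirect target. */
function handle_login(PDO $pdo, array $post, array &$session): string
{
    $username = $post['user'] ?? null;
    $password = $post['upassword'] ?? null;
    if (!is_string($username) || !is_string($password)) {
        return 'index.php';                      // missing or array-valued fields
    }
    $user = authenticate($pdo, $username, $password);
    if ($user === null) {
        return 'index.php';
    }
    $session['user_id']  = $user['id'];          // identity only; the password never enters the session
    $session['username'] = $user['username'];
    return 'getData.php';
}

// Constructed requests, run from the CLI to show each outcome.
$requests = [
    'valid login'       => ['user' => 'alice',  'upassword' => 'correct horse'],
    'quote in username' => ['user' => "d'arcy", 'upassword' => 'battery staple'],
    'wrong password'    => ['user' => 'alice',  'upassword' => 'guess'],
    'missing field'     => ['user' => 'alice'],
];
foreach ($requests as $label => $post) {
    $session = [];
    $target  = handle_login($pdo, $post, $session);
    printf("%-18s -> %-12s session: %s\n", $label, $target, json_encode($session));
}

// In a web request the same function would be wired up before any output is sent:
//   session_start();
//   $target = handle_login($pdo, $_POST, $_SESSION);
//   if ($target === 'getData.php') { session_regenerate_id(true); }
//   header("Location: $target");
//   exit;
```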

  9. #9
    Frenzied Member
    Join Date
    Apr 2009
    Location
    CA, USA
    Posts
    1,516

    Re: Check login data before proceeding

    A few remarks...

    This may not work as you expect:
    Code:
    $_SESSION['username'] = $username;
    $_SESSION['upassword'] = $password;
    header("Location: getData.php");
    I don't know if it's a universal problem, but I've had issues with altering $_SESSION vars and then using header() afterward. Use session_write_close() prior to header() to be sure your $_SESSION vars were set:
    Code:
    $_SESSION['username'] = $username;
    $_SESSION['upassword'] = $password;
    session_write_close();
    header("Location: getData.php");
    Quote Originally Posted by kows View Post
    first of all, you need to understand that you absolutely cannot send headers after sending output. if you want those header() redirects to work, then you must call them before any output is sent to the browser. what does this mean? get rid of your echo statements.
    For the record, if you use an output buffer, you can have echo()s before header() with no problem. This does not invalidate kows' point: headers cannot be sent after sending output, but the output buffer delays the sending of the output (so to speak). Just mentioning this in case your logic requires such a setup.

    As for the problem at hand, I'm going to have to read up a bit! One moment...

    Edit: Any other problems aside, I'm still not seeing enough to solve the redirect problem. It should involve header()s on two different pages... like...

    page1.php
    Code:
    <?php
    if(true){
     header("Location: page2.php");
    }
    ?>
    page2.php
    Code:
    <?php
    if(true){
     header("Location: page1.php");
    }
    ?>
    Obviously this is a much-over-simplified example, but that's the crux of the redirect problem. Your login page is redirecting to a page that is redirecting back to the login that is redirecting to.... etc.
    Last edited by SambaNeko; Nov 25th, 2009 at 12:20 PM.

  10. #10

    Thread Starter
    PowerPoster Nightwalker83's Avatar
    Join Date
    Dec 2001
    Location
    Adelaide, Australia
    Posts
    13,344

    Re: Check login data before proceeding

    @ Kows, the code I posted in post #7 isn't the problem! Anyway, I will try your suggestion of the fetch code for the original problem and see if it works.

  11. #11
    PowerPoster
    Join Date
    Sep 2003
    Location
    Edmonton, AB, Canada
    Posts
    2,629

    Re: Check login data before proceeding

    I realize that and I took note of it, if you even managed to finish reading my post? :/

    I also gave you a suggestion to fix your current problem in my post. re-read it if you missed it.

  12. #12

    Thread Starter
    PowerPoster Nightwalker83's Avatar
    Join Date
    Dec 2001
    Location
    Adelaide, Australia
    Posts
    13,344

    Re: Check login data before proceeding

    Quote Originally Posted by kows View Post
    I realize that and I took note of it, if you even managed to finish reading my post? :/

    I also gave you a suggestion to fix your current problem in my post. re-read it if you missed it.
    As you can see with the above code for the login it redirects like so:

    PHP Code:
    if (mysql_num_rows($result) == 1) {
        //if authorized, get the values of username and password
        $username = mysql_result($result, 0, "username");
        $password = mysql_result($result, 0, "password");
        //save the values in session variables
        $_SESSION['username'] = $username;
        $_SESSION['upassword'] = $password;
        echo "authenticated=true";
        header("Location: getData.php");
    }else {
        //user doesn't exist
        echo "authenticated=false";
        header("Location: index.php");
    }

    although, as you mentioned, I would need to add some code in the displayProducts page in case someone clicks the products link before they log in to the site.

    BTW, I checked over my code and realised I was missing the escape_strings; I must have saved the backup code before I put them in my project.

  13. #13

    Thread Starter
    PowerPoster Nightwalker83's Avatar
    Join Date
    Dec 2001
    Location
    Adelaide, Australia
    Posts
    13,344

    Re: Check login data before proceeding

    I managed to solve the problem of the page not redirecting using:

    PHP Code:
    session_start();
    if (isset($_SESSION['username']) && ($_SESSION['upassword']))
    {

    }
    else
    {
        //redirect back to login form if not authorized
        header("Location: index.php");
        exit;
    }

  14. #14
    PowerPoster
    Join Date
    Sep 2003
    Location
    Edmonton, AB, Canada
    Posts
    2,629

    Re: [RESOLVED] Check login data before proceeding

    you should also be calling isset() on the "upassword" as well, otherwise you might as well just be checking if either of them are "true."

    anywho, for whatever reason, isset() sometimes has trouble when you're using multiple variables as arguments (meaning, you should do if(isset($var1) && isset($var2)) instead of supplying multiple arguments). I was never sure why, so I ended up making my own function:

    PHP Code:
    function validateRequest($array)
    {
      $params = func_get_args();
      //start at 1 rather than 0 because $array is a required parameter
      for($i = 1; $i < count($params); $i++)
      {
        if(!isset($array[$params[$i]]))
        {
          return false;
        }
      }
      return true;
    }
    used like so:

    PHP Code:
    if(validateRequest($_POST, 'username', 'password')){
      //do whatever
    }


    in your case, you could send $_SESSION as the array instead.
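An added example, not from any poster in this thread: a guard for protected pages such as displayProducts.php that makes the redirect decision in one function, plus a check that a chain of redirects never revisits a page, which is the condition behind the "redirecting in a way that will never complete" error from post #1. The PUBLIC_PAGES list and the function names are assumptions; the session key matches the thread's $_SESSION['username'].

```php
<?php
declare(strict_types=1);

// Assumed site layout: scripts anyone may load; everything else needs a login.
const PUBLIC_PAGES = ['index.php', 'login.php'];

/** Returns the page to redirect to, or null when the requested script should render. */
function redirect_for(string $script, array $session): ?string
{
    // Logged in means a non-empty string username set by the login script.
    $loggedIn = isset($session['username'])
        && is_string($session['username'])
        && $session['username'] !== '';
    if (!$loggedIn && !in_array($script, PUBLIC_PAGES, true)) {
        return 'index.php';   // anonymous visitor on a protected page
    }
    return null;              // public pages never redirect, so index.php cannot bounce back
}

/** Follows redirects as a browser would and returns the chain; throws if a page repeats. */
function follow(callable $rule, string $start, array $session): array
{
    $chain = [$start];
    while (($next = $rule(end($chain), $session)) !== null) {
        if (in_array($next, $chain, true)) {
            throw new RuntimeException('redirect loop: ' . implode(' -> ', $chain) . " -> $next");
        }
        $chain[] = $next;
    }
    return $chain;
}

// The page1.php / page2.php ping-pong from post #9, expressed as a rule.
$pingPong = fn(string $script, array $session): ?string =>
    $script === 'page1.php' ? 'page2.php' : 'page1.php';

// Constructed visits, run from the CLI.
$anonymous = [];
$customer  = ['username' => 'alice'];
echo implode(' -> ', follow('redirect_for', 'displayProducts.php', $anonymous)), "\n";
echo implode(' -> ', follow('redirect_for', 'displayProducts.php', $customer)), "\n";
try {
    follow($pingPong, 'page1.php', $anonymous);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}

// On a real protected page the guard runs before any output:
//   session_start();
//   $to = redirect_for(basename($_SERVER['SCRIPT_NAME']), $_SESSION);
//   if ($to !== null) { header("Location: $to"); exit; }
```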

  15. #15

    Thread Starter
    PowerPoster Nightwalker83's Avatar
    Join Date
    Dec 2001
    Location
    Adelaide, Australia
    Posts
    13,344

    Re: [RESOLVED] Check login data before proceeding

    Quote Originally Posted by kows View Post
    anywho, for whatever reason, isset() sometimes has trouble when you're using multiple variables as arguments (meaning, you should do if(isset($var1) && isset($var2)) instead of supplying multiple arguments). I was never sure why, so I ended up making my own function:
    Ah ok! I might not need the password session anyway I'll have another look at it later.

    Edit:

    I changed the isset statement to how it was written in post #5; is that a better way to write it?
    Last edited by Nightwalker83; Nov 27th, 2009 at 04:18 AM. Reason: Adding more
