
Session help


seanj43


Firstly, I am new to the forum, so hello  :)

 

I am trying to code a login script for my website. I have got the login to work but how do I get it to create a session so the user stays logged in until they log out?

 

Also how can I prevent access to success.php and fail.php so they cannot be accessed directly. I am new to PHP so please explain in detail for me.

 

Here is my code...

 

<?php
ob_start();
$host=""; // Host name 
$username=""; // Mysql username 
$password=""; // Mysql password 
$db_name=""; // Database name 
$tbl_name=""; // Table name

mysql_connect("$host", "$username", "$password")or die("cannot connect"); 
mysql_select_db("$db_name")or die("cannot select DB");

$myusername=$_POST['myusername']; 
$mypassword=$_POST['mypassword'];
$mypassword=md5($mypassword);

$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);

$sql="SELECT * FROM $tbl_name WHERE email='$myusername' and password='$mypassword'";
$result=mysql_query($sql);

$count=mysql_num_rows($result);

if($count==1){
session_register("myusername");
session_register("mypassword"); 
header("location:success.php");
}
else {
header("location:fail.php");
}

ob_end_flush();
?>

 

 


First thing I would suggest is to check PHPFreaks site for a Session Tutorial.  If there isn't one there, google PHP Session Tutorial.

 

Wherever you found that code, it's old and isn't correct.

 

Well I have looked everywhere for a tutorial but I am unable to find one that works/I understand. Could anybody point me in the right direction?

 

As for the code being old and not correct, I found it on a tutorial website. It works, but what does it need doing to it to make it 'correct'?

 

EDIT: Update to code

<?php
mysql_connect("localhost", "user", "password")or die("cannot connect"); 
mysql_select_db("db name")or die("cannot select DB");

$myusername=$_POST['myusername']; 
$mypassword=$_POST['mypassword'];
$mypassword=md5($mypassword);

$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);

$sql="SELECT * FROM users WHERE email='$myusername' and password='$mypassword'";
$result=mysql_query($sql);

$count=mysql_num_rows($result);

if($count==1){
session_register("myusername");
session_register("mypassword"); 
header("location:success.php");
}
else {
header("location:fail.php");
}
?>

 


Technically the tutorial you've followed is fine, but it's where you go from there, how you implement it site wide, etc...

 

So, what happens in your code is, if the login is successful then two variables are defined in the $_SESSION array.

Next, in 'success.php', 'fail.php' and other subsequent files you'll need to check for the variables you just registered with the session.

e.g.

<?php
session_start();
if (isset($_SESSION["myusername"])) {
  // allow access
} else {
  // disallow access
}
?>

 

Notice the use of session_start, your example uses session_register which (I didn't know this, but for clarity it wouldn't make any diff to me) actually makes a call to session_start if not already called.

 

 

To log out, when a link is clicked it'll call a page and do something like... (example from manual, see session_destroy)

<?php
// Initialize the session.
// If you are using session_name("something"), don't forget it now!
session_start();

// Unset all of the session variables.
$_SESSION = array();

// If it's desired to kill the session, also delete the session cookie.
// Note: This will destroy the session, and not just the session data!
if (ini_get("session.use_cookies")) {
    $params = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $params["path"], $params["domain"],
        $params["secure"], $params["httponly"]
    );
}

// Finally, destroy the session.
session_destroy();
?>

 

 

Here's main manual contents for sessions... sessions

Have a play with your code and try to hack it, e.g. use say Telnet and try to hijack the session, then wonder how you could prevent it...

 

Also you md5 the password, then stripslashes and escape it, not sure if that's the way round I'd do it (open to debate...)...

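The points raised in this thread (creating the session at login, blocking direct access to success.php, and making a hijacked or fixed session ID harder to use), pulled together as an added example that is not part of any post above. It assumes PHP 7.3+ with PDO and the SQLite driver for the command-line demo; the `users(email, password_hash)` table, `login.php` and the sample account are hypothetical.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.3+ with PDO and a
// hypothetical users(email, password_hash) table filled via password_hash().

function start_secure_session(): void {
    ini_set('session.use_strict_mode', '1'); // refuse session IDs the server did not issue
    session_set_cookie_params([
        'httponly' => true,   // cookie not readable from JavaScript
        'secure'   => true,   // assumes HTTPS; cookie never sent over plain HTTP
        'samesite' => 'Lax',
    ]);
    session_start();
}

function attempt_login(PDO $db, string $email, string $password): bool {
    // Prepared statement: user input is bound, never spliced into the SQL text.
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $hash = $stmt->fetchColumn();
    // password_verify() checks a salted, slow hash; this replaces md5().
    if ($hash === false || !password_verify($password, $hash)) {
        return false;
    }
    session_regenerate_id(true);       // fresh ID at login blocks session fixation
    $_SESSION['myusername'] = $email;  // keep identity only, never the password
    return true;
}

function require_login(): void {
    // Call first thing in success.php and every other members-only page.
    if (!isset($_SESSION['myusername'])) {
        header('Location: login.php'); // hypothetical login form page
        exit;                          // stop so the protected body is never sent
    }
}

// Constructed demo for the command line: in-memory SQLite and one sample user.
if (PHP_SAPI === 'cli') {
    start_secure_session();
    $db = new PDO('sqlite::memory:');
    $db->exec('CREATE TABLE users (email TEXT PRIMARY KEY, password_hash TEXT)');
    $db->prepare('INSERT INTO users VALUES (?, ?)')
       ->execute(['alice@example.test', password_hash('correct horse', PASSWORD_DEFAULT)]);
    $bad  = attempt_login($db, 'alice@example.test', 'wrong');
    $good = attempt_login($db, 'alice@example.test', 'correct horse');
    var_dump($bad, $good, isset($_SESSION['myusername']));
}
```

In a web request, call start_secure_session() before any output, then require_login() at the top of each protected page.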
