PHP Login Help

[VikiC]

Hi. I'm having a little problem creating a login using PHP. Looked at several tutorials and not having much luck. I've created a database in MySql called "member" with a username and password field just to test but don't appear to be getting as far as that.  I'm also using XAMPP.  So basically the PHP so far is five different pages.

 

"config.inc" contains:

 

<?php

 

$hostname = 'localhost';        // Your MySQL hostname. Usualy named as 'localhost', so you're NOT necessary to change this even this script has already online on the internet.

$dbname  = 'member'; // Your database name.

$username = 'root';            // Your database username.

$password = '';                // Your database password. If your database has no password, leave it empty.

 

// Let's connect to host

mysql_connect($hostname, $username, $password) or DIE('Connection to host is failed, perhaps the service is down!');

// Select the database

mysql_select_db($dbname) or DIE('Database name is not available!');

 

?>

 

"index.php" contains:

 

<?php

 

// Inialize session

session_start();

 

// Check, if user is already login, then jump to secured page

if (isset($_SESSION['username'])) {

header('Location: securedpage.php');

}

 

?>

<html>

 

<head>

<title>PHPMySimpleLogin 0.3</title>

</head>

 

<body>

 

<h3>User Login</h3>

 

<table border="0">

<form method="POST" action="loginproc.php">

<tr><td>Username</td><td>:</td><td><input type="text" name="username" size="20"></td></tr>

<tr><td>Password</td><td>:</td><td><input type="password" name="password" size="20"></td></tr>

<tr><td> </td><td> </td><td><input type="submit" value="Login"></td></tr>

</form>

</table>

 

</body>

 

</html>

 

"loginproc.php" contains:

 

<?php

 

// Inialize session

session_start();

 

// Include database connection settings

include('config.inc');

 

// Retrieve username and password from database according to user's input

$login = mysql_query("SELECT * FROM user WHERE (username = '" . mysql_real_escape_string($_POST['username']) . "') and (password = '" . mysql_real_escape_string(md5($_POST['password'])) . "')");

 

// Check username and password match

if (mysql_num_rows($login) == 1) {

// Set username session variable

$_SESSION['username'] = $_POST['username'];

// Jump to secured page

header('Location: securedpage.php');

}

else {

// Jump to login page

header('Location: index.php');

}

 

?>

 

"securedpage.php" contains:

 

<?php

 

// Inialize session

session_start();

 

// Check, if username session is NOT set then this page will jump to login page

if (!isset($_SESSION['username'])) {

header('Location: index.php');

}

 

?>

<html>

 

<head>

<title>Secured Page</title>

</head>

 

<body>

 

<p>This is secured page with session: <b><?php echo $_SESSION['username']; ?></b>

<br>You can put your restricted information here.</p>

<p><a href="logout.php">Logout</a></p>

 

</body>

 

</html>

 

"logout.php" contains:

 

<?php

 

// Inialize session

session_start();

 

// Delete certain session

unset($_SESSION['username']);

// Delete all session variables

// session_destroy();

 

// Jump to login page

header('Location: index.php');

 

?>

 

BASICALLY - when i go into this and enter the username and password the same page index.php stays.

 

Apologies for the length of this post, just wanted to get the info in. Also have checked that MySql server is running etc.

 

Finaly Year Project Student here and i don't want to fall at the first hurdle so any help is appreciated  

[jcanker]

What do you mean "the same page index.php stays"?  Does the page refresh when you click the submit link?  In other words, you click submit and it refreshes the page, or does it just not do anything?

[Rifts]

I dont know if this is the problem 100% but I would never do this

$login = mysql_query("SELECT * FROM user WHERE (username = '" . mysql_real_escape_string($_POST['username']) . "') and (password = '" . mysql_real_escape_string(md5($_POST['password'])) . "')");

 

it should look like this:

$user = $_POST['username'];
$pass = $_POST['password'];
$user= stripslashes($user);
$pass= stripslashes($pass);
$user = mysql_real_escape_string($user);
$pass = mysql_real_escape_string($pass);
$pass = md5($pass);

$login = mysql_query("SELECT * FROM user WHERE (username = '$user') and (password = '$pass) ");

 

also try echoing the vars. to see if they are working correctly

 

also this site is really helpful to learn about this http://www.phpeasystep.com/phptu/6.html

[VikiC]

What do you mean "the same page index.php stays"?  Does the page refresh when you click the submit link?  In other words, you click submit and it refreshes the page, or does it just not do anything?

 

Yeah it just doesn't do anything, i refresh it, it stays the same.

[VikiC]

I dont know if this is the problem 100% but I would never do this

$login = mysql_query("SELECT * FROM user WHERE (username = '" . mysql_real_escape_string($_POST['username']) . "') and (password = '" . mysql_real_escape_string(md5($_POST['password'])) . "')");

 

it should look like this:

$user = $_POST['username'];
$pass = $_POST['password'];
$user= stripslashes($user);
$pass= stripslashes($pass);
$user = mysql_real_escape_string($user);
$pass = mysql_real_escape_string($pass);
$pass = md5($pass);

$login = mysql_query("SELECT * FROM user WHERE (username = '$user') and (password = '$pass) ");

 

also try echoing the vars. to see if they are working correctly

 

also this site is really helpful to learn about this http://www.phpeasystep.com/phptu/6.html

 

Thanks i'll give this a go. First time using PHP/MySQL...tried a couple of different tutorials, no luck.

[VikiC]

Got sorted.

 

This tutorial http://www.phpeasystep.com/phptu/6.html was spot on after a few changes.

 

Thanks for the advice guys i'm sure i'll be back for more

[Rifts]

welcome, glad it helped.