Login Script & Practical Application Question

[valgris]

Hello, I am slightly nervous about posting this because I am almost completely new to php, I have a few introductory books on the subject which I am working through at the moment as well as some reference books but I am still getting through the basics of it all.

I recently downloaded a login script, which allows a user to login and also allows the protection of some pages if users are not logged in.

This script was a free one from easykiss123. it comes with other .php files and I have given them all a look over and I get the general idea of what's going on for the most part, and I THINK as I keep reading my books I will understand everything even more. However, what I really want to do right now is make it so a website would know which user is logged on, and then use this information elsewhere.

For example if a particular user logged on and submitted something, I would like obviously the submission to be recorded but also the id of the user that submitted it, at the moment with this code, I do not think that is possible, however I could be wrong.

I am looking for any pointers or a nudge in the right direction or link to a tutorial of how I would go about this, anything that may help.

I think I would be storing the user ID in a global  variable that can be used throughout the site, but again I am not sure.

Thanks in advance for any help, I have included both the login script and the script used for protecting pages, as its already freely available online I see no issue with posting snippits of it here since the source has been referenced.

 

 

<?php # Script 16.8 - login.php
// This is the login page for the site.

require_once ('includes/config.inc.php'); 
$page_title = 'Login';
include ('includes/header.html');

if (isset($_POST['submitted'])) {
require_once (MYSQL);

// Validate the email address:
if (!empty($_POST['email'])) {
	$e = mysqli_real_escape_string ($dbc, $_POST['email']);
} else {
	$e = FALSE;
	echo '<p class="error">You forgot to enter your email address!</p>';
}

// Validate the password:
if (!empty($_POST['pass'])) {
	$p = mysqli_real_escape_string ($dbc, $_POST['pass']);
} else {
	$p = FALSE;
	echo '<p class="error">You forgot to enter your password!</p>';
}

if ($e && $p) { // If everything's OK.

	// Query the database:
	$q = "SELECT user_id, first_name, user_level FROM users WHERE (email='$e' AND pass=SHA1('$p')) AND active IS NULL";		
	$r = mysqli_query ($dbc, $q) or trigger_error("Query: $q\n<br />MySQL Error: " . mysqli_error($dbc));

	if (@mysqli_num_rows($r) == 1) { // A match was made.

		// Register the values & redirect:
		$_SESSION = mysqli_fetch_array ($r, MYSQLI_ASSOC); 
		mysqli_free_result($r);
		mysqli_close($dbc);

		$url = BASE_URL . 'index.php'; // Define the URL:
		ob_end_clean(); // Delete the buffer.
		header("Location: $url");
		exit(); // Quit the script.

	} else { // No match was made.
		echo '<p class="error">Either the email address and password entered do not match those on file or you have not yet activated your account.</p>';
	}

} else { // If everything wasn't OK.
	echo '<p class="error">Please try again.</p>';
}

mysqli_close($dbc);

} // End of SUBMIT conditional.
?>

<h1>Login</h1>
<p>Your browser must allow cookies in order to log in.</p>
<form action="login.php" method="post">
<fieldset>
<p><b>Email Address:</b> <input type="text" name="email" size="20" maxlength="40" /></p>
<p><b>Password:</b> <input type="password" name="pass" size="20" maxlength="20" /></p>
<div align="center"><input type="submit" name="submit" value="Login" /></div>
<input type="hidden" name="submitted" value="TRUE" />
</fieldset>
</form>

<?php // Include the HTML footer.
include ('includes/footer.html');
?>

 

<?php 
require_once ('includes/config.inc.php'); 
$page_title = 'YOUR PAGE TITLE GOES HERE';

// Start output buffering:
ob_start();

// Initialize a session:
session_start();

// Check for a $page_title value:
if (!isset($page_title)) {
$page_title = 'User Registration';
}

// If no first_name session variable exists, redirect the user:
if (!isset($_SESSION['first_name'])) {

$url = BASE_URL . 'index.php'; // Define the URL.
ob_end_clean(); // Delete the buffer.
header("Location: $url");
exit(); // Quit the script.

}
?>

 

<?php // Flush the buffered output.
ob_end_flush();
?>

[Psycho]

From what I see the login functionality, validation is done by running a query to get the values for "user_id", "first_name", and "user_level" where the username and password match what the user entered. If a record is returned then authentication "passes" and the result of the query are stores in a session variable:

		// Query the database:
	$q = "SELECT user_id, first_name, user_level FROM users WHERE (email='$e' AND pass=SHA1('$p')) AND active IS NULL";		
	$r = mysqli_query ($dbc, $q) or trigger_error("Query: $q\n<br />MySQL Error: " . mysqli_error($dbc));

	if (@mysqli_num_rows($r) == 1) { // A match was made.

		// Register the values & redirect:
		$_SESSION = mysqli_fetch_array ($r, MYSQLI_ASSOC); 

 

You will notice on the second script you posted that there is a check for "first_name" as a session value to determine if the user is logged in or not.

if (!isset($_SESSION['first_name'])) {

 

Well, the user_id and user_level are both stored in the session as well. So, as long as you initiate the session [i.e. sessio_start() ] on each page load you can access those variables for any "logged in" user using:

 

$_SESSION['first_name']

$_SESSION['user_id']

$_SESSION['user_level']

[valgris]

Thank you so much for your response, I missed that entirely.

I can actually have a go at creating a simple entry form and using the $session to write the users id to the table.

Though I think I should probably go into my books a bit more, as that is something I should have been able to spot.

Thanks again!