Login script validation & sessions

  • Steve Fitzgerald

    Login script validation & sessions

    The below login script does work. The form does not seem to be
    submitting. I keep getting the username and password fields. The only
    errors I get are notices that email and password are undefined
    indexes.

    Here's the login script:
    <?php
    session_start();

    // includes
    include_once ("includes/common.php");
    include_once ("includes/db_vars.inc");


    //check to see isLoggedIn is True
    if (!isset($_SESSION["isLoggedIn"])) {
    ?>
    <!-- LOGIN FORM -->
    <form method=post action="<?echo $_SERVER['PHP_SELF']?>">
    <table cellpadding=2 cellspacing=0 border=0>
    <td>Username: </td><td><input type="text" name="email"
    size=10></td><tr>
    <td>Password: </td><td><input type="password" name="password"
    size=10></td><tr>
    <td>&nbsp;</td><td><input type="submit" name="submit" value="Log In"></td>
    </table></form>


    <?php
    //connect to database
    dbConnect('crc1');
    $email = $_POST['email'];
    $password = $_POST['password'];
    $sql = "SELECT * FROM crc1.tblusers WHERE emailaddress = '$email' AND
    password = md5('$password')";
    echo $sql;
    $result = mysql_query($sql) or die ("Error in query: $sql. " .
    mysql_error());
    while ($row=mysql_fetch_array($result)) {
    if (mysql_num_rows ($result)!= False) {
    $isLoggedIn = TRUE;
    session_register($email);
    session_register($password);
    session_register($isLoggedIn);
    header('location: http://localhost/app/mycrc/mycrc.php');
    }// end if
    }//end if
    }else{
    //debugging
    echo ''.$_POST['email'].' <br/>';
    echo ''.$_POST['password'].'<br/>';
    echo 'Could not log you in.<br/>';
    print_r ($_SESSION);
    }//end if
    ?>

    I'd appreciate it if someone could give me some pointers.
  • Pedro

    #2
    Re: Login script validation & sessions

    Steve Fitzgerald wrote:
    >The below login script does work. The form does not seem to be
    >submitting. I keep getting the username and password fields.
    [...]
    >I'd appreciate it if someone could give me some pointers.

    You don't want to show the form after the user presses the submit
    button, and you only want to validate input after the user presses the
    button.


    Enclose the form and validation in another if()

    <?php if (!isset($_POST['submit'])) { ?>

    ## FORM HERE ##

    <?php } else { ?>

    ## VALIDATION HERE ##

    <?php } ?>


    --
    "Yes, I'm positive."
    "Are you sure?"
    "Help, somebody has stolen one of my electrons!"
    Two atoms are talking:


    • Ian.H [dS]

      #3
      Re: Login script validation & sessions


      Whilst lounging around on 3 Jul 2003 03:24:16 -0700, sf@mnetsys.com
      (Steve Fitzgerald) amazingly managed to produce the following with
      their Etch-A-Sketch:
      > The below login script does work. The form does not seem to be
      > submitting. I keep getting the username and password fields. The
      > only errors I get are notices that email and password are undefined
      > indexes.
      >
      > Here's the login script:
      > <?php
      > session_start();
      >
      > // includes
      > include_once ("includes/common.php");
      > include_once ("includes/db_vars.inc");
      >
      >
      > //check to see isLoggedIn is True
      > if (!isset($_SESSION["isLoggedIn"])) {
      > ?>
      > <!-- LOGIN FORM -->
      > <form method=post action="<?echo $_SERVER['PHP_SELF']?>">
      > <table cellpadding=2 cellspacing=0 border=0>
      > <td>Username: </td><td><input type="text" name="email"
      > size=10></td><tr>
      > <td>Password: </td><td><input type="password" name="password"
      > size=10></td><tr>
      > <td>&nbsp;</td><td><input type="submit" name="submit" value="Log In"></td>
      > </table></form>
      >
      >
      > <?php
      > //connect to database
      > dbConnect('crc1');
      > $email = $_POST['email'];
      > $password = $_POST['password'];


      Unnecessary use of vars.

      > $sql = "SELECT * FROM crc1.tblusers WHERE emailaddress = '$email'
      > AND password = md5('$password')";
      ^^^

      Function call within a string won't help =)


      $sql = "
      SELECT *
      FROM crc1.tblusers
      WHERE emailaddress = '{$_POST['email']}'
      AND password = '" . md5($_POST['password']) . "'
      ";

      > echo $sql;
      > $result = mysql_query($sql) or die ("Error in query: $sql. " .
      > mysql_error());
      > while ($row=mysql_fetch_array($result)) {
      > if (mysql_num_rows ($result)!= False) {
      ^^^^^

      This doesn't return a boolean value, rather an INT.


      if (mysql_num_rows ($result) > 0) {

      > $isLoggedIn = TRUE;
      > session_register($email);
      > session_register($password);
      > session_register($isLoggedIn);
      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^


      See www.php.net for SESSION information.

      > header('location: http://localhost/app/mycrc/mycrc.php');
      > }// end if
      > }//end if
      > }else{
      > //debugging
      > echo ''.$_POST['email'].' <br/>';
      ^^

      ???

      What purpose are these serving? No need for them whatsoever.

      > echo ''.$_POST['password'].'<br/>';
      > echo 'Could not log you in.<br/>';
      > print_r ($_SESSION);
      > }//end if
      > ?>
      >
      > I'd appreciate it if someone could give me some pointers.


      In addition to the above, I strongly suggest www.php.net for some
      reading to help you understand some of this code.. and www.mysql.com
      for the MySQL manual for your SQL syntax.



      Regards,

      Ian


      --
      Ian.H [Design & Development]
      digiServ Network - Web solutions
      www.digiserv.net | irc.digiserv.net | forum.digiserv.net
      Programming, Web design, development & hosting.


      • Chris Morris

        #4
        Re: Login script validation & sessions

        "Ian.H [dS]" <ian@WINDOZEdigiserv.net> writes:
        > (Steve Fitzgerald) amazingly managed to produce the following with
        > > $sql = "SELECT * FROM crc1.tblusers WHERE emailaddress = '$email'
        > > AND password = md5('$password')";
        > ^^^
        > Function call within a string won't help =)

        md5() is a valid MySQL function, should work fine.


        --
        Chris


        • Ian.H [dS]

          #5
          Re: Login script validation & sessions


          Whilst lounging around on 03 Jul 2003 12:51:48 +0100, Chris Morris
          <c.i.morris@durham.ac.uk> amazingly managed to produce the following
          with their Etch-A-Sketch:

          > "Ian.H [dS]" <ian@WINDOZEdigiserv.net> writes:
          > > (Steve Fitzgerald) amazingly managed to produce the following
          > > with
          > > > $sql = "SELECT * FROM crc1.tblusers WHERE emailaddress =
          > > > '$email' AND password = md5('$password')";
          > > ^^^
          > > Function call within a string won't help =)
          >
          > md5() is a valid MySQL function, should work fine.
          > http://www.mysql.com/doc/en/Miscella...functions.html


          Ahh yes, my apologies Chris.. well pointed out =)



          Regards,

          Ian


          --
          Ian.H [Design & Development]
          digiServ Network - Web solutions
          www.digiserv.net | irc.digiserv.net | forum.digiserv.net
          Programming, Web design, development & hosting.


          • Steve Fitzgerald

            #6
            Re: Login script validation & sessions

            The below code authenticates my login, but my sessions are not
            registering. In the debugging section I have print_r ($_SESSION); and
            all that produces is Array (). Am I missing something?

            <?php
            session_start();

            // includes
            include_once ("includes/common.php");
            include_once ("includes/db_vars.inc");


            //check to see if this form has already been submitted
            if (!isSet($_POST['submit'])){
            ?>
            <!-- LOGIN FORM -->
            <form method=post action="<?php echo $_SERVER['PHP_SELF']; ?>">
            <table cellpadding=2 cellspacing=0 border=0>
            <td>Username: </td><td><input type="text" name="email"
            size=10></td><tr>
            <td>Password: </td><td><input type="password" name="password"
            size=10></td><tr>
            <td>&nbsp;</td><td><input type="submit" name="submit" value="Log In"></td>
            </table></form>


            <?php
            }else{
            //connect to database
            dbConnect('crc1');
            $email = $_POST['email'];
            $password = $_POST['password'];
            $sql = "SELECT * FROM crc1.tblusers WHERE emailaddress = '$email' AND
            password = md5('$password')";
            echo $sql;
            $result = mysql_query($sql) or die ("Error in query: $sql. " .
            mysql_error());
            while ($row=mysql_fetch_array($result)) {
            if (mysql_num_rows ($result)!= False) {
            $isLoggedIn = TRUE;
            session_register("email");
            session_register("password");
            session_register("isLoggedIn");
            //header('location: http://localhost/app/mycrc/mycrc.php');
            }// end while
            }//end if
            echo '<br/>'.$_POST['email'].' <br/>';
            echo ''.$_POST['password'].'<br/>';
            print_r ($_SESSION);
            }//end if
            ?>


            • Steve Fitzgerald

              #7
              Re: Login script validation & sessions

              I corrected part of the problem by using $_SESSION instead of
              session_register(). Now, the problem is that my code to validate if
              $_SESSION["isLoggedIn"] has been set on the top of each of the pages
              I'm trying to protect does not seem to work.

              Here's the code:
              <?php
              session_start();
              if (isSet($_SESSION['isLoggedIn']) != '1'){
              header('location: http://localhost/login.php');
              exit();
              }else{
              ...rest of code
              }
              ?>
              I always get sent back to the login page.

              Any suggestions?



              • Kevin Thorpe

                #8
                Re: Login script validation & sessions

                Steve Fitzgerald wrote:
                > I corrected part of the problem by using $_SESSION instead of
                > session_register(). Now, the problem is that my code to validate if
                > $_SESSION["isLoggedIn"] has been set on the top of each of the pages
                > I'm trying to protect does not seem to work.
                >
                > Here's the code:
                > <?php
                > session_start();
                > if (isSet($_SESSION['isLoggedIn']) != '1'){
                > header('location: http://localhost/login.php');
                > exit();
                > }else{
                > ..rest of code
                > }
                > ?>
                > I always get sent back to the login page.
                >
                > Any suggestions?

                either just use
                if (!isset($_SESSION['isLoggedIn'])) {
                or
                if ($_SESSION['isLoggedIn'] != 1) {
                you've mixed the two together


                • Cl1mh4224rd

                  #9
                  Re: Login script validation & sessions

                  Steve Fitzgerald wrote:

                  > if (isSet($_SESSION['isLoggedIn']) != '1'){
                  > header('location: http://localhost/login.php');
                  > exit();
                  > }else{
                  > ..rest of code
                  > }

                  if (
                  !isset($_SESSION['isLoggedIn']) ||
                  (isset($_SESSION['isLoggedIn']) && $_SESSION['isLoggedIn'] != 1)
                  ) {
                  // Send them to the login page.
                  } else {
                  // Rest of code
                  }

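The login check and page guard discussed in this thread, as an added example that is not code from any poster: the submitted email is bound as a query parameter instead of being interpolated into the SQL string, the password is checked with `password_verify()` instead of `md5()`, and the session flag is tested with a single strict comparison. The function names, the `password_hash` column and the in-memory SQLite database standing in for MySQL are assumptions, and the user row is constructed sample data.

```php
<?php
// Added example, not code from any poster in this thread.
// Assumptions: function names, the password_hash column, and in-memory SQLite
// standing in for the MySQL database.

function authenticate(PDO $db, string $email, string $password): bool
{
    // Bound parameter: the submitted value is sent as data, never as SQL text.
    $stmt = $db->prepare(
        'SELECT password_hash FROM tblusers WHERE emailaddress = ?'
    );
    $stmt->execute([$email]);
    $hash = $stmt->fetchColumn();          // false when no such user
    // password_verify() checks a salted password_hash() value (replaces md5()).
    return is_string($hash) && password_verify($password, $hash);
}

function logIn(array &$session, string $email): void
{
    // In a real request, call session_regenerate_id(true) before this point.
    $session['email'] = $email;            // identity only, never the password
    $session['isLoggedIn'] = true;
}

function isLoggedIn(array $session): bool
{
    // One strict test; no isset() result compared against '1'.
    return ($session['isLoggedIn'] ?? false) === true;
}

// Constructed demo data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tblusers (emailaddress TEXT PRIMARY KEY, password_hash TEXT)');
$db->prepare('INSERT INTO tblusers VALUES (?, ?)')
   ->execute(["o'brien@example.test", password_hash('s3cret-demo', PASSWORD_DEFAULT)]);

$attempts = [
    ["o'brien@example.test", 's3cret-demo'],   // correct; the quote is just data
    ["o'brien@example.test", 'wrong'],
    ['nobody@example.test',  's3cret-demo'],
];
foreach ($attempts as [$email, $password]) {
    $session = [];                         // stands in for $_SESSION
    if (authenticate($db, $email, $password)) {
        logIn($session, $email);
    }
    printf("%-22s %-12s %s\n", $email, $password,
        isLoggedIn($session) ? 'page served' : 'redirect to login');
}
```

In a web request, `$session` is `$_SESSION` after `session_start()`, and a failed `isLoggedIn()` check is followed by the `header('Location: ...')` redirect and `exit()` as in the posts above.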