[solved] - Thanks Everyone - login php script problem

June 29th, 2004, 11:15 am

ok, the extra ) was my fault, sorry about that.

You need to put the $_POST stuff on the admin_login.php page, not the login.php page. It RETRIEVES the data, it doesn't send data... see what I mean?

So:

1) Get rid of the PHP stuff in your HTML form, unless you're planning to use a cookie to add their username to the VALUE field for username, there's no point.

2) Remove any other PHP code you added to the login.php form due to this thread.

3) On admin_login.php (the target, aka, ACTION, for your login form) make it look like this:

PHP Code: [ Download ] [ Select ]

 
 
 
<?
 
   include('connect.php');
 
 
 
   function get_data_by_method($method_hash,$element){
 
      foreach ($method_hash as $key => $value) {
 
         if($key == $element){return $value; }
 
      }
 
      return "";
 
   }
 
 
 
 
 
   $user = get_data_by_method($_POST,"username");
 
   $pass = md5(get_data_by_method($_POST,"password"));
 
 
 
 
 
   $sql = "SELECT username,password FROM admin WHERE username='".$user."' and password='".$pass)."';";
 
   $results = mysql_fetch_array(mysql_query($sql));
 
 
 
   if(!isset($db_user)){$db_user = false;}
 
   if(!isset($db_pass)){$db_pass = false;}
 
 
 
   foreach($results as $field => $value){
 
      if($field == "username"){$db_user = $value; }
 
      if($field == "password"){$db_pass = $value; }
 
   }
 
 
 
   if(!$db_user || !$db_pass){ echo "couldnt get informtion"; }
 
   else{
 
      if($db_user == $user && $db_pass == $pass){
 
         setcookie("admin",$userid,time() + 3600);
 
         echo "Welcome Admin - You have Admin Access <a href=admin.php>click here to continue</a>";
 
      }
 
      else{ echo "You do not have permission to access this area, sorry <a href=login.php>click here to go back</a>"; }
 
   }
 
?>
 
 

1.  
2.  
3.  
4. <?
5.  
6.    include('connect.php');
7.  
8.  
9.  
10.    function get_data_by_method($method_hash,$element){
11.  
12.       foreach ($method_hash as $key => $value) {
13.  
14.          if($key == $element){return $value; }
15.  
16.       }
17.  
18.       return "";
19.  
20.    }
21.  
22.  
23.  
24.  
25.  
26.    $user = get_data_by_method($_POST,"username");
27.  
28.    $pass = md5(get_data_by_method($_POST,"password"));
29.  
30.  
31.  
32.  
33.  
34.    $sql = "SELECT username,password FROM admin WHERE username='".$user."' and password='".$pass)."';";
35.  
36.    $results = mysql_fetch_array(mysql_query($sql));
37.  
38.  
39.  
40.    if(!isset($db_user)){$db_user = false;}
41.  
42.    if(!isset($db_pass)){$db_pass = false;}
43.  
44.  
45.  
46.    foreach($results as $field => $value){
47.  
48.       if($field == "username"){$db_user = $value; }
49.  
50.       if($field == "password"){$db_pass = $value; }
51.  
52.    }
53.  
54.  
55.  
56.    if(!$db_user || !$db_pass){ echo "couldnt get informtion"; }
57.  
58.    else{
59.  
60.       if($db_user == $user && $db_pass == $pass){
61.  
62.          setcookie("admin",$userid,time() + 3600);
63.  
64.          echo "Welcome Admin - You have Admin Access <a href=admin.php>click here to continue</a>";
65.  
66.       }
67.  
68.       else{ echo "You do not have permission to access this area, sorry <a href=login.php>click here to go back</a>"; }
69.  
70.    }
71.  
72. ?>
73.  
74.  

Let me know if that works

.c

*EDIT: Changed function name to work for ANY collectoin hash, not just post....

June 29th, 2004, 11:19 am

ok 1)

Code: [ Download ] [ Select ]

<? include('http://www.69kilobytes.co.uk/header.php'); ?>

<form name=admin_login method=post action=admin_login.php>
<input type=text name=username id=user>
<input type=password name=password id=MD5('$pass')>
 <input type=submit value=submit name=submit>
</form>

<? include('http://www.69kilobytes.co.uk/footer.php'); ?>

1. <? include('http://www.69kilobytes.co.uk/header.php'); ?>
3. <form name=admin_login method=post action=admin_login.php>
4. <input type=text name=username id=user>
5. <input type=password name=password id=MD5('$pass')>
6.  <input type=submit value=submit name=submit>
7. </form>
9. <? include('http://www.69kilobytes.co.uk/footer.php'); ?>

link: http://www.69kilobytes.co.uk/cp/login.php

i will post the rest as well...

June 29th, 2004, 11:22 am

ok the admin login php page

link: http://www.69kilobytes.co.uk/cp/admin_login.php

ERROR line 15... and it still says "You do not have permission blah blah" meaning the username and password did not work. Even though they are correct.

June 29th, 2004, 11:37 am

Ok... sorry, I noticed something else... the md5 stuff was wrong, and there isn't anything actually reading the data retrieved from the query. I've updated the script above, see if that works. If it doesn't, I'll create a test database and actually trying the scripts... I'm writting from memory here.. heh

June 29th, 2004, 12:02 pm

Stop the presses!

heh

Give this a try. I combined the connect.php include file in for sake of ease. I ran this against a test database and it worked. Give it a try on your site and let me know.

PHP Code: [ Download ] [ Select ]

 
<?
 
   function get_data_by_method($method_hash,$element){
 
      foreach ($method_hash as $key => $value){
 
         if($key == $element){ return $value; }
 
      }
 
      return "";
 
   }
 
 
 
 
 
  $submit = get_data_by_method($_POST,"submit");
 
   $user = get_data_by_method($_POST,"username");
 
   $pass = md5(get_data_by_method($_POST,"password"));
 
   if(!isset($db_user)){$db_user = false;}
 
   if(!isset($db_pass)){$db_pass = false;}
 
 
 
   $username = "";
 
   $password = "";
 
   $host = "";
 
   $database = "";
 
   mysql_connect($host,$username,$password) or die("Cannot connect to the database.<br>" . mysql_error());
 
   mysql_select_db($database) or die("Cannot select the database.<br>" . mysql_error());
 
   $result = mysql_query("SELECT username,password FROM userdata WHERE username='".$user."' and password='".$pass."';");
 
   while ($row = mysql_fetch_array($result, MYSQL_BOTH)) {
 
      $db_user = $row["username"];
 
      $db_pass = $row["password"];
 
   }
 
 
 
   if(!$db_user || !$db_pass){ echo "couldnt get informtion"; }
 
   else{
 
      if($db_user == $user && $db_pass == $pass){
 
         setcookie("admin",$userid,time() + 3600);
 
         echo "Welcome Admin - You have Admin Access <a href=admin.php>click here to continue</a>";
 
      }
 
      else{ echo "You do not have permission to access this area, sorry <a href=login.php>click here to go back</a>"; }
 
   }
 
   mysql_free_result($result);
 
?>
 
 

1.  
2. <?
3.  
4.    function get_data_by_method($method_hash,$element){
5.  
6.       foreach ($method_hash as $key => $value){
7.  
8.          if($key == $element){ return $value; }
9.  
10.       }
11.  
12.       return "";
13.  
14.    }
15.  
16.  
17.  
18.  
19.  
20.   $submit = get_data_by_method($_POST,"submit");
21.  
22.    $user = get_data_by_method($_POST,"username");
23.  
24.    $pass = md5(get_data_by_method($_POST,"password"));
25.  
26.    if(!isset($db_user)){$db_user = false;}
27.  
28.    if(!isset($db_pass)){$db_pass = false;}
29.  
30.  
31.  
32.    $username = "";
33.  
34.    $password = "";
35.  
36.    $host = "";
37.  
38.    $database = "";
39.  
40.    mysql_connect($host,$username,$password) or die("Cannot connect to the database.<br>" . mysql_error());
41.  
42.    mysql_select_db($database) or die("Cannot select the database.<br>" . mysql_error());
43.  
44.    $result = mysql_query("SELECT username,password FROM userdata WHERE username='".$user."' and password='".$pass."';");
45.  
46.    while ($row = mysql_fetch_array($result, MYSQL_BOTH)) {
47.  
48.       $db_user = $row["username"];
49.  
50.       $db_pass = $row["password"];
51.  
52.    }
53.  
54.  
55.  
56.    if(!$db_user || !$db_pass){ echo "couldnt get informtion"; }
57.  
58.    else{
59.  
60.       if($db_user == $user && $db_pass == $pass){
61.  
62.          setcookie("admin",$userid,time() + 3600);
63.  
64.          echo "Welcome Admin - You have Admin Access <a href=admin.php>click here to continue</a>";
65.  
66.       }
67.  
68.       else{ echo "You do not have permission to access this area, sorry <a href=login.php>click here to go back</a>"; }
69.  
70.    }
71.  
72.    mysql_free_result($result);
73.  
74. ?>
75.  
76.  

June 29th, 2004, 12:15 pm

but.... How will the other pages know i logged in? :O

Thanks for the code i really appreciate it. I spent a week trying to get this bit working


is this ok?

PHP Code: [ Download ] [ Select ]

if(isset($_COOKIE["admin"])) { echo 'welcome'; } else { echo 'You need to login to view this area of the site';}?>

June 29th, 2004, 12:41 pm

oops, i didn't take that into account. you can't use $userid, unless you add that to the mysql query. after SELECT, replace userid with whatever the auto-incrementing primary key field name is (uid, id, userid, whatever it is)

PHP Code: [ Download ] [ Select ]

 
    $result = mysql_query("SELECT userid,username,password FROM userdata WHERE username='".$user."' and password='".$pass."';");
 
    while ($row = mysql_fetch_array($result, MYSQL_BOTH)) {
 
        $db_uid = $row["userid"];
 
        $db_user = $row["username"];
 
        $db_pass = $row["password"];
 
    }
 
 

1.  
2.     $result = mysql_query("SELECT userid,username,password FROM userdata WHERE username='".$user."' and password='".$pass."';");
3.  
4.     while ($row = mysql_fetch_array($result, MYSQL_BOTH)) {
5.  
6.         $db_uid = $row["userid"];
7.  
8.         $db_user = $row["username"];
9.  
10.         $db_pass = $row["password"];
11.  
12.     }
13.  
14.  

Then, when you're setting the cookie, use:

PHP Code: [ Download ] [ Select ]

setcookie("admin",$db_uid,time() + 3600);

PHP Code: [ Download ] [ Select ]

 
<?
 
  if(!isset($cookie_uid)){$cookie_uid = false;}
 
  $cookie_uid = get_data_by_method($_COOKIE,"admin");
 
  if(!$cookie_uid){ header("Location: login.php"); }
 
?>
 
 

1.  
2. <?
3.  
4.   if(!isset($cookie_uid)){$cookie_uid = false;}
5.  
6.   $cookie_uid = get_data_by_method($_COOKIE,"admin");
7.  
8.   if(!$cookie_uid){ header("Location: login.php"); }
9.  
10. ?>
11.  
12.  

This must go at the top of the page or the header call will give an error. You must send all headers before anything is actually sent to the browser, or you will get an error.


Also, just to note on some naming conventions. I like to use $db_varname to denote any variable that contains a value that was pulled from the database. That's the "real" data, and no potentially garbage data that someone has submitted... It has no real bearing on the script, it just makes it easier to read, for me anyway.

.c

June 29th, 2004, 12:45 pm

PHP Code: [ Download ] [ Select ]

 
$cookie_uid = get_data_by_method($_COOKIE,"admin");
 
 

1.  
2. $cookie_uid = get_data_by_method($_COOKIE,"admin");
3.  
4.  

Fatal error: Call to undefined function: get_data_by_method() in /home/virtual/site2/fst/var/www/html/cp/admin.php on line 4

June 29th, 2004, 12:47 pm

again, if you add the function get_data_by_method to a common include file you can call it from anywhere. If you don't, then you'll need to include the whole function on every page.

I would suggest adding:

PHP Code: [ Download ] [ Select ]

require_once("common.php");

to every page on your site (the path to the common.php file must be set right, obviously, just as you would with regular link).

Do not include anthing except functions or variable declarations in the file, since it will be on every page. The require_once call means you will get a fatal error if it's not found (make sure the path is right) and the _once part means it will only every be included once, even if you accidently include another file that also tries to include it. require and include do the same thing, the only difference is require stops the parser if the file isn't found, include doesn't.

I make a habit of using include_once or require_once, unless I specifically want to include a particular file more than once on a given page, which is pretty rare.

.c

June 29th, 2004, 12:51 pm

oh... and if you add that function to an include, make sure to remove it from any page you have copied it on to. You don't want to have the function defined twice, that can cause some unexpected results...

Remember, including a file is basically the same thing as copying and pasting the whole file you're including into the document you're including it on where the include call is (heh how many times can YOU use include in the same sentence?). So

file 1:
hello there

file 2:
blah
include(file1)
blahh

is the same as:
blah
hello there
blahh


so, if instead, file 2 was:
blah
hello there
include(file1)
blahh

you're really have:
blah
hello there
hello there
blahh

see what I mean?
.c

June 29th, 2004, 12:51 pm

please read previous post

June 29th, 2004, 12:53 pm

I know about the includes dude :$ im not that much of a noob no more

June 29th, 2004, 12:57 pm

heh, you never know =]

Anyway, in that case. Just add the function to an include file called common.php and on every page you want to protect:

PHP Code: [ Download ] [ Select ]

 
<?
 
  $path_to_includes = "../includes/";
 
  require_once($path_to_includes."common.php");
 
  if(!isset($cookie_uid)){$cookie_uid = false;}
 
  $cookie_uid = get_data_by_method($_COOKIE,"admin");
 
  if(!$cookie_uid){ header("Location: login.php"); }
 
?>
 
 
 
 

1.  
2. <?
3.  
4.   $path_to_includes = "../includes/";
5.  
6.   require_once($path_to_includes."common.php");
7.  
8.   if(!isset($cookie_uid)){$cookie_uid = false;}
9.  
10.   $cookie_uid = get_data_by_method($_COOKIE,"admin");
11.  
12.   if(!$cookie_uid){ header("Location: login.php"); }
13.  
14. ?>
15.  
16.  
17.  
18.  

(Ok... I added something new... heh, just change the $path_to_includes value to be whatever it needs to be based on the page...)


OR

Just copy the function to the page. It would be the same, using the include is just easier and cleaner.

.c

June 29th, 2004, 1:00 pm

dude, there is no such function as:

get_data_by_method

i even checked on php.net

June 29th, 2004, 1:49 pm

It's part of the code I provided above:

PHP Code: [ Download ] [ Select ]

 
 
 
    function get_data_by_method($method_hash,$element){
 
        foreach ($method_hash as $key => $value){
 
            if($key == $element){ return $value; }
 
        }
 
        return "";
 
    }
 
 
 
 

1.  
2.  
3.  
4.     function get_data_by_method($method_hash,$element){
5.  
6.         foreach ($method_hash as $key => $value){
7.  
8.             if($key == $element){ return $value; }
9.  
10.         }
11.  
12.         return "";
13.  
14.     }
15.  
16.  
17.  
18.