Help with PHP Login Stuff

[poymode]

---

Hello Everybody,

I was wondering how to make a login script in php and protect a page with password using php. I know the MySQL stuff so just explain the PHP side.

I made one using......

sample.php

<form method="post">
Username: <input type="text" name="UName" /><br>
Password: <input type="password" name"PWord" /><br>
<input type="submit" value="Go" />

Since the form has no action, I believe that when you submit the form it goes to sample.php, am I right?

In sample.php before the form, I also wrote a php script checking the username and password if they are correct.
It depends on the usertype
for example, if he is an admin, he'll go to admin.php and do admin stuff there.
if he's a user, then only a simple user interface is for him, say userindex.php

my problem really is, when I access admin.php or userindex.php directly, say http://localhost/admin.php, it isn't username/password protected, even if i don't go thru the login page, I can't still access the admin stuff. Can I Do protecting with PHP?

[janjerell]

Hi... You can use a flag that will determine if the user has successfully logged in. Store the flag in the session(example: $_SESSION['Allowed'])...
When the user passed the login, you then set the value of the flag to true.
Then put a condition at the top of all the admin pages that if the flag session ($_SESSION['Allowed']) is false/unset then you redirect the user to the login page...

[poymode]

Could you show me a simple example? I tend to learn faster through watching.

[cold_fusion]

Modifying your example

Code:

<?php
if ($_POST['UName'] == "Juan" && $_POST['PWord'] == "p@ssword")
{
  show_page();
}
else
{
?>

<form method="post">
Username: <input type="text" name="UName" /><br>
Password: <input type="password" name"PWord" /><br>
<input type="submit" value="Go" />

<?php } ?>

[janjerell]

Could you show me a simple example? I tend to learn faster through watching.

login.php

Code:

<?php


function show_page()
{
 //get the user type here
 
 //check the user type

 if(UserType=="admin") //if user type is admin
 {
 
  //create a session for the flag that determines that
  //the current user is allowed to visit the admin pages
  //and set this to true
  $_SESSION["AdminViewAllowed"] = true;

  //redirect him/her to the admin page
  header("Location: admin.php");
 }
 else
 {
  //create a session for the flag that determines that
  //the current user is allowed to visit the user pages that requires login
  //and set this to true
  $_SESSION["UserViewAllowed"] = true;

  //redirect him/her to the userindex page
  header("Location: userindex.php");
  
 } 

}


if ($_POST['UName'] == "Juan" && $_POST['PWord'] == "p@ssword")
{
  show_page();  
}
else
{
?>

<form method="post">
Username: <input type="text" name="UName" /><br>
Password: <input type="password" name"PWord" /><br>
<input type="submit" value="Go" />

<?php } ?>

admin.php

Code:

<?php


 $bool_allowed = false;

 //check if there is a current session for the flag for admin viewing

 if(isset($_SESSION["AdminViewAllowed"]))
  {

    //check if the current user is allowed to view this page
	if($_SESSION["AdminViewAllowed"])
    {
     $bool_allowed = true;     
    }
  }

  //if the current user is not allowed to view the admin page
  if(!$bool_allowed)
	header("Location: login.php"); /* Redirect him to login page*/

?>   
<!--The following codes will be displayed if the user is allowed to view this page-->
		
<html>
	<head>
		<title>Admin Page<title>
	</head>
	<body>
		Welcome, Admin!
	</body>
</html>

userindex.php

Code:

<?php


 $bool_allowed = false;

 //check if there is a current session for the flag for user viewing

 if(isset($_SESSION["UserViewAllowed"]))
  {

    //check if the current user is allowed to view this page
	if($_SESSION["UserViewAllowed"])
    {
     $bool_allowed = true;     
    }
  }

  //if the current user is not allowed to view this page
  if(!$bool_allowed)
	header("Location: login.php"); /* If not allowed, redirect him/her to login page*/

?>   
<!--The following codes will be displayed if the user is allowed to view this page-->
		
<html>
	<head>
		<title>User Page<title>
	</head>
	<body>
		Welcome, user!
	</body>
</html>

logout.php

Code:

<?php
    //unset the session variables
	unset ($_SESSION["UserViewAllowed"]);
	unset ($_SESSION["AdminViewAllowed"]);

	//redirect to login page
	header("Location: login.php");
?>

Try lang na bai, wa na nako testingi basta mao na ako idea..hehe

[poymode]

Okay.akong testingan later. Salamat kaau, hina kaau kog analysis, di sad ko familiar sa mga variables ug functions, last week ra ko gasugod.[br]Posted on: April 18, 2008, 06:54:52 PM_________________________________________________

How can I retrieve the username and password in my database so that I can confirm that the values inputted and stored in $_POST are in my database?

I did this....

$username = $_POST['Uname'];
$pword = $_POST['Pword'];

$query = "SELECT username,pword FROM user_info WHERE username = '$username' AND pword = '$pword'";
$result = mysql_query($query);

$row = mysql_fetch_row($result);

// the problem..

if( "The inputted username and password is in the database" )
{
show_page();
}

[cold_fusion]

if ($username==$row[0] && $pword==$row[1])

[janjerell]

Try this(wa japon ni nako testingi):

Code:

<?php


function show_page($usertype)
{
	//start a session
	session_start();
	

 if($usertype=="admin") //if user type is admin
 {
 
  //create a session for the flag that determines that
  //the current user is allowed to visit the admin pages
  //and set this to true
  $_SESSION["AdminViewAllowed"] = true;

  //redirect him/her to the admin page
  header("Location: admin.php");
 }
 else
 {
  //create a session for the flag that determines that
  //the current user is allowed to visit the user pages that requires login
  //and set this to true
  $_SESSION["UserViewAllowed"] = true;

  //redirect him/her to the userindex page
  header("Location: userindex.php");
  
 } 
}



//check if there is a postback or a form is submitted
if(count($_POST) > 0)
{
	
	//get the username and password from the post variables
	$username = $_POST['Uname'];
	$pword = $_POST['Pword'];
	
	$query = "SELECT username,pword,usertype FROM user_info WHERE username = '" + $username + "' AND pword = '" + $pword + "'";
	$result = mysql_query($query);

	//count number of rows being retrieved
	//if it has a record
	if (mysql_num_rows($result) > 0) 
	{
		$row = mysql_fetch_assoc($result);//fetch the results
		//check if it user and pass from the form vs. from the DB matches
		if($username==$row["username"] && $pword == $row["pword"])
		{
		   show_page($row["usertype"]);
		}
	}
}

?>

<form method="post">
Username: <input type="text" name="UName" /><br>
Password: <input type="password" name"PWord" /><br>
<input type="submit" value="Go" />

Ibutang pod diay ni sa ibabaw sa mga page kung diin naggamit ug session variables:

Code:

	session_start();//This is required to manipulate (set,retrieve,remove) session variables

[janjerell]

Kini sakto ni c cold_fusion.. kini gamita kay imo gigamit sa pagfetch sa results kay mysql_fetch_row man...

if ($username==$row[0] && $pword==$row[1])

[poymode]

hmmm..naa ghapon problem, kada login nako mu redirect ra siya sa login.php

then sa admin.php

<?php


$bool_allowed = false;

//check if there is a current session for the flag for admin viewing

session_start();

if(isset($_SESSION["AllowAdmin"]))
{

//check if the current user is allowed to view this page
if($_SESSION["AllowAdmin"])
{
$bool_allowed = true;
}
}

//if the current user is not allowed to view the admin page
if(!$bool_allowed)
{
header("Location: login.php"); /* Redirect him to login page*/
}

?>

Kung I view nako directly via localhost ang admin.php, mu display siya "Welcome Admin" which dili mao kay wa gud ko ni login. Sakto raman sad ang code diba? false na gud $bool_allowed then check daun if naa sod ang $_SESSION, sa kani nga scenario wala man kay wa may g pass, direct thru localhost man so sa next if statement which is if(!$bool_allowed), if not false, then true...redirect to login.php..sakto ba?

this is my current login.php, change my fetch associative to fetch rows. and also changed my $_SESSION keys to make it shorter. When I Login using admin,admin..mu redirect ra siya sa login.php balik.

<?php
include('db.php');

function show_page($usertype)
{
//start a session
session_start();


if($usertype=="admin") //if user type is admin
{

//create a session for the flag that determines that
//the current user is allowed to visit the admin pages
//and set this to true
$_SESSION["AllowAdmin"] = true;

//redirect him/her to the admin page
header("Location: admin.php");
}
else
{
//create a session for the flag that determines that
//the current user is allowed to visit the user pages that requires login
//and set this to true
$_SESSION["AllowUser"] = true;

//redirect him/her to the userindex page
header("Location: userindex.php");

}
}



//check if there is a postback or a form is submitted
if(count($_POST) > 0)
{

//get the username and password from the post variables
$username = $_POST['Uname'];
$pword = $_POST['Pword'];

$query = "SELECT username,pword,usertype FROM user_info WHERE username = '$username' AND pword = '$pword'";
$result = mysql_query($query);

//count number of rows being retrieved
//if it has a record
if (mysql_num_rows($result) > 0)
{
$row = mysql_fetch_rows($result);//fetch the results
//check if it user and pass from the form vs. from the DB matches
if($username==$row[0] && $pword == $row[1])
{
show_page($row[2]);
}
}
}

?>

<form method="post">
Username: <input type="text" name="UName" /><br>
Password: <input type="password" name"PWord" /><br>
<input type="submit" value="Go" />

naay murag WATCH ang php? pariha anang sa borland C compiler, makakita ta sa flow sa codes then makahibaw ta asa mu error? naglisod man gud ko kay wa ko kahibaw if sa login.php or sa admin.php mu redirect.

please help me..lamat kaau