user authentication problems

         

franches

6:41 am on Oct 4, 2004 (gmt 0)

10+ Year Member



I know you will be able to help me with my problems.

Could you please examine my code? This is the code that validates after the user enters a username and password at the login page.

<?php
session_start();
$dbHost = "localhost"; // Database Connection Details - host
$dbUser = "root";      // Database Connection Details - username
$dbname = "TEST";      // Database Connection Details - database name

// Store the submitted form fields in these variables
$username = $_POST['username'];
$password = $_POST['password'];

$db = mysql_connect($dbHost, $dbUser); // Connection code
mysql_select_db($dbname);              // Selects the database

// Look up the staff member whose PIN and Password match the submitted values
$query = "(SELECT PIN, Password, Name FROM StaffTable WHERE PIN = '$username' AND Password = '$password')";
$result = mysql_query($query);

if (mysql_num_rows($result)) {
    $_SESSION['loggedin'] = 1;
    header('Location: http://copernicus/rhodora/statuslog/trial/admin.php');
    exit();
} else {
    header('Location: http://copernicus/rhodora/statuslog/trial/...?error=1');
    exit();
}
?>

And this is my page after a successful login. My problem is that I am not able to display the username, which is the ID number or PIN of the user, and his/her name. I think I used the wrong code in calling the PIN and Name.

Thank you in advance. I'll be looking forward to your response.

<?php
session_start();

// Only logged-in users may see this page
if (!isset($_SESSION['loggedin'])) {
    header('Location: http://copernicus/rhodora/statuslog/trial/...?error=1');
    exit();
}

?>
<html>
<head>
<script>
blah blah
</script>
</head>
<body>
<?php
mysql_connect("localhost", "root")
    or die("Unable to connect\n" . mysql_error());

mysql_select_db("TEST")
    or die("Unable to select db " . mysql_error() . "\n");
?>

<form action="<?php echo $_SERVER["PHP_SELF"]; ?>" method="post">

<fieldset>
<div>
<label for="pin">PIN :</label> <?php echo $username; ?><br>
<label for="name">Name : </label><?php echo $name; ?> <br>
</div>

blah blah blah
</fieldset>
</form>
</body>
</html>

dreamcatcher

8:27 am on Oct 4, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Hi franches,

Try adding the variables as session variables:

Beneath:

$_SESSION['loggedin'] = 1;

add:

$_SESSION['username'] = $username;
$_SESSION['password'] = $password;

Then on your page where you want to display the info use:

<label for="pin">PIN :</label> <?php echo $_SESSION['username']; ?><br>
<label for="name">Name : </label><?php echo $_SESSION['password']; ?> <br>
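The flow the thread is working toward, as an added example that is not franches's or dreamcatcher's code: the login script fetches the matching row, keeps the PIN and Name (and not the password) in the session, and admin.php reads them back from there. The original query pastes the posted values straight into the SQL string, so the version below binds them as parameters instead. It assumes PDO and password_verify(), which are newer than the mysql_* functions used in the thread; a dedicated database user `staffapp` rather than root; that StaffTable.Password holds a password_hash() digest rather than plaintext; and the file names login.php and admin.php. Both files are shown in one block.

```php
<?php
// ----- login.php -----
// Added example, not code from the thread. Assumes StaffTable(PIN, Password, Name)
// where Password is a password_hash() digest, and a non-root DB user (assumption).
session_start();

$pdo = new PDO(
    'mysql:host=localhost;dbname=TEST;charset=utf8mb4',
    'staffapp', 'staffapp-password',                  // hypothetical credentials
    array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
          PDO::ATTR_EMULATE_PREPARES => false)
);

$pin      = isset($_POST['username']) ? (string) $_POST['username'] : '';
$password = isset($_POST['password']) ? (string) $_POST['password'] : '';

// Bound parameter: the PIN travels separately from the SQL text, so a value
// such as  ' OR '1'='1  is compared literally instead of rewriting the WHERE.
$stmt = $pdo->prepare('SELECT PIN, Password, Name FROM StaffTable WHERE PIN = ?');
$stmt->execute(array($pin));
$row = $stmt->fetch(PDO::FETCH_ASSOC);

if ($row !== false && password_verify($password, $row['Password'])) {
    session_regenerate_id(true);            // fresh id once the user is authenticated
    $_SESSION['loggedin'] = 1;
    $_SESSION['pin']      = $row['PIN'];    // what admin.php needs to display...
    $_SESSION['name']     = $row['Name'];
    // ...and nothing else: the password is never stored in the session.
    header('Location: admin.php');
    exit();
}

header('Location: login.php?error=1');     // same answer for unknown PIN and wrong password
exit();
?>
<?php
// ----- admin.php -----
session_start();
if (empty($_SESSION['loggedin'])) {
    header('Location: login.php?error=1');
    exit();
}
// Escape on output: PIN and Name come from the database, not from the request,
// but they are still data being placed into HTML.
function h($s) { return htmlspecialchars($s, ENT_QUOTES, 'UTF-8'); }
?>
<label for="pin">PIN :</label> <?php echo h($_SESSION['pin']); ?><br>
<label for="name">Name :</label> <?php echo h($_SESSION['name']); ?><br>
```

The session carries only what the next page needs to render: an identifier and a display name. Keeping the password out of it means a leaked session file or a page that accidentally dumps `$_SESSION` does not expose the credential, and regenerating the session id at login stops an id chosen before authentication from being reused afterwards.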

mincklerstraat

10:02 am on Oct 4, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Dreamcatcher's advice is good - also see my note on your thread [webmasterworld.com...], a similar problem. You seem to be confusing sessions, post variables, and 'register globals' globals.

- Normally, stuff that comes in via forms (post and get), stuff that comes in via url parameters (get - you know, url.php?this=is_a_parameter&that=is_one_too), stuff that comes in cookies, and stuff that comes in sessions do not automatically 'come through' as normal variables, like $this and $that. They come in via arrays - in the url above, these values would come in as $_GET['this'] and $_GET['that']. If these were in a form done in the post method, they'd come in as $_POST['this'] and $_POST['that']. For sessions, they come in as $_SESSION['whatever']; and cookies come in as $_COOKIE['somethingelse']. In each case, the stuff in the square brackets is the name of the field, the parameter, the 'variable', or whatever coming in via that method.

- However, most hosting companies have 'register globals' turned on. This means that all these things 'come in' as ordinary variable names as well, like $this, $that, and $whatever, so you can just use these variables. This may be easy to use, but is not so nice from a security standpoint. So it's best to use the longer versions like $_GET['this'] instead of $this. It also keeps you from getting confused about which variable came in from where, if you use multiple input methods. Try to be consistent in this way and you'll spare yourself a lot of confusion.

tomda

10:29 am on Oct 4, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



And finally, to be on the safe side, ALWAYS check your variables with a string comparison (e.g. before putting a variable in the database).

Example :

CHECK THE POST VAR EXISTS


if (isset($_POST["username"])) { $username = $_POST["username"]; } else { $username = ""; }

THEN CHECK THE VAR (because it is a username, you may accept only letters and numbers)


// Returns TRUE when the value contains no character outside A-Z, a-z, 0-9 and _
function check_field1($var) {
    if (!preg_match("/[^A-Za-z0-9_]/", $var)) { return TRUE; } else { return FALSE; }
}

$error = "0";
if (!check_field1($username)) { $error++; }
if ($error != "0") { echo "<b>Please correct the following errors:</b><br>"; }
if (!check_field1($username)) { echo "Username - <font color='#FF9999'>Only a-z, A-Z, 0-9 and _ are allowed.</font><br>"; }
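Reading input explicitly from the $_POST array, as mincklerstraat's post recommends, and validating it before use, as tomda's post recommends, combined into one added example that is not either poster's code. The helper names `post_param`, `is_valid_pin` and `validate_login_input`, the 20-character limit and the sample inputs are assumptions. It goes one step beyond the thread's pattern: the regex is anchored with `^` and `$` and requires at least one character, so the empty string is rejected, whereas `/[^A-Za-z0-9_]/` on its own matches nothing in an empty string and therefore lets it through.

```php
<?php
// Added example (not tomda's or franches's code): read form input from the
// $_POST array explicitly, independent of register_globals, and validate it
// before it goes anywhere near a query. Helper names are assumptions.

// Fetch one POST field, or a default, without relying on register_globals.
function post_param($name, $default = '')
{
    return (isset($_POST[$name]) && is_string($_POST[$name])) ? $_POST[$name] : $default;
}

// Whole-string check: ^ and $ anchor the pattern, so every character must be
// allowed, and {1,20} rejects the empty string as well as over-long values.
function is_valid_pin($pin)
{
    return preg_match('/^[A-Za-z0-9_]{1,20}$/', $pin) === 1;
}

// Returns a list of error messages; an empty list means the input is acceptable.
function validate_login_input(array $input)
{
    $errors = array();
    if (!is_valid_pin($input['username'])) {
        $errors[] = 'Username - Only a-z, A-Z, 0-9 and _ are allowed (1 to 20 characters).';
    }
    if ($input['password'] === '') {
        $errors[] = 'Password - must not be empty.';
    }
    return $errors;
}

// How the login script would use it on a real request:
$input  = array('username' => post_param('username'), 'password' => post_param('password'));
$errors = validate_login_input($input);
if ($errors) {
    echo "<b>Please correct the following errors:</b><br>";
    foreach ($errors as $e) {
        echo htmlspecialchars($e, ENT_QUOTES, 'UTF-8') . "<br>";
    }
}

// Constructed sample inputs standing in for what a form might submit,
// including an injection attempt and an empty submission.
$samples = array(
    array('username' => 'jdoe_42',     'password' => 'hunter2'),
    array('username' => "' OR '1'='1", 'password' => 'x'),
    array('username' => '',            'password' => ''),
);
foreach ($samples as $s) {
    $e = validate_login_input($s);
    printf("%-22s => %s\n", var_export($s['username'], true), $e ? implode(' | ', $e) : 'ok');
}
```

Validation here is a first filter, not a substitute for binding parameters in the query: it rejects obviously malformed PINs early and gives the user a clear message, while the database call should still be parameterised regardless of what the check allowed through.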