What I'm trying to do is keep users from directly typing the URI and accessing the page. I might have hinted at this before, but I am just now learning the ins and outs of PHP.
//First part checks to see if an existing cookie already resides.
if(isset($_COOKIE['ID_my_site']))
//if there is, it logs you in and directs you to the members page
{
$username = $_COOKIE['ID_my_site'];
$pword = $_COOKIE['Key_my_site'];
$check = mysql_query("SELECT * FROM userinfo WHERE dbusername = '$username'")or die(mysql_error());
while($info = mysql_fetch_array( $check ))
{
if ($pword!= $info['password'])
{
}
else
{
header("Location: /Home/index.html");
}
}
}
//This portion takes the login screen if it is submitted and validates.
if (isset($_POST['submit'])) {
// makes sure they filled in both username and password fields
if(!$_POST['username'] || !$_POST['pword']) {
die('You need to enter a username and password to continue.');
}
// checks it against the database
if (!get_magic_quotes_gpc()) {
$_POST['email'] = addslashes($_POST['email']);
}
$check = mysql_query("SELECT * FROM userinfo WHERE dbusername = '".$_POST['username']."'")or die(mysql_error());
//Gives error if user doesn't exist
$check2 = mysql_num_rows($check);
if ($check2 == 0) {
die('That user does not exist in our database. <a href=http://www.mysite.com>Click Here to Register</a>');
}
while($info = mysql_fetch_array( $check ))
{
$_POST['pword'] = stripslashes($_POST['pword']);
$info['dbpword'] = stripslashes($info['dbpword']);
$_POST['pword'] = md5($_POST['pword']);
//gives error if the password is wrong
if ($_POST['pword']!= $info['dbpword']) {
die('Incorrect password, please try again.');
}
else
{
// if the user's login is ok then we add a cookie
$_POST['username'] = stripslashes($_POST['username']);
$hour = time() + 3600;
setcookie('ID_my_site', $_POST['username'], $hour);
setcookie('Key_my_site', $_POST['pword'], $hour);
//then redirect them to the members area
header("Location: [mysite.com...]
}
}
}
else {
// if they are not logged in
?>
//HTML form fields for user to enter go here...
<?php
}
?>
/*What I am not getting is how to incorporate a $_SESSION similar to
what Jatar_K posted before... Would I place the $_SESSION in the
section that adds the cookie? For instance:*/
else
{
// if login is ok then we add a cookie
$_POST['username'] = stripslashes($_POST['username']);
$hour = time() + 3600;
setcookie('ID_my_site', $_POST['username'], $hour);
setcookie('Key_my_site', $_POST['pword'], $hour);
*************************************************************
$_SESSION['username'] = "$username";
$_SESSION['ip'] = $_SERVER['REMOTE_ADDR'];
*************************************************************
//then redirect them to the members area
header("Location: http://www.example.com/Home/index.html");
}
/*Then add the following on each page that I want to restrict?*/
session_start();
$newip = $_SERVER['REMOTE_ADDR'];
if (!isset($_SESSION['username']) || empty($_SESSION['username']) || $newip != $_SESSION['ip']) {
include "login.php";
}
[edited by: tedster at 9:07 pm (utc) on Feb. 1, 2007]
[edit reason] use example.com in code [/edit]
session_start();
if(empty($_SESSION['variable'])) {
# or use $_COOKIE instead, depending on what you are looking for
#
header("Location: path/to/login/form");
exit();
}
# continue with the "hidden" content here.
Also, don't forget to escape your variables correctly!
if (!get_magic_quotes_gpc()) {
$email = addslashes($_POST['email']);
}
is not correct. You should be using mysql_real_escape_string here.
# manual: http://us2.php.net/mysql-real-escape-string and http://us2.php.net/stripslashes
if (!get_magic_quotes_gpc()) {
$email = mysql_real_escape_string($_POST['email']);
} else {
$email = stripslashes($_POST['email']);
$email = mysql_real_escape_string($email);
}
And that goes for all user-defined (directly or potentially) variables within your query statement.
Good luck! :)
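An added example, not code from either poster: the session gate and the escaping advice from this thread, written with a bound query parameter and password_hash()/password_verify(), since the mysql_* functions used above were removed in PHP 7. It assumes PDO with an in-memory SQLite table named like the thread's userinfo; the helper names demo_db, attempt_login and require_login and the sample row are constructed for illustration.

```php
<?php
// Added example, not code from the thread. Assumption: PDO with an in-memory
// SQLite database stands in for the thread's MySQL server, and the 'alice'
// row is constructed sample data.
function demo_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE userinfo (dbusername TEXT PRIMARY KEY, dbpword TEXT)');
    $db->prepare('INSERT INTO userinfo VALUES (?, ?)')
       ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $db;
}

// True only when the password matches; the session is marked on success.
function attempt_login(PDO $db, $username, $password): bool {
    if (!is_string($username) || !is_string($password)) {
        return false; // e.g. username[]=x arrives as an array
    }
    // Bound parameter: the input never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT dbpword FROM userinfo WHERE dbusername = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    if ($hash === false || !password_verify($password, $hash)) {
        return false; // same answer for unknown user and wrong password
    }
    session_regenerate_id(true);       // fresh session id after authentication
    $_SESSION['username'] = $username; // login state stays on the server
    return true;
}

// Call on every restricted page, after session_start() and before any output.
function require_login(): void {
    if (empty($_SESSION['username'])) {
        header('Location: /login.php');
        exit; // without this the protected content is still generated and sent
    }
}

// login.php: handle the submitted form.
session_start();
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $ok = attempt_login(demo_db(), $_POST['username'] ?? null, $_POST['pword'] ?? null);
    header('Location: ' . ($ok ? '/Home/index.html' : '/login.php'));
    exit;
}
```

Each restricted page then starts with session_start(); require_login(); and nothing about the password is stored in a cookie.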