On top of every page to see if logged in, if not redirects to main_login.php:
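<?php
// Send visitors who are not logged in to the login page.
if(!session_is_registered('myusername')){
header("location:main_login.php");
exit; // stop here so the rest of the page is not sent along with the redirect
}
?>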
And then this is the whole system(check_login.php):
<?php
ob_start();
$host="********"; // Host name
$username="*******"; // Mysql username
$password="**********"; // Mysql password
$db_name="test"; // Database name
$tbl_name="members"; // Table name
// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");
// Define $myusername and $mypassword
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];
// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);
$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);
// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row
if($count==1){
// Register $myusername, $mypassword and redirect to file "login_success.php"
session_register("myusername");
session_register("mypassword");
header("location:login_success.php");
}
else {
echo "Wrong Username or Password";
}
ob_end_flush();
?>
It's really basic, but it gets the job done for me. I was thinking that in the PHP code at the top of every page I could set a variable to that page's URL, and then have in the PHP file that holds the whole system (check_login.php) that a header(Location:) is set to that variable, but when I try to do that I fail because I don't know all that's involved. First, I wouldn't know if the variable from the document transfers to the check_login.php file, and then when I try to set the header to the variable I would get an error because I probably stated it wrong. I'd really appreciate help, thanks!
[pre]header("location:main_login.php?next=" . urlencode($_SERVER['REQUEST_URI']));[/pre]
This'll pass the current page's URL to your login script. Then in main_login.php, you want to replace the statement header("location:login_success.php"); by:
[pre]if(isset($_GET['next']) && !empty($_GET['next']) && isLocalURL($_GET['next']))
    header("location: ".$_GET['next']);
else
    header("location:login_success.php");[/pre]
Then add the function isLocalURL, something like:
[pre]function isLocalURL($url) {
    // parse_url() splits the URL into scheme, host, path, ...
    $urlParts = parse_url($url);
    if(isset($urlParts['scheme']) && $urlParts['scheme'] != 'http')
        return false;
    if(isset($urlParts['host']) && $urlParts['host'] != 'your domain name')
        return false;
    return true;
}[/pre]
You may need to test and tweak the above code for isLocalURL().
It's important to check that "next" contains a local URL, otherwise hackers may link to your login page and pass it a URL to their own website. Unsuspecting visitors will log in and get redirected to the hacker's site without knowing.
Hope this helps.
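A stricter form of the local-URL check described in the reply above, as an added example that is not part of the original thread: it also rejects scheme-relative targets, backslashes, user@host prefixes and CR/LF in the value. The names safeRedirectTarget and ALLOWED_HOST and the host www.example.com are assumptions for illustration.

```php
<?php
// Added example, not code from the thread. safeRedirectTarget() and
// ALLOWED_HOST are hypothetical names; set ALLOWED_HOST to your own host.
const ALLOWED_HOST = 'www.example.com';

function safeRedirectTarget(string $next, string $default = 'login_success.php'): string
{
    // Control characters allow header injection; browsers may treat "\" as "/".
    if ($next === '' || preg_match('/[\x00-\x1f\x7f\\\\]/', $next)) {
        return $default;
    }
    // "//host/path" is scheme-relative and leaves the site.
    if (strncmp($next, '//', 2) === 0) {
        return $default;
    }
    $parts = parse_url($next);
    if ($parts === false) {
        return $default;
    }
    if (isset($parts['scheme']) || isset($parts['host'])) {
        // Absolute URL: http/https to our own host only, no user@ prefix.
        $scheme = strtolower($parts['scheme'] ?? '');
        $host   = strtolower($parts['host'] ?? '');
        $ok = in_array($scheme, ['http', 'https'], true)
            && $host === ALLOWED_HOST
            && !isset($parts['user']);
        return $ok ? $next : $default;
    }
    // Relative URL: accept only a site-rooted path such as REQUEST_URI.
    return $next[0] === '/' ? $next : $default;
}

// Constructed sample values for the "next" parameter.
$samples = [
    '/members/profile.php?id=7',
    'http://www.example.com/members/',
    '//other.example/login',
    'http://other.example/login',
    'http://www.example.com@other.example/',
    'javascript:alert(1)',
    "/ok.php\r\nSet-Cookie: x=1",
];
foreach ($samples as $s) {
    printf("%-45s => %s\n", json_encode($s), safeRedirectTarget($s));
}
// In the login script after a successful login:
// header('Location: ' . safeRedirectTarget($_GET['next'] ?? '')); exit;
```

Only the first two samples come back unchanged; every other value falls back to login_success.php.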
<?php
ob_start();
$host="localhost"; // Host name
$username="*********"; // Mysql username
$password="************"; // Mysql password
$db_name="test"; // Database name
$tbl_name="members"; // Table name
// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");
// Define $myusername and $mypassword
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];
// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);
$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);
// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row
function isLocalURL($url) {
// parse_url() returns the parts in $urlParts; the host part is the bare host name
$urlParts = parse_url($url);
if(isset($urlParts['scheme']) && $urlParts['scheme'] != 'http')
return false;
if(isset($urlParts['host']) && $urlParts['host'] != 'localhost')
return false;
return true;
}
if($count==1){
// Register $myusername, $mypassword and redirect to file "login_success.php"
session_register("myusername");
session_register("mypassword");
if(isset($_GET['next']) && !empty($_GET['next']) && isLocalURL($_GET['next']))
header("location: ".$_GET['next']);
else {
echo "Wrong Username or Password";
}
ob_end_flush();
?>
I'm not sure if I did this right. Also, I put the new "header("location:main_login.php?next=" . urlencode($_SERVER['REQUEST_URI']));" in to replace the old one which was on top of every page.
Also, you said to put the next two statements into the main_login.php file, but I have no php in there at all, just a form that submits the information to the checklogin.php.
Also, the error I receive when I press the login button is this:
Parse error: parse error in C:\Users\Alex\Desktop\apache\htdocs\sites\CC\checklogin.php on line 51
Otherwise, you're on the track. The syntax error you should be able to figure out by yourself, hint: you're missing a closing curly bracket. Good luck.