
Redirect Code

Redirect a user to another page


m4tt

7:27 am on Jun 18, 2005 (gmt 0)

10+ Year Member



I am trying to create a script where a user is validated and sent to their own userpage. I can do it using if and else, however I would like to extract a userpage from the database.

Here is the existing code:

login.php

<?php
// we must never forget to start the session
session_start();

$errorMessage = '';
if (isset($_POST['txtUserId']) && isset($_POST['txtPassword'])) {
include 'config.php';
include 'opendb.php';

$userId = $_POST['txtUserId'];
$password = $_POST['txtPassword'];

// check if the user id and password combination exist in database
$sql = "SELECT user_id
FROM tbl_auth_user
WHERE user_id = '$userId' AND user_password = PASSWORD('$password')";

$result = mysql_query($sql) or die('Query failed. ' . mysql_error());

if (mysql_num_rows($result) == 1) {
// the user id and password match,
// set the session
$_SESSION['db_is_logged_in'] = true;
}

// after login we move to the main page
if ($userId=="demo")header("Location: /cust/demo/");
else if ($userId=="admin"){header("Location: /cust/admin/");}

else
{header("Location: /cust/error.php");}
}

?>

My table field is called url and I would like to output it as

header("Location: $url");

Can anyone assist?

grandpa

7:58 am on Jun 18, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Hi m4tt

Can you add another field to tbl_auth_user for the location? Or add another table. Then use SELECT to retrieve the destination.

Besides that, I'd like to point out some security issues you may want to consider. Your input data is unfiltered and could easily be spoofed, possibly causing you much grief. I'm no expert at security, but I'm learning...

Here's a few tips from the experts.

1. Usernames have accepted characters, use them. When a user signs up a username we decide on the allowable chars, i.e. alphanum, whatever your set might be. Enforce these same rules every time they have to enter their password; if the username entered on login isn't only alnum then show them an error.

2. Filter all data. There are classes available for this; you can write your own, but it is not a beginner, or maybe even intermediate, task. The classes and libraries are out there, use them. I must also say don't blindly use anything: take a look inside, see what it's doing, then decide if it is safe or not. You may actually be better at this than the person who wrote it, and if not you will definitely learn something.

Ref: [webmasterworld.com] Very good reading.

hth

m4tt

9:47 am on Jun 18, 2005 (gmt 0)

10+ Year Member



Hi Grandpa

I have added a field called url. However my problem is being able to match the user against the url, see below:

// after login we move to the main page
if ($userId=="demo")header("Location: /cust/$url/");
else if ($userId=="admin"){header("Location: /cust/admin/");}

grandpa

10:08 am on Jun 18, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Have you selected the field from your table?

You need another SELECT to retrieve the url.
$sql = "SELECT url
FROM tbl_auth_user
WHERE user_id = '$userId' AND user_password = PASSWORD('$password')";

Put that after you check the result from the first SELECT.

Then, after login, what about the third condition? This would be my approach.

// after login we move to the main page
// or to admin
// or to failsafe
if ($userId=="demo")header("Location: /cust/$url/");
if ($userId=="admin") {
header("Location: /cust/admin/");
}
else {
header("Location: /cust/failed/");
}

grandpa

11:00 am on Jun 18, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I keep looking at this, and came up with this bit of code. It's untested.

I changed the query to return the url instead of the userid. You already have the user id from your POST. Then fetched the row, or failed.

$result = mysql_query("SELECT url FROM tbl_auth_user
WHERE user_id = '$userId' AND user_password = PASSWORD('$password') ");
$row = mysql_fetch_row($result) or die('Query failed. ' . mysql_error());
$url = $row['0']; // define the correct element for the field url

if (mysql_num_rows($result) == 1) {
// the user id and password match,
// set the session
$_SESSION['db_is_logged_in'] = true;
}

// after login we move to the main page
// or to admin
// or to failsafe
// exit after each redirect, otherwise the later header() call replaces it
if ($userId=="demo") { header("Location: /cust/$url/"); exit; }
if ($userId=="admin") { header("Location: /cust/admin/"); exit; }
header("Location: /cust/default/");
exit;

I think that's what you're attempting. Hope so anyway...
It's a little cleaner than my earlier effort. Did you get a chance to look at the issues with the input data?
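As an added example, not code from the thread, here is a login handler that applies the two tips from the earlier post (enforce the username character set, keep unfiltered input out of the SQL) and still reads the redirect target from the url column as the code above does. It assumes a modern PHP with PDO, that opendb.php defines a PDO object $pdo, and that tbl_auth_user stores a password_hash() value in a column password_hash instead of MySQL's PASSWORD().

```php
<?php
// Added example, not from the thread. Assumes tbl_auth_user has columns
// user_id, password_hash (a password_hash() value) and url, where url is
// the directory name used in /cust/<url>/, and that opendb.php creates a
// PDO object $pdo with PDO::ERRMODE_EXCEPTION.
session_start();

function valid_user_id(string $id): bool {
    // Tip 1: enforce the username character set at login, not only at signup.
    return (bool) preg_match('/^[A-Za-z0-9_]{1,32}$/', $id);
}

function redirect_target(?string $url): string {
    // The url column is data too: only a plain directory name is accepted,
    // so a bad or missing value (slashes, dots, empty) goes to the default.
    if ($url !== null && preg_match('/^[A-Za-z0-9_-]+$/', $url)) {
        return "/cust/$url/";
    }
    return '/cust/default/';
}

if (isset($_POST['txtUserId'], $_POST['txtPassword'])) {
    include 'config.php';
    include 'opendb.php'; // assumed to define $pdo
    $userId = $_POST['txtUserId'];
    if (!valid_user_id($userId)) {
        header('Location: /cust/error.php');
        exit;
    }

    // Tip 2: a prepared statement keeps the user input out of the SQL text.
    $stmt = $pdo->prepare(
        'SELECT password_hash, url FROM tbl_auth_user WHERE user_id = :id'
    );
    $stmt->execute([':id' => $userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || !password_verify($_POST['txtPassword'], $row['password_hash'])) {
        header('Location: /cust/error.php');
        exit;
    }

    session_regenerate_id(true); // fresh session id after a successful login
    $_SESSION['db_is_logged_in'] = true;
    $_SESSION['user_id'] = $userId;
    // One redirect per user, taken from the url column, then stop the script.
    header('Location: ' . redirect_target($row['url']));
    exit;
}
```

The single query returns both the stored hash and the url, so the second SELECT from the thread is no longer needed, and the exit after header() is what stops a later call from replacing the redirect.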

m4tt

8:51 am on Jul 3, 2005 (gmt 0)

10+ Year Member



Hi Grandpa

Thanks for the code! Here is the full page with your add-ins:

I received this error message:

Parse error: parse error, unexpected $ in /home/circle61/public_html/mattdesign/cust/login.php on line 47

Any Ideas?

<?php
// we must never forget to start the session
session_start();

$errorMessage = '';
if (isset($_POST['txtUserId']) && isset($_POST['txtPassword'])) {
include 'config.php';
include 'opendb.php';

$userId = $_POST['txtUserId'];
$password = $_POST['txtPassword'];

// check if the user id and password combination exist in database
$sql = "SELECT user_id
FROM tbl_auth_user
WHERE user_id = '$userId' AND user_password = PASSWORD('$password')";

$result = mysql_query($sql) or die('Query failed. ' . mysql_error());

if (mysql_num_rows($result) == 1) {
// the user id and password match,
// set the session
$_SESSION['db_is_logged_in'] = true;
}

// move user

$sql = "SELECT url
FROM tbl_auth_user
WHERE user_id = '$userId' AND user_password = PASSWORD('$password')";

$result = mysql_query("SELECT url FROM tbl_auth_user
WHERE user_id = '$userId' AND user_password = PASSWORD('$password') ");
$row = mysql_fetch_row($result) or die('Query failed. ' . mysql_error());
$url = $row['0']; // define the correct element for the field url

// after login we move to the main page
// or to admin
// or to failsafe
// exit after each redirect, otherwise the later header() call replaces it
if ($userId=="demo") { header("Location: /cust/$url/"); exit; }
if ($userId=="admin") { header("Location: /cust/admin/"); exit; }
header("Location: /cust/default/");
exit;

?>

dreamcatcher

10:00 am on Jul 3, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Your opening if statement isn't closed, so a missing brace is your problem.

dc

m4tt

10:37 am on Jul 3, 2005 (gmt 0)

10+ Year Member



Thanks to both of you for your help! That worked perfectly!