user login verification

Ashleek007 · March 5th, 2004, 12:27 PM

would it matter that im using localhost?

Ashleek007 · March 5th, 2004, 01:25 PM

dont worry about trying to fix it iv'e done it. It was that there was no exclamation mark in the if statement!! dont actually know what that does but read up on if statements and everyone has it , and now my script works!

thank you very much for the help, you are a star!
ASH:D

how would i log out of the system making it impossible to get into the system?
like a logout button that terminates the session?would that wrk?

richard.york · March 5th, 2004, 02:58 PM

The exclaimation mark is the 'not' operator. So for exapmle...

Code:

if (!foo())
{
   // In English -- if not foo()
   // Foo must be false
}

if ($foo != 1)
{
    // $foo can be anything but 1
}
else
{
   // $foo is 1
}

if (!$foo)
{
   // Same thing as the function
   // 'not' can be a short-hand for the empty() construct
   // Or in other words it is checking for 
   // 0,'0',NULL,FALSE,'FALSE','' values... (the absense of value)
   // One difference between empty() and 'not' is a variable 
   // doesn't have to exist first to use empty() whereas under 
   // error_reporting E_ALL (show all errors, warnings and notices) 
   // it must already exist to use the 'not' operator.
   // see http://www.php.net/empty
}
else
{
  // $foo contains a value other than NULL, FALSE, or empty (the presence of value).
}

http://www.php.net/manual/en/languag...comparison.php

Yeah design a logout button that once pressed goes to a script like the following...

<?php
   session_start();

   session_unset();   // kill all session variables
   session_destroy(); // kill the session itself

   header("Location: im/logged/out.php");
?>

I guess you don't have to redirect. That's up to you.

: )
Rich

:::::::::::::::::::::::::::::::::
Smiling Souls
http://www.smilingsouls.net
:::::::::::::::::::::::::::::::::

Ashleek007 · March 6th, 2004, 08:48 AM

well this must mean that my code doesnt actually work then? i'll post the code im using:

LOGINCHECK.PHP
<?php
session_start();

$dbc = mysql_connect('localhost', 'Ashleek007', '') or die ('Could not connect to MySQL :' .mysql_error());
      mysql_select_db('login') or die('Could not connect to database :' .mysql_error());

      $username = $_POST['username'];
      $password = $_POST['password'];

      $query = "Select * From userlogin Where USERNAME = '$username' And PASSWORD = '$password'";
      $result = mysql_query($query);

       if($row = mysql_fetch_array($result, MYSQL_ASSOC))
       {
           $_SESSION['logged_in'] = true;//doesnt seem to set this session?
           header('Location: index.php?sid='.session_id());
       }
       else
       {
            $_SESSION['logged_in'] = false;
            echo "Incorrect Username/password";
//it still checks the username and password correctly though
       }
       mysql_close();
?>

INDEX.PHP
<?php
session_start();
if(!$_SESSION['logged_in'] == true)
{?>
<a href="logout.php">logout </a>//secure code here
<?PHP
}
else
{
  header('Location: login.php');
}
?>

if you look at the green line in the index.php this must mean that if session equals false because of the '!' ?! therefore meaning there is no such session set?

i kno that there is no session set to TRUE because when i run the logout script then type the URL localhost/index.php it still lets me view it!

have you any ideas?
CHEERS
ASH

Snib · March 6th, 2004, 11:02 AM

I use isset() myself.

I make the session variable 'username' if the login info is correct and if it isn't I dont make 'username' at all.

When I want to know if the user is logged in:

if(isset($_SESSION['username']))
//the user is logged in
else
//the user needs to log in

Let me know if you need more info.

----------
---Snib---
----------

richard.york · March 6th, 2004, 05:33 PM

Yeah that doesn't make any sense.

This ought to be correct syntactically -- but logically speaking ought to make your head spin!

if(!$_SESSION['logged_in'] == true)

I think your login authentication part is failing..

<?php
    $foo = false;

    if (!$foo == true)
    {
    echo 'Namaste!';
    }
?>

This script evaluates as TRUE. Its like saying if $foo is FALSE is TRUE... execute this... (Nik, correct me if I'm wrong on this!). That being the case that means that $_SESSION['logged_in'] is FALSE if you are seeing secure pages. If $_SESSION['logged_in'] == TRUE you ought to be getting sent back to the login page.

For your secure page I would use something like this:
if (isset($_SESSION['logged_in']) && $_SESSION['logged_in'] == TRUE)

If $_SESSION['logged_in'] is set (exists) and contains a true value.. show secured page.

Now back to the authentication scheme itself..
if($row = mysql_fetch_array($result, MYSQL_ASSOC))

This ought to work correctly - though its not an approach I've seen before. mysql_fetch_array() returns FALSE if it isn't able to return any rows, or when it has run out of rows to return. Since you aren't doing anything with the result set though I would recommend using mysql_num_rows instead, to avoid the waste :).

if(mysql_num_rows($result) == 1)
{
    $_SESSION['logged_in'] = true;//doesnt seem to set this session?
    header('Location: index.php?sid='.session_id());
}
else
{
    $_SESSION['logged_in'] = false;
    echo "Incorrect Username/password";
    //it still checks the username and password correctly though
}

Also, just to be safe..
$result = mysql_query($query) or die(mysql_error());

Let me know what happens!

: )
Rich

:::::::::::::::::::::::::::::::::
Smiling Souls
http://www.smilingsouls.net
:::::::::::::::::::::::::::::::::

Ashleek007 · March 7th, 2004, 09:21 PM

Its still not working, and i think its still the session.

Instead of redirecting back to the login.php ive got it to output an error message if the session is not equal to true. it does this and displays a sessionID in the address bar, as below:-

http://localhost/index.php?sid=e25fc...b9834d76ffcbfa

does that mean a session has been made?
it still shows me the error message though! not the secure content!

is there a different way i can do this? like totally start a fresh?
or could you each page ive got?

its really stressfull!!

ill post the code ive got so far AGAIN!!

login.php
contains the username and password which are checked against the database and put into variables $username and $password once submitted to the logincheck.php

logincheck.php
<?php
session_start();

$dbc = mysql_connect('localhost', 'Ashleek007', '') or die ('Could not connect to MySQL :' .mysql_error());
      mysql_select_db('login') or die('Could not connect to database :' .mysql_error());

      $username = $_POST['username'];
      $password = $_POST['password'];

      $query = "Select * From userlogin Where USERNAME = '$username' And PASSWORD = '$password'";
      $result = mysql_query($query) or die(mysql_error());

      if(mysql_num_rows($result) == 1)
{
    $_SESSION['logged_in'] = true;//doesnt seem to set this session?
    header('Location: index.php?sid='.session_id());

}
else
{
    $_SESSION['logged_in'] = false;
    echo "Incorrect Username/password";
    //it still checks the username and password correctly though
}
       mysql_close();
?>

index.php
<?php
session_start();

if (isset($_SESSION['logged_in']) && $_SESSION['logged_in'] == true)
{
?> <a href="logout.php">logout </a><?PHP
}
else
{
  echo 'error';
}
?>

all it does is output the error from the else statement above! its like it doesnt know about the session ive set in the logincheck.php ive even tried just if(isset blahblah....) without checking the value and it still throws out the error?!

do i need to tell the thing that ive used sessions or that im goin to use sessions?

im feeling grim

thanks for your persistance with this pain in ur ass!
ASH

Snib · March 8th, 2004, 12:04 PM

Instead of setting it to false on failure, try not setting it at all.

Then just ask if it is set to tell if the user is logged in.

Hope this works,

----------
---Snib---
----------

Ashleek007 · March 8th, 2004, 02:57 PM

hey, ive just found out the code ive used works perfectly. I was using PHPtriad, an apache server on localhost and my computer has a divided harddrive (C) and(D) the apache was installed on (C) and the website was on the (D). This must have caused an error somewhere. I racked my brain to try and figure out where i was goin wrong. I decided to upload it to a domain name (WWW) and it worked.......all of it!!!

thanks very much rich, i definatley couldnt have done it without ya!

im sure ill be back on here, so make sure to look out for me......and make a mental note to steer clear!!haha!

cheers again, id buy u a pint if you were ever in the UK
ASH

richard.york · March 8th, 2004, 04:54 PM

Quote:

quote:Originally posted by Snib:

Instead of setting it to false on failure, try not setting it at all.
Then just ask if it is set to tell if the user is logged in.

That wouldn't have an effect on anything;)
I beleive the better approach is to always assign the variable a value.

Quote:

quote:Originally posted by Ashlee

thanks very much rich, i definatley couldnt have done it without ya!
im sure ill be back on here, so make sure to look out for me......and make a mental note to steer clear!!haha!
cheers again, id buy u a pint if you were ever in the UK

Right on! I'm glad to hear it works. I was racking my brain to think of what could be going awry with that. Certainly something in the configuration. I just discovered that new installs of PHP don't create a session data directory or upload temp directory (explains some of the strange posts related to session errors I've seen lately). If I make it to the UK I'll take you up on that (God knows I could always use a pint)!

: )
Rich

:::::::::::::::::::::::::::::::::
Smiling Souls
http://www.smilingsouls.net
:::::::::::::::::::::::::::::::::