user login verification

Ashleek007 · March 4th, 2004, 11:46 AM

hi,
I have got an HTML page where users type in their username and password. This is then submitted to a logincheck PHP page where the values entered are stored in varibles called $username and $password. This section works fine.

The problem is when im trying to check these variables against the database fields(username, password) i have created.

heres the code I have used on the login check page. I think its to do with the SQL code i have used and the PHP variables I have tried to enter(IN RED BELOW)?!?!

<?PHp
      $dbc = mysql_connect('localhost', 'root', '') or die ('Could not connect to MySQL :' .mysql_error());
      mysql_select_db('CupidCorner') or die('Could not connect to database :' .mysql_error());

     $username = $_POST['Username'];
      $password = $_POST['password'];
      echo $username; ?>
      <br>
      <?php
      echo ' ',$password;

      $query = "Select * From Login Where Username = ($username) And password = ($password)";
      $result = mysql_query($query);
      while($row = mysql_fetch_array($result, mysql_assoc))
          {
           echo "$row[username]$row[password]";
        }
        mysql_close();
      ?>

This is the error message I have got:-
Warning: Supplied argument is not a valid MySQL result resource in c:\apache\htdocs\logincheck.php on line 22

line 22 is the variables i was talking about.

cheers ASH

richard.york · March 4th, 2004, 04:04 PM

Try the following...

if (!$result = mysql_query("Select * From Login Where Username = '$username' And password = '$password'"))
{
echo mysql_error();
}

You didn't quote your strings in the SQL, and you didn't report errors at the query.

: )
Rich

:::::::::::::::::::::::::::::::::
Smiling Souls
http://www.smilingsouls.net
:::::::::::::::::::::::::::::::::

Ashleek007 · March 4th, 2004, 04:23 PM

where would i place this??

Ashleek007 · March 4th, 2004, 04:25 PM

thanks ASH

richard.york · March 4th, 2004, 04:54 PM

No worries? You have it working now?

Also.. I noticed another error...

while($row = mysql_fetch_array($result, mysql_assoc))
{
echo "$row[username]$row[password]";
}

Constants are case-sensitive. Predefined constants are always in all uppercase so to get associative indices use MYSQL_ASSOC with mysql_fetch_array() or use the mysql_fetch_assoc() function.

You should be seeing an error text from that if you have error_reporting set to E_ALL.

: )
Rich

:::::::::::::::::::::::::::::::::
Smiling Souls
http://www.smilingsouls.net
:::::::::::::::::::::::::::::::::

Ashleek007 · March 4th, 2004, 05:00 PM

Sorry mate,

Thanks for the help, i played around with it for a while and its working now, what ive got is a login page that checks the username and password stored in a database.

Thats the verification done!!

Now i need to create a session for each user to store values in, (shopItems,test scores etc.....) These need to be stored both for the duration of the session and also permanently(in the case of testscores). Should i store the test scores in a variable then put them in a database table? how do i go about creating this session variable?

thank you very much!
ASH

richard.york · March 4th, 2004, 05:14 PM

It seems everyone is asking about sessions lately. Have a look in the Beginning PHP & PHP DB forums where Nik and I have been fielding session questions...

Here are a few of the threads...
http://p2p.wrox.com/topic.asp?TOPIC_ID=10392
http://p2p.wrox.com/topic.asp?TOPIC_ID=10480
http://p2p.wrox.com/topic.asp?TOPIC_ID=10436

If you still have questions after having a look at those, I'd be happy to help.

Sure I think you will have to store your test scores in a DB, sessions are configured to last for about 24 minutes by default after that time is up there is a 1% chance on each request that garbage collection will run and delete outdated session data. All of that can be customized, of course, have a look at the PHP page on sessions http://www.php.net/session.

: )
Rich

:::::::::::::::::::::::::::::::::
Smiling Souls
http://www.smilingsouls.net
:::::::::::::::::::::::::::::::::

Ashleek007 · March 4th, 2004, 09:05 PM

OK OK,

this is the code ive got so far, ive hit another stumbing block though. It checks the username and password against the database and if the user isnt registered brings up an 'username/password incorrect' message!

the session bit is where im stuck. I think i have created a session called 'logged_in' which is given the value 'true' when the user has given a valid username and password. the header bit doesnt seem to work though?? throws up this warning: -

Warning: Cannot add header information - headers already sent by (output started at c:\apache\htdocs\logincheck.php:12) in c:\apache\htdocs\logincheck.php

<?php
session_start();

$dbc = mysql_connect('localhost', 'Ashleek007', '') or die ('Could not connect to MySQL :' .mysql_error());
      mysql_select_db('login') or die('Could not connect to database :' .mysql_error());

      $username = $_POST['username'];
      $password = $_POST['password'];

?>
      <br>
<?php
      $query = "Select * From userlogin Where USERNAME = '$username' And PASSWORD = '$password'";
      $result = mysql_query($query);

       if($row = mysql_fetch_array($result, MYSQL_ASSOC))
       {
           # echo "$row[USERNAME]$row[PASSWORD]";
           $_SESSION['logged_in'] = 'TRUE';
           header('Location: index.php?sid=' .session_id());
       }

       else
       echo "Incorrect Username/password";

       mysql_close();
?>

This will eventually redirect the 'approved' logged in user with a session ID to the users section?!. If I wanted to make some pages 'users only' would i use a statement such as :-

if ($_SESSION['logged_in'] = 'TRUE';)
        {
           //users only pages code here?!?!?!
        }
        else
        {
            echo 'not logged in';
            header('Location: login.php');
        }

would i have to use this on every 'users only' page or is there an easier way to do this?!

Sorry for wasting your time about the session questions, but your help is very much appreciated. If i can become a tenth of where u two guys are i'll be VERY happy!.

also just a quikie so i dont have to ask later! if I want users to be able to log out do i use the code:-
session_unset() or unset() ??

thanks
ASH

p.s. think my eyes are square, and its far too late!!

richard.york · March 4th, 2004, 10:00 PM

Hi Ashlee,

You're getting closer..

session_start() and header() both modify outgoing HTTP headers. The former outputs a COOKIE and the latter, well whatever you're telling it to, in this case the Location header. The HTTP headers have to go out before any content from the body itself. So my guess is you have some output happening before the call to header().

<?php
session_start();

$dbc = mysql_connect('localhost', 'Ashleek007', '') or die ('Could not connect to MySQL :' .mysql_error());
     mysql_select_db('login') or die('Could not connect to database :' .mysql_error());

     $username = $_POST['username'];
     $password = $_POST['password'];

// This creates output before your call to header.
<s>
?>
     <br>
<?php
</s>

     $query = "Select * From userlogin Where USERNAME = '$username' And PASSWORD = '$password'";
     $result = mysql_query($query);


     if($row = mysql_fetch_array($result, MYSQL_ASSOC))
     {
         <s># echo "$row[USERNAME]$row[PASSWORD]";</s>
         $_SESSION['logged_in'] = <s>'</s>TRUE<s>'</s>;

         header('Location: index.php?sid='.session_id());
     }

     else
     {
            $_SESSION['logged_in'] = FALSE;
            echo "Incorrect Username/password";
     }

     mysql_close();
?>

<?php
session_start();

// When you check for TRUE you don't have to quote "TRUE" its a
// reserved word with special meaning.
// Also you don't need the semi-colon in the conditional expression.

if ($_SESSION['logged_in'] == <s>'</s>TRUE<s>';</s>)
{
//users only pages code here?!?!?!
}
else
{
// header call first (cannot have output before it).
header('Location: login.php');
   // Since you're redirecting this won't do anything.
<s>echo 'not logged in';</s>
   exit;
}
?>

Right you would have to use it on every page that requires protection. I just talked a bit on this too.. are you using Apache? From your post it looks like it.. then can you use .htaccess? I believe you have to enable .htaccess configuration changes in httpd.conf, once you do that you can auto prepend and append authentication to files you want protected, whereas you won't have to write the check in every file.

This thread talks about configuring using .htaccess
http://p2p.wrox.com/topic.asp?TOPIC_ID=10392

You would use the regular unset() function to destroy a $_SESSION variable. If you want to get rid of a whole session use the session_destroy() function.

: )
Rich

:::::::::::::::::::::::::::::::::
Smiling Souls
http://www.smilingsouls.net
:::::::::::::::::::::::::::::::::

Ashleek007 · March 5th, 2004, 09:49 AM

thanks for the help so far, im learning a huge amount from this!

BUT, it wont let me log in. Ive got a feeling its to do with the session. Do i need to declare this session in a 'global' file like i would in ASP?

ive got a login.php page where the input boxes are(no php code),
this passes the info to the logincheck.php(the top section of the code youve written)then redirects to the index.php
the index.php then asks if the session is true run the secure code or redirect back to login.php.

I know that i have entered the correct user/password as it doesnt bring an error message, so must set the session[logged_in] to true. but when it passes to the index to check if the value is true, it doesnt recognise it and uses the else statement to redirect back to the login.php

have u any idea why?
cheers
ASH