The Web Squeeze: Login Security - The Web Squeeze


Login Security

#1 User is offline   acrikey Icon

  • Squeezing
  • PipPipPip
  • Group: Members
  • Posts: 99
  • Joined: 30-March 08
  • Gender:Male
  • Location:Southern England

Posted 01 April 2008 - 12:56 PM

I have made a login script that takes me to a secure secret page. Within that secret page there is a members menu bar, I have 3 links in the menu that retrieve data from a database. My question is how do I get those pages to see what login details were provided and display the data from the database that represents that username and password?
0

#2 User is offline   Marc Icon

  • Squeeze Machine
  • PipPipPipPipPip
  • Group: Members
  • Posts: 790
  • Joined: 13-February 08
  • Gender:Male
  • Location:Scotland, UK

Posted 01 April 2008 - 01:07 PM

Can we see the code?

Cheers
0

#3 User is offline   karinne Icon

  • Valued Member
  • PipPipPipPipPipPipPip
  • Group: Members
  • Posts: 5,373
  • Joined: 13-February 08
  • Gender:Female
  • Location:quecque part dans l'Quebec in Canada eh?

Posted 01 April 2008 - 01:13 PM

You could use $_SESSION to log that information you want.
0

#4 User is offline   Jason Icon

  • Master of the Universe
  • Icon
  • Group: Mentor
  • Posts: 2,537
  • Joined: 15-February 08
  • Gender:Male
  • Location:London, England

Posted 01 April 2008 - 02:37 PM

To expand on what Karinne has said.

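At the top of your page you can use the function
session_start();


This allows you to carry session information from one page to another.

Within your login form you can set something like this.

if ($loginIsCorrect) // placeholder: result of your own username/password check
{
$_SESSION['user'] = $row['username']; // username from the database row
$_SESSION['id'] = $row['id']; // user id from the database row (column name assumed)
}


Then for your login pages at the top you can have something like this.

if (empty($_SESSION['user']))
{
header('Location: login.php');
exit; // stop here so the rest of the page is not sent to a visitor who is not logged in
}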


This means that if a user hasn't logged in they will be redirected to the login page. Alternatively you can provide a "you need to log in to view this" message.

To logout you can use unset.

unset($_SESSION['user']);
unset($_SESSION['id']);


These are the bare roots building blocks for a login system.
0

#5 User is offline   acrikey Icon

  • Squeezing
  • PipPipPip
  • Group: Members
  • Posts: 99
  • Joined: 30-March 08
  • Gender:Male
  • Location:Southern England

Posted 01 April 2008 - 05:12 PM

<head>
<?
session_start();
if(!session_is_registered(myusername)){
header("location:main_login.php");
}
?>
<title>Estate Details</title>
</head>


<style type="text/css">
<!--
@import url("default.css");
<!--
body {
	background-repeat: repeat-x;
}

</style>
<body>
<div id="header">
<script>
var Digital=new Date()
var month=Digital.getMonth()
if (month <= 2){	// month is between jan and march	
	document.write("<IMG SRC='http://www.lightex.co.uk/fieldworks/images/img5.jpg'>");
} else if (month <= 5){
	// month is between april and june
	document.write("<IMG SRC='http://www.lightex.co.uk/fieldworks/images/img2.jpg'>");
} else if (month <= 8){	// july and september
	document.write("<IMG SRC='http://www.lightex.co.uk/fieldworks/images/img2.jpg'>");
} else {	// otherwise its between oct and dec
	document.write("<IMG SRC='http://www.lightex.co.uk/fieldworks/images/img3.jpg'>");
}
</script>
</div>
<div id="page">
  <div id="content">
		<div id="welcome" class="post">
			<h1 class="title">Estate Details</h1>
			<IMG SRC="http://www.lightex.co.uk/fieldworks/images/420 copy.png" width="131" height="106">
		<div class="content">
			  <h3 align="center"><br />
			  </h3>
				<h3 align="center">&nbsp;</h3>
		  </div>
	</div>
		<div id="example" class="post">
			<?php
// Connects to my Database
mysql_connect("", "", "") or die(mysql_error());
mysql_select_db("") or die(mysql_error());
$data = mysql_query("SELECT * FROM ")
or die(mysql_error());
Print "<table border cellpadding=5>";
while($info = mysql_fetch_array( $data ))
{
Print "<tr>";
Print "<th>House Name:</th> <td>".$info['house_name'] . " </td>";
Print "<th>Address:</th> <td>".$info['2l_address'] . " </td></tr>";
Print "<th>Village:</th> <td>".$info['vill_address'] . " </td></tr>";
Print "<th>Area:</th> <td>".$info['ar_address'] . " </td></tr>";
Print "<th>County:</th> <td>".$info['cout_address'] . " </td></tr>";
Print "<th>Post Code:</th> <td>".$info['post_code'] . " </td></tr>";
Print "<th>Acres:</th> <td>".$info['acr_age'] . " </td></tr>";
Print "<th>Next Visit:</th> <td>".$info['next_vis'] . " </td></tr>";
}
Print "</table>";
?>
			<br>
			
			<div class="content">
								  
			  
		  </div>
		</div>
  </div>
	<div id="sidebar">
		<div id="menu">
			<ul>
			  <li><a href="homepage.html" onClick="logout_confirm(); return false;">Homepage</a>
			 <script> function logout_confirm() {
  if(confirm("You are about to logout?"))
	window.location = "homepage.html";
}</script></li>
				<li><a href="login_success.php" title="">Login Homepage</a></li>
			  <li><a href="../fieldworks/accountdetails.php" title="">Account Detail</a></li>
				<li><a href="lastbill.php" title="">Last Bill</a></li>
				<li><a href="estatedetails.php" title="">Estate Details</a></li>
				<li><a href="../fieldworks/contactuslogin.php" title="">Contact Us</a></li>
			</ul>
		</div>
		
		<div id="updates" class="boxed">
			<h2 class="title">Recent Updates</h2>
			<div class="content">
			  <ul>
				<li> </li>
				<li>
				  <h3 class="style7">Coming Soon</h3>
				</li>
			  </ul>
			  <p>We will be extending our services to parks  and large lawns.</p>
			  <ul>
				<li>
				  <h3></h3>
				</li>
			  </ul>
		  </div>
			<div class="content">
				<!-- Paste this code into the BODY section of your HTML document  -->


			</div>
	  </div>
	</div>
	<div style="clear: both;">&nbsp;</div>
</div>
<div id="footer">Copyright &copy; 2008 fieldworks.com. Designed by <a href="ttp://www.blanedesigns.com">Blane Designs</a>
  <p id="links"><br />
  <a href="#">Privacy Policy</a>
</div>
</body>

0

#6 User is offline   Jason Icon

  • Master of the Universe
  • Icon
  • Group: Mentor
  • Posts: 2,537
  • Joined: 15-February 08
  • Gender:Male
  • Location:London, England

Posted 01 April 2008 - 06:28 PM

The code below should be displayed in the document's head. Nothing should exist between the head and body tags.

<style type="text/css">
<!--
@import url("default.css");
<!--
body {
	background-repeat: repeat-x;
}

</style>

0

#7 User is offline   acrikey Icon

  • Squeezing
  • PipPipPip
  • Group: Members
  • Posts: 99
  • Joined: 30-March 08
  • Gender:Male
  • Location:Southern England

Posted 01 April 2008 - 06:57 PM

As for the code Jason posted before my script, I now have a constant loop, I login, go to secret page go to link and it loops me back to my login, I know I have logged in correctly as I would not get to the secret page and I set up the user names and passwords!!!
0

#8 User is offline   Jason Icon

  • Master of the Universe
  • Icon
  • Group: Mentor
  • Posts: 2,537
  • Joined: 15-February 08
  • Gender:Male
  • Location:London, England

Posted 02 April 2008 - 02:09 AM

Have you got 'session_start()' at the top of each of your pages?

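Are you sure that on the step below a value is actually being put in the 'user' session variable?

if ($loginIsCorrect) // placeholder: result of your own username/password check
{
$_SESSION['user'] = $row['username']; // username from the database row
$_SESSION['id'] = $row['id']; // user id from the database row (column name assumed)
}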

0

#9 User is offline   acrikey Icon

  • Squeezing
  • PipPipPip
  • Group: Members
  • Posts: 99
  • Joined: 30-March 08
  • Gender:Male
  • Location:Southern England

Posted 02 April 2008 - 03:24 AM

Yes to 'session start' and I have no idea if a value is being put in the 'user' session
0

#10 User is offline   acrikey Icon

  • Squeezing
  • PipPipPip
  • Group: Members
  • Posts: 99
  • Joined: 30-March 08
  • Gender:Male
  • Location:Southern England

Posted 02 April 2008 - 05:08 AM

Same principle as this, it must get info from somewhere, I am presuming a DB
Posted Image
0

#11 User is offline   Marc Icon

  • Squeeze Machine
  • PipPipPipPipPip
  • Group: Members
  • Posts: 790
  • Joined: 13-February 08
  • Gender:Male
  • Location:Scotland, UK

Posted 02 April 2008 - 05:51 AM

It will store it in a session..
0

#12 User is offline   acrikey Icon

  • Squeezing
  • PipPipPip
  • Group: Members
  • Posts: 99
  • Joined: 30-March 08
  • Gender:Male
  • Location:Southern England

Posted 02 April 2008 - 10:32 AM

Right, having serious problems now, every time I make a new script change or add in new script to existing, I get a blank screen on the testing screen.
I have spilt coffee over my php book and am going slightly mad, my route has only just come back online and yes, good day. Anyway, the short of it is, I'm stuck again!
0

#13 User is offline   Jason Icon

  • Master of the Universe
  • Icon
  • Group: Mentor
  • Posts: 2,537
  • Joined: 15-February 08
  • Gender:Male
  • Location:London, England

Posted 02 April 2008 - 11:57 AM

OK, I have some time.

Try this.

Create a form with 2 fields.

<p>You are required to login to access this</p>
<form method="post">
   <input type="text" name="username" maxlength="100" />
   <input type="password" name="password" maxlength="100" />
   <input type="submit" name="login" value="Login" />
</form>


This is a basic login form. Save this as login.php

Let's now write a simple function to process this form.

<?php
// Assumes a database connection has already been opened with mysql_connect() and mysql_select_db().
function Process()
{
   $user = mysql_real_escape_string($_POST['username']); // Protects database from sql injection. The key matches the form field name.
   $pass = mysql_real_escape_string(sha1($_POST['password'])); // Creates a sha1 hash of the password. Replace sha1 with whatever encryption you are using.

  if (!empty($user) && !empty($_POST['password'])) // ! means not. So check these are not empty (the hash itself is never empty).
  {
	 $sql = "SELECT * FROM users WHERE username='$user' AND password='$pass'"; // Find user. The table name must match the table you create.
	 $result = mysql_query($sql);
	 if ($result && mysql_num_rows($result) == 1) // If one user is found with the correct username and password continue
	 {
		$_SESSION['user'] = $user; // Set session (assignment, not comparison)
		print 'You have successfully logged in';
	 }
	 else
	 {
		print 'Error: The username and passwords do not match';
	 }
  }
  else
  {
	 print 'error: The form is incomplete';
  }
}
?>


Save this as process.php

Your index.php would look like this.

<?php
session_start();
if (isset($_POST['login']))
{
   include 'process.php';
   Process();
}
?>

<html>
<head></head>
<body>
<?php
   if (isset($_SESSION['user'])) // Logged in: show the protected content
   {
	?>
   Add secure content here.
   <?php
   }
   else // Not logged in: show the login form
   {
	   include 'login.php';
   }
?>
</body>
</html>


You need to create a table called 'user'.

This needs to have 2 fields. One called 'username', the other 'password'.

I haven't tested this but the logic is sound. Have a look through it and see if it makes sense to you.
0
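A hardened form of the login check in the post above, as an added example that is not part of the thread: PDO prepared statements replace string escaping, `password_hash()`/`password_verify()` replace the bare sha1, and the session ID is regenerated on login. The in-memory SQLite database (needs the pdo_sqlite extension), the table layout, the helper names and the sample account are constructed for illustration.

```php
<?php
declare(strict_types=1);
// Added example, not code from the thread. Table layout and account are constructed.

function demo_db(): PDO
{
    // In-memory SQLite stands in for the real MySQL database (assumption).
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->execute(['jo', password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $db;
}

// Returns the user's id on success, null on any failure.
function check_login(PDO $db, string $username, string $password): ?int
{
    // Placeholders keep user input out of the SQL text entirely.
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_verify() checks against a salted hash in constant time.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return (int) $row['id'];
}

function establish_session(int $userId): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true); // fresh ID at login prevents session fixation
    }
    $_SESSION['id'] = $userId;       // store the id, never the password
}

$db = demo_db();
$id = check_login($db, 'jo', 'correct horse');
if ($id !== null) {
    establish_session($id);
}
// Second call shows a classic injection string being treated as plain data.
var_dump($id, check_login($db, 'jo', "' OR '1'='1"));
```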

#14 User is offline   c010depunkk Icon

  • Squeeze Machine
  • Icon
  • Group: Advisors
  • Posts: 509
  • Joined: 14-February 08
  • Gender:Male
  • Location:Düsseldorf, Germany

Posted 02 April 2008 - 12:55 PM

If you're still not making any progress, then you could also check out these tuts ;)
http://creativecoding.webforumz.com/editio...on-with-php.php
http://creativecoding.webforumz.com/editio...a-php-login.php
an umcomfortably attractive blend of sort of perverted but suprisingly sweet.
i.met.janvt.com
0

#15 User is offline   acrikey Icon

  • Squeezing
  • PipPipPip
  • Group: Members
  • Posts: 99
  • Joined: 30-March 08
  • Gender:Male
  • Location:Southern England

Posted 02 April 2008 - 01:36 PM

Thanks for the code, does not work, I can't see a DB connection being made though.

Both the tutorials above seem to deal with logging in and checking if user has logged in, it has confused me a little as it seems to be explaining stuff that (in my mind) I don't need as that has been done. My users have been verified, and logged in. I apologise if I am being slow and repeating myself, but I need a code that checks the username and tells the database, Jo Blogs has signed in, then the retrieve code gets all the requested information from the database referring to Jo Blogs, my apologies if you knew what I wanted all along. I am new to grasping php and still get very confused by it. My books help if I know what the selection of code is called to look up and reference it.

Sorry to make a very long thread out of an easy solution.

This post has been edited by acrikey: 02 April 2008 - 05:37 PM

0

#16 User is offline   c010depunkk Icon

  • Squeeze Machine
  • Icon
  • Group: Advisors
  • Posts: 509
  • Joined: 14-February 08
  • Gender:Male
  • Location:Düsseldorf, Germany

Posted 03 April 2008 - 01:16 AM

How does the page know that "Jo Blogs" is logged in? From a $_SESSION variable?

All you have to do then is query your user details database:
$username=mysql_escape_string($_SESSION['username']); // get username and clean it up for the db query
$query=mysql_query("SELECT * FROM <table_name> WHERE username='$username'"); // query database
if($row=mysql_fetch_assoc($query)) { // check for and get results
  // output user detail here
  echo($row['last_name']); // for example
} else { // user not found
  echo('user not found'); // output error
}

an umcomfortably attractive blend of sort of perverted but suprisingly sweet.
i.met.janvt.com
0

#17 User is offline   Jason Icon

  • Master of the Universe
  • Icon
  • Group: Mentor
  • Posts: 2,537
  • Joined: 15-February 08
  • Gender:Male
  • Location:London, England

Posted 03 April 2008 - 02:56 AM

acrikey, on Apr 2 2008, 07:36 PM, said:

Thanks for the code, does not work, I can't see a DB connection being made though.


Have you got a database set up? Do you have some PHP knowledge? I assumed you knew the basic syntax of php. Assuming this you should be able to either modify your script or modify what I wrote to make it work for your purposes.
0

#18 User is offline   acrikey Icon

  • Squeezing
  • PipPipPip
  • Group: Members
  • Posts: 99
  • Joined: 30-March 08
  • Gender:Male
  • Location:Southern England

Posted 03 April 2008 - 01:21 PM

Have you got a database set up? Yes I do

Do you have some PHP knowledge. Yes a very, very basic understanding, I am in the process of getting to understand, but I am still in the stage of looking up to make sure I have got them straight in my head, can't code without my code book at my side.

I have added, the start sessions and inserted:
<?
session_start();
if(!session_is_registered(myusername)){
header("location:main_login.php");
}
session_start();
$username=mysql_escape_string($_SESSION['username']); // get username and clean it up for the db query
$query=mysql_query("SELECT * FROM <members> WHERE username='$username'"); // query database
if($row=mysql_fetch_assoc($query)) { // check for and get results
  // output user detail here
  echo($row['last_name']); // for example
} else { // user not found
  echo('user not found'); // output error
}
?>

but it does not affect the DB table, and all content is still displayed, not just specific user.

This post has been edited by acrikey: 03 April 2008 - 01:22 PM

0
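The behaviour asked for in this thread, showing only the logged-in member's rows, as an added example that is not from any poster: the page selects rows by the id held in the session and escapes every value on output. The `estates` table with a `member_id` column, the helper names and the sample rows are assumptions constructed for illustration; `house_name`, `post_code` and `main_login.php` are taken from the code posted above.

```php
<?php
declare(strict_types=1);

// Constructed sample data: two members, each with their own estate row.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE estates (member_id INTEGER, house_name TEXT, post_code TEXT)');
$db->exec("INSERT INTO estates VALUES (1, 'Rose <b>Cottage</b>', 'AB1 2CD'), (2, 'The Grange', 'EF3 4GH')");

// Returns the logged-in member id, or null when the caller must
// redirect to the login page and stop.
function current_member_id(array $session): ?int
{
    return isset($session['id']) && is_int($session['id']) ? $session['id'] : null;
}

// Rows are selected by the id held in the session, never by a value
// taken from the URL or a form field.
function estates_for_member(PDO $db, int $memberId): array
{
    $stmt = $db->prepare('SELECT house_name, post_code FROM estates WHERE member_id = ?');
    $stmt->execute([$memberId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function render_rows(array $rows): string
{
    $html = "<table>\n";
    foreach ($rows as $row) {
        // Escape on output so stored data cannot inject markup.
        $html .= '<tr><th>House Name:</th><td>' . htmlspecialchars($row['house_name'], ENT_QUOTES, 'UTF-8')
               . '</td><th>Post Code:</th><td>' . htmlspecialchars($row['post_code'], ENT_QUOTES, 'UTF-8') . "</td></tr>\n";
    }
    return $html . "</table>\n";
}

$session = ['id' => 1];   // stands in for $_SESSION after a successful login
$memberId = current_member_id($session);
if ($memberId === null) {
    // On a real page: header('Location: main_login.php'); exit;
    exit("not logged in\n");
}
echo render_rows(estates_for_member($db, $memberId));
```

Only member 1's row is printed, with the markup in the stored house name escaped rather than rendered.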
