Help with PHP Login script (sessions and validation).

sw33t_r3v3ng3

I need some help with a login script.

I have a page called login.php and the code is:

<?php
session_start();
//post the data
$email = $_POST;
$password = $_POST;

if ($email&&$password){

$connect = mysql_connect("*******", "****", "***") or die ("Couldn't connect to the DB"); //connect to the DB!
mysql_select_db("****")or die("Couldn't find the database");

$query = mysql_query("SELECT * FROM **** WHERE email='$email'");

$numrows = mysql_num_rows($query);

if($numrows!==0){
while($row = mysql_fetch_assoc($query)){
$dbemail = $row;
$dbpassword = $row;
}

if($email==$dbemail&&sha1($password)==$dbpassword){

@$_SESSION = 'email';

header('Location: usercpanel.php');
}else{
header('Location:index.php');
}
}
}
?>

basically what i want to happen is if the users details are correct, start a session and on the user control panel page, if the session is active allow the user to view the page.

What am i doing wrong. (By the way i know that mysql is outdated, but feck it, if someone wants to point me to some resources to help with mysqli please go ahead).

Thanks in advance

magooly

What happens right now?

Also your app is wide open to SQL injection

sw33t_r3v3ng3

magooly wrote: »

What happens right now?

Also your app is wide open to SQL injection

I know, i want to get the whole system working first and then ill go about security as i have no knowledge of security but want to learn!

magooly

Can you try setting a login session var and using this check on every page.

Something like...


# if already logged in
if(isset($_SESSION))
{
header('Location:index.php');
}
else
{
header('Location: logout.php');
}
exit;
}

if($_SERVER == 'POST')
{# login attempt
$login_result=do_login();
if ($login_result == 1)
{
session_begin();
header('Location:index.php');
exit;
}
}


function do_login()
{#process login
$username = trim($_POST);
$password = trim($_POST);
$sql ="SELECT id FROM login WHERE username='$username' AND password = '$password' ";
$conn=dbconnect();
$pg_result=pg_query($conn, $sql);
if (pg_num_rows($pg_result) >0)
{#valid user
$row = pg_fetch_assoc($pg_result);
$loginid = $row;
}
else
{#invalid_username
return -1;
}
}

function session_begin()
{
$_SESSION["login"] = true;
$_SESSION["username"] = trim($_POST);
}

sw33t_r3v3ng3

magooly wrote: »

Can you try setting a login session var and using this check on every page.

Something like...


# if already logged in
if(isset($_SESSION))
{
header('Location:index.php');
}
else
{
header('Location: logout.php');
}
exit;
}

if($_SERVER == 'POST')
{# login attempt
$login_result=do_login();
if ($login_result == 1)
{
session_begin();
header('Location:index.php');
exit;
}
}


function do_login()
{#process login
$username = trim($_POST);
$password = trim($_POST);
$sql ="SELECT id FROM login WHERE username='$username' AND password = '$password' ";
$conn=dbconnect();
$pg_result=pg_query($conn, $sql);
if (pg_num_rows($pg_result) >0)
{#valid user
$row = pg_fetch_assoc($pg_result);
$loginid = $row;
}
else
{#invalid_username
return -1;
}
}

function session_begin()
{
$_SESSION["login"] = true;
$_SESSION["username"] = trim($_POST);
}

Thanks very much for the help, would you be able to explain it (sorry im newish at this!)

magooly

Well the idea is to store a variable in the session that will indicate that the user has logged in correctly. This is a cookie that will stay alive until the user closes the browser or a timeout of 30 mins of inactivity. So if the Session array contains the login var and its value is true then you allow access to the site.

The first block above redirects the user to a logout page if the user is not logged in.

The second block checks if the user has filled out a form(user and pw) and pressed submit, it then calls a method do_login and waits for the result.

The 3rd block is the method to query the db and it should return 1 for success but I forgot to add that

The last block sets the 2 session vars in the browsers session after trimming the value submitted.

Can I recommend you download Joomla for examples around this kind of login management code, its opensource so you will easily see all the code you will need.

sw33t_r3v3ng3

magooly wrote: »

Well the idea is to store a variable in the session that will indicate that the user has logged in correctly. This is a cookie that will stay alive until the user closes the browser or a timeout of 30 mins of inactivity. So if the Session array contains the login var and its value is true then you allow access to the site.

The first block above redirects the user to a logout page if the user is not logged in.

The second block checks if the user has filled out a form(user and pw) and pressed submit, it then calls a method do_login and waits for the result.

The 3rd block is the method to query the db and it should return 1 for success but I forgot to add that

The last block sets the 2 session vars in the browsers session after trimming the value submitted.

Can I recommend you download Joomla for examples around this kind of login management code, its opensource so you will easily see all the code you will need.

Most of it makes sence, if i was to paste it into my login.php page what would i need to change ?

Talisman

Have a read through this post: Learn php tutor needed #40 - It's some code I wrote for a tutorial some months ago and covers everything you need.

Ziycon

I would suggest you look at using mysqli instead of mysql if your learning as mysqli supports/improved object-oriented interface, prepared statements, multiple statements, transactions, enhanced debugging capabilities and embedded server support to name but a few.

Also the mysql extension is deprecated from php 5.5.0 and will be removed in the near future.

oscarBravo

sw33t_r3v3ng3 wrote: »

I know, i want to get the whole system working first and then ill go about security as i have no knowledge of security but want to learn!

I can understand why you'd approach things that way, but I strongly recommend against it.

Put it this way: if you were planning to build a boat, do you think it would be a good idea to make something that floats, and then worry about stopping leaks, rather than build a boat that's watertight to start with?

You're clearly just starting to learn some of this stuff. If you learn to think about security as one of the core design criteria instead of something you try to bolt on later, you'll be doing yourself a big favour.

sw33t_r3v3ng3

oscarBravo wrote: »

I can understand why you'd approach things that way, but I strongly recommend against it.

Put it this way: if you were planning to build a boat, do you think it would be a good idea to make something that floats, and then worry about stopping leaks, rather than build a boat that's watertight to start with?

You're clearly just starting to learn some of this stuff. If you learn to think about security as one of the core design criteria instead of something you try to bolt on later, you'll be doing yourself a big favour.

i see where your coming from, is there anywhere in particular i can check out to learn mysqli ?

I thing theres a lack of tutorials and documentation out there !!

sw33t_r3v3ng3

One more thing thats getting me is sessions. I want to validate the users input and if it is correct, set a session and redirect them to their profile. what is the problem here:

if($email==$dbemail&&sha1($password)==$dbpassword){
session_start();
$_SESSION;
header('Location: usercpanel.php');
}else{
header('Location:index.php');
}

// i have more code, its just not necessary for my question
// should session_start(); be on the top of the page

Thanks!