
PHP Login Script

Hi,

i’m currently trying a new project to create a login page for an assignment i’ve got at work.

I work for a solicitor company in London and need to build a website that will allow clients to login to review their cases.

I’ve got as far as creating a login page, which allows them to login and fails if incorrect, but i’m stuck.

I’m using phpMyAdmin with MYSQL and Dreamweaver MX2004.

I have created a table called users which has the username and password and the login script successfully communicates with the “users” database.

However, i don’t know how to add users to the database so they can actually login. I don’t think this is hard as i’ve done it before but need someone to refresh my memory.

Lastly,
a problem i’m not sure how to fix.
As each client is different, each court case and files will also be different. Currently, if a client logs in successfully, they are transferred to “success.php” which is a static page. But how do i get specific users to go to their own page? For example, client: JO/PRO/IMM/0985 should login with their username: joproimm0985 password: xxxx and take them to their folder, thus every client can only view their own files and not the whole database.

I hope i have explained in enough detail but any more info can be requested.

Please can someone help me?

Cheers!


17 Comments(s)

@dbrandon Jul 22.2007 — If you're simply wanting to add a user yourself it would be easiest to just go to the phpMyAdmin homepage, navigate to your users table, and use the insert feature here. Otherwise you will have to set up a page which inserts a new row into the table. You will need to use the sql 'insert' statement, like this:

[code=php]
mysql_query("INSERT INTO users (username, password, ...any other fields...)
VALUES ('$username', '$password', ...any other fields...)");
[/code]


You need to establish a database connection before the mysql function will work.

The variables would be best posted from a form i'd imagine, and don't forget to encrypt the passwords if the login script is expecting an encrypted pass.

With regards to the redirect, i'm assuming you're using header("location: blahblah"); to redirect the user. If so, you can assign a variable and use this in the redirect.

E.g. you could have another field in the database table called 'homeDir' (their own directory). Then, upon successful login, you could query the table, assign the value of this field to a variable, and then use:

[code=php]
header("location: success.php?path=$variableName");
[/code]


or

[code=php]
header("location: $variableName");
[/code]


You'd need a way of stopping a user from being able to just move to the directory of another user with this method.

A better way to do this might be to associate certain court cases with a username / user ID. Then success.php could just pull all records from the database which are associated to the currently logged in user.

Hope that helps ?
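
One way to do the insert and the "encrypt the passwords" step from the answer above, as an added example that is not code from the thread: the password is stored as a salted hash and both queries use placeholders instead of interpolating `$username` and `$password` into the SQL string. It assumes PHP 7+ with PDO and uses an in-memory SQLite database in place of the MySQL `users` table; `addUser` and `checkLogin` are hypothetical names.

```php
<?php
// Added example (not from the thread). Constructed data; SQLite in memory
// stands in for the MySQL "users" table so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)');

// Hypothetical helper: insert a user, storing only a salted hash of the password.
function addUser(PDO $db, string $username, string $password): void {
    // Usernames double as folder/URL names in this thread, so keep them to a safe alphabet.
    if (!preg_match('/^[a-z0-9]{3,32}$/', $username)) {
        throw new InvalidArgumentException('username must be 3-32 characters of a-z, 0-9');
    }
    // Placeholders keep the values out of the SQL text entirely.
    $stmt = $db->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

// Hypothetical helper: true only when the user exists and the password matches the stored hash.
function checkLogin(PDO $db, string $username, string $password): bool {
    $stmt = $db->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();   // false when no row matched
    return is_string($hash) && password_verify($password, $hash);
}

addUser($db, 'joproimm0985', 'constructed-sample-password');

// Correct password, wrong password, and a quote-laden input that is treated as plain data.
var_dump(checkLogin($db, 'joproimm0985', 'constructed-sample-password'));
var_dump(checkLogin($db, 'joproimm0985', 'wrong'));
var_dump(checkLogin($db, "x' OR '1'='1", "x' OR '1'='1"));
```

With MySQL the only change is the DSN passed to `new PDO(...)`; the password column needs room for the hash (255 characters is the usual choice).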

@p0ng0 (author) Jul 23.2007 — Hey, thanks for the really quick response. As you may know, i'm new to it all. So when you say go to the users field, is that the users database i created?

If so, i select users from the drop down menu on the left and i clicked insert. In there, there it said "username" so i entered admin and under that it said "password" so i entered *a password*. So this is how i create users and passwords by inserting a user and password, or is that not it?

Secondly, i'm not too sure when you said i need to establish a connection, so could you explain that in detail also. It would really help me if you explained it like the first, for example "click this *button* which is on the left. Now click that *button* on the right", i would appreciate this extremely!


Cheers!

@p0ng0 (author) Jul 23.2007 — *Update post above, cannot edit so will add from here*

i can now create users so that they can login. When a user logs in with a user/pass, it takes the user to success.php and says SUCCESS. And if someone has entered a wrong password it takes them to FAIL.php and says sorry failed.

The only thing i need more explanation on is when you said "now if you want them to go to their own case, you need to query...." i don't understand any of that step. can you explain in steps please?

@dbrandon Jul 23.2007 — What exactly are you hoping to have displayed on success.php ?

That should help me give a more relevant answer on how to achieve what you're wanting.

@php_hazard_01 Jul 23.2007 — you just have to put their cases on the DB and label them as you see fit..

the table should look like

[CODE]
client1 client2 client3
1,3,7 2,4,6 5,8,9,10
[/CODE]


when client1 logs in, it takes those numbers 1,3,7 from this database
[CODE]db_cases
1 - case of the missing dog
2 - case of the missing parakeet
3 - case of the missing minx
4 - case of the missing jade diamond
5 - case of the missing burger
6 - case of the missing hot chick
7 - case of the missing chicken
8 - case of the missing french fries
9 - case of the missing ferrari
10 - case of the missing cat
[/CODE]

where the numbers are cases of your clients...

and returns those.

i think this is a simple approach but not advisable

@p0ng0 (author) Jul 24.2007 — [QUOTE]What exactly are you hoping to have displayed on success.php ?

That should help me give a more relevant answer on how to achieve what you're wanting.[/QUOTE]



When a client logs in to success.php, it will say "Successful Login. You are now being redirected to your account".

They will then be redirected to a new page, a page that is of their reference. For example, a client's case/ref is: JO/PRO/KRIS/895. The client will be redirected to a page called "joprokris895-home.php". Somehow, the database will get which page the client needs to go to, from the username. I thought if i keep the reference and username and their actual page unique, the database will be easy to redirect the client to the correct page. On that page (joprokris895-home.php) there will be links. As one of them will be "view your case" which will redirect to a page something like "joprokris895-case.php" or simply "joprokris895.php".

I hope this is understandable and you can get a picture of what it is i want to work.

Using dreamweaver + phpmyadmin ive got the basic login working, if they enter a wrong login it redirects them to "fail.php" and if they login successful they are redirected to "success.php". But if someone tries to visit success.php manually, it will say Failed, because they have to login first, so that bit is already ok.

@dbrandon Jul 24.2007 — Does each client just have one case reference, or could there be more than one ?

Are the cases held in a database ? If so, what fields / headings are there at the moment (things like date, description, etc) ?

There is no need to display a 'you are being redirected' page, success.php can display information based on the currently logged in user quite simply.

@p0ng0 (author) Jul 24.2007 — [QUOTE]Does each client just have one case reference, or could there be more than one ?

Are the cases held in a database ? If so, what fields / headings are there at the moment (things like date, description, etc) ?

There is no need to display a 'you are being redirected' page, success.php can display information based on the currently logged in user quite simply.[/QUOTE]

Hi,

at the moment the cases are not in a database.

The documents which we produce are on our computers in word, .doc format. But we also get docs from court etc, so not every file is there, unlike the hard copies which is a physical folder with documents inside. I would imagine that everything would be scanned onto the computer eventually or something.

At the moment all i'm looking for is each login to get directed to individual folders. From there we can add the body.

@dbrandon Jul 24.2007 — If you're simply wanting a different redirect (bear in mind this is not a good way of implementing it, unless you secure each folder from other users), look for

[code=php]header("location: ........");[/code]

in your login code, then change success.php, to a variable value.

For example, your code might look like this

[code=php]header("location: success.php");[/code]

and your login script may assign a session variable containing the username of the logged in user. In which case

[code=php]header("location: users/".$_SESSION['username']."/");[/code]

Would redirect the user to a folder named the same as their username in the users folder.

But like i say, this is not a particularly good way of implementing this. Hope it helps anyhow !

@p0ng0 (author) Jul 24.2007 — I really appreciate the users for trying to help me here, but really i am lost! lol.

I searched through the php code of login page (index.php) and i couldn't find anything saying header("location: ........."; or anything along those lines.

I will paste the code here and so you know exactly what i have.


[code=php]<?php require_once('../Connections/connectDB.php'); ?>
<?php
// *** Validate request to login to this site.
session_start();

$loginFormAction = $_SERVER['PHP_SELF'];
if (isset($accesscheck)) {
  $GLOBALS['PrevUrl'] = $accesscheck;
  session_register('PrevUrl');
}

if (isset($_POST['username'])) {
  $loginUsername=$_POST['username'];
  $password=$_POST['password'];
  $MM_fldUserAuthorization = "";
  $MM_redirectLoginSuccess = "success.php";
  $MM_redirectLoginFailed = "fail.php";
  $MM_redirecttoReferrer = false;
  mysql_select_db($database_connectDB, $connectDB);

  $LoginRS__query=sprintf("SELECT username, password FROM users WHERE username='%s' AND password='%s'",
    get_magic_quotes_gpc() ? $loginUsername : addslashes($loginUsername), get_magic_quotes_gpc() ? $password : addslashes($password));

  $LoginRS = mysql_query($LoginRS__query, $connectDB) or die(mysql_error());
  $loginFoundUser = mysql_num_rows($LoginRS);
  if ($loginFoundUser) {
    $loginStrGroup = "";

    //declare two session variables and assign them
    $GLOBALS['MM_Username'] = $loginUsername;
    $GLOBALS['MM_UserGroup'] = $loginStrGroup;

    //register the session variables
    session_register("MM_Username");
    session_register("MM_UserGroup");

    if (isset($_SESSION['PrevUrl']) && false) {
      $MM_redirectLoginSuccess = $_SESSION['PrevUrl'];
    }
    header("Location: " . $MM_redirectLoginSuccess );
  }
  else {
    header("Location: ". $MM_redirectLoginFailed );
  }
}
?>[/code]

@dbrandon Jul 24.2007 — ok, the line reading

[code=php]$MM_redirectLoginSuccess = "success.php";[/code]

is telling your script where to send the user upon successful login. The actual redirecting is done here:

[code=php]header("Location: " . $MM_redirectLoginSuccess );[/code]

So, for example, you could change the line reading

[code=php]$MM_redirectLoginSuccess = "success.php";[/code]

to

[code=php]$MM_redirectLoginSuccess = "success.php?user=".$loginUsername;[/code]

to make your user be redirected to success.php?user=*their name here*

Then, you could change the code on success.php to redirect the user based on the value of 'user' in the url.

Hope that helps a bit ? Any more questions, just ask !

@p0ng0 (author) Jul 24.2007 — Thanks dude for the "any more questions" i really appreciate it!

riiiight now... lol

i've changed [code=php]$MM_redirectLoginSuccess = "success.php";[/code]
to
[code=php]$MM_redirectLoginSuccess = "success.php?user=".$loginUsername;[/code],

what is the next step i should do? i cant stress enough how much i need steps lol.

@p0ng0 (author) Jul 24.2007 — like give me an example to do?

a client case called: JO/PRO/IMM/KRIS/876. but the username will be joproimmkris876.

so tell me e.g: create a folder called joprokrisimm876 (i say a folder, so that there can be an index file there so there can be more than one page on the users folder if that makes sense?)

@dbrandon Jul 24.2007 — ok, so you have your joproimmkris876 user created and they can log in.

hopefully, after logging in they are taken to success.php?user= joproimmkris876

if so, then we can make success.php redirect to the correct folder. paste the current source of success.php for me, and ill show you what it should be.

@p0ng0 (author) Jul 24.2007 — ok, atm, i've created a user "admin". when i logged in, it did take me to user=admin so that bit is all ok!

now, you say make it redirect to the current folder, i dont know about variables, so how do i make it direct to which according to the user? i'll paste the success.php code now.

[code=php]<?php
session_start();
$MM_authorizedUsers = "";
$MM_donotCheckaccess = "true";

// *** Restrict Access To Page: Grant or deny access to this page
function isAuthorized($strUsers, $strGroups, $UserName, $UserGroup) {
  // For security, start by assuming the visitor is NOT authorized.
  $isValid = False;

  // When a visitor has logged into this site, the Session variable MM_Username set equal to their username.
  // Therefore, we know that a user is NOT logged in if that Session variable is blank.
  if (!empty($UserName)) {
    // Besides being logged in, you may restrict access to only certain users based on an ID established when they login.
    // Parse the strings into arrays.
    $arrUsers = Explode(",", $strUsers);
    $arrGroups = Explode(",", $strGroups);
    if (in_array($UserName, $arrUsers)) {
      $isValid = true;
    }
    // Or, you may restrict access to only certain users based on their username.
    if (in_array($UserGroup, $arrGroups)) {
      $isValid = true;
    }
    if (($strUsers == "") && true) {
      $isValid = true;
    }
  }
  return $isValid;
}

$MM_restrictGoTo = "fail.php";
if (!((isset($_SESSION['MM_Username'])) && (isAuthorized("",$MM_authorizedUsers, $_SESSION['MM_Username'], $_SESSION['MM_UserGroup'])))) {

  $MM_qsChar = "?";
  $MM_referrer = $_SERVER['PHP_SELF'];
  if (strpos($MM_restrictGoTo, "?")) $MM_qsChar = "&";
  if (isset($QUERY_STRING) && strlen($QUERY_STRING) > 0)
    $MM_referrer .= "?" . $QUERY_STRING;
  $MM_restrictGoTo = $MM_restrictGoTo. $MM_qsChar . "accesscheck=" . urlencode($MM_referrer);
  header("Location: ". $MM_restrictGoTo);
  exit;
}
?>[/code]

@dbrandon Jul 24.2007 — ok try replacing all that code with ...

[code=php]
<?php
session_start();

// Read the 'user' value from the URL once; empty string when it is missing.
$user = isset($_GET['user']) ? $_GET['user'] : '';

// rawurlencode() encodes '/' and ':' so the value stays a relative path
// segment and cannot name another site in the Refresh header.
header("Refresh: 3; URL=".rawurlencode($user)."/");

$MM_authorizedUsers = "";
$MM_donotCheckaccess = "true";

// *** Restrict Access To Page: Grant or deny access to this page
function isAuthorized($strUsers, $strGroups, $UserName, $UserGroup) {
  // For security, start by assuming the visitor is NOT authorized.
  $isValid = False;

  // When a visitor has logged into this site, the Session variable MM_Username set equal to their username.
  // Therefore, we know that a user is NOT logged in if that Session variable is blank.
  if (!empty($UserName)) {
    // Besides being logged in, you may restrict access to only certain users based on an ID established when they login.
    // Parse the strings into arrays.
    $arrUsers = Explode(",", $strUsers);
    $arrGroups = Explode(",", $strGroups);
    if (in_array($UserName, $arrUsers)) {
      $isValid = true;
    }
    // Or, you may restrict access to only certain users based on their username.
    if (in_array($UserGroup, $arrGroups)) {
      $isValid = true;
    }
    if (($strUsers == "") && true) {
      $isValid = true;
    }
  }
  return $isValid;
}

$MM_restrictGoTo = "fail.php";
if (!((isset($_SESSION['MM_Username'])) && (isAuthorized("",$MM_authorizedUsers, $_SESSION['MM_Username'], $_SESSION['MM_UserGroup'])))) {

  $MM_qsChar = "?";
  $MM_referrer = $_SERVER['PHP_SELF'];
  if (strpos($MM_restrictGoTo, "?")) $MM_qsChar = "&";
  if (isset($QUERY_STRING) && strlen($QUERY_STRING) > 0)
    $MM_referrer .= "?" . $QUERY_STRING;
  $MM_restrictGoTo = $MM_restrictGoTo. $MM_qsChar . "accesscheck=" . urlencode($MM_referrer);
  header("Location: ". $MM_restrictGoTo);
  exit;
}

// htmlspecialchars() makes the browser show the value as text, not as HTML.
echo "You will be taken to <b>".htmlspecialchars($user, ENT_QUOTES)."/</b> in 3 seconds ...";

?>
[/code]
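
The "better way" from dbrandon's first answer (associate cases with a username) and the caveat in the redirect answers about securing each folder from other users, as an added example that is not part of any post in the thread: the logged-in name is taken from the session the login script already sets, and ownership is enforced inside the query, so changing a value in the URL returns nothing. It assumes PHP 7+ with PDO, uses in-memory SQLite in place of MySQL, and the `cases` table, its columns, `casesFor` and `caseFor` are hypothetical.

```php
<?php
// Added example (not from the thread). Constructed data; SQLite in memory
// stands in for MySQL. Table and column names are assumptions.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE cases (id INTEGER PRIMARY KEY, owner TEXT NOT NULL, ref TEXT, file TEXT)');
$ins = $db->prepare('INSERT INTO cases (owner, ref, file) VALUES (?, ?, ?)');
$ins->execute(['joproimm0985', 'JO/PRO/IMM/0985', 'witness-statement.doc']);
$ins->execute(['joprokris895', 'JO/PRO/KRIS/895', 'court-letter.doc']);

// List only the rows owned by the logged-in user. $sessionUser must come from
// $_SESSION['MM_Username'] (set by the login script), never from $_GET.
function casesFor(PDO $db, string $sessionUser): array {
    $stmt = $db->prepare('SELECT id, ref, file FROM cases WHERE owner = ? ORDER BY id');
    $stmt->execute([$sessionUser]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Fetch one case by id, but only if it belongs to the logged-in user.
// The owner test is part of the query, so a guessed id yields null.
function caseFor(PDO $db, string $sessionUser, int $caseId): ?array {
    $stmt = $db->prepare('SELECT id, ref, file FROM cases WHERE id = ? AND owner = ?');
    $stmt->execute([$caseId, $sessionUser]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Simulate requests from one logged-in client (constructed values).
$sessionUser = 'joproimm0985';   // what the login script stored in the session
$requestedId = 2;                // id taken from the URL, e.g. case.php?id=2

print_r(casesFor($db, $sessionUser));               // the client's own case list
var_dump(caseFor($db, $sessionUser, 1));            // request for the client's own case
var_dump(caseFor($db, $sessionUser, $requestedId)); // request for another client's case id
```

The documents themselves would sit outside the web root and be streamed by a script only after `caseFor` returns a row, so a file can never be reached by typing its path.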

@p0ng0 (author) Jul 24.2007 — GOD IT WORKED!

wow thank you sooo much!

though im not finished yet, because i will have to add stuff and then try bypassing it to test the security and all stuff but yeah, if i do need any help i would like to come back here?!