PHP Sessions with different info for each user
mytwocents
All American
20654 Posts

So it's my birthday and here's what you can give me TWW.....

I have a login page that checks a username and password and then if it matches anything in a database, it logs that user in and loads a specific URL. I've managed to do all this but my problem is that once logged in if I manually put in the URL of another user, it will allow me access it even though I should only be allowed access to the URL for MY username and password.


$username="root";
$password="secretpassword";
$db_name="mydatabase";
$tbl_name="mytable";
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];

$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);

$sql="SELECT * FROM $tbl_name WHERE scusername='$myusername' and scpassword='$mypassword'";

$result=mysql_query($sql);
if (mysql_num_rows($result) == 0 ) {
    echo "Wrong Username or Password";
} else {
    while ($row = mysql_fetch_array($result)) {
        extract($row);
        session_register("myusername");
        session_register("mypassword");
        header("location:$url.php");
    }
}
?>


Now upon further research it appears I shouldn't be using the session_register but I'm not sure how to adjust.... regardless, here's the check I have for the pages:




The easiest way I can think to do this is say something in that check like, 'if username then only that records url' but obviously I don't know how....

8/31/2010 8:04:12 PM

Stein
All American
19842 Posts

You need to find a newer PHP tutorial. The ones at w3schools are pretty good. Here's the one for sessions: http://www.w3schools.com/php/php_sessions.asp

The key to figuring out your problem is to figure out exactly what it is you want to do and think what sort of steps you have to go through programmatically to meet that goal.

Oh, and don't connect to MySQL as root in your scripts. Big mistake.

8/31/2010 8:48:37 PM

quagmire02
All American
44225 Posts

how is the "specific URL" generated? i assume you're doing something like directing them to a profile page or something after the login

i also assume that you have primary keys in the users table...if that's the case, register the primary key as a session variable upon successful login and have your "specific URL" page use the primary key to pull up that user's information (or whatever you're using it for)

if that's not the case, you're doing it wrong

9/1/2010 8:13:09 AM

quagmire02
All American
44225 Posts

also, don't use session_register()...i think it's deprecated, but even if it isn't, $_SESSION[] is better

9/1/2010 8:55:57 AM

mytwocents
All American
20654 Posts

Well there's little doubt I'm doing it wrong....

And I realized after I posted and did a little bit of research that I shouldn't be using the session_register but I took the code from something I'd done in the past at some point.

In an effort to make this as painless as possible I currently am only using one table which holds a unique id, username, password, and URL. And yeah, based on their username, that's the URL that they get redirected to once registered header("location:$url.php".

Should I not be only using one table? And anyone know of a good tutorial for the things I'm going to need to do (besides the one Stein posted which I am currently looking at...TY :kiss ?

9/1/2010 11:41:34 AM

Ernie
All American
45943 Posts

9/1/2010 11:51:14 AM

kiljadn
All American
44689 Posts

^aahahhahahahhaha

9/1/2010 12:02:15 PM

mytwocents
All American
20654 Posts

gdamn it

9/1/2010 12:07:56 PM

mytwocents
All American
20654 Posts

OK....well per Stein's suggestion....here's what I'd like to do:

I have a flash presentation that I've made specific to a client and each presentation includes a dummy login page (again, specific to each client) so I will have a page say 'client1.php' that will obviously be meant to be only seen by that client. So I have a database with one table which includes a unique id, a username, a password, and the name of their specific page. So I want them to go to a general login page, enter their username and password and then if it checks out, it logs them in and redirects them to their unique page. I was under the impression the way I've gone about it so far was the best...now I'm just having problems figuring out how to store a session and then include that session_start for the pages so that they can only see theirs....?

9/1/2010 1:56:15 PM

mytwocents
All American
20654 Posts

jkfo;KJfkJgklJfgljDSlkgjlSKDjglkDGJSm

9/1/2010 11:54:47 PM

Stein
All American
19842 Posts

What about storing a session is unclear?

9/2/2010 8:59:20 AM

Novicane
All American
15413 Posts

Quote :
"So I have a database with one table which includes a unique id, a username, a password, and the name of their specific page. So I want them to go to a general login page, enter their username and password and then if it checks out, it logs them in and redirects them to their unique page."


I would make a general page and use PHP include based on their unique ID AND first name/last name.

If they successfully log in, be sure to pull the unique ID and their first name and assign a variable to it and pass it to your loggedin.php.

(i.e loggedin.php&id=2&name=Tom )

Write another query to double check and make sure the id and name match (you wouldn't want people just changing the unique ID and getting access to other people's pages)

then write a phpinclude for an html or whatever file and append their ID to it. include"yourpage'.$id.'".html".

You could probably get away with writing IF statements but if you get a lot of users could be a pain.

9/2/2010 11:23:32 AM

Stein
All American
19842 Posts

Uh... no. Don't do that.

Listen, you have someone logging in, you store their session ID ( $_SESSION['id'] ) and then redirect them to "display.php" and then use the value in $_SESSION['id'] (which is their unique ID) to display whatever it is that person should see. Don't pass anything in the URL, there's no need to do so.

Just be sure to put a session_start() as the first line on both pages since otherwise you don't have "access" to read/write $_SESSION.

9/2/2010 11:29:44 AM
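
The flow described in the post above, as an added example that is not part of the thread: the login step stores only the user's primary key in $_SESSION['id'], and the display step looks the page up from that key. The table layout, the hashed password column, the sample accounts and the in-memory SQLite database are assumptions made so the sketch runs on its own.

```php
<?php
// Added example, not code from the thread. The users table (id, username,
// pass_hash, page), the sample accounts and the in-memory SQLite database are
// assumptions so the sketch runs stand-alone from the command line.
declare(strict_types=1);

function demo_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, pass_hash TEXT, page TEXT)');
    $ins = $db->prepare('INSERT INTO users (username, pass_hash, page) VALUES (?, ?, ?)');
    $ins->execute(['client1', password_hash('constructed-pw-1', PASSWORD_DEFAULT), 'client1']);
    $ins->execute(['client2', password_hash('constructed-pw-2', PASSWORD_DEFAULT), 'client2']);
    return $db;
}

// login.php: check the credentials, then remember only the primary key.
function login(PDO $db, string $username, string $password): bool {
    $st = $db->prepare('SELECT id, pass_hash FROM users WHERE username = ?');
    $st->execute([$username]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['pass_hash'])) {
        return false;
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true); // fresh session id once the user is authenticated
    }
    $_SESSION['id'] = (int) $row['id'];
    return true;
}

// display.php: the page comes from the session's id, never from the request.
function page_for_current_user(PDO $db): ?string {
    if (!isset($_SESSION['id'])) {
        return null; // not logged in: the caller redirects to the login form
    }
    $st = $db->prepare('SELECT page FROM users WHERE id = ?');
    $st->execute([$_SESSION['id']]);
    $page = $st->fetchColumn();
    return $page === false ? null : (string) $page;
}

// Under a web server, call session_start() first on both pages.
$db = demo_db();
$_SESSION = [];
var_dump(login($db, 'client1', 'not-the-password'));
var_dump(login($db, 'client1', 'constructed-pw-1'));
$_GET['id'] = '2'; // a tampered request parameter is simply never read
var_dump(page_for_current_user($db));
```

Because display.php derives everything from the server-side session, typing another client's page name or id into the address bar has nothing to act on.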

Novicane
All American
15413 Posts

Quote :
"Listen, you have someone logging in, you store their session ID ( $_SESSION['id'] ) and then redirect them to "display.php" and then use the value in $_SESSION['id'] (which is their unique ID) to display whatever it is that person should see. Don't pass anything in the URL, there's no need to do so."


yeah do this, sorry

9/2/2010 11:34:57 AM

mytwocents
All American
20654 Posts

OK.....so I've done it like you guys have said (mostly....though I'm sure somewhere is something different) but anyway, here's my question...
I have a display.php page which indeed uses the value stored in the session. Now this question is a very basic one I'm sure but....I currently have it pulling the URL like this....which works perfectly:

include("$url.php");


but now I want to be able to have that be in a directory so that instead of just http://www.website.com/url.php it would be http://www.website.com/folder/url.php


I'm getting confused with the proper way to do that....which/what escape characters get used for the folder/ ? where?

9/26/2010 7:25:18 PM

EuroTitToss
All American
4790 Posts

wot

9/26/2010 7:46:32 PM

mytwocents
All American
20654 Posts

include("$url.php");


this would lead to http://www.website.com/url.php

I want to store whatever url is used in a directory so that instead of the above, it would be:
http://www.website.com/folder/url.php

So how would I put that in my php code?
include(/folder/"$url.php");

or
include(\folder\"$url.php");

or
include('\folder"\"$url.php");


I know none of those are right, which is why I'm asking for help

9/26/2010 7:51:48 PM

qntmfred
retired
40594 Posts

it's not even your birthday

i'm out

9/26/2010 8:39:51 PM

mytwocents
All American
20654 Posts

fair enough. You guys have been awesome

9/26/2010 9:24:22 PM

mytwocents
All American
20654 Posts

but feel free to be more awesome.....

9/26/2010 10:31:09 PM

Ernie
All American
45943 Posts

Quote :
"
include("$url.php");
"


I haven't done anything with PHP in a while, but are periods allowed in variable names?

--

After actually reading your question, I think you'd want to do something like this

$foo = '/path/to/' . $user_url;

include($foo);


Again, though, not really my thing, and I'm sort of stabbing in the dark at what you want because your question is barely intelligible.

[Edited on September 27, 2010 at 8:41 AM. Reason : I'm pretty sure that you aren't using the include() function properly]

9/27/2010 8:33:14 AM

Stein
All American
19842 Posts

While you're right about how you'd do it, Ernie, "include" isn't a function and thus you don't (and shouldn't) use parentheses around it.

Quote :
"I haven't done anything with PHP in a while, but are periods allowed in variable names?"


PHP is generally pretty good about figuring out what's a variable name and what isn't. If there's any confusion it can be wrapped in braces, such as "{$url}.php"

mytwocents if you look at the PHP manual http://www.php.net/include you'll see that "include" requires a string, which is the path to the file in question. Knowing what you know about PHP, which of the following is a string:

$a = folder/"url.php"
$a = folder/url.php
$a = "folder/url.php"

[Edited on September 27, 2010 at 10:33 AM. Reason : .]

9/27/2010 10:33:06 AM

mytwocents
All American
20654 Posts

^...
$a = "folder/url.php"
?

I realize that my questions might be somewhat retarded but understand that I never learned php, I just did/do things by trial and error and the way I had was working...I just couldn't figure out how to get the path in there...I have no doubt my php is seriously flawed and it works...until it doesn't....which is why I'm here.

I've now gotten myself totally screwed up and somehow ended up with

$foo = "'/folder/'.{$url}.php";
include '$foo';

or some variation of it and I know it's wrong....but

9/27/2010 12:15:35 PM

mytwocents
All American
20654 Posts

oh shit......

so I did

$foo = "$url.php";
include ('folder/' .$foo);


and it worked.....?

Am I right or lucky?

9/27/2010 12:21:53 PM

Ernie
All American
45943 Posts

$foo = "$url.php";




[Edited on September 27, 2010 at 12:33 PM. Reason : I'm really bothered and confused by $url.php]

9/27/2010 12:30:09 PM

mytwocents
All American
20654 Posts
user info
edit post

Well I suppose I'd be bothered by it too except that it works... but I see the issue (I think)....

each url is unique to each person who logs in so it's just pulling it from the table where the data is stored... ?? How else do you do it?

9/27/2010 1:09:42 PM

Ernie
All American
45943 Posts

Well, lots of things

mysqli, get your db credentials out the damn way, concatenation instead of throwing .php in the variable name to let the engine suss it out

etc etc

[Edited on September 27, 2010 at 2:14 PM. Reason : I thought you asked what else would one do, not how else. Whatever, this thread sucks.]

9/27/2010 2:06:45 PM

Stein
All American
19842 Posts

include "/folder/{$url}.php";

The issue Ernie's understandably having with saying "$url.php" is that when you do that, you're hoping that the PHP interpreter properly handles that line, rather than you just explicitly telling it what to do.

It generally works well enough if you keep it simple, but surrounding the variable with braces lets the interpreter know exactly what you want. When you start getting complicated and using arrays, you'll notice that:

echo "Value 0: $array[0]";
and
echo "Value 0: {$array[0]}";

Print two different values.

9/27/2010 3:11:17 PM

qntmfred
retired
40594 Posts

i, too, was a little weirded out by $url.php

but hey, it is valid. if you're comfortable with it, and there aren't other developers maintaining it to get thrown off by it, no problem using that syntax

also, i doubt you are in this case, but make sure if you're doing an include on $url, make sure the user can't influence the value of $url - could open yourself up to code injection attack http://www.theserverpages.com/articles/webmasters/php/security/Code_Injection_Vulnerabilities_Explained.html

9/27/2010 3:35:06 PM
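
One way to enforce the point in the post above about keeping the included name out of the user's control, as an added example that is not part of the thread: the name is checked against a strict pattern and the resolved path must sit directly inside the pages folder before it is included. resolve_page() and the temporary demo directory are hypothetical names introduced for illustration.

```php
<?php
// Added example, not code from the thread. resolve_page() is a hypothetical
// helper; the sample page is created in a temporary directory.
declare(strict_types=1);

// Returns the absolute path of the page to include, or null if the name is
// not a plain identifier or resolves outside $pageDir.
function resolve_page(string $pageDir, string $name): ?string {
    // Allow only names like "client1": no slashes, dots, NUL bytes or schemes.
    if (preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name) !== 1) {
        return null;
    }
    $base = realpath($pageDir);
    $path = realpath($pageDir . DIRECTORY_SEPARATOR . $name . '.php');
    if ($base === false || $path === false) {
        return null; // directory or file does not exist
    }
    // Containment check: the resolved file must sit directly inside $pageDir
    // (this also rejects symlinks that point somewhere else).
    if (dirname($path) !== $base) {
        return null;
    }
    return $path;
}

// Constructed demo: one legitimate page, then names that must be refused.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'client1.php', "<?php echo 'client1 presentation', PHP_EOL;\n");

foreach (['client1', '../client1', 'client1.php', 'http://example.test/x', 'missing'] as $name) {
    $path = resolve_page($dir, $name);
    echo str_pad($name, 24), $path === null ? 'rejected' : 'include ' . basename($path), "\n";
}

$page = resolve_page($dir, 'client1');
if ($page !== null) {
    include $page; // include is a language construct, so no parentheses are needed
}
```

The same helper applies when the name comes from the database row selected by $_SESSION['id']: validating it at the point of use means a bad value in the table cannot steer include to another file.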

Stein
All American
19842 Posts

It's a really bad habit a lot of new PHP programmers pick up partly because the manual and the countless web tutorials out there don't do a very good job of saying "here's how you tell the interpreter this is a variable" and since PHP is pretty good at picking up what's going on, most people don't even know it's possible until they run into the array issue I mentioned.

9/27/2010 4:58:26 PM
