|
PHP - Help With Protected Pages And Session Register
Hi,
I have built a registration and login system for a website, part of which I wish to protect certain pages. The registration systems works well, as does the login BUT I am having difficulty with the next stage. How do I then 'capture' the username and password that were entered by the user and get the PHP page I want to protect to check that these are valid? I guess it is a piece of code I need to put in the top of the protected page? Here is the final piece of code (which then includes a link to the page I want to protect) from the login page which includes session_register, but then how can I use this information in the page I wish to protect? //Now if everything is correct let's finish his/her/its login session_register("username", $username); session_register("password", $password); echo "Welcome, ".$username." please continue onto our ".$sub." membership area...<a href=".$index.">click here</a>"; } Thanks, Simon Similar TutorialsHello: I wanted to see if I can make my password protected pages in my admin area, and the login form "more secure." I was told I should use MD5 / SALTING / HASHING to do this. I have tried some online tutorials, but am not understanding it, so I wanted to start from what I have and build upon it> This is my database table storing the myAdmins data (when I initially insert it into the database): Code: [Select] CREATE TABLE `myAdmins` ( `id` int(4) NOT NULL auto_increment, `myUserName` varchar(65) NOT NULL default '', `myPassword` varchar(65) NOT NULL default '', PRIMARY KEY (`id`) ) ENGINE=MyISAM AUTO_INCREMENT=2 DEFAULT CHARSET=utf8; INSERT INTO myAdmins VALUES("1","abc","123"); This is the login form I use: Code: [Select] <?php include('../include/myConn.php'); include('include/myAdminNav.php'); session_start(); session_destroy(); $message=""; $Login=$_POST['Login']; if($Login){ $myUserName=$_POST['myUserName']; $myPassword=$_POST['myPassword']; $result=mysql_query("select * from myAdmins where myUserName='$myUserName' and myPassword='$myPassword'"); if(mysql_num_rows($result)!='0'){ session_register("myUserName"); header("location:a_Home.php"); exit; }else{ $message="<div class=\"myAdminLoginError\">Incorrect Username or Password</div>"; } } ?> <form id="form1" name="form1" method="post" action="<? echo $PHP_SELF; ?>"> <? echo $message; ?> Username: <input name="myUserName" type="text" id="myUserName" size="40" /> Password: <input name="myPassword" type="password" id="myPassword" size="40" /> <input name="Login" type="submit" id="Login" value="Login" /> </form> This is the code on top of each page I password protect: Code: [Select] <? session_start(); if(!session_is_registered(myUserName)){ header("location:Login.php"); } ?> Works well, but can it be "better"?? And, if I am allowing the admin to update his/her username or password, I do it this way: Code: [Select] <?php include('../include/myConn.php'); include('include/myCheckLogin.php'); if ($_SERVER['REQUEST_METHOD'] == 'POST') { $myUserName = mysql_real_escape_string($_POST['myUserName']); $myPassword = mysql_real_escape_string($_POST['myPassword']); $sql = " UPDATE myAdmins SET myUserName = '$myUserName', myPassword = '$myPassword' "; mysql_query($sql) && mysql_affected_rows() ?> <?php } $query=mysql_query("SELECT * FROM myAdmins") or die("Could not get data from db: ".mysql_error()); while($result=mysql_fetch_array($query)) { $myUserName=$result['myUserName']; $myPassword=$result['myPassword']; } ?> <form method="post" action="<?php echo $PHP_SELF;?>"> <input type="hidden" name="POSTBACK" value="EDIT"> Username: <input type="text" size="60" maxlength="60" name="myUserName" value="<?php echo $myUserName; ?>"> Password: <input type="password" size="60" maxlength="60" name="myPassword" value="<?php echo $myPassword; ?>"> <input type="submit" value="Submit" /> </form> Should it be "better" .. ?? I don't seem to understand how to "encrypt" all of this to make it "stronger" .. Ideas? Improvements? Hello everyone: I wanted to see how I can make a simple login page (user name and password) that redirects to a page(s) if the login is correct. Also, I wanted to put protection on the page(s) that will send the user back to the login page if the credentials are nor correct. I would imagine the username/password would be stored in a database table (Admins), and the correct login info would be stored in a session ..? I am use to doing this with ASP, but never PHP. I want to make sure I understand how to do this properly and securely so I can use this as a model for other systems. In ASP I would do a protected page like this: a_login_check.asp Code: [Select] <% if session("admin_user_name") = "" then session.abandon response.redirect "login.asp" end if %> Protected-Page.asp Code: [Select] <!-- #include file="include/a_check_login.asp" --> <html> ... CONTENT ... </html> And of course there is the login page itself ... (I thought it would be nice to add a "Forgot Password" link on the login page, but if that is too complicated I can do that later .. or is it easy ??) Anyway, can someone point-out to me how to do this. I would appreciate it! Deprecated: Function session_register() is deprecated in /home/james/public_html/funshizzle.com/install/session.php on line 0 That is my error, I have no idea, What is it? Hello. Basically I've created a login script. Works great. It sends users to different locations depending on what type of user they are. Now I have also created a Members account. Upon logging in this user should go to the members area. That all works fine! In the login script i stored a few session variable like username, access_level and so on. Now in the members area I am trying to make the page echo the name of the current user. I have been stairing at my code too long and can no longer see why nothing is echo'ing. Any ideas. I thought that the session_start() would continue the session in the next page and throughout the site until the person logs off and runs the session_destroy()! Is this not correct. First ill post the login script <?php include('database.php'); session_start(); if(isset($_POST['submit3'])) { $email = stripslashes($_POST['email3']); $password = stripslashes($_POST['password3']); $email = mysql_real_escape_string($_POST['email3']); $password = md5($password); $CheckUser = "SELECT * FROM Members WHERE email='".$email."' AND password='".$password."'"; $userDetails2 = mysql_query($CheckUser); $userInfo = mysql_fetch_array($userDetails2); $count = mysql_num_rows($userDetails2); if($count != 0) { $_SESSION['username'] = $userInfo['username']; $_SESSION['usertype'] = $userInfo['usertype']; $_SESSION['access_level']= $userInfo['access_level']; if($userInfo['usertype']== 'Member') { header('Location: members/index.php'); } else if($userInfo['usertype'] == 'Owner') { header('Location: owner/index.php'); } else if($userInfo['usertype'] == 'Corporation') { header('Location: corporation/index.php'); } else if($userInfo['usertype'] == 'Administrator') { header('Location: owner/admin/index.php'); } else if($userInfo['usertype'] == 'Staff') { header('Location: owner/staff/index.php'); } } else { $message = "incorrect login details"; } } ?> now ill post the members page <?php include('../database.php'); session_start(); ?> <head> <link href="stylz.css" rel="stylesheet" type="text/css" /> <link href="reset.css" rel="stylesheet" type="text/css" /> </head> <body> <div id="wrapper"> WELCOME TO THE MEMBERS AREA <?php $_SESSION['username']; ?> <?php include('../title.php');?> <?php include('../nav.php');?> <div id="test"></div> <?php include('../footer.php');?> </div> </body> </html> I have a script that was written and tested on another server, but now when I transferred it to the live server, session values are not being passed. I made a couple test pages to check and confirmed that the only issue is the session variables. Here is the test I performed. Please tell me what I'm missing: page1.php <? session_start(); $_SESSION['var1'] = 'testing'; print_r($_SESSION); ?> Returns: Array ( [var1] => testing ) page2.php <? session_start(); print_r($_SESSION); ?> Returns: Array () Hi guys,
I am having a problem transferring data between pages, using PHP sessions. I have a HTML SELECT drop-down to let user set the number of posts per page to display. <form method="POST" style="margin:auto;position:relative;width:35%;padding:17px;top:47px;">
<span>select posts-per-page:</span>
<select name="ppp">
<option selected disabled>--select ppp--</option>
<option value=10>10</option>
<option value=15>15</option>
<option value=20>20</option>
<option value=50>50</option>
<option value=100>100</option>
</select>
<input type="submit" name="submit" value="OK"/>
</form>
I want to transfer the value selected by user to a session so that I can load the value in other pages. The value of posts per page is carried by variable $ppp; so, file1 contains the code $_SESSION['ppp'] = $ppp; That seems to work great; the system updates correctly the session's value as user submits different numbers of posts-per-page.
The problem is in page2.php: it doesn't update to the new user's selection; I already have a session active in that page so I don't need session_start(). To call the session, I use the line $ppp=$_SESSION['ppp']; When user changes the selection from 50 to 100 posts per age, for example, the value of page1.php changes as expected, but the value transferred to page2.php doesn't change, appears to remain with the default value the page loads with. I don't know if the problem is that I already have a session going. Can you have more than one session running simultaneously in a page? Can anybody help? Thanks in advance!
Sept Most of my website is written in php4. My hosting server has support for both 4 and 5 just by changing file extension. .php which is the default supports 4, .php5 of course supports 5. The problem I am having is that the pages with the .php5 extensions are not recognizing session variables. Is there something I should be doing differently in 5 for my session variables? For example a variable request like this returns 0 print $_SESSION['FULLNAME']; Please Help!! Thank you in advance? I've recently made a profile system for my site, and I'm not sure if it's injectable. I tried doing Code: [Select] REMOVED/index.php?page=profile&player=select * from members where username = srbuckey5266 Does this mean I'm good? It didn't work. I've been meaning to move on to OOP for a while now that I've grasped the concept of OOP in java quite well and I'm doing good so far in PHP OOP. One question that I have floating around though is: When would protected be of any use? I understand what protected does, it's just I don't see how it could ever stop an error from happening. Is there an example for how it would be able to stop an interference from occurring? If i declare protected variable in a class how can i access those variable in other class inheriting that class? Can anyone post example code? If you use htaccess to restrict a directory can you still use the include function to include a file from that directory? Hello all, i am go9090go. Today i made a domains for a jar file people can upload from my website. I made this to make the jar file close source and its easy to update. Now i made a java classloader and everything i made works. The classloader call a php document with the password and username. The pass and name will be checked inside a databse and if its inside i use header() to load the jar file. But when i just go to my main domain i get the index of the site and people can easly download the jar file without have to walk thru the php pass checker. So i want to place the jar file inside a protected folder,and i want that only way you get acces to this jar is by the php file. How can i get a file from a protected folder? here is the php used when the jar file is not inside a protected folder: <?php $DBName = "name";//name database $DBUser = "name";//user $DBPassword = "pass"; //passs $DBHost = "host"; //might be different mysql_connect($DBHost, $DBUser, $DBPassword); mysql_select_db($DBName); $username = $_GET['username']; $password = $_GET['password']; $IP = $_SERVER['REMOTE_ADDR']; $string = "Java"; $pos = strpos($agent, $string); if (!strpos($_SERVER['HTTP_USER_AGENT'], "Java")) { echo("Your Auth has been banned for trying to breach security."); //mysql_query("delete from users where username='$username'"); exit(); } $query = "select * from users where name='$username' and pass='$password'"; mysql_query($query); $num = mysql_affected_rows(); if ($num > 0) { header('Location:script/Script.jar'); } ?> now i want to use the header to a file inside a folder that is protected : so how can i make the header() methode to open script.jar inside a protected folder. The folder haves name and pass: blabla,balbla for exempel thanks for help I'm writing a script that opens a webpage and pulls out the pictures for editing. The problem I'm having is the pictures are protected from hotlinking with htaccess. The script is on a different domain. I know it's possible to do this but after much searching and experimentation I can't work it out. Any ideas? in this page http://maximaart.com/newscp/ i have this problem Code: [Select] Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /home/maximasy/public_html/newscp/index.php:1) in /home/maximasy/public_html/newscp/index.php on line 2 my source code is <?php session_start(); include_once("config.php"); include_once("functions.php"); $errorMessage = ''; if (isset($_POST['txtUserId']) && isset($_POST['txtPassword'])) { if ($_POST['txtUserId'] === "$user" && $_POST['txtPassword'] === "$pass") { // the user id and password match, $_SESSION['basic_is_logged_in'] = true; require("main.php"); exit;?> I am trying to create an index page which contains registration and login field the problem that i get is on successful login a warning is displayed session_start() [function.session-start]: Cannot send session cookie - headers already sent by (output started at C:\xampp\htdocs\Eventz.com\index.php:116) in C:\xampp\htdocs\Eventz.com\index.php on line 235 This is the login part of my index.php this tag is inside an html table below the login form I also have a registration form and its php code above the login form Code: [Select] <?php if (isset($_REQUEST['pass'])) { $id=$_POST['id']; $pass=$_POST['pass']; $conn =mysql_connect("localhost","root",""); if (!$conn) { die('Could not connect: ' . mysql_error()); } /* checking connection....success! */ $e=mysql_select_db('test', $conn); if(!$e) { die(''.mysql_error()); } else { echo 'database selected successfully'; } if (isset($_REQUEST['id']) || (isset($_REQUEST['pass']))) { if($_REQUEST['id'] == "" || $_REQUEST['pass']=="") { echo "login fields cannot be empty"; } else { $sql=mysql_query("Select email,password from login where email='$id' AND password='$pass'"); $count=mysql_num_rows($sql); if($count==1) /* $count checks if username and password are in same row */ { session_start(); $_SESSION['id']=$id; echo "</br>Login Successful</br>"; } else { echo "</br>invalid</br>"; echo "please try to login again</br>"; } } } } ?> Any help or suggestion would be appreciated I am having trouble resolving an error. Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /home/s519970/public_html/header.php:27) in /home/s519970/public_html/admin/login.php on line 2 What I can gather is I can't use "header (Location: 'admin.php')" after i've used session_start(). I have tried to replace the header (Location: 'admin.php') with this: echo "<script>document.location.href='admin.php'</script>"; echo "<script>'Content-type: application/octet-stream'</script>"; I've been trying to read up on solutions but haven't been able to get it sorted. If anyone can offer some advice that would be greatly appreciated as im new to php. Code: [Select] <?php session_start(); if(isset($_SESSION['user'])) echo "<script>document.location.href='admin.php'</script>"; echo "<script>'Content-type: application/octet-stream'</script>"; ?> <div id="loginform"> <form action="dologin.php" method="post"> <table> <tr> <td><span>Username:</span></td> <td><input type="text" name="username" /></td> </tr> <tr> <td><span>Password:</span></td> <td><input type="password" name="password" /></td> </tr> <tr> <td colspan="2" align="right"><input type="submit" name="login" value="Login" /></td> </tr> </table> </form> </div> I have tried using require_once('yourpage.php'); before my <head></head> tags in the header document where I've specified the html information but this doesn't seem to work. I've been advised to use ob_start("ob_gzhandler"); but I am not sure how to implement this. Any advice is greatly appreciated! Okay, I downloaded a PHP Script called RadiPanel which is a User System type thing and uploaded and installed it to my website. Now The problem with RadiPanel is, I have to add users/members to it as there is no registration process. So within the Admin page on RadiPanel I have taken the script out, now when I try view it as a "non logged in" user it just shows a white blank page, I was wondering if anyone here could determine just from the code below what I have to take out/delete in order for the public to view the page fully? Thanks guys Code: [Select] <?php if( !preg_match( "/index.php/i", $_SERVER['PHP_SELF'] ) ) { die(); } if( $_GET['id'] ) { $id = $core->clean( $_GET['id'] ); $query = $db->query( "SELECT * FROM users WHERE id = '{$id}'" ); $data = $db->assoc( $query ); $data['ugroups'] = explode( ",", $data['usergroups'] ); $editid = $data['id']; } ?> <form action="" method="post" id="addUser"> </div> <?php if( $_POST['submit'] ) { try { $username = $core->clean( $_POST['username'] ); $password = $core->clean( $_POST['password'] ); $email = $core->clean( $_POST['email'] ); $habbo = $core->clean( $_POST['habbo'] ); $dgroup = $core->clean( $_POST['dgroup'] ); $query = $db->query( "SELECT * FROM usergroups" ); while( $array = $db->assoc( $query ) ) { if( $_POST['ugroup-' . $array['id']] ) { $ugroups .= $array['id'] . ","; } } $password_enc = $core->encrypt( $password ); if( !$username or ( !$password and !$editid ) or !$dgroup or !$ugroups ) { throw new Exception( "All fields are required." ); } else { if( $editid ) { if( $password ) { $password = ", password = '{$password_enc}'"; } else { unset( $password ); } $db->query( "UPDATE users SET username = '{$username}'{$password}, email = '{$email}', habbo = '{$habbo}', displaygroup = '{$dgroup}', usergroups = '{$ugroups}' WHERE id = '{$editid}'" ); } else { $db->query( "INSERT INTO users VALUES (NULL, '{$username}', '{$password_enc}', '{$email}', '{$habbo}', '{$dgroup}', '{$ugroups}');" ); } echo "<div class=\"square good\">"; echo "<strong>Success</strong>"; echo "<br />"; echo "User added!"; echo "</div>"; } } catch( Exception $e ) { echo "<div class=\"square bad\">"; echo "<strong>Error</strong>"; echo "<br />"; echo $e->getMessage(); echo "</div>"; } } ?> <table width="100%" cellpadding="3" cellspacing="0"> <?php $query = $db->query( "SELECT * FROM usergroups" ); while( $array = $db->assoc( $query ) ) { if( in_array( $array['id'], $data['ugroups'] ) ) { $groups[$array['id'] . '_active'] = $array['name']; } else { $groups[$array['id']] = $array['name']; } if( $array['id'] == $data['displaygroup'] ) { $dgroups[$array['id'] . '_active'] = $array['name']; } else { $dgroups[$array['id']] = $array['name']; } } echo $core->buildField( "text", "required", "username", "Username", "The new username.", $data['username'] ); echo $core->buildField( "password", "<?php if( !$editid ) { ?>required<?php } ?>", "password", "Password", "The new password." ); echo $core->buildField( "text", "", "email", "Email", "The new email (optional).", $data['email'] ); echo $core->buildField( "text", "", "habbo", "Habbo name", "The new Habbo name (optional).", $data['habbo'] ); echo $core->buildField( "select", "required", "dgroup", "Display group", "The user's display group.", $dgroups ); echo $core->buildField( "checkbox", "required", "ugroup", "Active usergroups", "The user's active groups.", $groups ); ?> </table> </div> <div class="box" align="right"> <input class="button" type="submit" name="submit" value="Submit" /> </div> </form> <?php echo $core->buildFormJS('addUser'); ?> Hi there, There's something wrong with this register form, it's submitting without validation. Code: [Select] <?php require_once('./includes/connectvars.php'); // Connect to the database $dbc = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME); if (isset($_POST['submit'])) { // Grab the profile data from the POST $username = mysqli_real_escape_string($dbc, trim($_POST['username'])); $password1 = mysqli_real_escape_string($dbc, trim($_POST['password1'])); $password2 = mysqli_real_escape_string($dbc, trim($_POST['password2'])); $firstname = mysqli_real_escape_string($dbc, trim($_POST['first_name'])); $lastname = mysqli_real_escape_string($dbc, trim($_POST['last_name'])); if (!empty($username) && !empty($password1) && !empty($password2) && ($password1 == $password2) && !empty($firstname) && !empty($lastname)) { // Make sure someone isn't already registered using this username $query = "SELECT * FROM users WHERE username = '$username'"; $data = mysqli_query($dbc, $query); if (mysqli_num_rows($data) == 0) { // The username is unique, so insert the data into the database $query = "INSERT INTO users (username, password, join_date, first_name, last_name) VALUES ('$username', SHA('$password1'), NOW(), '$firstname', '$lastname')"; mysqli_query($dbc, $query); // Confirm success with the user echo '<p>Your new account has been successfully created. You\'re now ready to <a href="login.php">log in</a>.</p>'; mysqli_close($dbc); exit(); } else { // An account already exists for this username, so display an error message echo '<p class="error">An account already exists for this username. Please use a different address.</p>'; $username = ""; } } else { echo '<p class="error">You must enter all of the sign-up data, including the desired password twice.</p>'; } } mysqli_close($dbc); ?> <p>Please enter your username and desired password to sign up to Mismatch.</p> <form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>"> <legend>Registration Info</legend> <label for="username">Username:</label> <input type="text" id="username" name="username" value="<?php if (!empty($username)) echo $username; ?>" /><br /> <label for="password1">Password:</label> <input type="password" id="password1" name="password1" /><br /> <label for="password2">Password (retype):</label> <input type="password" id="password2" name="password2" /><br /> <label for="first_name">first name:</label> <input type="text" id="first_name" name="first_name" /><br /> <label for="last_name">last name:</label> <input type="text" id="last_name" name="last_name" /><br /> <input type="submit" value="Sign Up" name="submit" /> </form> </body> </html> I've had this problem for a while now and can't figure it out, any suggestions are appreciated. Thank you. |
|||||||