PHP - Better Password Protected Pages / Login Form .. ??

Hi, I have the following code:

Code: [Select]
<?php

$cmd = $_GET['cmd'];

if($cmd=="") { $cmd = "adminlogin";}

// This creates the header for each of the installation pages


switch($cmd)
{

// This is the installation agreement page

case "adminlogin":
print <<<LOGIN

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Member Site Maker 1.0</title>
<link rel="stylesheet" href="style.css" type="text/css" />
</head>
<body>
<div id="head" align="center">
  <h1 id="siteName">Member Site Maker </h1>
  <br />
<table align="center" border="0" bgcolor="#CCCCCC">
<tr>
<td align="center"><span class=style1><b>ADMIN LOGIN</b></span></td>
</tr>
<tr>
<td>
<form action=admin.php?cmd=manage method=POST>
Password: <input type=text name=password1>
</td>
</tr>
<tr>
<td>
<input type=submit name=submit value=Submit>
</td>
</tr>
</table>
</form>

LOGIN;

break;


// Managing Users

case "manage":

include_once("header.html");

include_once("data/password.php");

$password1 = $_POST['password1'];
$password2 = base64_decode($password);

if ($password1 != $password2) {

print <<<BADLOGIN

<table width=953 border=1 align=center bgcolor=#00CCFF>
  <tr>
    <td><span class=style1><b><center>Failed Login</center></b></span></td>
  </tr>
  <tr>
    <td><span class=style2>Your passwords do not match. Please go back and correct this error</td>
</tr>
</table>

BADLOGIN;

} else {

echo <<<MANAGE

<!--end navBar2 div -->
<div id="navBar2">

<div id="sectionLinks">
  <ul>
      <li><a href="admin.php?cmd=manage&password1=$password1">Manage</a></li>
      <li><a href="admin.php?cmd=dashboard&password1=$password1">Dashboard</a></li>
      <li><a href="admin.php?cmd=approval&password1=$password1">Approval</a></li>
      <li><a href="admin.php?cmd=msgcentre&password1=$password1">Message Center</a></li>
      <li><a href="admin.php?cmd=logins&password1=$password1">Logins</a></li>
    </ul>
</div>
</div>
<!--end navBar2 div -->
<div id="content">
  <div class="story">
    <table width="100%" border="0">
      <tr>
        <td bgcolor="#99FF66"><div align="center"><span class="style3">Login</span></div></td>
        <td bgcolor="#99FF66"><div align="center"><span class="style3">Name</span></div></td>
        <td bgcolor="#99FF66"><div align="center"><span class="style3">Last Visited </span></div></td>
        <td bgcolor="#99FF66"><div align="center"><span class="style3">Registration Date </span></div></td>
        <td bgcolor="#99FF66"><div align="center"><span class="style3">Reset Password </span></div></td>
        <td bgcolor="#99FF66"><div align="center"><span class="style3">Delete</span></div></td>
      </tr>
      <tr>
        <td>&nbsp;</td>
        <td>&nbsp;</td>
        <td>&nbsp;</td>
        <td>&nbsp;</td>
        <td>&nbsp;</td>
        <td>&nbsp;</td>
      </tr>
    </table>
    <h3>&nbsp;</h3>
  </div>
  
</div>
<!--end content -->

MANAGE;

}
break;

case "dashboard":


break;

case "approval":


break;
This works fine for when viewing the admin.php, I am asked for a password and then it compares the password against the encoded password before displaying the manage page.

However this does not stop someone typing http://www.mysite.com/folder/admin.php?cmd=dashboard

If they do that, it skips the password form and password check, and they can then go ahead and do whatever in the admin.php file.

How can I prevent this, so that a password check is automatically done before allowing somebody to view the page? I have tried adding the code I used in the manage section, but it doesnt work again.

Any help will be greatly appreciated, I been trying to work it out all day and run out of ideas.

Many Thanks

I have a register page that MD5 Hash's the users password and a login which also does this. However, no matter what I try it always says incorrect password. Even when I remove the MD5.


Register Code:

Code: [Select]
<?php

error_reporting (E_ALL ^ E_NOTICE);

?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Member System - Register</title>
</head>
<body>
<?php


if ( $_POST['registerbtn'] ){
$getuser = $_POST['user'];
$getemail = $_POST['email'];
$getpass = $_POST['pass'];
$getretypepass = $_POST['retypepass'];

if ($getuser){
if ($getemail){
if ($getpass){
if ($getretypepass){
if ( $getpass === $getretypepass ){
if ( (strlen($getemail) >= 7) && (strstr($getemail, "@")) && (strstr($getemail, ".")) ){
require("./connect.php");

$query = mysql_query("SELECT * FROM users WHERE username='$getuser'");
$numrows = mysql_num_rows($query);
if ($numrows == 0){
$query = mysql_query("SELECT * FROM users WHERE email='$getemail'");
$numrows = mysql_num_rows($query);
if ($numrows == 0){


$password = md5(md5("kjfiufj".$password."Fj56fj"));
$date = date("F d, Y");
$code = md5(rand());

mysql_query("INSERT INTO users VALUES (
'', '$getuser', '$password', '$getemail', '0', '$code', '$date'
)");

$query = mysql_query("SELECT * FROM users WHERE username='$getuser'");
$numrows = mysql_num_rows($query);
if ($numrows == 1){

$site = "http://c3221281.web44.net/";
$webmaster = "Simon <admin@simon.com>";
$headers = "From: $webmaster";
$subject = "Activate Your Account";
$message = "Thanks for registering. Click the link below to activate your account.\n";
$message .= "$site/activate.php?user=$getuser&code=$code\n";
$message .= "You must activate your account to login.";

if ( mail($getemail, $subject, $message, $headers) ){
$errormsg = "You have been registered. You must activate your account from the activation link sent to <b>$getemail</b>.";
$getuser = "";
$getemail = "";
}
else
$errormsg = "An error has occueed. Your activation email was not sent.";

}
else
$errormsg = "An error has occured. Your account was not created.";

}
else
$errormsg = "There is already a user with that email.";
}
else
$errormsg = "There is already a user with that username.";

mysql_close();
}
else
$errormsg = "You must enter a valid email address to register.";
}
else
$errormsg = "Your passwords did not match.";
}
else
$errormsg = "You must retype your password to register.";
}
else
$errormsg = "You must enter your password to register.";
}
else
$errrosmg = "You must enter your email to register.";
}
else
$errormsg = "You must enter your username to register.";
}


$form = "<form action='./register.php' method='post'>
<table>
<tr>
<td></td>
<td><font color='red'>$errormsg</font></td>
</tr>
<tr>
<td>Username:</td>
<td><input type='text' name='user' value='$getuser' /></td>
</tr>
<tr>
<td>Email:</td>
<td><input type='text' name='email' value='$getemail' /></td>
</tr>
<tr>
<td>Password:</td>
<td><input type='password' name='pass' value='' /></td>
</tr>
<tr>
<td>Retype:</td>
<td><input type='password' name='retypepass' value='' /></td>
</tr>
<tr>
<td></td>
<td><input type='submit' name='registerbtn' value='Register' /></td>
</tr>
</table>
</form>";

echo $form;

?>
</body>
</html>





Login Code:

Code: [Select]

<?php
error_reporting (E_ALL ^ E_NOTICE);
session_start();
$userid = $_SESSION['userid'];
$username = $_SESSION['username'];
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Member System - Login</title>
</head>
<body>
<?php

if ($username && $userid){
echo "You are already logged in as <b>$username</b>. <a href='./member.php'>Click here</a> to go to the member page.";
}
else{
$form = "<form action='./login.php' method='post'>
<table>
<tr>
<td>Username:</td>
<td><input type='text' name='user' /></td>
</tr>
<tr>
<td>Password:</td>
<td><input type='password' name='password' /></td>
</tr>
<tr>
<td></td>
<td><input type='submit' name='loginbtn' value='Login' /></td>
</tr>
<tr>
<td><a href='./register.php'>Register</a></td>
<td><a href='./forgotpass.php'>Forgot your password?</a></td>
</tr>
</table>
</form>";

if ($_POST['loginbtn']){
$user = $_POST['user'];
$password = $_POST['password'];

if ($user){
if ($password){
require("connect.php");

$password = md5(md5("kjfiufj".$password."Fj56fj"));


// make sure login info correct
$query = mysql_query("SELECT * FROM users WHERE username='$user'");
$numrows = mysql_num_rows($query);
if ($numrows == 1){
$row = mysql_fetch_assoc($query);
$dbid = $row['id'];
$dbuser = $row['username'];
$dbpass = $row['password'];
$dbactive = $row['active'];

if ($password == $dbpass){
if ($dbactive == 1){
// set session info
$_SESSION['userid'] = $dbid;
$_SESSION['username'] = $dbuser;

echo "You have been logged in as <b>$dbuser</b>. <a href='./member.php'>Click here</a> to go to the member page.";

}
else
echo "You must activate your account to login. $form";
}
else
echo "You did not enter the correct password. $form";
}
else
echo "The username you entered was not found. $form";

mysql_close();
}
else
echo "You must enter your password. $form";
}
else
echo "You must enter your username. $form";
}
else
echo $form;
}
?>
</body>
</html>





Many thanks for your time and help,

Hi all,  I have been reading in almost everywhere that we should not use our own custom login and password validations ( like regex etc.) but instead use the filter_var and filter_input built in functions provided by PHP 5 and above. However even after searching for more than an hour for with different search strings, I have not found even a single example that shows how we may validate for a username/login and password in a login form. Can someone be kind enough to provide a strong secure validations for username and login. Additionally I would also like to clarify if the username and login fields in a Login form be manipulated in any manner to pose a security threat? I mean can a hacker craft a username/login or password in such a manner as to pose an injection or any other threat? Thanks all.

Hi.

I have made a login script, but I would wan't to encrypt the password.
I followed a tutorial and got this:
login.php
<?php
$password = "secret";

echo $password;
/* displays secret */

$password = sha1($password);

echo $password; 
/* displays e5e9fa1ba31ecd1ae84f75caaa474f3a663f05f4 */
?>
<form action="validate.php" method="post">
  <label for="username">Username</label>
  <input type="text" name="username" id="username" />
  <br />
  <label for="password">Password</label>
  <input type="password" name="password" id="password" />
  <br />
  <input type="submit" name="submit" value="Submit" />
</form>
<?php
?>

validate.php

<?php
include "setup.php";

/* get the incoming ID and password hash */
$username=$_POST['username'];
$password=$_POST['password']; 
$password=md5($password); // Encrypted Password

/* establish a connection with the database */
$server = mysql_connect("$db_host", "$db_username","$db_password");
if (!$server) die(mysql_error());
mysql_select_db("$database");

  
/* SQL statement to query the database */
$query = "SELECT * FROM users WHERE Username = '$username' AND Password = '$password'";

/* query the database */
$result = mysql_query($query);

/* Allow access if a matching record was found, else deny access. */
if (mysql_fetch_row($result))
  echo "Access Granted: Welcome, $username!";
else
  echo "Access Denied: Invalid Credentials.";

mysql_close($server);  
?>

Its the line $password=md5($password); // Encrypted Password
that messes everything up.
If I delete it and login, everything is fine, if I add it it says Code: [Select]
Access Denied: Invalid Credentials
I need help with this one!
And if someone have time, give me some ideas how to make PHP scripts safer!

Regards
Worqy

(Main Objective)
I need this login class to encrypt the password before it sends it to the database for login verification.

(Alternative Solution)
Force a login with just the username and captcha no password..


This is the original working script..

<?
session_start();
include "config.php";
global $c;
include "data.php";
global $config;
require('funciones.php');
if ($_POST['username']) {


session_start(); 
if($_POST['code']!=$_SESSION['string']){ 
header("Location: login.php?error=1");
}


//Comprobacion del envio del nombre de usuario y password

$username=uc($_POST['username']);
$password=uc($_POST['password']);

if ($password==NULL) {
header("Location: login.php?error=2");
}else{


$query = mysql_query("SELECT username,password FROM tb_users WHERE username = '$username'") or die(mysql_error());
if(mysql_num_rows($query) == 0)
{
header("Location: login.php?error=3");
} else {
$data = mysql_fetch_array($query);
if($data['password'] != $password) {
header("Location: login.php?error=4");
}else{
$query = mysql_query("SELECT username,password FROM tb_users WHERE username = '$username'") or die(mysql_error());
$row = mysql_fetch_array($query);

$nicke=$row['username'];
$passe=$row['password'];

//90 day  cookie
setcookie("usNick",$nicke,time()+7776000);
setcookie("usPass",$passe,time()+7776000);


$lastlogdate=time();
$lastip = getRealIP();

$querybt = "UPDATE tb_users SET lastlogdate='$lastlogdate', lastiplog='$lastip' WHERE username='$nicke'";
mysql_query($querybt) or die(mysql_error());

header("Location: members.php");
// echo "Has sido logueado correctamente ".$_SESSION['s_username']." y puedes acceder al index.php.";
// echo "<script>location.href='index.php';</script>";
?>

<META HTTP-EQUIV="REFRESH" CONTENT="0;URL=members.php">

<?
}
}
}
}
?>

<div class="heading">Login</div><br />
<?
if($_GET['error'] == 1)
{
print "<b>Error</b> - Wrong Captcha Code<br /><br/>";
}
if($_GET['error'] == 2)
{
print "<b>Error</b> - Please supply a password<br /><br/>";
}
if($_GET['error'] == 3)
{
print "<b>Error</b> - Invalid Username<br><br>";
}
if($_GET['error'] == 4)
{
print "<b>Error</b> - Invalid Password<br /><br />";
}
?>

<form action="login.php" method="post">
    <table>
        <tr>
            <td class="midtext">Username:</td>
            <td>
            <input type="text" name="username" size="25" class="form" autocomplete="off"></td>
        </tr>
        <tr>
            <td class="midtext">Password:</td>
            <td>
            <input type="password" name="password" size="25" class="form" autocomplete="off"></td>
        </tr>
        <tr>
            <td class="midtext" valign="top">Security Code:</td>
            <td class="midtext">
            <img src="image.php" onclick="this.src='image.php?newtime=' + (new Date()).getTime();">(Click 
            to reload)<br />
            <input type="text" name="code" size="17" maxlength="17" autocomplete="off" class="form"></td>
        </tr>
        <tr>
            <td></td>
            <td align="right">
            <input type="submit" value="Login" name="loginsubmit" class="form"></td>
        </tr>
    </table>
</form>


Let me know if you need any files...

Hi guys I have a script which i've been playing around with thanks to Spiderwell: http://www.phpfreaks.com/forums/index.php?action=profile;u=35078

I have sort of merged it with another 'member managment' script which is working great.

Now i can't seem to correctly create a login page to pass the hashed password using (sha1).

Now all i want to do is verify the username and the (hashed) password according to the database and allow the user in. The script i am using to check login works fine without a hashed password in the database. But ideally i'd like to use a hashed form of password.

Can somebody show me what change i need to make in this script below in order to pass a sha1 hashed password? I'm guessing it's a really small change from the examples i've seen online, but i just cant seem to get mine to work. :|

Your help would be much appreciated.

Login Page PHP:

Code: [Select]
<form name="login" method="post" action="check_login.php3">
<p><strong>Secured Area User Log-in</strong></p>
<p>Username: <input name="bioname" type="text" id="bioname"></p>
<p>Password: <input name="biopass" type="password" id="biopass"></p>
<p> </p>
<p><input type="submit" name="Submit" value="Login"></p>
</form>

Check Login Processor (which is the file i that needs the sha1 added somewhere i think)

Code: [Select]
<?php
require_once('config.php3');

// Connect to the server and select the database.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db")or die("Unable to select database");


//
$loginusername = false;
$loginpassword = false;


$err = false; // default error message is empty

// The username and password sent from login.php
//the isset() basically means if its there get it, otherwise dont bother

if (isset($_POST['bioname'])) $loginusername=$_POST['bioname'];
if (isset($_POST['biopass']))$loginpassword=$_POST['biopass'];

// if either isnt filled in, tell the user, a very basic bit of validation

if (!$loginusername || !$loginpassword) $err = "please complete the form";
if (!$err) //if no error continue

{
//The following bit of coding protects from MySQL injection attacks

$loginusername = stripslashes($loginusername);
$loginpassword = stripslashes($loginpassword);
$loginusername = mysql_real_escape_string($loginusername);
$loginpassword = mysql_real_escape_string($loginpassword);

//you could add other things like check for text only blah blah

$sql="SELECT * FROM $tbl WHERE bioname='$loginusername' and biopass='$loginpassword'";

$result=mysql_query($sql);
// Count how many results were pulled from the table
$count=mysql_num_rows($result);

// If the result equals 1, continue
if($count==1)
{
session_start();
$_SESSION['user'] = $loginusername; // store session data
//please see I have used a session variable that is generic not specific, otherwise you will have to make this page different for every user
//that would be a pain in the ass, you don't need to have user1 or user2, its the value stored that relevant, not what the variable name is
header("Location: {$loginusername}/index.php3");

}
else 
{
$err = "Wrong Username or Password";
}
}// end login if statement

if ($err) // show error message if there is one
{
echo $err;
echo "<br>Please go back in your browser and try again";
}
?>


The secure page:

Code: [Select]
<?php
session_start(); 

$mypath = $_SERVER["REQUEST_URI"];
//echo $mypath; // for debugging
//now we have the path lets see if the username is in that path, i.e. test2 is inside /something/test2/index.php 
//use the built in strpos() function, which returns position of the last occurance of the string you are looking for inside another string.
//http://php.net/manual/en/function.strrpos.php

if(strpos($mypath,"/".$_SESSION['user']."/"))//on testing it failed initially as username test is found in path /test2/ so i added the slashes to stop that. so /test/ doesnt get found in /test2/
{
echo "congratulations you are the right person in the right place";
}
else
{
 session_destroy(); //kill the session, naughty person trying to come here
 header("Location: ../login.php3");
 die();// stop page executing any further
}

?>

<html>
<body>


</body>
</html>

Thanks and i look forward to your replies.

Alright, I've been assigned a project at work. I did not develop the application and the individual who did used CodeIgnited framework and mysql as the db.   Here's the problem, I'm not given much OT to do this and in our meeting the best way to proceed was to replicate the database for different parts of the organization. Basically we are a subsidiary and have been using an application that other groups within the organization want to use. Usually I would reconfigure the db schema and add org ids and in the user table add the appropriate organization to go to. However, they are not giving me enough time to do that.   So what I'm thinking is to just create a copy of the database we use (just the structure) and create a new database.   What I want to know is how to use mysql to check to see if a user exists in one database and if they don't then to go on to the next database. I understand this is a very sloppy way to do it, but it's the way we are moving forward.   I found the code to connect to the db in CodeIgnitor... how can I connect to a database, check to see if the user exists, then close that db connection and try the next database?  

    /**
     * Select the database
     *
     * @access    private called by the base class
     * @return    resource
     */
    function db_select()
    {
        return @mysql_select_db($this->database, $this->conn_id);
    }

  Thanks in advance.

Hi! I have read like crazy to find a tutorial on a login page without My_SQL. Anyway I am working on a easy login/logged out page with sessions. Here is the login page with tree users in an array. The things that I need some hints to solve is, when clicking on login the error message don't show. Instead the script goes to the logged in page right away. And when you write the wrong password you get loged in anyway.   I am not sure how or if it's possible to write a varible to a file this way. But I tried and recived a parse error with the txt varible.   When searching for topics I get more confused with the My_SQL varibles. I am near a breaking point at cracking the first step on PHP, but need some advice.

<?php 
$page_title = 'Logged in'; //Dynamic title 
include('C:/wamp/www/PHP/includes/header.html');
?> 
<?php
session_start();
//A array for the sites users with passwords
$users = array(
                'Dexter'=>'meow1',
                'Garfield'=>'meow2',
		'Miro'=>'meow3'
                );

//A handle to save the varible users to file on a new line from the last entry				
$handle = fopen("newusers.txt, \n\r")
$txt = $users;
fclose($handle);


if(isset($_GET['logout'])) {
    $_SESSION['username'] = '';
    header('Location:  ' . $_SERVER['PHP_SELF']);
}

if(isset($_POST['username'])) {
    if($users[$_POST['username']] == $_POST['password']) { 
        $_SESSION['username'] = $_POST['username'];
    }else {
        echo "Something went wrong, Please try again";
    }
}
?>

<?php 
echo "<h3>Login</h3>";
echo "<br />";
?>
<!--A legend form to login-->
		<fieldset><legend>Fill in your username and password</legend>
        <form name="login" action="777log.php" method="post">
            Username: <br /> 
			<input type="text" name="username" value="" /><br />
            Password: <br /> 
			<input type="password" name="password" value="" /><br />
			<br />
            <input type="submit" name="submit" value="Login" />
	</fieldset>
	</form> 

<?php //Footer include file 
include('C:/wamp/www/PHP/includes/footer.html');
?>

The logged in page

<?php //Header
$page_title = 'Reading a file'; 
include('C:/wamp/www/PHP/includes/header.html');
?> 

<?php 
	session_start();
	//Use an array forthe sites users  
$users = array(
                'Dexter'=>'meow1',
                'Garfield'=>'meow2',
		'Miro'=>'meow3'
                );
//
if(isset($_GET['logout'])) {
    $_SESSION['username'] = '';
	echo "You are now loged out";
	//The user is loged out and returned to the login page
    header('Location:  ' . $_SERVER['PHP_SELF']); 
}

if(isset($_POST['username'])) {
	//Something goes wrong here when login without any boxes filled
    if($users[$_POST['username']] == $_POST['password']) { 
        $_SESSION['username'] = $_POST['username'];
    }else {
        echo "Something went wrong, Please try again";
		$redirect = "Location: 777.php";
    }
}
?>
        <?php if($_SESSION['username']): ?>
            <p><h2>Welcome <?=$_SESSION['username']?></h2></p> 
			<p align="right"><a href="777.php">Logga ut</a></p><?php endif; ?>
			<p>Today Ben&Jerrys Chunky Monkey is my favorite!</p>	

<?php //Footer
include('C:/wamp/www/PHP/includes/footer.html');
?>

Hello Everyone,

I recent made a simple membership website. Every page I created works exactly how I envisioned it...
All members data from my registration form goes into my database along with their md5 Encrypted passwords with a time-stamp.
Subsequent pages have a start_session included.

I am very please with it except ONE THING. Logging in is now a problem... username is recognized but NOT the password.

Now the strange thing is that when I go into the database and copy the encrypted password and paste
it into the password field in my login page, I miraculously get into my website with NO problem.

" How do I get the registered members Encrypted Passwords to be recognized by the database when
the  registered members decide to logging in with the password that they create? "

Is there a easy fix for this?

I appreciate ALL your help...


thanks
mrjap1

Hi, I don't know why it outputs" You are now registered BUT the user name and password don't show up in the database! I want to encrypt the passwords so maybe that is problem, I don't know, please read scripts below.

here is register.php:
==============
Code: [Select]
<html>
<head></head>
<body>
<form method="post" action="" >
<p>Create a username
<input type="text" name="newUsername"/>
</p>
<p>Create a password
<input type="password" name= "newPassword" />
</p>
<p>
<input type="submit" value="Make account now" name="makeAccountSubmit" />
</p>
</form>

<?php

if(array_key_exists("makeAccountSubmit",$_POST) && !empty($_POST["newUsername"]) && !empty($_POST["newPassword"]) ) {

//IF username doesn't exist, then store new user login info to db dummydpevx
mysql_connect("localhost","root");
mysql_select_db("someDB");
$newUserName=$_POST["newUsername"];
$newPassword=crypt($_POST["newPassword"]);

$usernameQuery=mysql_query("SELECT userName FROM users WHERE userName='$newUserName'");
if(mysql_num_rows($usernameQuery)==0) {
$makeNewAccountQuery=mysql_query("INSERT INTO users userName,userPassword VALUES('$newUserName','$newPassword')");
print "You are now registered, <a href='login.php'>proceed to login</a>";
}
if(mysql_num_rows($usernameQuery)==1)
print "Username taken. Please make another one. <br />";
}

here is login.php:
============
Code: [Select]
<html>
<head></head>
<body>
<form method="post" action="">
<label>Username:</label>
<input type="text" name="username" />
<br />
<label>Password:</label>
<input type="password" name="password" />
<p>
<input type="submit" value="Login" name="Login" />
<input type="reset" value="Reset" name="Reset" />
</p>

</form>
<?php
if(array_key_exists("Login",$_POST) && !empty($_POST["username"]) && !empty($_POST["password"])) {
$attemptedUsername=$_POST["username"];
$attemptedPassword=$_POST["password"];

mysql_connect("localhost","root");
mysql_select_db("someDB");

$getLoginInfoQuery=mysql_query("SELECT userName,userPassword FROM users WHERE userName=$attemptedUsername AND userPassword=$attemptedPassword");
$getLoginInfo=mysql_fetch_assoc($getLoginInfoQuery);
$getUsername=$getLoginInfo["userName"];
$getPassword=crypt($getLoginInfo["userPassword"]);

if(crypt($attemptedPassword,$getPassword)==$getPassword) {
session_start();//NB: Start session BEFORE doing any session stuff!
$_SESSION["isAuthenticated"]="userAuthenticated";
header("Location: xmlShredderIndex.php");
exit;
}
else
print "Please register!";
}

Also, if any has time, please see my other post, it is straightforward instructions to see if you get same error as me, thanks.
http://www.phpfreaks.com/forums/index.php?topic=347639.msg1640652#msg1640652

Any help much appreciated!

Hi,

Having completed a site migration this am everything went well aside from issues with logging into and out of our site where two files are used and appear as white pages.

When logging into our site, proc_login.php is used and when logging out proc_logout.php is used.

Both processes result in a white "blank" page instead of the php files forwarding on.

I've no idea about php generally and have been trying my best to find useful and similar information online to attempt to resolve the problem.  I am now stuck.

The site works perfectly on my local web server, and what is really baffling me is the site also works perfectly on Domain B on the exact same server I'm trying to get the site running under as Domain A.  In other words as both Domain A & B are configured on the same host server I'm thinking all the inherited php/apache/mysql settings should be identical (or pretty much thereabouts) and therefore am more confused than ever! 

I simply don't know where to start therefore in resolving this problem.  I've tried looking in the error log file and have also played around with turning on error enabling on those specific php files to try and follow any errors, however the "errors" generated are no different than the ones present on sites where the login/logout process works just fine.

I've hopefully attached both files and if anyone could assist in helping me narrow down my search for a solution I'd be very appreciative.

Thanks.

hi

i need help an idea how can i separate members from admins
since i dont know how to create login form i used tutorial ( http://www.youtube.com/watch?v=4oSCuEtxRK8 )   (its session login form only that i made it work other tutorials wre too old or something)
how what i want to do is separate members and admins because admin need more rights to do
now i have idea but dont know will it work like that
what i want to do is create additional row in table named it flag and create 0 (inactive user) 1 (member) 2 (admin) will that work?
and how can i create different navigation bars for users and admins? do you recommend that i use different folders to create it or just script based on session and flag?

Hello,

I'm working on a register script, and basically I would like the user to repeat their password. And I would like PHP to compare the to passwords, and if they both match then it continues, whereas if they don't match it calls an error. Here is what I have so far:

Form:
Consists  of 2 text fields - subpass, and subconfirmpass

PHP:
$field = "subpass";
  if(!$subpass == $subconfirmpass){
  $form->setError($field, "* Passwords do not match");
  }

$field is referring to the text fields in where the user inputs their password
$form is keeping track of errors in user submitted forms and the form field values that were entered correctly.

I would appreciate your help,

Thanks 

Hello,

My user login script saves their passwords into my SQL in a md5 encryption.

I am currently working on a 'forgot password' that sends the password to their email.

The code that pulls out the password is this:

 echo $req_user_info['pass'];

Now is there a way to decrypt the 'pass' (currently nothing is displayed - not even the encryption code)

Please help - Ollie