0

I'm new to PHP. As a newbie, I started my first project. I made a login system for my webapp. But there's a problem. When I try to access the index or main page, it asks for login, but when I try to access some other page, it doesn't ask me for login.

How can I manage the same restriction for all pages? My login code is here.

<?
$connection=mysql_connect("localhost","admin","");
if(!$connection)
{
    die("Database Connection Failed: " . mysql_error());
}
//Select a database to use
$db=mysql_select_db('vss',$connection);
if(!$db)
{
    die("Database Selection Failed: " . mysql_error());
}
$username=$_POST['username'];
$password=$_POST['password'];
//
$username = stripslashes($username);
$password = stripslashes($password);
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);
//
$query="SELECT *FROM user where username='$username'AND password='$password'";
$result=mysql_query($query);
$count=mysql_num_rows($result);
// If result matched $username and $password,table row must be 1 row
if($count==1){
// Register $username, $password and redirect to file "example.php"
session_register("username");
session_register("password");
header("location:http://localhost/vss/main.php");
}
else {
echo "Wrong Username or Password";
}
?>

I just added: $userok=$count; after the line $count==1. Then I added Call.php -> <?php if($userok!=1); { header("location:localhost/vss/logindo.php"); } ?> I added include(call.php) at the top of restricted pages. But when I click the button, every time it asks for login. How can I keep the user logged in until he presses "logout"?

2
  • Beware SQL Injection: php.net/manual/en/security.database.sql-injection.php Commented Jul 17, 2011 at 9:39
  • Another tip: Don't use only the count to validate if the user is valid. Use: if ($username == mysql_result($result, 0, 'username')) Commented Jul 17, 2011 at 9:49

3 Answers

1

I won't discuss the security of this since you are learning. What you could do is the following: 1) below the line if($count==1) add something like $userok=1; and on the else part add $userok=0; 2) rename the above .php to something like init.php, 3) on the top of all the other pages do something like:

   include ('init.php');
   if (!($userok==1)) { 
      echo "Please do not call this directly, login first";
      exit;
   }

You could replace the echo "please login" with a header("Location: http://...") redirecting to your login page.


2 Comments

I just added: $userok=$count; after the line $count==1. Then I added Call.php -> <?php if($userok!=1); { header("location:localhost/vss/logindo.php"); } ?> I added include(call.php) at the top of restricted pages. But when I click the button, every time it asks for login. How can I keep the user logged in until he presses "logout"?
You must use sessions and store the $userok in a cookie. After successful authentication, set a cookie with setcookie(), and then on each page check the cookie with the $_COOKIE['mycookie'] variable. To prevent the cookie from expiring while the user is using the page, re-set the cookie each time.
0

Note the important words of marto. Please make sure your SQL is safe. I see you are already using mysql_real_escape_string; also look at prepared statements.

Also, as session_register is DEPRECATED as of PHP 5.3.0, use just $_SESSION["username"], and it is not really necessary to put the password in the session.

Once you have the values in the session you can check them at the top of every page (use an include for this). Although I would advise against using any specific data in the session; just consider setting something like logged_in as a session var.

e.g.

session_start(); // needed before $_SESSION can be read
if(empty($_SESSION["username"]))
{
  //redirect to login
}
else
{
  // user is logged in, show the page
}


0

A typical approach would be to check on all pages whether the username session is set. You can easily achieve it, for example, with the front controller pattern. If it's not, you redirect the user to the login page.

Furthermore, I see you aren't hashing user passwords. It's not a very secure approach. You should have a look at how to deal with passwords in PHP. Also, registering the password in the session is pretty useless and potentially insecure.

And as @marto mentioned in a comment, you should be aware of SQL injection possibilities in your script. It's not that hard to prevent it.
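
The points raised in the answers above (check a session flag at the top of every page, use prepared statements, hash passwords, keep the password out of the session), combined into one include file as an added example; this is not code from the question or from any of the answers. The file name auth.php and the function names are hypothetical, and it assumes PHP 7.3+ with PDO and that the password column of the user table holds password_hash() output.

```php
<?php
// auth.php (hypothetical name). On every restricted page, before any output:
//     require 'auth.php'; require_login();
declare(strict_types=1);

function start_secure_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        // Session cookie is not readable from JavaScript.
        session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
        session_start();
    }
}

// Check credentials against the `user` table; returns true on success.
// Assumption: user.password stores a password_hash() value, not plain text.
function attempt_login(PDO $db, string $username, string $password): bool
{
    start_secure_session();
    // Bound parameter instead of string interpolation: no SQL injection.
    $stmt = $db->prepare('SELECT username, password FROM user WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || !password_verify($password, $row['password'])) {
        return false;
    }
    session_regenerate_id(true);        // fresh session id after login
    $_SESSION['logged_in'] = true;      // a flag only; never the password
    $_SESSION['username']  = $row['username'];
    return true;
}

// Guard for restricted pages: redirects anyone without the session flag.
function require_login(string $loginUrl = '/vss/logindo.php'): void
{
    start_secure_session();
    if (empty($_SESSION['logged_in'])) {
        header('Location: ' . $loginUrl);
        exit;                           // stop the page from rendering
    }
}

// Logout: the user stays logged in until this is called.
function logout(): void
{
    start_secure_session();
    $_SESSION = [];
    session_destroy();
}
```

The login flag lives in server-side session data, so unlike a variable set in an included script or a value stored in a client cookie, it persists across requests and cannot be set by the browser.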
