
OK, I have a login form that works and checks, but I can just put in the URL to go to a specific page inside the website I am designing and get into it without logging in. How can I remedy this? I have gone through many tutorials, and every time I hit the protection script it throws me to the page I want the people not signed in to go to, even if I sign in properly.


Actually it's hard to decipher what you want, although your thread's question is understandable, though too general. Can you please provide snippets of your code, and put what you want to do in bullets? If it's OK with you.


OK, what I am doing is creating an admin area for the website to make a CMS to easily manage the website.

Here is the signin page:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Login</title>
</head>
<body>
<center><h1><font color="#09729f">Rise & Shine<br/>Login</font></h1>
<form action="login.php" method="post" enctype="multipart/form-data">
User Name: <input type="text" name="userName" /><br />
Password: <input type="password" name="password" /><br />
<input type="submit" value="Login" />
</form></center>
</body>
</html>

my login.php:

<?php
require 'connect_to_other_required_pages';

// The session must be started before $_SESSION is written to.
session_start();

$errors = array();

if(empty($_POST) === false)
{
    $username = $_POST['userName'];
    $password = $_POST['password'];

    if(empty($username) === true || empty($password) === true)
    {
        $errors[] = 'please enter a username and password';
    }else if(user_exists($username) === false)
    {
        $errors[] = 'we can\'t find that user, please contact AZ Media Production';
    }else
    {
        $login = login($username, $password);

        if($login == false)
        {
            $errors[] = 'That username and password combination is incorrect';
        }else
        {
            // Remember the user id returned by login() for the protected pages.
            $_SESSION['user_id'] = $login;

            header('Location: editor.php');
            // Stop here; otherwise the rest of the script still runs.
            exit();
        }
    }
    print_r($errors);
}
?>

my protection function, which the tutorial said is supposed to be placed at the top of any page I want protected:

if(login($username, $password) == false)
{
    header('Location: logout.php');
    exit();
}

and finally the login function that the login uses and the protection uses to check and see if the user name and password in $_POST are correct:

function login($username, $password)
{
    $user_id = user_id_from_username($username);
    $username = sanitize($username);
    $password = $password;
    $query = mysql_query("SELECT COUNT(user_id) FROM users WHERE userName = '$username' AND password = '$password'");

    return(mysql_result($query, 0) == 1) ? $user_id : false;
}

however, any time I add in the check at the top of the pages I want to protect I get thrown over to the logout page, whether I am signed in properly or not.
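The query in login() above interpolates the raw password into the SQL string and compares passwords in plaintext. As an added example that is not part of the original post, here is the same check rewritten with a PDO prepared statement and password_verify(). It uses an in-memory SQLite database and a constructed sample user so it runs stand-alone; the real site would pass in its own PDO handle, and the assumption is that the users.password column holds a password_hash() value rather than the plaintext.

```php
<?php
// Added example (not the original poster's code): the login() check done with
// a prepared statement and a hashed password. The in-memory SQLite database
// and the sample user are constructed here so the script runs stand-alone.
// Column names (user_id, userName, password) follow the original query; the
// password column is assumed to hold a password_hash() value, not plaintext.

function make_demo_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, userName TEXT UNIQUE, password TEXT)');
    $stmt = $pdo->prepare('INSERT INTO users (userName, password) VALUES (?, ?)');
    // Constructed sample user; only the hash is stored.
    $stmt->execute(['admin', password_hash('correct horse battery staple', PASSWORD_DEFAULT)]);
    return $pdo;
}

// For comparison only: builds the SQL exactly the way the original login() does.
function vulnerable_sql(string $username, string $password): string
{
    return "SELECT COUNT(user_id) FROM users WHERE userName = '$username' AND password = '$password'";
}

// Hardened: the user name is a bound parameter, so it cannot change the
// query's structure, and the password is never sent to the database at all;
// it is checked against the stored hash. Returns the user id or false.
function login(PDO $pdo, string $username, string $password)
{
    $stmt = $pdo->prepare('SELECT user_id, password FROM users WHERE userName = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;                      // unknown user
    }
    if (!password_verify($password, $row['password'])) {
        return false;                      // wrong password
    }
    return (int) $row['user_id'];
}

$pdo = make_demo_db();

// What the original query turns into when the "password" is a crafted string:
// the OR clause makes COUNT() count every row in the table.
echo vulnerable_sql('admin', "' OR '1'='1"), PHP_EOL;

var_dump(login($pdo, 'admin', 'correct horse battery staple'));   // valid login
var_dump(login($pdo, 'admin', "' OR '1'='1"));                  // crafted string is just a wrong password
var_dump(login($pdo, 'nobody', 'anything'));                     // unknown user
```

The printed string shows the injected WHERE clause: with a single user in the table, COUNT() returns 1 and the original `== 1` check passes with no valid password at all. Against the prepared statement the same input is simply a password that fails password_verify().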


The problem's in the login function: you don't have any DB resource to reference when executing the query.

function login($username, $password)
{
    $user_id = user_id_from_username($username);
    $username = sanitize($username);
    $password = $password;
    // Particularly in this part
    $query = mysql_query("SELECT COUNT(user_id) FROM users WHERE userName = '$username' AND password = '$password'");
    return(mysql_result($query, 0) == 1) ? $user_id : false;
}

What are you talking about? The login works just fine and gets me to the page I want to be in as long as I don't have the protection code at the top, and it blocks me from getting in when I put in the wrong information, as long as I go in from the login page.


Hi,

in your login function, you can try setting the session for that username.

for example,

    if(mysql_num_rows($query) == 1){
        ## this user exists (assumes $query selects the matching row;
        ## a COUNT(...) query always returns exactly one row)
        ## set session for this user
        session_start();
        $_SESSION['thisUser'] = $username;
    }
    else{
        ## do what you want to do on failed login
    }

Your protection function at the top of every page can be as simple as this

    session_start();
    if(!isset($_SESSION['thisUser']) )
    {
        ## this user is not logged in; send them to the login page, or wherever you deem appropriate.
        header("location:login.php");
        die();
    }
    else{
        ## this user is authenticated, at the very least :).
        $user_isLogin = true;
        $user = $_SESSION['thisUser'];
    }

Warning! There are broader topics in web security, validation, and sanitization of data you must take into consideration, before sending this script to production site.

Edited by veedeoo: info added
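The isset() gate veedeoo describes is the right shape, and checking a session value rather than re-running login() also avoids the failure the original protection snippet hits: $username and $password exist only in the request that submitted the form, so on any other page that call compares empty values and always fails. What follows is an added example (not veedeoo's or the original poster's code) of a complete version of the gate as an include file, with the session settings a practitioner would want around it: cookie-only session ids, a regenerated id at login, and an exit() after the redirect. The file name auth.php and the login.php redirect target are assumptions.

```php
<?php
// Added example (not from the original thread): a session gate in the shape
// suggested above, as it would live in an include such as auth.php (the file
// name is an assumption). Every protected page then starts with:
//     require 'auth.php'; require_login();

function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // Accept the session id from the cookie only, never from the URL, and
    // reject ids the server did not issue (strict mode).
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params([
        'httponly' => true,                        // not readable by page scripts
        'secure'   => !empty($_SERVER['HTTPS']),   // HTTPS-only when the site runs over HTTPS
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Call after login() has verified the password; $user_id is the id it returned.
function log_in_user(int $user_id): void
{
    start_secure_session();
    // Issue a fresh id on login so an id planted before login is useless.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $user_id;
    $_SESSION['logged_in_at'] = time();
}

function is_logged_in(): bool
{
    start_secure_session();
    return isset($_SESSION['user_id']) && is_int($_SESSION['user_id']);
}

// Top of every protected page: redirect and stop. Without the exit() the rest
// of the page is still rendered and sent to the unauthenticated client.
function require_login(string $login_page = 'login.php'): void
{
    if (!is_logged_in()) {
        header('Location: ' . $login_page);
        exit();
    }
}

// logout.php: clear the data, expire the cookie, destroy the server-side record.
function log_out(): void
{
    start_secure_session();
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}
```

The exit() after header() is the part most often dropped: header() only adds a response header, so without it the protected page body is still sent and the redirect is no more than a suggestion to a well-behaved browser. Typing the page's URL directly, which is exactly what the question describes, is the case this guards against.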


My login.php sets that up after it checks to make sure that userName and password are correct, and I have tried that code and it still doesn't let me in when I sign in with proper information.


Dude,

Your controlled page does not check for any existing session. You need to validate that the session exists before letting them in.

I hope I am making sense here.


No, it doesn't now; that was a step I tried yesterday and it failed miserably. It still sent me to the logout page. I believe my code was,

if(!($_SESSION[user_id] = $username))
{
    header('Location: logout.php');
    exit();
}

then I tried

 session_start();
    if(!isset($_SESSION['user_id']) )
    {
        header("location:login.php");
    }
    else{
        page code here
    }

and even reversed it, and then I tried entering $_SESSION[$username], which is completely off the wall, I know; I just thought I'd give it a shot.

Edited by GraficRegret


If you're going to run an online store or ecommerce Web site, you should be aware of HTTPS - or HyperText Transfer Protocol with Secure Sockets Layer. HTTPS is a protocol to transfer encrypted data over the Web.

Edited by happygeek: Please stop posting 'fake sig' links in all your replies


Thanks kam, I am aware of HTTPS; however, I am not running either of those. I just needed to secure the web page for a general admin area so that other people don't get in and change my announcements and other information that I don't want changed on the web site.
