help me with protecting pages

virva

Hello!

I'm asking if you have any simple way to protect several php pages. I have a this kind of code (I call it from the pages I need to protect), but something's wrong since it brings me back to this same page again, even though it accepts the user and password. Can you help me? I guess there's something wrong with forms "action" part.

<?php
include_once("functions.php");

// register variable $userid as session variable
session_register("userid");

// if variables $login and $password are set,
// user is trying to log in
if (isset($login) && isset($password)) {

$select = "SELECT tunnus, salasana FROM kayttaja WHERE tunnus='$login' AND salasana='$password'";
$rows = db_get_array($select);

if ($rows[0][0] == $login) {
  $userid = $rows[0][0];
  // Location: header will direct the browser to another URL
  header("Location: $REQUEST_URI");
  // META tag is for browsers that don't understand Location: header
  echo "<META HTTP-EQUIV=Refresh CONTENT=\"0;URL=$REQUEST_URI\">\n";
  // And a normal link for browsers that don't support META Refresh
  echo "<A HREF=\"$REQUEST_URI\">$REQUEST_URI</A>\n";
  exit();
}
// username and password didn't match 
else {
  echo "Authentication failed<BR>";
}

}

<P>Anna käyttäjätunnus ja salasana:</P>
<FORM ACTION="<?php echo $REQUEST_URI ?>" METHOD=post>
<INPUT TYPE=text NAME=tunnus>
<INPUT TYPE=password NAME=salasana>
<INPUT TYPE=submit VALUE="Kirjaudu">
</FORM>

the_Igel

Your code looks strange, especially that $REQUEST_URI all over the place.

Here's what you should do:

in any file that needs protecting you check for session variables. If user isn't logged, then you redirect him to login.php, where is the form. You make this form post to itself (action="login.php" or miss this parameter at all). If login.php is given POSt variables with login & password, then you should check if they are correct and set the session variables. Then provide some links for user to go into your secure pages.

Hope this helps.