Suggestions needed

RevoverDrive

Here are 2 links to the design I will be referring to.

Before login.
http://dynamic4.gamespy.com/~unrealcore/ucore/index.php

After Login.
http://www.planetunreal.com/unrealcore/staff/rev/webs/x_series/member.htm

Its an update to my current site which is all HTML. Needless to say its a pain in the arse to update. As of right now the new design is very simple PHP using includes().

$Header and $body are the 2 main includes. Within the body I have $col1 and col2 which are the navigation colomns and then there is $login for the form and $features for those that are logged in, and finally whatever $variable i decide for the content region. currently its $news is loaded under the banner ad.

Reasons for the massive use of include(). I have several staff members that help maintain/generate content. For the most part they are relatively new to HTML...web design period, so when it comes to updating I usually have to do it. The navigation columns are subject to change at any given time as with any other part of the deign.

The issues I am facing.

I want members to be able to login and stay logged in if they so choose to. And with that, when they visit the site a cookie is read and includes the right $variable. Ex. $login is changed to $features. The if() Else() is understood. I just stumped with the cookies and what code is needed to verify the user is logged in.
Navigation -
I wish to have all my content as $variables, so when a link is clicked it changes the current content $variable to the selected. Hence again the large amounts of updating being done by HTML noobs.

3.I haven't seen a single tutorial on navigation anywhere. A link would be helpful.

Site must be secure.

All suggestions are welcome and aprreciated. Even if it means a total rewrite of the current structure.

I have access to MySQL also.

Thanx in advance. 😃

planetsim

To keep people logged in Cookies are the way to go. Security for them isnt very good. As they can be tempered with. Not to say you can also try to use sessions as well.

To clarify you would need to things. I usually for make sure the cookie exists by doing this

isset($_COOKIE['cookiename'])

from there we need to make sure the cookie hasnt expired. So

!empty($_COOKIE['cookiename']) for some reason works.

using Vars for links. Usually means there is something gonna happen

Most likely you are after links like this

index.php?id=1

etc

and from that goes to another page.
You'd need to use switch statements to include the files. There isnt really a tutorial. PM me to ask exactly what is required you maybe wanting to use mysql Where statement.

Security. IF it needs to be extremely high Cookies wont do. You'd need sessions as they cannot be altered. But the bad side is session hijacking. You can read about that in the manual.

You may wanna try SSL if it really needs to be secure

Twist

I did a script just like this a little while ago and here it is:

<?php
function cookieTest($login, $pass){
if (isset($login) && isset($pass)){
databaseTest($login, $pass);
}else{
include "loginform.html";
exit;
}
}

function login($login, $password){
	databaseTest($login, $password);
	setcookie("cookiename","$login",time()+33177600, "/", "domain");
	setcookie("cookiepass","$password",time()+33177600, "/", "domain");
}

function databaseTest($login, $password){
	$dbhost = "localhost";
	$dbuser = "dbuser";
	$dbpass = "dbpass";
	$dbname = "dbname";
	$dbtable = "dbtable";
	$dblink = mysql_connect($dbhost, $dbuser, $dbpass);
	if (! $dblink){
		die("Couldn't connect to database: ".mysql_error());
	}
	mysql_select_db($dbname, $dblink) or die("Couldn't opem $db: ".mysql_error());
	$result = mysql_query("SELECT * FROM $dbtable");
	$testnum = (mysql_num_rows($result) - 1);
	while ($val = mysql_fetch_assoc($result)){
		$loginarray[] = $val["loginname"];
		$passwordarray[] = $val["password"];
		$emailarray[] = $val["emailaddy"];
	}
	mysql_close($dblink);
	for ($i = 0; $i<=$testnum; $i++){
		if ($loginarray[$i] == $login){
			if ($passwordarray[$i] == $password){
				$logingood = true;
				break;
			}else{
				$logingood = false;
				break;
			}
		}
	}
	if ($logingood){
		return true;
	}else{
		echo("Login failed.");
		exit;
	}
}

// functions end
// main script
if ($action == "login"){
login($login, $password);
}else{
cookieTest($cookiename, $cookiepass);
}
?>

Basically this file is just included in any page and if they are logged in it does nothing but if they aren't logged in it presents them with a form to login. Here is the loginform.html I used:

<html><head><title>Login</title></head><body><div align="center">
<form method="post" name="login" action="?action=login">
<input type="text" name="login" size="25" value="Login"><br>
<input type="text" name="password" size="25" value="Password"><br>
<input type="submit" value="Login"></form></div></body></html>

You will of course need to edit the script some with your database info. Only main problem with the script is that it stores the password in the open without encrypting it or anything. That is something I was planning to add but never got around to it. Also I am willing to bet that someone who isn't as new to PHP as I am could probably write a much more streamlined version but this one gets the job done. Actually just looking at it now I see a few ways to improve it but this should get you started.

daphreeek

on the topic of this cookie security, i have 2 disagree with you. cookies can be very secure (more so than sessions) if u do it rite.

I use a table (usually called "online") and it has 3 fields: user_id, online_id, and exp

user_id refers to my members table where each user has a unique user_id

online_id is a random number generated when the user logs in.

exp is time()+$sumtime ($sumtime normally 10mins) which is set on login and everytime the user accesses any page so if they are inactive - they get logged out.

on login, i make 2 cookies: user_id and online_id (normally with a sitename prefix) and set them 2 the same values as above. i set thier expiry to about a day normally (cookies not used for loggout - done with online database - means i dont have to change the expiry on the cookies on each page)

at the top of every page i include a file 2 delete all the entries in "online" that have the field "exp" less than time() (logs out inactive users)
this included file also checks online_id and user_id from cookies against the database (because both are random 10 digit numbers, very hard 2 guess/mess with cookies)

Thats it.

Another great thing about this is that you have a "Users Online" list already made for you

sounds hard but not much code at all. E-mail me for furthur details

Matt
phreeeky@hotmail.com