Login Script Help

Napster

I have this login script and here it is

<?php

setcookie("user",$username,time()+(3*86400));

?>
<html>

<body>
<?php
include("colours.inc.php");
?>
<?php                                  //10

//Made by Josh Weissbock

include("jocey.inc.php");

$connection = mysql_connect($host, $user,$password)
or die ("Couldn't connect to server.");

mysql_select_db($database, $connection)
or die ("Couldn't select database.");                      //20

$result = mysql_query("SELECT * FROM members WHERE username='$_POST[username]'");
$array = mysql_fetch_array($result,MYSQL_ASSOC);

$result2 = mysql_query("select count(*) as num_users FROM members WHERE username = '$_POST[username]'"); 
$row = mysql_fetch_array($result2,MYSQL_ASSOC); 

if ($_POST[username] == "" or $_POST[password] == "")
{ 
echo "Username or Password is blank";             //30
}
elseif ($row[num_users] < 0)
{
echo "No such username"; 
}
elseif ($array[usertype] == "outcast")
{
echo "You have been outcasted from Elarune"; 
}
elseif ($_POST[password] != $array[password])                   //40
{
echo "Incorrect password";
}
elseif ($_POST[password] == $array[password])
{
$username = $array[username];
echo "You have been logged in";
echo "<br><a href='home.php'>Go Home</a><br>\n";
}

?>
</body>
</html>

and there are a couple ways to login without passwords, I can not figure out how to stop this can someone please help

Napster

Can anyone help

HalfaBee

You set the username cookie at the begining, but never delete it if there is a problem.

HalfaBee

Napster

But you have to set it at the top or it wont work, am I correct?

Half a bee has got to be visa vee it's entity

HalfaBee

But if your setting it as a good login at the start and it is not, then what happens?

Halfabee

Napster

but I read u have to set cookies at the top of the page as the first output or else it wont work, though if you dont type in the correct password it wont let u login. To login with out the password all you do is put any password hit login then hit back and refresh and u are logged in?

HalfaBee

Yes, you have to set the cookie before any OUTPUT.
Do your checking before the output and set the cookie appropriately.
Then do the outputing.

HalfaBee

Napster

so what exactly would a output be

HalfaBee

Output is any character sent to the browser. So make sure your <?php tag is the very first char's of the file, no newlines or spaces.

Output in php is normally echo'ed or print'ed inside the tags and anything outside the tags is output.

HalfaBee

Napster

so i am taking it, as long as this <?PHP is at the top I can set cookies any where on the page. So then I want to set my cookies after I make sure everything is ok

HalfaBee

As long as you don't output anything it will work.
The logic and script of checking the username should not output anything.
Just keep error messages as strings to output later.

HalfaBee

Napster

I am kinda confused on what u are saying, you say to make sure <?php is first but then u say dont output any thing and what does

Just keep error messages as strings to output later

Mean

HalfaBee

If you do

echo "Your username does not exist";
or
?>
<html>
<body>
<?

This is output.

HalfaBee

Napster

so if I keep my script the exact same except for moving

setcookie("user",$username,time()+(3*86400));

elseif ($_POST[password] == $array[password]) 
{ 
setcookie("user",$username,time()+(3*86400));
$username = $array[username]; 
echo "You have been logged in"; 
echo "<br><a href='home.php'>Go Home</a><br>\n"; 
}

it will work?

HalfaBee

No. because output has already occurred before this.
If you want to keep the script the same put

ob_start();
At the begining of the script.
and after the cookie has been set do

ob_end_flush();

This turns on output_buffering and outputs the html after you have processed everything.

Halfabee

Napster

so i would go

<?php

ob_start()
setcookie("user",$username,time()+(3*86400));
ob_end_flush();

?>
<html>

<body>
<?php
include("colours.inc.php");
?>
<?php //10

HalfaBee

The ob_start() is correct.

You need to move the setcookie() to where you are sure the user used the correct password

and move the ob_end_flush() to the very last line of the script.

Halfabee

Napster

and echos will still work after the ob_start() right