I was wondering if anyone was able to help me with a login script.

I made one in ASP. Here:

log_no=Request.Form("username")
password=Request.Form("password")

sql="SELECT * FROM Login WHERE Log_No='" & log_no & "' AND userpass='" & password & "'"

set db=Server.CreateObject("ADODB.Connection") 
db.Open "class"
set rs=Server.CreateObject("ADODB.RECORDSET") 
rs.Open sql, db, 3, 3 
If Rs.EOF Then 
' The login information is incorrect.
response.Redirect("studentlognew.asp")
'Response.Write("login=failed") 

Else
id = rs("ID")
session ("idnum") = rs("ID")
session("logged") = "true"
Session("username") = rs("Log_No")
If rs("Admin") = True Then
session("Admin") = "true"
'Response.Write("login=admin")
response.Redirect("adminlogin.asp")
else
session("Admin") = "false"
End if
If rs("Coach") = True Then
session("Coach") = "true"
'Response.Write("login=coach")
response.Redirect("coachlogin.asp")
else
session("Coach") = "false"
End if
End If

rs.Close 
set rs=nothing 
db.Close 
set db=nothing 

I want to make the same sort of thing in PHP.

Anyone able to help?

    Hey aron.
    I can sympathize as a former ASP coder myself. Here is a conversion of your script. I didn't test it, so it probably has some syntax errors.

    //Assumes:
    //you are connected to a database server.
    //You are running php 4.x. with a generic configuration
    
    //Set vars...
    $baseurl="http://www.mysite.com"; //set this to your site's homepage. this is needed for relocation (can't use relative urls). don't append with a forward slash.
    
    //Check settings...
    if (ini_get("output_buffering")!="on") generror("You must enable output buffering to allow redirection");
    if ($baseurl=="" || $baseurl=="http://www.mysite.com") generror("You must enter the site's homepage (baseurl) in the script.");
    
    //change $_REQUEST to $_GET if you use the GET method as it's safer...
    $usernum=$_REQUEST["username"]; 
    $password=$_REQUEST["password"];
    
    //validate $username and $password here...
    if ($usernum=="" || $password=="") generror("You must enter a username and password.");
    
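    //escape the values before they go into the query so a quote in the input cannot change the SQL
    //(mysql_real_escape_string needs PHP 4.3+ and an open connection; undo magic quotes first to avoid double escaping)
    if (get_magic_quotes_gpc()) { $usernum=stripslashes($usernum); $password=stripslashes($password); }
    $query="SELECT * FROM Login WHERE Log_No='".mysql_real_escape_string($usernum)."' AND userpass='".mysql_real_escape_string($password)."'";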
    
    //select database here, if not already selected. PHP will try to use the database connection that it last used.
    
    $result=mysql_query($query);
    
    if (!$result) generror("malformed query:".$query);
    
    if(mysql_num_rows($result)==0) generror("Login Failed. Wrong username or password.");
    
    $_SESSION["idnum"]=mysql_result($result,0,"id");
    $_SESSION["logged"]=true;
    $_SESSION["username"]=$_REQUEST["username"];
    
    if (mysql_result($result,0,"Admin")=="True") {
    $_SESSION["admin"]=true; //assignment (=), not comparison (==)
    header("Location: ".$baseurl."/adminlogin.asp");
    exit(); //in case redirection doesn't work
    } elseif (mysql_result($result,0,"Coach")=="True") {
    $_SESSION["Coach"]=true; //assignment (=), not comparison (==)
    header("Location: ".$baseurl."/coachlogin.asp");
    exit(); //in case redirection doesn't work
    }
    
    function generror($msg) {
    //writes error message on current page and stops script from continuing
    echo $msg;
    exit;
    }
    

    Use session_start() at the very top of each page that uses sessions. It must be used before any HTML code is sent to the client.

      How would I write this in PHP?

      If session ("Login") <> "true" then
      response.redirect "fltindex.htm"
      end if
      user_id = session ("user_id")

      cheers.

        <?
        session_start();
        $baseurl="http://www.mywebsite.com.au"; //set this to your site's homepage. this is needed for relocation (can't use relative urls). don't append with a forward slash.
        if $SESSION["admin"] <> true; {
        header("Location: ".$baseurl."");
        exit(); //in case redirection doesn't work
        }else{
        $user_id = $SESSION["idnum"];
        }
        ?>
        <html>
        <head>
        <title>Untitled Document</title>
        <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
        </head>

        <body>
        yeah <? echo "$user_id";?>
        </body>
        </html>

        It should redirect to the URL, but doesn't.

          Originally posted by aron
          How would I write this in PHP?

          If session ("Login") <> "true" then
          response.redirect "fltindex.htm"
          end if
          user_id = session ("user_id")

          cheers.

          if($_SESSION['Login']!='true') {
              header('Location: fltindex.htm');
              exit; //stop here so the rest of the page never runs for a visitor who is not logged in
          }

          $user_id = $_SESSION['user_id'];

            //Check settings...
            //if (ini_get("output_buffering")!="on") generror("You must enable output buffering to allow redirection");
            //if ($baseurl=="" || $baseurl=="http://www.ulterior.com.au") generror("You must enter the site's homepage (baseurl) in the script.");

            The above script comes up with an error so I commented it out, but I would like to use it. How do I get it working?
            comes up with an error.

            cheers aron.

              I included the line below to make sure you entered your own value for the $baseurl variable. The literal wasn't meant to be altered...

              if ($baseurl=="" || $baseurl=="http://www.mysite.com") generror("You must enter the site's homepage (baseurl) in the script.");
              

              You changed it to...

              if ($baseurl=="" || $baseurl=="http://www.ulterior.com.au") generror("You must enter the site's homepage (baseurl) in the script.");
              

              If you set the $baseurl to your own site's homepage then good on ya and you can delete the line above from your script. With the statement as it is, the generror() function will always get called since you changed the literal and the condition will always be true.

                Here are some tips...

                If you store passwords in a database, I recommend using a strong hash to cipher a password that is stored in a database in case the database is compromised. I also recommend that you use SSL if you are sending usernames and passwords in cleartext over the network. If you use session management, I would ensure that the session keys are unique and hard to guess. It is also important to validate the session.

                Have fun!
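
The tips above (store only a hash of the password, validate the session), together with a bound query parameter in place of SQL built by string concatenation as in the conversion earlier in the thread, shown as an added example that is not part of any post. It assumes PHP 7.1+ with PDO and pdo_sqlite; the `pass_hash` column (replacing `userpass`), the in-memory database, the sample account and the function names are all hypothetical.

```php
<?php
// Added example, not code from the thread. Login/Log_No/Admin/Coach follow the
// thread; the pass_hash column and the in-memory SQLite database are assumptions.

function open_demo_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE Login (ID INTEGER PRIMARY KEY, Log_No TEXT UNIQUE,
               pass_hash TEXT, Admin INTEGER, Coach INTEGER)');
    // Constructed sample account: only the salted hash is stored, never the password.
    $db->prepare('INSERT INTO Login (Log_No, pass_hash, Admin, Coach) VALUES (?, ?, ?, ?)')
       ->execute(['1001', password_hash('correct horse', PASSWORD_DEFAULT), 0, 1]);
    return $db;
}

// Returns the account row (without the hash) on success, null on any failure.
function check_login(PDO $db, string $logNo, string $password): ?array {
    $stmt = $db->prepare('SELECT ID, Log_No, pass_hash, Admin, Coach FROM Login WHERE Log_No = ?');
    $stmt->execute([$logNo]); // bound as data, so quotes in the input cannot alter the SQL
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['pass_hash'])) {
        return null; // same result for an unknown user and a wrong password
    }
    unset($row['pass_hash']);
    return $row;
}

// Call after session_start() once check_login() has succeeded.
function establish_session(array $row): void {
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true); // new session id at login, the old one is discarded
    }
    $_SESSION['idnum']    = (int) $row['ID'];
    $_SESSION['username'] = $row['Log_No'];
    $_SESSION['Admin']    = (bool) $row['Admin'];
    $_SESSION['Coach']    = (bool) $row['Coach'];
    $_SESSION['logged']   = true;
}

// Guard for protected pages: true only when this session went through a login.
function is_logged_in(): bool {
    return isset($_SESSION['logged']) && $_SESSION['logged'] === true;
}

$db = open_demo_db();
var_dump(check_login($db, '1001', 'correct horse')); // constructed valid credentials
var_dump(check_login($db, '1001', 'wrong'));         // wrong password
var_dump(check_login($db, "O'Brien", 'x'));          // input containing a quote character
```

On a protected page, call `session_start()` first, then redirect and `exit` when `is_logged_in()` returns false.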

                  Originally posted by bbisaillon
                  I would ensure that the session keys are unique and hard to guess. It is also important to validate the session.

                  Have fun!

                  I agree thoroughly with those tips; on the matter of ensuring good session keys, PHP's are already pretty good: it uses the current time (seconds and microseconds), a pseudorandom number generator, and any other source of entropy you specify in php.ini (such as /dev/random) and MD5's the whole mess together.
