Login and post

blen

Ok so I am pretty new to php.

Basically what im trying to do is have an admin interface for my website, so I can log in, and post "news" items to the main page.

I can log in, get to the post form, but when I post it says "You are not logged in." Can anyone help me with my code?

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>Add an entry!</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<body>

<?php
$conn = mysql_connect("localhost","usr","pwd");
$db = mysql_select_db("kendall_users");
$username = $POST["username"];
$password = $POST["password"];
$result = MYSQL_QUERY("SELECT * from bk_login WHERE username='$username'and password='$password'")
or die ("Name and password not found or not matched");
$worked = mysql_fetch_array($result);
$username = $worked[username];
$password = $worked[password];

if($worked) 
{
//logged in
	if($_POST['submit']) {
	//submit is hit
	//then connect as user
	//change user and password to your mySQL name and password
	mysql_connect("localhost","usr","pwd"); 
	//select which database you want to edit
	mysql_select_db("kendall_news"); 
	//convert all the posts to variables:
	$title = $_POST['title'];
	$content = $_POST['content'];
	$date = $_POST['date'];
	$time = $_POST['time'];
	//Insert the values into the correct database with the right fields
	//mysql table = news
	//table columns = id, title, content, who, date, time
	//post variables = $title, $content, '$who, $date, $time
	$result=MYSQL_QUERY("INSERT INTO news (id, title, content, date, time)".
	"VALUES ('NULL', '$title', '$content', '$date', '$time')"); 
	//confirm
	echo "You posted a news entry."; 
  	}
	else
	{
	//put out form
	?>
<form method="post" action="add.php">
	<TABLE>
		<TR>
			<TD>Title:</TD>
			<TD><INPUT TYPE='TEXT' NAME='title' VALUE='Random Update' size=60></TD>
		</TR>
		<TR>
			<TD>Content:</TD>
			<TD><INPUT TYPE='TEXT' NAME='content' VALUE='' size=60></TD>
		</TR><br>
		<TR>
			<TD>Date:</TD>
			<TD><INPUT TYPE='TEXT' NAME='date' VALUE='<? echo date("M.j.y"); ?>' size=60></TD>
		</TR>
		<TR>
			<TD>Time:</TD>
			<TD><INPUT TYPE='TEXT' NAME='time' VALUE='<? echo date("g:i a"); ?>' size=60></TD>
		</TR>
		<TR>
			<TD></TD><br>
			<TD><INPUT TYPE="submit" name="submit" value="submit"></TD> 
		</TR>
	</TABLE>
</form>
<?php
	}
}
else 
{
//not logged in
echo "You are not logged in.";
}

etully

The problem is that the username and password aren't being passed to the page that posts the news.

When you enter your u/p on the form and click "login" and go to the next page, the form data is delivered to the second page. The second page HAS the username and password to check against the database. But then when you click a link of any kind and go to another page, that username and password are forgotten so when you get to the page to post your news, it doesn't see a username and password - so it says you are not logged in.

There are a few ways to solve this problem. Some are easy but not very secure. Some are harder to learn and program but they are more secure. As you learn more about security, you will be able to make sure that you are covering all your bases and aren't letting someone hack your admin area.

The simplest (and least secure) way to make this work is to cookie the username and password. This way, every page you arrive at is able to check the browser's cookie and see if you are aurthorized. I include this example simply to illustrate why you are seeing the problem in the first place. Once you cookie the u/p, it will be available to every page solving your problem.

The problem is that (A) if you walk away from the machine, someone could sit down at your computer and be logged in as you, and (😎 if they view your cookies (Firefox: Edit -> Prefs -> View Cookies), they can see your username and password so they can log in as you anytime they want in the future.

The technique I use is this:

Ask them for their username and password
Check the database to see if they are authorized
Generate a random 20 character string.
Cookie it in their browser
write it to a database with the current time and their IP address

Then, on the top of every page, I simply check their cookie to find their ID number and check the database to see if that ID was used from that IP address in the last 15 minutes. If yes, then they are logged in and I reset the time stamp on that ID number to the current time. This way, they are automatically logged out after 15 mins of not viewing a web page. If someone copies the code number, it's not good on any other computer or anytime in the future... and the username and password are never stored in the browser.

That's just one technique - it works well for me - there are others that are as good or better. Many people like to use the session variable which is fine too.

Good security is harder than I can cover in this forum. Make sure you understand what the risks are and you can protect against them.

blen

ok thanks! I will definitly read up on cookies and sessions. Thanks again.