sessions and authentication

lovinlazio9

hi everyone...i'm trying to figure out how to make use sessions and include and authentication file on my site so that only those logged in are able to comment and what not..... i'm kind of confused b/c the book that i'm using as a reference has not helped and i've looked all over the net... anyway...here are my scripts so far...my login script is as follows...

<form name="form1" method="post" action="checklogin.php">
<td>
<table width="100%" border="0" cellpadding="3" cellspacing="1" bgcolor="#022B54">
<tr>
<td colspan="3"><strong><font color="#BABAA0" face="Verdana">Member Login </strong></td>
</tr>
<tr>
<td width="78"><font color="#BABAA0" face="Verdana">Email</td>
<td width="6"><font color="#BABAA0" face="Verdana">:</td>
<td width="294"><input name="Email" type="text" id="Email"></td>
</tr>
<tr>
<td><font color="#BABAA0" face="Verdana">Password</td>
<td><font color="#BABAA0" face="Verdana">:</td>
<td><input name="Password" type="password" id="Password"></td>
</tr>
<tr>
<td>&nbsp;</td>
<td>&nbsp;</td>
<td>
  <p align="left"><input type="submit" name="Submit" value="Login"></p>
</td>
</tr>
</table>
</td>
<center>
</form>

and then my checklogin.php file that obviously checks the login....

<?

include "dbcon.php"


// username and password sent from login form
$Email=$_POST['Email'];
$Password=$_POST['Password'];
$table= "register";

// Encrypt Password
$encrypted_password=md5($Password);

$sql="SELECT * FROM register WHERE Email='$Email' and Password='$encrypted_password'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $Email and $Password, table row must be 1 row

if($count==1){
// Register $Email, $Password and redirect to file "login_success.php"
session_register("Email");
session_register("Password");
header("location:login_success.php");
}
else {
echo "Wrong Username or Password";
}
?>

and then my login_success.php file...

<?
session_start();
if(!session_is_registered(Email)){
header("location:login.php");
}
?>

<html>
<body>
Login Successful
</body>
</html>

now i'm just wondering where do i go from here? i know theres a lot more that needs to happen with the sessions and all....and i guess i would like to create an authenticate file that i can just include on all the files that require a login. I'm not 100 percent sure but i'm assuming the authenticate file will make sure that a session has started before allowing the user to see that page? ....any help will be greatly appreciated.... thanks....

suntra

First...

$Email=mysql_real_escape_string($_POST['Email']); 
$Password=$_POST['Password'];
$table= "register";

// Encrypt Password
$encrypted_password=md5($Password);

$sql="SELECT * FROM register WHERE Email='$Email' and Password='$encrypted_password'";

Make sure to ALWAYS use mysql_real_escape_string() when using a string from the "outside world" to avoid to MySQL injection...

So...

$Password=$_POST['Password'];
$table= "register";

// Encrypt Password
$encrypted_password=md5($Password);

$sql="SELECT * FROM register WHERE Email='$Email' and Password='$encrypted_password'";

Now... session_register() is OLD ! And most of the time, it causes problems... so use $_SESSION instead... very simple :

To set a session variable :
$_SESSION['var name'] = value

To get a session variable :
$_SESSION['var name']

So login_success.php should be :

<?
session_start();
if(!isset($_SESSION['Email'])){
header("location:login.php");
}
?>
[code=php]

And for the other files, I'll let you try ;)

lovinlazio9

okay great....so do i have to escape the Password field as well? or b/c its set to password people can't inject MySQL into it?

and thank you, i'm new to this so anything helps!....as for the session_register() being old...do i do turn this:

if($count==1){
// Register $Email, $Password and redirect to file "login_success.php"
session_register("Email");
session_register("Password");
header("location:login_success.php");
}
else {
echo "Wrong Username or Password";
}
?>

into this? :

if($count==1){
// Register $Email, $Password and redirect to file "login_success.php"
$_SESSION["Email");
$_SESSION["Password"];
header("location:login_success.php");
}
else {
echo "Wrong Username or Password";
}
?>

suntra

No...

$_SESSION["Email"] = $Email;
$_SESSION["Password"] = $Password;

The password doesn't need to be escaped because you use MD5()... so it will always be a 32-character string containing 0-9 and a-f...

And you can notice that above, $Email is already "translated" with mysql_real_escape_string(), BUT with correct addresses, it should not make any changes because noone has an address with ', ", or some other special chars, in them...

So remember...

To set a session variable :
$SESSION['the name of the var'] = the value of the var;
ex : $SESSION['Email'] = $Email;
the value is either a string, a variable, an integer, a boolean, etc.

To get a session var :
$SESSION['the name of the var'];
ex : echo $SESSION['Email'];

lovinlazio9

oh okay cool thanks...that makes sense...

Weedpacket

And in the interests of efficiency, the database query can be improved a fair bit as well:

$sql="SELECT count(*) FROM register WHERE Email='$Email' and Password='$encrypted_password'";
$result=mysql_query($sql);

$count=mysql_result($result,0);

Get the database to do the database-related stuff.

lovinlazio9

hi sorry, can you explain what the database query does that makes it more efficient than the other one? i just want to learn...thanks!

suntra

lovinlazio9 wrote:
hi sorry, can you explain what the database query does that makes it more efficient than the other one? i just want to learn...thanks!

Much more efficient...

YOU asked the db to return ALL results...

Weedpacket suggests a query that will return ONE result... so much less time spent unusefully and much less memory needed ! This query simply asks the number of results...

lovinlazio9

oh alright... that makes sense... i put the code in now...and this is what it looks like...

// username and password sent from login form
$Email=mysql_real_escape_string($_POST['Email']); 
$Password=$_POST['Password'];
$table= "register";

// Encrypt Password
$encrypted_password=md5($Password);

$sql="SELECT count(*) FROM register WHERE Email='$Email' and Password='$encrypted_password'";
$result=mysql_query($sql);

$count=mysql_result($result,0); 
// If result matched $Email and $Password, table row must be 1 row

if($count==1){
// Register $Email, $Password and redirect to file "login_success.php"
$_SESSION["Email"] = $Email;
$_SESSION["Password"] = $Password; 
header("location:login_success.php");
}
else {
echo "Wrong Username or Password";
}
?>

but now when i actually log in...all it does is refresh the log in page pretty much? do i have to change the if($count==1) statement now as well b/c i changed the database query statement?

sorry again for all this hassle, i just don't have the best grasp on all this right now!

also....by using the:

$_SESSION[$Email] = $Email

and so on.... it actually starts the session? so in every page on my site that i want to have for members only, i need to to write code that checks to see if

$_SESSION[$Email] = $Email....has a session started and then allow the page to be viewed?

something kind of like...

(check to see if user has started session code)
if user has started session
header (secure page)
else
header (login)

am i right?