stop people getting to a page..

krazy1151

Hey guys
I am currently coding a sim game..
and there are some pages that people have to log in to see as they are all different, like home pages will be different for different peoples information etc..

I need a piece of code, so when someone tries to aces a page you have to log in to see it will display a message saying "OOPS! you have to log in to view this page"
Please can anyone help?
thanks
Krazy

roscor

Try using Sessions,
once a user/memeber is logged on create a session, then at the top of your members page

<? session_start();
if (empty($_SESSION['valid_user_member'])){
 header("location:../loginpage.php");
exit();
}
?>

this will redirect to loginpage.php using the header function if the session is empty! messages can also be echoed out instead of or using exit();

hope this helps

krazy1151

Yeah
I have a file called "header.php"
with includes part of the games layout etc..

Can I put that piece of code in there
as on my ages I have to use

<?php
include ('header.php')
?>

so it will be included that way..

roscor

keep the page name relevant along with any variables you set. Try using a userlogon page, lets say userlogon.php.

The page will be a form with two text boxes username and password.

userlogon.php

<H4>You need to be Member - Restricted Area</H4>

<br>
    <FORM METHOD="POST" ACTION="logged.php">
<STRONG>Username:</STRONG>&nbsp;<INPUT TYPE="text" NAME="username" value="<? echo $user; ?>"><br><br>
<STRONG>Password:</STRONG>&nbsp;&nbsp;<INPUT TYPE="password" NAME="password" value="<? echo $passw; ?>"></p>
<P><INPUT TYPE="SUBMIT" NAME="submit" VALUE="login">&nbsp;&nbsp;<input type="reset" name="reset">
</FORM>

The destination with validation will be logged.php. As the page parses the validation is completed and errors are displayed (error1 and error2)

If validation is ok and the member has a successful login a session is created, within the members area. The previous post code will be at the top of each page and only allow logged in members access.

logged.php

if(preg_match('/^[a-zæøåÆØÅ0-9_-]{4,}$/i', $_POST['username'])){
        $user = $_POST['username'];     

    }
        else {
        $error1 .= "<font face='Verdana' size='2' color='#FF0000'>Error: on Text box USERNAME, Do not use invalid characters ? < > . , - + = ~ # @ | \ / '' ' : ; { } [ ] * ^ ! etc.";
             }   

  if(preg_match('/^[a-zæøåÆØÅ0-9_-]{4,}$/i', $_POST['password'])){
        $passw = md5($_POST['password']);
    }
        else {
        $error2 .= "<font face='Verdana' size='2' color='#FF0000'>Error: on Text Box PASSWORD, Do not use invalid characters ? < > . , - + = ~ # @ | \ / '' ' : ; { } [ ] * ^ ! etc.";
            }   

//your database connection info
include("dbinfo.inc.php");
    $conn = mysql_connect($host, $username, $password) or die(mysql_error());
    mysql_select_db($database,$conn) or die(mysql_error());

$query="SELECT * FROM your_table WHERE  username ='$user' and password ='$passw'";
$result = mysql_query($query) or die ("Could not run query.");

 if (mysql_num_rows($result) == 1) {

$_SESSION['valid_user_member']=$user;


}
 else

 {

echo "<td align='center'><font face='Verdana' size='2' color='#FF0000'>Login Failed. <br />[<a href=userlogon.php>Go back and try again</a>]<br><br>";
echo "<font face='Verdana' size='2' color='#FF0000'>NOTE: Your Member Username must be entered exactly as when you registered<br><br>";
echo "<font face='Verdana' size='2' color='#FF0000'>NOTE: Your Member Password must be entered exactly as issued </font></td><br><br>";
echo "$error1<br><br>";
echo "$error2<br>";
    exit;          

  } 

//rest of html code to display

Things to remember,

NEVER use short tags always use <?PHP
WHEREVER you use sessions <?php session_start(); needs to be the first thing on your page.
ALWAYS use validation to ensure the correct content of text boxes or malicious persons can mess up your database see
mysql injection for a heads up.
THINK about MD5 or similar to encrypt passwords
ALWAYS use error reporting when debugging/testing your code.
There countless others who know much more than us mere mortals, its just requires a polite question after we have tried to find the answer ourselves(google,PHPBuilder,www.php.net etc).

hope this helps at least a little

bradgrafelman

Just a minor correction to:

roscor wrote:
WHEREVER you use sessions <?php session_start(); needs to be the first thing on your page.

It doesn't have to be the first "thing" in your script... it just has to appear prior to the HTTP headers being sent. This means that you can't have any output before you call [man]session_start/man - this includes a blank line or space before the first <?php tag.

roscor

noted bradgrafelman,

cheers

roscor

jkurrle

One of my favorite techniques when storing a password is to use a unique "salt" for each MD5 encryption.

If your aren't familiar with MD5 encryption, it is a one way encryption algorithm that supposedly can't be reversed. The problem is, people build dictionaries of common MD5 encrypted words. To get around that, you need to "salt" the passwords with some text string to make the password unrecognizeable to dictionary attacks.

Personally, I like to combine the login ID with the password into a string, then use MD5 encryption on the whole lot. You then have a unique salt for each password.