Making a Login

Royalmike

Okay, so what I have is a Login page where you select your name from a drop down and I have a password field. How can I make it so that you can only see the next page if your password for the selected user is right, and if it isn't, then take you back to the login page. I have four users made and have set passwords for each.


<form method="post" action="data.php" enctype="multipart/form-data">
      <table cellpadding = "10px" border="2">
         <tr>
            <td align="center">
            User:
            <select name="user">
               <?php
                  mysql_connect(localhost, "root", "password");
                  @mysql_select_db(bus) or die ("Unable to connect to database.");

              $query= "SELECT name FROM bus_user";
              $result = mysql_query($query);
              if(mysql_num_rows($result))
              {
                 while($row = mysql_fetch_row($result))
                 {
                    print("<option value=\"$row[0]\">$row[0]</option>");
                 }
              }
           ?>
           </select>
           </td>
        </tr>
        <tr>
           <td>
           Password:
              <input type="password" name="password"/>

<!--Help! -->
               </td>

        </tr>
        <tr>
           <td align="center">
           Vehicle:
           <select name="vehicle">
              <?php
                 mysql_connect(localhost, "root", "password");
                 @mysql_select_db(bus) or die ("Unable to connect to database.");

                 $query = "SELECT name FROM bus_vehicle";
                 $result=mysql_query($query);
                 if(mysql_num_rows($result))
                 {
                    while($row = mysql_fetch_row($result))
                    {
                       print("<option value =\"$row[0]\">$row[0]</option>");

                    }
                 }
              ?>
              </select>
              </td>
           </tr>
           </tr>
              <td align="center">
                 <input type="submit" name = "Login" value = "Login" />
              </td>
           </tr>
        </table>
     </form>
  </center>
  </body>
  </html>

Let me know if you need the next page of code instead

tron00

Do you have the password stored in a database or flat file?

Royalmike

In a table named bus_user in a database named bus

ragedigital

$result = mysql_query("SELECT name FROM bus_user WHERE name='".$_POST['user']."' and password='".$_POST['password']."'");

$records = mysql_num_rows($result);

if($records == 0){
    header("Location:login.php");
    exit;
}

bpat1434

Please note that you should NEVER put user-input (i.e. text-fields, check-boxes, form fields, etc.) directly into SQL queries. This is a huge security issue (one which the developers of PHP can't save you from). To that end, the [man]mysql_real_escape_string/man function should be used to properly escape all user-input before database work (when using a MySQL database).

Also, be aware that typically using plain-text passwords are not what you want to do. Typically passwords are hashed with a special "salt" that no-one can guess (or shouldn't be able to guess). The point of this is so that you're not comparing actual passwords but rather you're really comparing the hashed values of the password and whatever salt. A good example is:

$password = $_POST['password'];  // From form field with name attribute = "password"
$username = $_POST['username']; // From form field with name attribute = "username"

$password = sha1(md5(substr($username, 0, 5)) . $password);

The first 5 letters of the username serves as a "salt" and also helps prevent duplicate hashes, since typically usernames are unique across a site, so will each password hash 😉 It's still possible to hack; however, it adds a degree of difficulty.

The basics to denying anyone access to a section of your site is usually done via [man]sessions[/man] or [man]cookies[/man]. Both do the same thing (store data through site refreshes); however, cookies store the data user-side (so in a text file on their computer) while sessions are server-side (stored in a text file on the server). Typically a cookie is used for people that don't want to have to sign in every time, which just points the script to an old session ID or raises a flag which means that they're logged in. But that's more advanced than you probably need right now.

Anyway, with sessions you need to use [man]session_start/man to properly start a session, and then you can write to the $SESSION super-global. Typically checks are done on the $SESSION super-global array to see what's set in them. A typical way is to see if $SESSION['authenticated'] is set. Sometimes it will be a simple boolean check:

if($_SESSION['authenticated'])
    // Let them in

Other times, it can be for a specific value:

if($_SESSION['authenticated'] == 'current member')
    // Let them in
elseif($_SESSION['authenticated'] == 'expired member')
    // Show them the renewal page

You can store just about anything you want in the session array, and it will travel with the user between page visits. So when user A goes from index.php to members.php, there can be some information about them (where they came from, what links they've visited on your site, what path they took to get to that page, etc.).

All of this stuff has been covered in the forums here multiple times, and I believe there are a couple articles on this site about authentication. I suggest you read up on sessions over at www.php.net and become familiar with them since many times they are the simplest and easiest to implement for a "secure" area on your site.

And of course, if you have any questions or trouble, feel free to ask.