User Authentication Help

xblrules

I am really new to PHP and need some advice on authenticating users. I have a website where, when my clients login they need to be redirected to specific pages. for example 'John' goes to "page1.html", 'Sara' goes to "page2.html". I have tried to use Dreamweavers Server Behaviors to do this, however; it only redirects my clients to ONE page. Any advice on how to send specific users into different directions?

Many Thanks,
Xblrules

dagon

header() specifically header('location: ....');

xblrules

this is what Dreamweaver has created:

<?php
// *** Validate request to login to this site.
if (!isset($_SESSION)) {
  session_start();
}

$loginFormAction = $_SERVER['PHP_SELF'];
if (isset($_GET['accesscheck'])) {
  $_SESSION['PrevUrl'] = $_GET['accesscheck'];
}

if (isset($_POST['user_name'])) {
  $loginUsername=$_POST['user_name'];
  $password=$_POST['user_password'];
  $MM_fldUserAuthorization = "user_id";
  $MM_redirectLoginSuccess = "protectedpage.php?<?php echo $row_rsUsers['user_id']; ?>=<?php echo $row_rsUsers['user_url']; ?>";
  $MM_redirectLoginFailed = "loginform.php";
  $MM_redirecttoReferrer = true;
  mysql_select_db($database_dw_bookstore, $dw_bookstore);

  $LoginRS__query=sprintf("SELECT user_name, user_password, user_id FROM users WHERE user_name=%s AND user_password=%s",
  GetSQLValueString($loginUsername, "text"), GetSQLValueString($password, "text")); 

  $LoginRS = mysql_query($LoginRS__query, $dw_bookstore) or die(mysql_error());
  $loginFoundUser = mysql_num_rows($LoginRS);
  if ($loginFoundUser) {

$loginStrGroup  = mysql_result($LoginRS,0,'user_id');

//declare two session variables and assign them
$_SESSION['MM_Username'] = $loginUsername;
$_SESSION['MM_UserGroup'] = $loginStrGroup;	      

if (isset($_SESSION['PrevUrl']) && true) {
  $MM_redirectLoginSuccess = $_SESSION['PrevUrl'];	
}
header("Location: " . $MM_redirectLoginSuccess );
  }
  else {
    header("Location: ". $MM_redirectLoginFailed );
  }
}
?>

I see the header("location: " ) however; I'm unsure how to link users to the URL I want them to be redirected to.

dagon

put

error_reporting(E_ALL);

on the first line of your script.

bradgrafelman

One problem I see is here:

$MM_redirectLoginSuccess = "protectedpage.php?<?php echo $row_rsUsers['user_id']; ?>=<?php echo $row_rsUsers['user_url']; ?>";

There's actually a few problems with this line:

You're trying to use <?php ... ?> tags while you're already inside a block of PHP code.
You're trying to use echo in the middle of a string (when you shouldn't be trying to [man]echo/man anything at all in the first place).
You're referencing a variable (namely $row_rsUsers) that hasn't even been defined yet at that point in the script.

niroshan

hi xblrules,

This is just an basic idea.

login page

create a table with username, password and page name.
start the session. ex: session_start();
if the form is submited, check the username and password and if exists get the page name.

ex:
select page from <tablename> where username = '$POST['username']' and password = '$POST['password']'

use the header() to redirect to relevent page
ex: header('Location:'.$page);

Please make sure you do all the input validations and sql injection validations.

Best Regards,
niro

CoderDan

I haven't tried running this - I'm just typing it out here, so there may be a parse error slipping through, but you should get the idea:

<?php
session_start(); // must be called on every page in site, before any output (aside from headers) is sent
$error = '';
if ( $_POST['login'] )
{
	/* Should have a table containing at least the following:
CREATE TABLE users
(
	user_id int(11) NOT NULL auto_increment,
	un varchar(32) NOT NULL, // allow up to 32 char long username
	pw varchar(32) NOT NULL, // reccomend storing the pw as 6-16 chars in length, and MD5 it via either php or mysql upon insert.
	PRIMARY KEY  ( user_id )
);
	If you use a different table structure (or have an existing one) modify the query below to suit it.
	*/
	$query = "SELECT * FROM users WHERE un LIKE '".mysql_escape_string( $_POST['un'] )."' AND pw LIKE '".mysql_escape_string( md5( $_POST['pw'] ) )."' LIMIT 1 ";
	$result = mysql_query( $query ) or die( mysql_error( ) );
	if ( $user = mysql_fetch_assoc( $result ) )
	{
		$_SESSION['user'] = $user;
	}
	else
	{
		$error = "Invalid username or password.";
		// you could also add a query here to check for if username exists, and if so just set "invalid password" as the error, but this would allow
		// the verification of valid usernames by a hacker.
	}
}
else if ( isset( $_GET['logout'] ) )
{ // any page can have a link to this page (or any page with this script) with the get query: '?logout' (no value required) to log them out.
	unset( $_SESSION['user'] );
}

if ( $_SESSION['user'] ) // could also check $_SESSION['user']['user_id'] if you plan to retain this array within session after user logs out for other data.
{
	header( 'Location:logged_in.php' ); // send them to their logged in location page
	// you could also just show the 'logged in content' here, if this is on a regular page.
	// alternativly, if this is a function, then you could return the user array, or 'true' or similar to indicate the user is logged in
}
else
{
	// if this is a function you could return 'false', or this form to be displayed, or even just display the form and return false both. depends on your structure.
	// show login form
	// this should be nested somewhere inside valid html > body tag
	if ( !empty( $error ) )
	{
?>
		<p class='error'>ERROR: <?php echo $error?></p>

<?php
	}
?>
		<!-- pretty this up any way you want. tables are common, I prefer css -->
		<form method='post' action='<?php echo $_SERVER['PHP_SELF']?>'>
			<legend>Login</legend>
			<label for='un'>Username:</label>
			<input type='text' id='un' name='un' value='<?php echo htmlentities( $_POST['un'], ENT_QUOTES )?>' /><br />
			<label for='pw'>Password</label>
			<input type='password' id='pw' name='pw' /><br />
			<input type='submit' name='login' value='Login' />
		</form>
<?php
}
?>

bradgrafelman

@: Not trying to be offensive, but there are several more issues/problems with your code that the OP's. To name a few... you didn't use [man]isset/man in your first if() statement (or the one checking the $_SESSION array), you do a 'SELECT *' (a type of query I think should always be avoiding in web applications), and you use LIKE comparisons for usernames and passwords (do you want me to enter a password that's like my password, or do you want me to enter my password?).

CoderDan

bradgrafelman;10915995 wrote:
@: Not trying to be offensive, but there are several more issues/problems with your code that the OP's. To name a few... you didn't use [man]isset/man in your first if() statement (or the one checking the $_SESSION array), you do a 'SELECT *' (a type of query I think should always be avoiding in web applications), and you use LIKE comparisons for usernames and passwords (do you want me to enter a password that's like my password, or do you want me to enter my password?).

as I think I noted (or should have if i didn't) I just wrote it up, I'm sure it could use a lil polish.
however, unless you're displaying strict warnings, checking for if something isset is usually overkill, imho, using a select * is currently only pulling probably one unwanted field (the username) and again, left to the implementer to polish as desired, and like works just fine, if you check out the documentation, however yes, an = would probably be better in this instance. A like would only really be useful for a 2 tier approach on the username, which is something I won't get into here 🙂

however, the code will work perfectly as written, I believe, short of possible syntax errors, and I figured would display the concepts and use of them fairly well.

If you want me to write perfect code for you, I can do it, but I get paid for that, and this tip was for free 🙂

bradgrafelman

CoderDan wrote:
unless you're displaying strict warnings, checking for if something isset is usually overkill, imho

Well you should never be displaying any errors - they should always be logged instead! :p But yes, the error level of the messages generated is an E_NOTICE (undefined array index), but since I like to know about any errors in my scripts I usually set all of my sites up to log even E_NOTICE error messages.

CoderDan wrote:
however yes, an = would probably be better in this instance.

Better?! What if I entered my username as 'admin' (or whatever the admin username is) and my password as '%'? :p

CoderDan wrote:
If you want me to write perfect code for you, I can do it, but I get paid for that, and this tip was for free

As do I; I just try to make sure that those come here for answers leave with sound knowledge (not code); all too often we see people posting about this code that they copied-and-pasted and can't understand how they went wrong in doing that.

CoderDan

well, my usual practice on errors is to display all while in development and log real errors (but not warnings) on live.
Yes, you make a good point on like for password, that won't happen in my example due to the md5, but as a general practice, sure.

I have to admit I'm not terribly concerned about people who copy and paste, without trying to understand, but If you think that I should actually test out and ensure 100% accuracy on any tips/help I offer, I'll probably just not help anyone, I don't have the time for that. That is why I put the disclaimer on the top of my post.

Anyhows, special delivery for bradgrafelman - still never run or tested, however, but with the changes he recommended, and a couple of other items I missed:

<?php
session_start(); // must be called on every page in site, before any output (aside from headers) is sent

require 'connect_to_db_script.php'; // something to connect to the db

$error = '';
if ( $_POST && $_POST['login'] && $_POST['un'] && $_POST['pw'] ) // don't allow empty un or pw
{
	/* Should have a table containing at least the following:
CREATE TABLE users
(
	user_id int(11) NOT NULL auto_increment,
	un varchar(32) NOT NULL, // allow up to 32 char long username
	pw varchar(32) NOT NULL, // reccomend storing the pw as 6-16 chars in length, and MD5 it via either php or mysql upon insert.
	PRIMARY KEY  ( user_id )
);
	If you use a different table structure (or have an existing one) modify the query below to suit it.
	*/
	$query = "SELECT user_id, un FROM users WHERE un = '".mysql_escape_string( $_POST['un'] )."' AND pw = '".mysql_escape_string( md5( $_POST['pw'] ) )."' LIMIT 1 ";
	$result = mysql_query( $query ); // or die( mysql_error( ) ); // lets not show any errors
	if ( $result )
	{
		if ( $user = mysql_fetch_assoc( $result ) )
		{
			$_SESSION['user'] = $user;
		}
		else
		{
			$error = "Invalid username or password.";
			// you could also add a query here to check for if username exists, and if so just set "invalid password" as the error, but this would allow
			// the verification of valid usernames by a hacker.
		}
	}
	else
	{
		$error = "Login is unavilable as I messed up and messed with the db somehow";
	}
}
else if ( isset( $_GET['logout'] ) )
{ // any page can have a link to this page (or any page with this script) with the get query: '?logout' (no value required) to log them out.
	if ( isset( $_SESSION['user'] ) )
	{
		unset( $_SESSION['user'] );
	}
}

if ( $_SESSION['user'] ) // could also check $_SESSION['user']['user_id'] if you plan to retain this array within session after user logs out for other data.
{
	header( 'Location:logged_in.php' ); // send them to their logged in location page
	// you could also just show the 'logged in content' here, if this is on a regular page.
	// alternativly, if this is a function, then you could return the user array, or 'true' or similar to indicate the user is logged in
}
else
{
	// if this is a function you could return 'false', or this form to be displayed, or even just display the form and return false both. depends on your structure.
	// show login form
	// this should be nested somewhere inside valid html > body tag
	if ( !empty( $error ) )
	{
?>
		<p class='error'>ERROR: <?php echo $error?></p>

<?php
	}
?>
		<!-- pretty this up any way you want. tables are common, I prefer css -->
		<form method='post' action='<?php echo $_SERVER['PHP_SELF']?>'>
			<legend>Login</legend>
			<label for='un'>Username:</label>
			<input type='text' id='un' name='un' value='<?php echo htmlentities( $_POST['un'], ENT_QUOTES )?>' /><br />
			<label for='pw'>Password</label>
			<input type='password' id='pw' name='pw' /><br />
			<input type='submit' name='login' value='Login' />
		</form>
<?php
}
?>