[RESOLVED] Uploading a page after login

phprooky

Hi everybody, I have created 3 php files which I use to log in and the 3rd. file which I call login_success.php I have a table with 4 options to choose and each one of them opens a new php file. I know I can add a url and open the files by choosing the option, but I'm going to be very burnerable to hackers. Is there a way to upload my pages using another way.

TheoGB

Do you mean upload or do you mean display? Upload would imply you're talking about sending files from your machine to the server.

If you just mean to display them it sounds like you need to use sessions to store the login data so you only allow logged in people to view the other pages? This is fairly simple and you should be able to find examples anywhere.

session_start();

if($_SESSION['loginwasasuccess'] == "yesitwas")
{
   processing to display page
}
else
{
  echo "Not authorised to view page";
}

You'd set that $_SESSION variable value when you got a successful login. This is basic stuff. Look on line for complex hacker-proof methods of doing this.

phprooky

Hi TheoGB and thanks for your quick reply. I meant display, sorry for that, but the way I want to do it is by clicking on a url after login.

TheoGB

Okay, well what I've said will work for you, but it's hard to stop hackers. It depends on if you actually expect someone to hack your website, i.e. maliciously attack it, or if you're simply wanting to block unauthorised access to the files in question. I'm assuming it would be the latter, in which case use session data.

Check the examples here:
http://uk2.php.net/manual/en/function.session-start.php

They'll give you a good quick feel for using sessions and see if it makes sense.

phprooky

Hi TheoGB, This session command I have to added right where I check the username and password, right?

TheoGB

Yes. It makes more sense if you create a separate PHP file called something like site_sessions.inc.php

<?php
// site_sessions.inc.php

// Include this file on all php files that need to use login authority

session_start();
?>

Then in your other php files you can do this right at the very start:

<?php

include_once('site_sessions.inc.php');

Then in your check for username and password you would set $_SESSION['valid_login'] to TRUE if they're the correct values or to FALSE if they're incorrect.

Finally, on any pages where you only wish users who've logged in to see you would condition the whole page on that session variable, thus:

<?php

include_once('site_sessions.inc.php');

if  ((isset($_SESSION['valid_login']) && ($_SESSION['valid_login'] == TRUE))
{
   // Put all normal Page code
}
else
{
  // Put code to say they're not authorised to view this page and (maybe) link back to login
}
?>

What I've done there is fairly simplistic. I use http://smarty.php.net to output my pages so in fact for the 'unauthorised' option I just call the template for the login page instead of just telling them they're not authorised.

phprooky

Hi,TheoGB. I think this session thing is confusing me. Let me show you what I have to see if you can help me.
I have 3 php files.
The first one is called login.php and here I ask for the user credentials with the following code:

<table width="300" border="0" align="center" cellpadding="0" cellspacing="1" bgcolor="#CCCCCC">
  <tr>
  <form name="form1" method="post" action="checklogin.php">
  <td>
  <table width="100%" border="0" cellpadding="3" cellspacing="1" bgcolor="#FFFFFF">
  <tr>
  <td colspan="3"><strong>Member Login </strong></td>
  </tr>
  <tr>
  <td width="69">Username</td>
  <td width="4">:</td>
  <td width="202"><input name="myusername" type="text" id="myusername"></td>
  </tr>
  <tr>
  <td>Password</td>
  <td>:</td>
  <td><input name="mypassword" type="password" id="mypassword"></td>
  </tr>
  <tr>
  <td>&nbsp;</td>
  <td>&nbsp;</td>
  <td><input type="submit" name="Submit" value="Login"></td>
  </tr>
  </table>
  </td>
  </form>
  </tr>
</table>

2) My second file I called check_login.php with the following code:

$host=""; // Host name 
$username=""; // Mysql username 
$password=""; // Mysql password 
$db_name=""; // Database name 
$tbl_name=""; // Table name 
// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect"); 
mysql_select_db("$db_name")or die("cannot select DB");
// username and password sent from form 
$myusername=$_POST['myusername']; 
$mypassword=$_POST['mypassword']; 
// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);
$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);
// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row
if($count==1){
// Register $myusername, $mypassword and redirect to file "login_success.php"
session_register("myusername");
session_register("mypassword");
header("location:login_success.php");
}
else {
echo "Wrong Username or Password";
}

3) My third and last file I called login_success.php with this code:

session_start();
if(!session_is_registered(myusername)){
header("location:login.php");
}

<table width="398" border="1" cellspacing="1">

                <td width="71">add news</td>
                <td width="117">edit / delete news</td>
                <td width="122">go to last news</td>
                <td width="75">logout</td>
              </tr>
            </table>
          <p>Login Successful! Please choose one of the options above.</p>

FROM MY THIRD FILE I WOULD LIKE TO OPEN ABOUT 2 OR 3 MORE FILES USING THE USER CREDENTIALS

TheoGB

Hi,

Okay you shouldn't use session_register. It works but you can see here:
http://uk2.php.net/manual/en/function.session-register.php

This function has been DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 6.0.0. Relying on this feature is highly discouraged.

There is another more fundamental error you couldn't have known about which is that you're storing the password in the session: session data can be captured and checked so you should ideally never store a username or a password in it without first encoding them in some way.

So, your code as presented but altered would be:


// Session start or create the site_sessions.inc.php type file and include it
session_start();

$host=""; // Host name 
$username=""; // Mysql username 
$password=""; // Mysql password 
$db_name=""; // Database name 
$tbl_name=""; // Table name 
// Connect to server and select databse. 
mysql_connect("$host", "$username", "$password")or die("cannot connect"); 
mysql_select_db("$db_name")or die("cannot select DB"); 
// username and password sent from form 
$myusername=$_POST['myusername']; 
$mypassword=$_POST['mypassword']; 
// To protect MySQL injection (more detail about MySQL injection) 
$myusername = stripslashes($myusername); 
$mypassword = stripslashes($mypassword); 
$myusername = mysql_real_escape_string($myusername); 
$mypassword = mysql_real_escape_string($mypassword); 
$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'"; 
$result=mysql_query($sql); 
// Mysql_num_row is counting table row 
$count=mysql_num_rows($result); 
// If result matched $myusername and $mypassword, table row must be 1 row 
if($count==1){ 
   // Register $myusername, $mypassword and redirect to file "login_success.php" 
   $_SESSION['login_valid'] = TRUE;
   header("location:login_success.php"); 
} 
else 
{ 
    // Make doubly sure it's not TRUE left over from a previous login or something.
   $_SESSION['login_valid'] = FALSE;
   echo "Wrong Username or Password"; 
}

Then for login_success:

// Or use include_once on a file with session_start in it
session_start(); 

// Better to check if we have a TRUE value to do what we want rather
// than checking on a wrong value to escape out.
if  ((isset($_SESSION['login_valid']) && ($_SESSION['login_valid'] == TRUE)) 
{
         <table width="398" border="1" cellspacing="1">

                <td width="71">add news</td>
                <td width="117">edit / delete news</td>
                <td width="122">go to last news</td>
                <td width="75">logout</td>
              </tr>
            </table>
          <p>Login Successful! Please choose one of the options above.</p>}
else
{
    header("location:login.php"); 
}

Okay, so for each of your three linked to PHP files, add news, edit / delete news and go to last news, you adopt exactly the same structure as for login_succes aboe but you replace the menu code with the page code.

You can use include functionality to encapsulate parts of this code to make it easier.

phprooky

Hi TheoGB,
I did exactly as you suggested, but I'm receiving the following error:
Parse error: syntax error, unexpected '{' in /homepages/37/d119721257/htdocs/upload/admin/login_success.php on line 5

This program is checklogin.php

$host=""; // Host name 
$username=""; // Mysql username 
$password=""; // Mysql password 
$db_name=""; // Database name 
$tbl_name=""; // Table name 
// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect"); 
mysql_select_db("$db_name")or die("cannot select DB");
// username and password sent from form 
$myusername=$_POST['myusername']; 
$mypassword=$_POST['mypassword']; 
// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);
$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);
// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row
if($count==1){
// Register $myusername, $mypassword and redirect to file "login_success.php"
$_SESSION['myusername'] = TRUE;
header("location:login_success.php");
}
else
{
	$_SESSION['mypassword'] = FALSE;
	echo "Wrong Username or Password";
}

This program is: login_success.php

session_start();

if ((isset($_SESSION['myusername']) && ($_SESSION['mypassword'] == TRUE))
												  { //This is line #5
													  <table width="398" border="1" cellspacing="1">
													  <td width="71"><a href="upload_news.php">add news</td>
													  <td width="117">edit / delete news</td>
													  <td width="122">go to last news</td>
													  <td width="75">logout</td>
													  </tr>
													  </table>
													  <p>Login Successful! Please choose one of the options above.</p>
												  }
												  else
												  {
													  header("location:login.php");
												  }

bradgrafelman

The first problem in login_success.php is that the opening '(' of the if() statement is never closed (you have one more '(' than you do ')' on that line).

Your second problem will be that you can't simply throw some HTML code into the middle of a PHP script. Either [man]echo[/man] the HTML code out, or, if its a large chunk of HTML, either use [man]heredoc[/man] syntax or just escape out of PHP. Example of escaping out of PHP:

<?php

if($foo) {
?><p>This is some HTML that is output inside of an if() statement.</p>
<p>Although I try to separate all HTML from PHP scripts, you can still combine the two if you must.</p><?php
}

?>

phprooky

Hi bradgrafelman,
I fixed the problem and took all that HTML code out of my PHP code as you mentioned. Is working pretty well now. Thanks a lot for your help.