Hello everyone!

I have a login script, but I want to make an "if" statement so that when the user is logged in they are redirected to admin.php, and when the user is not logged in they are redirected to login.php.

What I have now is the login script that encrypts the password and the username to md5 and after that to sha1 (I think!):

login.php

<?php

session_start();

if(isset($_COOKIE['admin']))
{
include 'config.php';

$username = $_COOKIE['admin']['username'];
$password = $_COOKIE['admin']['password'];

$username = safeAddSlashes($username);
$password = safeAddSlashes($password);

$db = mysql_connect($dbHost,$dbUser,$dbPass);
mysql_select_db($dbname,$db);

$query = "SELECT user, pass FROM login WHERE user = '$username' AND pass = '$password'";
$result = mysql_query($query, $db);
if(mysql_num_rows($result))
	{
	$_SESSION['loggedin'] = 1;
	header('Location: '.$domain.'admin.php');
	exit();
	}
}
?>
<?php include('includet/head.html')?>
<center><div class="faqeident">
	<div class="identtitull"> Paneli Administrimit Për Agalliu.Com </div>
    <div class="identifikimi">
	<form method="post" name="cookie" action="process.php" style="float:right; margin-right:130px; margin-top:50px; font-family:Tahoma, Verdana, Arial; font-size:13px; color:#4F4F4F;">
	<p><label for="username">Pseudonimi : <input type="text" name="username" id="username" /></label></p>
	<p><label for="password">Fjalëkalimi : &nbsp;<input type="password" name="password" id="password" /></label></p>
	<p><input type="checkbox" name="setcookie" value="setcookie" /> Ruaj Sesionin</p>
	<p><td width="80" height="23"><input type="submit" name="submit" value="Identifikohu" class="buton" /></td>
 <td width="80" height="23"><input type="reset" name="reset" value="Boshatis" class="buton" /></td></p>
	</form> 
    </div>
    <div class="identgabim">
    <?php
if (isset($_GET['error']) AND !empty($_GET['error'])) 
 {
	echo '<img src="imazhet/ndal.gif" alt="Operacion i gabuar" width="50" height="50" align="left"> &nbsp;&nbsp;Keni kerkuar te aksesoni një faqe të mbrojtur <br />&nbsp;&nbsp;ose të dhënat e vendosura nuk janë të sakta.';
 }

?>
	</div>
</div></center>

config.php

<?php 
$dbHost = 'localhost';
$dbUser = 'user';
$dbPass = 'pass';
$dbname = 'dbname';

$domain = 'http://localhost/joni/admini/';

function safeAddSlashes($string) {
   if (get_magic_quotes_gpc()) {
       return $string;
   } else {
       return addslashes($string);
   }
}

function Encrypt($string)
   {
       return sha1(md5($string));
   }
?>

And to prevent access by un-logged users I use:

session_start();

if(!isset($_SESSION['loggedin'])) {
   header('Location: '.$domain.'index.php?error=1');
   exit();
}

Now, I want to add that statement to index.php, so that when the user is logged in they are redirected to the main admin page named admin.php, or, if the user is not logged in, they are redirected to the login page named login.php.

Thank you in advance!

    Is that your own script?

    You have some redirects in there. Don't they work?

    The script is still wide open for SQL injection attacks. Use mysqli and prepared statements or at least mysql real escape string functionality. Read up on magic quotes and the like. (There is a good resource to find out about PHP-related stuff: www.php.net)

    That approach using the cookies is new to me. I wouldn't do it.

    For testing I would suggest: drop the includes and actually write the whole thing into one file. Makes life easier. You can still break it up when it works.

    Bjom
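
The prepared-statement approach recommended in the reply above, together with the logged-in redirect decision the original question asks for, as an added example that is not part of the thread. It assumes PDO with an in-memory SQLite table standing in for the MySQL `login` table, uses `password_hash()` in place of `sha1(md5())`, and the names `checkLogin()` and `landingPage()` and the sample user are made up for illustration.

```php
<?php
// Added example, not code from the thread. checkLogin() and landingPage() are
// hypothetical names; the user and password below are constructed sample data.
// In-memory SQLite stands in for the MySQL `login` table so this runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE login (user TEXT PRIMARY KEY, pass TEXT NOT NULL)');

// Store a salted password hash instead of sha1(md5(...)).
$insert = $pdo->prepare('INSERT INTO login (user, pass) VALUES (?, ?)');
$insert->execute(["o'neil", password_hash('constructed-password', PASSWORD_DEFAULT)]);

// Bound parameter: the user name is sent as data, so no addslashes() is needed.
function checkLogin(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT pass FROM login WHERE user = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();          // false when no such user
    return is_string($hash) && password_verify($password, $hash);
}

// index.php decision: trust only server-side session state, never a cookie value.
function landingPage(array $session): string
{
    return !empty($session['loggedin']) ? 'admin.php' : 'login.php';
}

$session = [];  // stands in for $_SESSION when run from the command line
echo landingPage($session), PHP_EOL;

foreach (['wrong-password', 'constructed-password'] as $attempt) {
    if (checkLogin($pdo, "o'neil", $attempt)) {
        // In the real page, call session_regenerate_id(true) and set
        // $_SESSION['loggedin'] here, then send the Location header and exit().
        $session['loggedin'] = true;
    }
    echo $attempt, ' -> ', landingPage($session), PHP_EOL;
}
```

The `!empty()` test accepts both `1` and `true`, so it matches either way of setting `$_SESSION['loggedin']` shown in this thread.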

      Thank you for your reply Bjom!
      Yep, that is my own script. I will "play" with security later, but I'm having that problem with the if statement.

      Can anyone help me please?

      Thank you!

        Play around with this:

        <?php
        //preliminaries
        DEFINE ('DOMAIN','http://localhost/joni/admini/');
        
        function safeAddSlashes($string) 
        {
           if (get_magic_quotes_gpc()) {
               return $string;
           } else {
               return addslashes($string);
           }
        }
        
        function Encrypt($string)
        {
        	return sha1(md5($string));
        }
        
        //start of code
        session_start();
        
        //check for form submit
        if (isset($_POST['submit'])) {
        
        $dbHost = 'localhost';
        $dbUser = 'user';
        $dbPass = 'pass';
        $dbname = 'dbname';
        
        $username = safeAddSlashes($_POST['username']);
        $password = safeAddSlashes($_POST['password']);
        
        $db = mysql_connect($dbHost,$dbUser,$dbPass);
        mysql_select_db($dbname,$db);
        
        $query = "SELECT user, pass FROM login WHERE user = '$username' AND pass = '$password'";
        $result = mysql_query($query, $db);
        if(mysql_num_rows($result)) {
        	$_SESSION['loggedin'] = true;
        } else {
        //this is where you want to redirect, because login failed
        header('Location: '.DOMAIN.'index.php?error=1');
        exit(); 
        }
        }
        
        //check if user is logged in - if yes redirect, if no script continues to run and shows login
        if(isset($_SESSION['loggedin']) && $_SESSION['loggedin'] === true) {
           	header('Location: '.DOMAIN.'admin.php');
        	exit();
        } 
        
        
        ?>
        <?php include('includet/head.html')?>
        <center><div class="faqeident">
            <div class="identtitull"> Paneli Administrimit Për Agalliu.Com </div>
            <div class="identifikimi">
            <form method="post" name="cookie" action="process.php" style="float:right; margin-right:130px; margin-top:50px; font-family:Tahoma, Verdana, Arial; font-size:13px; color:#4F4F4F;">
            <p><label for="username">Pseudonimi : <input type="text" name="username" id="username" /></label></p>
            <p><label for="password">Fjalëkalimi : &nbsp;<input type="password" name="password" id="password" /></label></p>
            <p><input type="checkbox" name="setcookie" value="setcookie" /> Ruaj Sesionin</p>
            <p><td width="80" height="23"><input type="submit" name="submit" value="Identifikohu" class="buton" /></td>
        <td width="80" height="23"><input type="reset" name="reset" value="Boshatis" class="buton" /></td></p>
            </form>
            </div>
            <div class="identgabim">
            <?php
        if (isset($_GET['error']) AND !empty($_GET['error']))
        {
            echo '<img src="imazhet/ndal.gif" alt="Operacion i gabuar" width="50" height="50" align="left"> &nbsp;&nbsp;Keni kerkuar te aksesoni një faqe të mbrojtur <br />&nbsp;&nbsp;ose të dhënat e vendosura nuk janë të sakta.';
        }
        
        ?>
            </div>
        </div></center>
        

        And: get the security straight, better earlier than later.

        Bjom

          Thank you Bjom ... But it didn't worked ! 🙁
          Any other idea?

          Thank you again for reply!

            "It didnt worked!"

            That is not an answer. What didn't work? There might be one or the other small bug in there but you should be able to figure that out yourself.

            Also: no matter if it did or did not "worked": it is a good start for you to get things going.

              I'm new to PHP/MySQL and I'm still learning 😉. It didn't work; I mean that when I'm logged in and I access login.php I receive the login form and I'm not redirected to the admin.php page 🙁!

              I forgot to post the process page of login :

              process.php

              <?php
              
              session_start();
              
              include 'config.php';
              
              $username = $_POST['username'];
              $password = $_POST['password'];
              $time = time();
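              // the checkbox is absent from $_POST when unticked, so default to ''
              $check = isset($_POST['setcookie']) ? $_POST['setcookie'] : '';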
              
              $username = Encrypt($username);
              $password = Encrypt($password);
              
              $username = safeAddSlashes($username);
              $password = safeAddSlashes($password);
              $check = safeAddSlashes($check);
              
              $db = mysql_connect($dbHost,$dbUser,$dbPass);
              mysql_select_db($dbname,$db);
              
              $query = "SELECT user, pass FROM login WHERE user = '$username' AND pass = '$password'";
              $result = mysql_query($query, $db) or die(mysql_error());
              if(mysql_num_rows($result)) {
                 $_SESSION['loggedin'] = 1;
              
              if($check) {
              setcookie("admin[username]", $username, $time + 3600);
              setcookie("admin[password]", $password, $time + 3600);
              }
              
                 header('Location: '.$domain.'admin.php');
                 exit();
              }
              else
              {
                 header('Location: '.$domain.'login.php?error=1');
                 exit();
              }
              ?>

              Thank you very much and I will learn 😉!

              P.S. About security, I have made this kind of modification:

              $name = mysql_real_escape_string($_POST['name']);

              😉

                Try the script that I posted above and make the form point to itself. That means: replace that "process.php" part with "login.php" and see what happens... (sorry, should have seen that and changed it before posting)
