User can enter site wihtout being registered

cybastud

Im having trouble preventing the user from entering the site without being registered.

my connect.php page looks like this...

<html>

<div align="center"><a href="Register.php">Register </a> &nbsp;
    					<a href="Login.php">Login </a> &nbsp;
                        <a href="insert.php">Insert </a> &nbsp;
                        <a href="List.php">List </a> &nbsp;
                        <a href="logout.php">Logout </a>
                        </div>
                       	&nbsp;




<?php
	$connection = mysql_connect ("localhost","root","")
		or die ("Couldn't connect to server");

$db = mysql_select_db("carsales", $connection)
	or die ("Couldn't select database");

?>

</html>

and at the top of each of my other pages I have..

<?php
include ('connect.php');//Includes database connection details
error_reporting(0);

session_start();
$_SESSION['username'] = "$username";?>

but the user can still click on the links and enter the site iwithout being registered, how do I prevent this? Any help will be much appreciated

awbrowni30

You might want to checkout the following blog post by Adam Patterson:

PHP User login with sessions

cybastud

ok I had a look, Im just a bit confused as to where I should put the code that checks the username

This is what I have now in my connect.php file with my links

<html>

<?php
error_reporting(0);
session_start();
$_SESSION['username'] = "$username";
if(!isset($_SESSION['username'])){
	    header("location:login.php");
	}

?>

<div align="center"><a href="Register.php">Register </a> &nbsp;
    					<a href="Login.php">Login </a> &nbsp;
                        <a href="insert.php">Insert </a> &nbsp;
                        <a href="List.php">List </a> &nbsp;
                        <a href="logout.php">Logout </a>
                        </div>
                       	&nbsp;




<?php
	$connection = mysql_connect ("localhost","root","")
		or die ("Couldn't connect to server");

$db = mysql_select_db("carsales", $connection)
	or die ("Couldn't select database");

?>

</html>

and then on my list page for example I have:

<html>
<head>
<title>Welcom to Carsales Warehouse</title>

</head>

<body  bgcolor="black"    style="color:white;">

<h2 align="center">List</h2>

<form Method="POST" ACTION="edit.php?car_id=$car_id">

<?php
include ('connect.php');//Includes database connection details


session_start();
$_SESSION['username'] = "$username";
if(!isset($_SESSION['username'])){
	    header("location:login.php");
	}

echo "<table border='1' align='center'>
	<tr bgcolor='#cccccc'>
	<td>Manufacturer</td>
	<td>Make</td>
	<td>Year</td>
	<td>Price</td>
	<td colspan='2'>Action</td>
	</tr>";

$SQL = "Select * FROM cars";
$result = mysql_query($SQL);

while($row = mysql_fetch_array($result)){ 
	$car_id=$row['car_id']; 
	echo "<tr><td>"; 
	echo $row['manufacturer']; 
	echo "</td><td>"; 
	echo $row['make']; 
	echo "</td><td>"; 
	echo $row['year']; 
	echo "</td><td>"; 
	echo $row['price']; 
	echo "</td><td>";
	echo "<a href=edit.php?car_id=$car_id&update=yes>Edit</a>"; 
	echo "</td><td>";

echo "<a href=delete.php?car_id=$car_id&delete=yes>Delete</a>";
echo "</tr>";
}

echo "</table>"; 

?>
</form>
</body>
</html>

but still its allowing a user to click on the list link and list information in the database

awbrowni30

So, back to using print_r($SESSION); to see if you are indeed capturing anything. Also you don't need $SESSION['username'] = "$username"; on every page.

Per your example:


<?php 
error_reporting(0); 
session_start(); 
$_SESSION['username'] = "$username"; 

echo '<pre>';
print_r($_SESSION);
echo '</pre>';

if(!isset($_SESSION['username'])){ 
        header("location:login.php"); 
    } 

?> 

<div align="center"><a href="Register.php">Register </a> &nbsp; 
                        <a href="Login.php">Login </a> &nbsp; 
                        <a href="insert.php">Insert </a> &nbsp; 
                        <a href="List.php">List </a> &nbsp; 
                        <a href="logout.php">Logout </a> 
                        </div> 
                           &nbsp; 




<?php 
    $connection = mysql_connect ("localhost","root","") 
        or die ("Couldn't connect to server"); 

$db = mysql_select_db("carsales", $connection) 
    or die ("Couldn't select database"); 

?>

Question: how and where are you setting the $SESSION['username'] when a person successfully logs in? Also what are you comparing $SESSION['username'] against to know whether someone is registered?

cybastud

ok here is my login page...

<html>
<head>
<title>Welcom to Carsales Warehouse</title>

</head>

<body  bgcolor="black"    style="color:white;">

<h2 align="center">Login</h2>

<?php
include ('connect.php');
error_reporting(0);

?>

<form Method="POST" ACTION="login.php">

<table border="2" align="center">
<tr>
<td>Username :</td><td><input name="username" type="text" maxlength="6"></input></td>
</tr>
<tr>
<td>Password :</td><td><input name="password" type="password" maxlength="6"></input></td>
</tr>
</table> 
<p align="center">
    <input type="submit" name="login" value="Log in">

</input>
</p>

</form>

<?php

$Login = $_POST['login'];
$username = $_POST['username'];
$password = $_POST['password'];

if (isset($_POST['login'])) {
	$result = mysql_query("SELECT * FROM user WHERE username='$username' AND password='$password'");

if($result) {
	if(mysql_num_rows($result) == 1) {
		session_start();
		$_SESSION['username'] = "$username";
		header("location:insert.php");

	}
	else
		echo "<p align = 'center'>Incorect login! Please try again, or proceed to <a href='Register.php'> Register </a></p>";
	}


}


?>




</body>
</html>

Then I've changed my insert page to...

<html>
<head>
<title>Welcom to Carsales Warehouse</title>

</head>

<body  bgcolor="black"    style="color:white;">

<h2 align="center">Insert Vehicle</h2>

<?php
error_reporting(0);
if(!isset($_SESSION['username'])){
	    header("location:login.php");
	}
include ('connect.php');//Includes database connection details

?>

<form Method="POST" ACTION="insert.php">
<table border="2" align="center">
<tr>
<td>Manufacturer</td><td><input name="manufacturer" type="text"></input></td>
</tr>
<tr>
<td>Make</td><td><input name="make" type="text"></input></td>
</tr>
<tr>
<td>Year:</td><td><input name="year" type="text"></input></td>
</tr>
<tr>
<td>Price</td><td><input name="price" type="text"></input></td>
</tr>
</table> 
<p align="center">
    <input type="submit" name="insert" value="Insert">

</input>
</p>
</form>

<?php
//Define variable submitted by the form
$Insert = $_POST['insert'];
$manufacturer = $_POST['manufacturer'];
$make = $_POST['make'];
$year = $_POST['year'];
$price = $_POST['price'];

if (isset($_POST['insert'])) {
	$result = mysql_query("SELECT manufacturer FROM cars WHERE manufacturer='$manufacturer'");
	$num_rows = mysql_num_rows($result);
	if($num_rows > 0){ //if number of rows is more thatn 0, the below will execute
		echo "<p align='center'>The vehicle $manufacturer already exists!</p>";

}
else{

$query = "INSERT INTO cars (manufacturer, make, year, price) VALUES ('$manufacturer', '$make', '$year', '$price')";
$result = mysql_query($query);
			if($result){
				echo "<p align='center'>The vehicle $manufacturer, $make, $year, with a price of R $price has been inserted into the database!</p>";
			}
			else{
					echo "no luck";
			}
				}
}

?>

</body>
</html>

So now it is preventing the user from entering the site if he clicks on the insert link, but when the user now tries to login with his details, he is kept on the login page and not redirected the the insert page. I have taken out the php code from my connect.php page. So on my login page i start the session and then set $_SESSION['username'] = "$username";

awbrowni30

Read up on header and remember that it must be called before any output is sent. Also, be mindful of cleaning your input against SQL Injection and storing plain text passwords in a database (extremely dangerous -- see mysql encryption/compression functions).

Your Login Page:



<?php 

include ('connect.php'); 
error_reporting(0); 

// YIKES, data is not being cleaned; read up on SQL Injection
$Login = $_POST['login']; 
$username = $_POST['username']; 
$password = $_POST['password']; 

if (isset($_POST['login']) == "Log in") { 

// YIKES, passwords are being stored plain text.
    $result = mysql_query("SELECT * FROM user WHERE username='$username' AND password='$password'"); 

if($result) { 

    if(mysql_num_rows($result) == 1) { 
        session_start(); 
        $_SESSION['username'] = "$username"; 
        header("location:insert.php"); 

    } 
    else 
        echo "<p align = 'center'>Incorect login! Please try again, or proceed to <a href='Register.php'> Register </a></p>"; 
    } 


} 


?> 

<html> 
<head> 
<title>Welcom to Carsales Warehouse</title> 

</head> 

<body  bgcolor="black"    style="color:white;"> 

<h2 align="center">Login</h2> 

<form Method="POST" ACTION="login.php"> 

<table border="2" align="center"> 
<tr> 
<td>Username :</td><td><input name="username" type="text" maxlength="6"></input></td> 
</tr> 
<tr> 
<td>Password :</td><td><input name="password" type="password" maxlength="6"></input></td> 
</tr> 
</table> 
<p align="center"> 
    <input type="submit" name="login" value="Log in"> 

</input> 
</p> 

</form> 

</body> 
</html>

Your Insert Page:

<?php 
error_reporting(0); 
session_start(); 

/* 

I would suggest comparing the $_SESSION['username'] against a database, and not just checking if it is empty/exists.  You want to check that the value exists and that the username and session are both authenticated.

*/

if(empty($_SESSION['username'])){ 

    header("location:login.php"); 

} 

include ('connect.php');//Includes database connection details 

?> 

<html> 
<head> 
<title>Welcom to Carsales Warehouse</title> 

</head> 

<body  bgcolor="black"    style="color:white;"> 

<h2 align="center">Insert Vehicle</h2> 

<form Method="POST" ACTION="insert.php"> 
<table border="2" align="center"> 
<tr> 
<td>Manufacturer</td><td><input name="manufacturer" type="text"></input></td> 
</tr> 
<tr> 
<td>Make</td><td><input name="make" type="text"></input></td> 
</tr> 
<tr> 
<td>Year:</td><td><input name="year" type="text"></input></td> 
</tr> 
<tr> 
<td>Price</td><td><input name="price" type="text"></input></td> 
</tr> 
</table> 
<p align="center"> 
    <input type="submit" name="insert" value="Insert"> 

</input> 
</p> 
</form> 

<?php 
//Define variable submitted by the form 
$Insert = $_POST['insert']; 
$manufacturer = $_POST['manufacturer']; 
$make = $_POST['make']; 
$year = $_POST['year']; 
$price = $_POST['price']; 

if (isset($_POST['insert'])) { 
    $result = mysql_query("SELECT manufacturer FROM cars WHERE manufacturer='$manufacturer'"); 
    $num_rows = mysql_num_rows($result); 
    if($num_rows > 0){ //if number of rows is more thatn 0, the below will execute 
        echo "<p align='center'>The vehicle $manufacturer already exists!</p>"; 

} 
else{ 

$query = "INSERT INTO cars (manufacturer, make, year, price) VALUES ('$manufacturer', '$make', '$year', '$price')"; 
$result = mysql_query($query); 
            if($result){ 
                echo "<p align='center'>The vehicle $manufacturer, $make, $year, with a price of R $price has been inserted into the database!</p>"; 
            } 
            else{ 
                    echo "no luck"; 
            } 
                } 
} 

?> 

</body> 
</html>

cybastud

ok im sorted..turns out that I put session_start(); on the login page instead of on the insert page.. Thanks for the help