ahh need serious help! can any1 help with user authentication
Old 08-21-2008, 08:42 PM ahh need serious help! can any1 help with user authentication
Average Talker

Posts: 18
Name: joseph
Trades: 0
I need to allow a user to post only if they're logged in. I have a login.htm form with session feedback processing the request, but I don't know how to restrict access to the post.htm form. Here's my code.
<?php
session_start();
ini_set('arg_separator.output',';');
$con = mysql_connect("host","database","password");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}
mysql_select_db("database", $con);

// process log in form
if (isset($_POST['login'])){
if (!empty($_POST['user'])){
$user = $_POST['user'];
}
if (!empty($_POST['password'])){
$password = $_POST['password'];
}

// query whether there is a user with $usr for username and $pwd for password in the users database
$result = mysql_query("SELECT * FROM users WHERE user = '$user'");
while($row = mysql_fetch_array($result))
{
$password = $row['password'];
$user = $row['user'];
}
if($user){
if($password != 'Password'){
if ( $_POST['password'] == "$password"){
$_SESSION['user'] = $_POST['user'];

setcookie("user", $user, time()+3600);
}
}
}
mysql_close($con);
}
// log out
if (isset($_GET['logout'])){
unset($_SESSION['user']);
session_destroy();
setcookie("user", "", time()-3600);
}
header('Location: http://www.etc.com'); // header to post.htm
?>
Old 08-21-2008, 10:51 PM Re: ahh need serious help! can any1 help with user authentication
NullPointer's Avatar
Will Code for Food

Posts: 2,815
Name: Matt
Location: Irvine, CA
Trades: 0
Couple things before I try to solve your problem. First off, it's much easier to read your code if you use PHP tags: [ PHP]code here[ /PHP] without the spaces. Second, it is much, much easier to read your code if you format it. Use tabs to organize blocks of code. Here is your code after I went over it:

PHP Code:
<?php
session_start();
ini_set('arg_separator.output',';');

$con = mysql_connect("host","database","password")
    or die('Could not connect: ' . mysql_error());

mysql_select_db("database", $con);

// process log in form
if (isset($_POST['login']))
{
    if (!empty($_POST['user']))
        $user = $_POST['user'];

    if (!empty($_POST['password']))
        $password = $_POST['password'];

    // query whether there is a user with $usr for username and $pwd for password in the users database
    $result = mysql_query("SELECT * FROM users WHERE user = '$user'");
    while($row = mysql_fetch_array($result))
    {
        $password = $row['password'];
        $user = $row['user'];
    }
    if($user)
    {
        if($password != 'Password')
        {
            if($_POST['password'] == "$password")
            {
                $_SESSION['user'] = $_POST['user'];
                setcookie("user", $user, time()+3600);
            }
        }
    }
    mysql_close($con);
}

// log out
if (isset($_GET['logout']))
{
    unset($_SESSION['user']);
    session_destroy();
    setcookie("user", "", time()-3600);
}

header('Location: http://www.etc.com');
?>
Ok now...
If you want to restrict access to parts of your site there are several ways to go about it. The first way that comes to mind would be just to store the user's username and Hashed!!! password as session variables and then write a function that checks it against your database. This might not be the most secure way but it's quick and dirty.

As far as I can tell right now you are not using any hashing that I can discern; you'll probably want to look up a guide to building a secure login system in PHP. Just as a rule: never store a user's password as is. Hash it and use a salt as well.

Also, there are some details in your code that don't seem right to me. Such as how you check if $password is equal to 'Password' and how you set $password to $_POST['password'] and then reset it to $row['password'] without using it. At no point do you actually check the provided password with the one in the database. Here is an example of simple password checking:
PHP Code:
session_start(); // needed before $_SESSION can be written
$username = $_POST['username'];

// quote and escape the username before it goes into the SQL string
$query = "SELECT * FROM `users` WHERE `user` = '" . mysql_real_escape_string($username) . "' LIMIT 1;";
$result = mysql_query($query)
     or die('error');

$row = mysql_fetch_array($result, MYSQL_ASSOC);
//A salt is just a random string used to increase entropy when hashing
//some people choose to have a universal salt for all users. Personally
//I generate a random 3 character string for each user
$salt = $row['salt'];

$hash = sha1(sha1($_POST['password']) . $salt);
if($row['password'] != $hash)
     die('login failed');

$_SESSION['username'] = $username;
$_SESSION['hash'] = $hash;

header('Location: wherever');
//just use session start to retrieve the username and hash
//you can then compare it to the username and hash in the database
Again, different people do it different ways. This is not the best or most secure way but it works.


Hope that helps a bit.
Last edited by NullPointer; 08-21-2008 at 11:06 PM..
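
An added example, not part of NullPointer's post: the same "look up the user, then compare the password" step written with a bound query parameter and PHP's built-in password_hash() / password_verify(), which create a random per-user salt and store it inside the hash string. The in-memory SQLite table, its column names and the sample account are constructed for the demo.

```php
<?php
// Added example. Needs PHP 7.1+ with pdo_sqlite; the table, column names and
// the sample account are constructed so the script runs offline from the CLI.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (user TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');

// Fixed hash to verify against when the username does not exist.
define('DUMMY_HASH', password_hash('no-such-account', PASSWORD_DEFAULT));

// Registration: store only the hash. password_hash() picks a random salt on
// every call and embeds it, with the algorithm and cost, in its return value.
function register_user(PDO $db, string $user, string $password): void
{
    $stmt = $db->prepare('INSERT INTO users (user, password_hash) VALUES (?, ?)');
    $stmt->execute([$user, password_hash($password, PASSWORD_DEFAULT)]);
}

// Login: true only when the user exists and the submitted password matches.
function check_login(PDO $db, string $user, string $password): bool
{
    // The username is bound as a parameter, never concatenated into the SQL.
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE user = ? LIMIT 1');
    $stmt->execute([$user]);
    $stored = $stmt->fetchColumn();

    if ($stored === false) {
        // Unknown user: run one verification anyway so known and unknown
        // usernames take a similar amount of time to reject.
        password_verify($password, DUMMY_HASH);
        return false;
    }
    return password_verify($password, $stored);
}

register_user($db, 'joseph', 'correct horse battery staple');
var_dump(check_login($db, 'joseph', 'correct horse battery staple')); // right password
var_dump(check_login($db, 'joseph', 'Password'));                     // wrong password
var_dump(check_login($db, "o'brien", 'anything'));  // quote in name is treated as data
```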
Old 08-21-2008, 10:59 PM Re: ahh need serious help! can any1 help with user authentication
maxxximus's Avatar
Extreme Talker

Posts: 219
Name: Rob
Location: UK
Trades: 0
Your basic login / access check would be:

Login form would set a $_SESSION['user_name'] on successful login.

On all pages requiring login you would have a script that would check that $_SESSION['user_name'] is not set and would do a redirect to the login page.
PHP Code:
<?php
// post.php

if (!isset($_SESSION)) {
  session_start();
}

$login = "login_user.php";
if (!isset($_SESSION['user_name'])) {
  header("Location: " . $login);
  exit;
}

// rest of post.php script
?>

Last edited by maxxximus; 08-21-2008 at 11:01 PM..
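
An added example, not part of maxxximus's post: the same session gate packaged as an include, with the session id regenerated at login and the access decision based only on server-side session data, not on the separate "user" cookie from the first post. The file name auth.php and the function names are hypothetical; the array form of session_set_cookie_params() needs PHP 7.3+.

```php
<?php
// auth.php (hypothetical name) - added example, included at the top of every
// page that needs a logged-in user, such as post.php.

function start_secure_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        // Session cookie is hidden from JavaScript and not sent on cross-site
        // sub-requests; add 'secure' => true when the site is served over HTTPS.
        session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
        session_start();
    }
}

// Call once, right after the password check has succeeded.
function log_user_in(string $user): void
{
    start_secure_session();
    session_regenerate_id(true);   // fresh id, old session file deleted
    $_SESSION['user_name'] = $user;
}

// Only server-side session data is consulted. A plain "user" cookie is sent
// by the browser and can hold any value, so it is never read here.
function current_user(): ?string
{
    start_secure_session();
    return isset($_SESSION['user_name']) ? (string) $_SESSION['user_name'] : null;
}

// Returns the logged-in user name, or redirects to the login page and stops.
function require_login(string $loginPage = 'login_user.php'): string
{
    $user = current_user();
    if ($user === null) {
        header('Location: ' . $loginPage);
        exit;   // without this the rest of the protected page still runs
    }
    return $user;
}

function log_user_out(): void
{
    start_secure_session();
    $_SESSION = [];
    session_destroy();
}
```

In post.php, `require 'auth.php'; $user = require_login();` goes before any output is sent, since both the session cookie and the redirect are HTTP headers.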
Old 08-22-2008, 12:22 AM Re: ahh need serious help! can any1 help with user authentication
Average Talker

Posts: 18
Name: joseph
Trades: 0
omg thanks so much guys, you saved my bum.