3 replies to this topic

[coolaid]

okay, i need help. i created a table named admins with two columns. one is 'admin' and the other is 'password'

i need to make a simple login script that uses session to check if the form submitted data is the same as the data in one row of the mysql table.

then i need to know how to turn that user posted data into a session.

ive already looks at thousands of php login scripts but i cant figure out how to do it.
heres my unworking script so you can see what i'm tryin to do

<?
	mysql_connect("localhost","*****","****");
	mysql_select_db("*****");

	$result = mysql_query("select * from admins where admin = '$r_admin' and password = '$r_password'");

		if(isset($_GET['admin']) && isset($_GET['password'])){
			if($_GET['admin'] != $r_admin && $_GET['password'] != $r_password){
				echo("$admin does not exist.");
			}
			else
			{
				$_session['admin'] = $_GET['admin'];
				$_session['password'] = $_GET['password'];
				echo "logged in as $admin";
			}
		}
	?>

	<form action="<? echo $PHP_SELF; ?>">
	Login Form:<br/>
	Admin:<input name="admin" /><br/>
	Password:<input name="password" name="password" /><br/>
	<input type="submit" value="Submit" />
	</form>

[liveman]

<?
 session_start(); // MUST BE FIRST LINE AFTER <? NOT EVEN A SPACE
	mysql_connect("localhost","*****","****");
	mysql_select_db("*****");
  $r_admin = $_POST['r_admin'];
$r_password = $_POST['r_password'];
	$result = mysql_query("select * from admins where admin = '$r_admin' and password = '$r_password'");
					$r = mysql_num_rows($result);
	   if(empty($r))
 {					die('<b>' . $r_admin . '</b> does not exit!');
				 
 			}
			else
			{
				$_session['admin'] = $_GET['admin'];
				$_session['password'] = $_GET['password'];
				echo "logged in as $admin";
			}
		}
	?>

	<form action="<? echo $PHP_SELF; ?>" method = "POST">
	Login Form:<br/>
	Admin:<input name="admin" /><br/>
	Password:<input name="password" name="password" /><br/>
	<input type="submit" value="Submit" />
	</form>

Edited by liveman, 23 January 2006 - 02:55 PM.

[rc69]

<?
	mysql_connect("localhost","*****","****");
	mysql_select_db("*****");
	$result = mysql_query("SELECT * FROM admins WHERE admin = '".$_POST['admin']."' AND password = '".$_POST['password']."'") or die(mysql_error());
	$r = mysql_num_rows($result);
	if(empty($r)){
		die('<b>' . $r_admin . '</b> does not exit!');
	}else{
		session_start();
		$_SESSION['admin'] = $_POST['admin'];
		echo "logged in as $admin";
	}
} // Why is this here?
	?>

	<form action="<?= $_SERVER['PHP_SELF']; ?>" method="POST">
	Login Form:<br/>
	Admin:<input name="admin" /><br/>
	Password: <input name="password" /><br/>
	<input type="submit" value="Submit" />
	</form>

Few things i should mention.
I'm curious to know, exactly where did $r_admin and $r_password come from? Because with out them, your sql query will never select a user, and you will never login.

You'll notice a comment i added after a '}', say "why is this here?", you might want to make sure you forgot to copy an if-statement or something, because if you didn't, you'll get a parse error.

You should never store an unencrypted password any where. ESPECIALLY not in a $_SESSION variable. Also, php is case-sensitive when it comes to variables, so the use of $_session wouldn't do anything...

$PHP_SELF should be what i changed it to.
http://php.net/manua....predefined.php <-- reason

I removed a name from your password field in the form

And hopefully last but not least, i want to correct livemans comment on session_start. You can have session_start() ANYWHERE in your php code... doesn't matter what is before or after it. What php.net meant by the whole "no space" thing, is nothing can be outputted to the browser before the call. Which means, unless you're using output buffering, you can't echo/print anything, and the opening <?php tag as to be the FIRST thing in your file. If theres a space, return, or single html tag before it, you'll get an error.

Edited by rc69, 23 January 2006 - 06:51 PM.

[liveman]

Ha, I didnt even see the admim/pass in input problem hehe oups