msp301 Posted May 23, 2009

I am trying to make a login form for a website that will pass the username and password to session variables so that the user's login details can be retained throughout their entire session on the site. I have written a script that should return the session variable values after a login has been made, but instead this is returning nothing at the moment; am I using sessions correctly or am I missing something about how they should be set up?

Thanks

```php
<?php
session_start();

if ($_POST['username'] and $_POST['pass']) {
    if ($_SESSION['username'] == $_POST['username']) {
        if ($_SESSION['pass'] == $_POST['pass']) {
            echo("Already Signed In");
        } else {
            $_SESSION['username'] = $_POST['username'];
            $_SESSION['pass'] = $_POST['pass'];
            echo("Username = ".$_SESSION['username']."Password = ".$_SESSION['pass']);
        }
    }
}
?>
<html>
<body>
<form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>" method="post">
Username:<input type="text" name="username">
Password:<input type="text" name="pass">
<input type="submit" value="Login">
</form>
</body>
</html>
```

Deveant Posted May 23, 2009

Your use of $_SESSION is fine, but there is something wrong with your IF statements. For the session to be created, going by your IF logic, you already need to have a username session created; this can be fixed by moving your else statement back one brace.

Try this though:

```php
<?php
session_start();

if (isset($_POST['pass'])) {
    $_SESSION['username'] = $_POST['username'];
    $_SESSION['pass'] = $_POST['pass'];
}

if (isset($_SESSION['username'])) {
    echo("Username = ".$_SESSION['username']." Password = ".$_SESSION['pass']);
} else {
?>
<html>
<body>
<form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>" method="post">
Username:<input type="text" name="username">
Password:<input type="text" name="pass">
<input type="submit" value="Login">
</form>
</body>
</html>
<?php
}
?>
```

msp301 (Author) Posted May 24, 2009

Nice, thanks for that, I realized what I had done now before with my IF statement, thanks ...

The only problem that I have now is trying to get my logout function working. At the moment the script will store the username and password details as session variables whilst also comparing the information entered with my SQL database to check the user exists, which is all good.

Now I want to end the session with "session_destroy", yet I can't seem to get my logout variable to activate the IF statement. I have tried using GET to obtain it from the form as true and activate the function, as well as calling a new script in a separate file and returning a session variable "logout".

Been staring at this for hours; it looks as if it should work, but maybe I'm taking the wrong approach.

Thanks again

```php
<?php
session_start();

//deletes login details from session variables on logout
if ($_SESSION['logout'] == "true") {
    session_destroy();
}

//parse entered user details and compare with mysql database records
if (isset($_POST['username']) and ($_POST['pass'])) {
    //database login details
    $user = "root";
    $password = "password";

    //connects to sql database
    $connect = @mysql_connect("localhost",$user,$password) or die("Unable to Connect");

    //load database
    $database = @mysql_select_db("my_database",$connect) or die("Database Connection Failed");

    //create required database query
    $query = "select * from customers where username=\"$username\" and password=\"$pass\"";

    //runs created query
    $result = mysql_query($query,$connect) or die("Database Query Failed");

    //compares user's login details with database records
    $matches = mysql_numrows($result);

    if ($matches != 0) {
        //Save login details to Session variables
        $_SESSION['username'] = $_POST['username'];
        $_SESSION['pass'] = $_POST['pass'];
    } else {
        //print failed login message
        $msg = "Login Failed";
        echo("<html><body>".$msg."</body></html>");
    }
}

//retrieve user information from database using stored Session information
if (isset($_SESSION['username']) and ($_SESSION['pass'])) {
    //database login details
    $user = "root";
    $password = "password";

    //connects to sql database
    $connect = @mysql_connect("localhost",$user,$password) or die("Unable to Connect");

    //load database
    $database = @mysql_select_db("my_database",$connect) or die("Database Connection Failed");

    //create required database query
    $query = "select * from customers where username=\"$username\" and password=\"$pass\"";

    //runs created query
    $result = mysql_query($query,$connect) or die("Database Query Failed");

    //compares user's login details with database records
    $matches = mysql_numrows($result);

    //authenticate user login
    if ($matches != 0) {
        //Display Login Welcome Message
        $msg = "Hello, ";

        //retrieves user's name from the database query
        while ($row = mysql_fetch_array($result)) {
            //print login result
            echo("<html><body>".$msg.$row["forename"]."<form action=\"./scripts/logout.php\"><input type=\"submit\" value=\"Logout\"></form></body></html>");
        }
    }
} else {
?>
<html>
<body>
<form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>" method="post">
Username:<input type="text" name="username">
Password:<input type="text" name="pass">
<input type="submit" value="Login">
</form>
</body>
</html>
<?php
}
?>
```

Deveant Posted May 24, 2009

```php
<?php
session_start();

if (isset($_POST['pass'])) {
    $_SESSION['username'] = $_POST['username'];
    $_SESSION['pass'] = $_POST['pass'];
}

if (isset($_SESSION['username'])) {
    echo("Username = ".$_SESSION['username']." Password = ".$_SESSION['pass']);
} else {
?>
<html>
<body>
<form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>" method="post">
Username:<input type="text" name="username">
Password:<input type="text" name="pass">
<input type="submit" value="Login">
</form>
<a href="./?logout=true">Logout</a>
</body>
</html>
<?php
}

if (isset($_GET['logout'])) {
    session_destroy();
}
?>
```

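A logout flow for the problem discussed in the two posts above, as an added example that is not code from either poster: the logout request is handled before any HTML is sent, only POST is accepted, and the session data and cookie are cleared as well as calling session_destroy(). The function name `logout_current_session` and the `logout` field name are assumptions made for this example.

```php
<?php
// Added example: hypothetical helper and field names, not code from the thread.
session_start();

/** End the current session completely: data, cookie and server-side storage. */
function logout_current_session(): void
{
    // 1. Drop the data held in memory for this request.
    $_SESSION = [];

    // 2. Expire the session cookie, reusing the parameters it was issued with.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }

    // 3. Remove the server-side session storage.
    session_destroy();
}

// Decide about logout first, before anything is printed. Only a POST from the
// logout form counts; a plain GET link would end the session for any request
// to that URL, including ones the user did not make deliberately.
$method = $_SERVER['REQUEST_METHOD'] ?? '';
if ($method === 'POST' && isset($_POST['logout'])) {
    logout_current_session();
}

// After logout $_SESSION is empty, so the same page falls through to the login form.
if (isset($_SESSION['username'])) {
    echo 'Hello, ' . htmlspecialchars($_SESSION['username']);
    echo '<form method="post">'
       . '<button type="submit" name="logout" value="1">Logout</button>'
       . '</form>';
} else {
    echo '<form method="post">'
       . 'Username:<input type="text" name="username"> '
       . 'Password:<input type="password" name="pass"> '
       . '<input type="submit" value="Login">'
       . '</form>';
}
```
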
lectroburn Posted September 15, 2009

The only comment I will make is that, now you have your login form operational, don't forget your SQL security:

http://au.php.net/mysql_real_escape_string

mysql_real_escape_string -- Escapes special characters in a string for use in a SQL statement

-- Lectroburn

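The credential check from the thread with the user input kept out of the SQL text, as an added example that is not code from any poster. It uses PDO prepared statements and password_hash()/password_verify() rather than mysql_real_escape_string(), since the mysql_* extension was removed in PHP 7; the in-memory SQLite database, the `password_hash` column and the `check_login` name are assumptions, and the sample row is constructed.

```php
<?php
// Added example: table layout, column names and function name are assumptions.
session_start();

/** Return the customer row if the credentials match, otherwise null. */
function check_login(PDO $db, string $username, string $password): ?array
{
    // The username travels as a bound parameter, never as part of the SQL text.
    $stmt = $db->prepare(
        'SELECT username, forename, password_hash FROM customers WHERE username = :u'
    );
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Compare against a stored hash; the plain password is never stored or queried.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    unset($row['password_hash']);
    return $row;
}

// Constructed sample data in an in-memory SQLite database so this runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE customers (username TEXT PRIMARY KEY, forename TEXT, password_hash TEXT)');
$ins = $db->prepare('INSERT INTO customers VALUES (?, ?, ?)');
$ins->execute(['alice', 'Alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

$user = check_login($db, 'alice', 'correct horse');
if ($user !== null) {
    session_regenerate_id(true);                // fresh session ID once the user is authenticated
    $_SESSION['username'] = $user['username'];  // keep the identity in the session, not the password
}

// Three constructed attempts: valid credentials, a wrong password, and a
// username containing a quote character, which is compared as literal data.
var_dump($user !== null);
var_dump(check_login($db, 'alice', 'wrong') !== null);
var_dump(check_login($db, 'ali"ce', 'correct horse') !== null);
```
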
azend Posted September 25, 2009

What about securing the information through $_POST, because that will be sent through in plain text, right?