2

Many people may use a PHP MySQL function for login sections for a website

I am trying to use this code:

ON EACH CONTENT PAGE - TO CHECK IF LOGGED IN (in the header of every content page)

<?php
session_start();
if(! isset($_SESSION["myusername"]) ){
header("location:main_login.php");
}
?>
<html>
<body>
Page Content Here
</body>
</html>

THE LOGIN SCRIPT (which is referred to by my main_login.php page)

<?php

ob_start();
$host="ClubEvents.db.9606426.hostedresource.com"; // Host name 
$username="ClubEventsRead"; // Mysql username 
$password="Pa55word!"; // Mysql password 
$db_name="ClubEvents"; // Database name 
$tbl_name="members"; // Table name 

// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect"); 
mysql_select_db("$db_name")or die("cannot select DB");

// Define $myusername and $mypassword 
$myusername=$_POST['myusername']; 
$mypassword=$_POST['mypassword']; 

// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);
$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);

// If result matched $myusername and $mypassword, table row must be 1 row
if($count==1){

// Register $myusername, $mypassword and redirect to file "login_success.php"
session_register("myusername");
session_register("mypassword"); 
header("location:login_success.php");
}
else {
echo "Wrong Username or Password";
}
ob_end_flush();
?>

THE LOGOUT CODE

<?
session_start();
session_destroy();

header("location:main_login.php");
exit();
?> 

MAIN_LOGIN.php

<table width="300" border="0" align="center" cellpadding="0" cellspacing="1" bgcolor="#CCCCCC">
<tr>
<form name="form1" method="post" action="checklogin.php">
<td>
<table width="100%" border="0" cellpadding="3" cellspacing="1" bgcolor="#FFFFFF">
<tr>
<td colspan="3"><strong>Member Login </strong></td>
</tr>
<tr>
<td width="78">Username</td>
<td width="6">:</td>
<td width="294"><input name="myusername" type="text" id="myusername"></td>
</tr>
<tr>
<td>Password</td>
<td>:</td>
<td><input name="mypassword" type="text" id="mypassword"></td>
</tr>
<tr>
<td>&nbsp;</td>
<td>&nbsp;</td>
<td><input type="submit" name="Submit" value="Login"></td>
</tr>
</table>
</td>
</form>
</tr>
</table>
<?php
phpinfo()
?>

but something isn't working: the page login_success.php should only be accessible when logged in, so either the logout isn't working, or the login_success.php check isn't working. But I don't know how to tell; I have tried playing around with them both, and am still no further forward

Regards

Henry

4 Answers

1

I have never had a problem with the following:

unset($_SESSION['myusername']);

The advantage here is that you are only clearing the log in session and can freely store other information in the session if needed because session_destroy() will clear ALL session data.

EDIT: Looking at your code as well, it's always sending the user to the login page if the username session is set.

Change:

<?php
session_start();
if( isset($_SESSION[$myusername]) ){
header("location:main_login.php");
}
?>

to (notice the ! before isset). You only want to redirect to the login page when the session isn't set.

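<?php
session_start();
// Quoted key: $myusername is not defined on this page.
if(! isset($_SESSION['myusername']) ){
header("location:main_login.php");
exit(); // stop here so the page content below is not sent along with the redirect
}
?>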

Summary of comments:

Session[$myusername] changed to Session['myusername'] and the isset check was changed to !isset. This identified the session wasn't being set in the first place.

14 Comments

clearing all session data isn't an issue, I can't get it to clear any at the moment !!
login_success.php is the template page, all the content pages will be like these...
Just noticed your Session[$myusername]; what does $myusername refer to here? If this is at the top of the page then this will be blank. You need Session['myusername']
code now updated to my current status, at carbonyzed.co.uk/Websites/Jason/sites/2/test/main_login.php
You are still doing: if( isset($_SESSION["myusername"]) ){. You need to do if( !isset($_SESSION["myusername"]) ){. It shouldn't take you to the login script if the session is registered.
1
  • session_register() is deprecated. Use of $_SESSION is preferred, as of PHP 4.1.0

    $_SESSION["myusername"] = $myusername;

  • Try session_destroy() instead of session_unset().

  • Your IF statement is also wrong :

    Change isset($_SESSION[$myusername]) to isset($_SESSION["myusername"])

This is how I manage log ins :

<?php session_start();

    require_once('../header.php');

    //Escape the submitted values before they go into the query; interpolating $_POST directly allows SQL injection.
    //(Assumes header.php has already opened the MySQL connection.)
    $username = mysql_real_escape_string($_POST['username']);
    $password = mysql_real_escape_string($_POST['password']);

    $sql = "SELECT ID, username FROM users WHERE username='$username' AND password='$password'";
    $result = query($sql);

    //If nothing is returned from the DB then the credentials are wrong.
    if (!$row = mysql_fetch_array($result)) {
        header( 'Location: ../index.php' );
        die();
    }
    else {
        $user= $row;
    }

    //The user's ID and username are saved in $_SESSION for later use.
    $_SESSION['ID'] = $user['ID'];
    $_SESSION['username'] = $user['username'];
    //This variable is used later to verify if a user is still logged in and proceed with loading a profile.
    $_SESSION['isLoggedIn'] = 1;

    header( 'Location: ../index.php' );
    die();
?>

This is how I manage log outs :

<?php session_start();

    require_once('../header.php');

    //Session data is destroyed so as to prevent the user from accessing any profiles after disconnection.
    session_destroy(); 
    mysql_close($connection);

    header( 'Location: ../index.php' );
?>

This is how I manage page content depending on whether a user is logged in or not.

<?php session_start();

    echo "Page Content";

    if (@$_SESSION['isLoggedIn'] != 1) {
        showLogin();
    }
    else {
        showHome();
    }
?>

6 Comments

so I have edited $_SESSION["myusername"] = $myusername; to be session_register("myusername"); and then session_register("mypassword"); to be $_SESSION["mypassword"] = $mypassword;
and made it session_destroy instead of unset
hmm... no such luck, take a look at carbonyzed.co.uk/Websites/Jason/sites/2/test/main_login.php UN:john // PW:1234 The pages are linked below
@HenryAspden - Please update your original post with this info, don't spam comments with it.
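
The session guard discussed in the first answer and the login check from the second, combined as an added example that is not part of either answer. It assumes PDO with a constructed in-memory SQLite `members` table standing in for MySQL, a password column holding `password_hash()` output, and the hypothetical names `auth.php`, `demo_db()`, `require_login()` and `log_in()`.

```php
<?php
// auth.php (hypothetical include file; added example, not code from the posts).
// Content pages:   require 'auth.php'; require_login();
// checklogin.php:  require 'auth.php';
//                  if (log_in(demo_db(), $_POST['myusername'] ?? '', $_POST['mypassword'] ?? '')) {
//                      header('Location: login_success.php'); exit;
//                  }
//                  echo 'Wrong Username or Password';
session_start();

// Constructed stand-in for the members table so this runs without MySQL;
// the stored value is a password_hash() result, not a plaintext password.
function demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE members (username TEXT PRIMARY KEY, password TEXT)');
    $db->prepare('INSERT INTO members VALUES (?, ?)')
       ->execute(['alice', password_hash('constructed-password', PASSWORD_DEFAULT)]);
    return $db;
}

// Guard for content pages such as login_success.php.
function require_login(): void
{
    if (!isset($_SESSION['myusername'])) {   // quoted key, not $myusername
        header('Location: main_login.php');
        exit;                                // otherwise the page body is still sent
    }
}

function log_in(PDO $db, $username, $password): bool
{
    if (!is_string($username) || !is_string($password)) {
        return false;                        // e.g. array-valued POST fields
    }
    // Bound parameter: the submitted name never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT password FROM members WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();            // false when no such user
    if (!is_string($hash) || !password_verify($password, $hash)) {
        return false;
    }
    session_regenerate_id(true);             // new session ID once authenticated
    $_SESSION['myusername'] = $username;     // replaces session_register(); password not stored
    return true;
}
```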
0

Try session_destroy(); it must help.

manual: http://php.net/manual/en/function.session-destroy.php

0

Your logout code should look like this:

<?php
session_start();
$_SESSION = array();
if (ini_get("session.use_cookies")) {
    $params = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $params["path"], $params["domain"],
        $params["secure"], $params["httponly"]
    );
}
session_destroy();
header("Location: main_login.php");
exit;
?>

Case sensitive
