1

I'm new to PHP I have html page that required username and password from user to enter the chat page 

html page
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type" />
<link rel="stylesheet" type="text/css" href="Registerstyle.css">
<title>اسجل دخولك الى الشات</title>
</head>

<body>
    <div id = "page">
        <div id = "header">
        </div>
        <div id = "container" dir = rtl>
            <div id = "menu">
                <ul>
                    <li><a href="#">تسجيل الدخول</a></li>
                    <li><a href="#">استرجاع كلمة المرور</a></li>
                    <li><a href="#">######</a></li>
                    <li><a href="#">######</a></li>
                </ul>
            </div>
            <div id = "midofcontainer">     
            <div id = "text">
                اسم المستخدم <br><br>
                كلمة المرور
            </div>      
            <div id = "form">
                <form name="log" method="GET" action="login.php">
                <input type="text" name="usr" id="usr" style="width: 242px"></input><br><br>
                <input type="password" name="pwd" style="width: 242px"></input><br><br>
                <input type="submit" style="width: 78px" value="تسجيل الدخول">
                <input type="reset" style="width: 78px" value="مسح">
            </div>
            </div>
        </div>
        <div id = "footer">
        </div>
    </div>    
</body>
</html>

and this is my php file that will check the value taht coming from html

<?php
    require 'connect.inc.php';

    $usr = $_GET['usr'];
    $pwd = $_GET['pwd'];
    $table_name = 'user';
    $query = "SELECT * FROM $table_name" ;

    $query_run = mysql_query($query);
        while($rows = mysql_fetch_array($query_run))
        {

            if ($rows['username'] == $usr and  $rows['password'] == $pwd)
            {

                include ('chatArea.php');
                exit();
            }                
            else
                include_once ('log.html');            
        }       
?>

now what I want is when the if ($rows['username'] == $usr and $rows['password'] == $pwd) return true it open a new php page and passing the username to the page I hope that make my problem clear, sorry for my bad english

Improve this question
2
  • 2
    Don't get all rows from your database to match one user, add a WHERE condition in your query. Commented Jun 14, 2013 at 22:18
  • Good point thanks :) @jeroen Commented Jun 14, 2013 at 22:20

4 Answers 4

Reset to default
2
  1. Use PDO instead of mysql_* functions.
  2. Before put the variables in the sql query use mysql_real_escape_string() to prevent SQL-injection.
  3. Use POST method instead of GET for login action.

  4. Learn about SESSIONS. Google for a good tutorial or you can follow this link: Creating a simple login-logout session using PHP

    But in your case use mysql_num_rows and change the sql query like this:

    require 'connect.inc.php';
$usr = mysql_real_escape_string($_GET['usr']);
$pwd = mysql_real_escape_string($_GET['pwd']);
$table_name = 'user';
$query = "SELECT * FROM $table_name where username='$usr' and password='$pwd'" ;
$query_run = mysql_query($query);
if(mysql_num_rows($query_run) == 1){

   include ('chatArea.php');
   exit();
}                
else {
    include_once ('log.html'); 
}
Improve this answer
Sign up to request clarification or add additional context in comments.

3 Comments

@Siamak.A.M what can I do with SESSIONS??
@BassamBadr If you want to check that the user is a valid user. You should register a session for him. then you can check if the session exist and so on ...
excuse me but your vars for get and db are different and * tut, tut :)
1

You need to use post instead of get on form as user and password in url is a big security risk.

    $usr = $_GET['usr'];
    $pwd = $_GET['pwd'];
    $table_name = 'user';
    $query = "SELECT username,password FROM $table_name WHERE username = '".mysql_real_escape_string($usr)."' limit 1";

    $query_run = mysql_query($query);
        while($rows = mysql_fetch_array($query_run))
        {

            if ($rows['username'] == $usr and  $rows['password'] == $pwd)
            {

                include ('chatArea.php');
                exit();
            }                
            else
                include_once ('log.html');            
        }  

}
Improve this answer

Comments

1

To answer your question, you would need to use sessions so that you have to authenticate only once and can check in subsequent pages that a user is logged in and you have the username stored so that you can use it whenever you need it. Then you would user a header redirect instead of an include:

login.php

<?php
session_start();

...

if (user_found_condition)
{
  $_SESSION['username'] = $usr;
  header('Location: /url/to/chatArea.php');
  exit();
}

And then in every page that requires a login, you start with:

<?php
session_start();
if (!isset($_SESSION['username']))
{
  // redirect to login
}

// use $_SESSION['username'] wherever you want to display the username

Apart from that you should not get all rows from your database to match one user, just add a WHERE condition in your query.

You should also switch to PDO or mysqli and prepared statements as the mysql_* functions are deprecated.

Improve this answer

Comments

0

you can verify username and password like this

<?php
require 'connect.inc.php';

$usr = $_GET['usr'];
$pwd = $_GET['pwd'];
$table_name = 'user';
$query = "SELECT * FROM $table_name where username = '$usr' and password = '#pwd'" ;

$query_run = mysql_query($query);
$rows = mysql_fetch_array($query_run))
if (!isempty($rows)) {
    include ('chatArea.php');
    exit();
} else {
    include_once ('log.html');            
}       
?>
Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.