#1
Article Discussion: PHP for Beginners by a Beginner: Simple Login, Logout, and Sessio
If you have any questions or comments about this article please post them here.
This forum post relates to this article
__________________
Kind Regards, John Rebbeck john@interspire.com ICQ# 74637937
#2
This is a very bad article; it looks like you haven't checked that session manipulation has changed in the PHP 4.2 version, and you are stuck in PHP3...
You aren't checking for the session var $_SESS[user]; but $user, and that's why anyone can view a member area of the page by posting a var or slicing it into the ?url query. When a user submits information, you check just for $user but not $_GET[user], so we don't know if it's a form var or just a var that has been sliced in with the url?user=admin. Very insecure code that you use in this article. I'm sorry if you take the review badly.
#3
If you weren't a PHP beginner, I probably would've been saying 'Why the hell aren't you using $_SESSION???'
But, all arrogance aside, the best way to learn is to teach...

The structure of the article is good. It teaches you what you need to know and does so effectively. It's got everything necessary for a beginner to learn simple authentication and session handling. However, as arnorg so eloquently mentioned, it does need to be updated to support PHP 4.3.0. Instead of session_register, session_is_registered and session_unregister, use $_SESSION, isset($_SESSION['varName']) and unset($_SESSION['varName']).

register_globals is a dangerous thing - best outsmart it with the autoglobals.

If you change these couple of things, the article will be improved exponentially.

-Jeb.
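
The check arnorg and Jeb are describing, as an added example that is not code from the article or from any poster. `register_globals` is simulated with `extract()` on a constructed query string, since current PHP no longer has that setting; `$session` stands in for `$_SESSION`, and the function names are hypothetical.

```php
<?php
// Constructed request: a visitor who has NOT logged in asks for
// members.php?user=admin. $session stands in for $_SESSION.
$get     = ['user' => 'admin'];   // value taken from the query string
$session = [];                    // empty: nobody has logged in

// Before: what a bare $user check amounts to with register_globals on.
// Request variables are copied into plain variables, so $user can come
// from the URL just as easily as from the session.
function isMemberLegacy(array $get, array $session): bool
{
    extract($session);   // variables registered with session_register()
    extract($get);       // register_globals: ?user=... becomes $user
    return isset($user);
}

// After: only the session store is consulted; request data is ignored.
function isMember(array $session): bool
{
    return isset($session['user']) && is_string($session['user']);
}

// The URL value alone satisfies the legacy check but not the session check.
var_dump(isMemberLegacy($get, $session));
var_dump(isMember($session));

// After a real login the server itself writes the session entry.
$session['user'] = 'alice';
var_dump(isMember($session));
```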
#4
how could I use this article to redirect a user to a different page like if user_id is 3 then you will go to /page.php?id=3
TIA
#5
Quote:
Tia: You could do this.. however it might be in your better interest to do something like this:

In the database of users have something such as an authlevel field, and have normal users set to 1, moderators set to 2, admins set to 3, or so on.. that way when they load the page, you can have something like this function to get that access level:

PHP Code:

I know it's not the best function, but for all intensive reasons it works for what you would need. The structure of the database may vary for you though.. Mine is set like this:

Field 1 - Auto increment userId
Field 2 - The username
Field 3 - The user's MD5'd password
Field 4 - The auth level

So that should explain the return $result[3]; <It would be equal to field 4 in the database>.. and if they aren't logged in it returns 0 for guest. You can get the access level and assign it to a variable like so:

PHP Code:

Then from there, since you have an access level of the person, whomever they are <The authlevel field is set to default of 1> you can do a case statement if you want or a redirect, whichever.. for example

PHP Code:

Not that you have to do it that way, but it could make it easier on yourself, and that way you don't have the inherent risk of people trying to forge themselves as an administrator, for example..
#6
Sorry for the bigass post too :P
lol.. Hope that helped.. And btw, this was a decent beginners article for sessions
#7
I'm so glad someone could finally create something for us (forever) beginners!
I have encountered the same arrogance when it comes to *some* of those who already know the scripting language. But most people are very generous and helpful. So please! Keep up the good work and be sure that a bunch of us who know and understand less than little are very pleased. Also, I don't feel like learning all that much of the php scripting. So I'm also glad there is a wysiwyg editor for php. And why don't I want to learn, some may ask? Because I have my head full of game making scripts so there simply isn't any more room. Plus I'm an old lady, which isn't an excuse I guess. But still...
#8
When I go to log in with a username I created in the db, I get this when I hit log in. I think it's because the tutorial showed older script and it's not working with the new. Any help on this would be greatly appreciated.

```
Warning: session_start() [function.session-start]: open(/tmp\sess_247cebe1c0bc5e837b12f4919cec1dc2, O_RDWR) failed: No such file or directory (2) in C:\Documents and Settings\UserX001\My Documents\My Webs\login.php on line 48
Warning: session_start() [function.session-start]: Cannot send session cookie - headers already sent by (output started at C:\Documents and Settings\UserX001\My Documents\My Webs\login.php:7) in C:\Documents and Settings\UserX001\My Documents\My Webs\login.php on line 48
Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at C:\Documents and Settings\UserX001\My Documents\My Webs\login.php:7) in C:\Documents and Settings\UserX001\My Documents\My Webs\login.php on line 48
Notice: Array to string conversion in C:\Documents and Settings\UserX001\My Documents\My Webs\login.php on line 49
Fatal error: Call to undefined function: array() in C:\Documents and Settings\UserX001\My Documents\My Webs\login.php on line 49
Warning: Unknown(): open(/tmp\sess_247cebe1c0bc5e837b12f4919cec1dc2, O_RDWR) failed: No such file or directory (2) in Unknown on line 0
Warning: Unknown(): Failed to write session data (files). Please verify that the current setting of session.save_path is correct (/tmp) in Unknown on line 0
```
#9
It looks like it's trying to write to the /tmp directory <which is what it would be for a unix machine>
Look in your php.ini file for

Code:
```ini
session.save_path = /tmp
```

and change it to something like

Code:
```ini
session.save_path = c:\temp
```

and see if that works.. As for the other errors, put ob_start(); at the beginning of your php file and ob_flush(); at the very end.

Hope that helps.
#10
I got the error.

```
Parse error: parse error, unexpected T_STRING in C:\Documents and Settings\UserX001\My Documents\My Webs\login.php on line 38
```

Here's the whole on the page that's giving me a problem:

```php
<?PHP
ob_start();
//check that the user is calling the page from the login form and not accessing it directly
//and redirect back to the login form if necessary
if (!isset($username) || !isset($password)) {
    header( "Location: http://skata.kicks-ass.net/index.php");
}
//check that the form fields are not empty, and redirect back to the login page if they are
elseif (empty($username) || empty($password)) {
    header( "Location: http://skata.kicks-ass.net/index.php");
}
else{
    //convert the field values to simple variables
    //add slashes to the username and md5() the password
    $user = addslashes($_POST['username']);
    $pass = md5($_POST['password']);
    //set the database connection variables
    $dbHost = "localhost";
    $dbUser = "ODBC";
    $dbDatabase = "members";
    //connect to the database
    $db = mysql_connect("$dbHost", "$dbUser") or die ("Error connecting to database.");
    mysql_select_db("$dbDatabase", '$db') or die ("Couldn't select the database.");
    $result = mysql_query(select * from users where username='$user' AND password='$pass', '$db');
    //check that at least one row was returned
    $rowCheck = mysql_num_rows($result);
    if($rowCheck > 0){
        while($row = mysql_fetch_array($result)){
            //start the session and register a variable
            session_start();
            $_SESSION('$user');
            //successful login code will go here...
            echo 'Success!';
            //we will redirect the user to another page where we will make sure they're logged in
            header( "Location: check.php" );
        }
    }
    else {
        //if nothing is returned by the query, unsuccessful login code goes here...
        echo 'Incorrect login name or password. Please try again.';
    }
}
ob_flush();
?>
```
#11
First, I would recommend that you put session_start(); at the very beginning of the code...
Second, I would recommend using ob_flush(); before you redirect... IE:

PHP Code:

Also.. change $_SESSION('$user'); to $_SESSION['$user']; Square brackets indicate an array.. see if that helps.
#12
the idiot is back again!
the error:
```
Parse error: parse error, unexpected T_STRING in \welcome.php on line 51
```

always points to this line:

```php
$result = mysql_query(select * from users where username='$user' AND password='$pass', '$db');
```

Sorry for bothering you justin but I am not the brightest crayon in the box.
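
An added example (not from the article or from any poster) covering the login query in posts #10 and #12 and the access-level lookup described in post #5: the SQL is passed as a quoted string with bound parameters, which avoids the `unexpected T_STRING` parse error, and the level is read from the database for the id held in the session. It assumes PDO with an in-memory SQLite table in place of the thread's MySQL `users` table, swaps `md5()` for `password_hash()`/`password_verify()`, and uses hypothetical names (`login`, `getAuthLevel`, the sample users and passwords).

```php
<?php
// Constructed in-memory SQLite table standing in for the thread's MySQL
// `users` table: userId, username, password hash, authlevel (assumption).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (userId INTEGER PRIMARY KEY, username TEXT UNIQUE,
    password TEXT, authlevel INTEGER DEFAULT 1)');
$add = $db->prepare('INSERT INTO users (username, password, authlevel) VALUES (?, ?, ?)');
$add->execute(['alice', password_hash('constructed-pw-1', PASSWORD_DEFAULT), 1]);
$add->execute(["o'neil", password_hash('constructed-pw-2', PASSWORD_DEFAULT), 3]);

// Hypothetical helper: returns the userId on success, null otherwise.
// The SQL is a quoted PHP string and the username is a bound parameter,
// so no addslashes() is needed and a quote in the name stays plain data.
function login(PDO $db, string $username, string $password): ?int
{
    $stmt = $db->prepare('SELECT userId, password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    return (int) $row['userId'];
}

// Hypothetical helper: the level comes from the database row for the id
// held in the session, never from a request parameter; 0 means guest.
function getAuthLevel(PDO $db, array $session): int
{
    if (!isset($session['userId'])) {
        return 0;
    }
    $stmt = $db->prepare('SELECT authlevel FROM users WHERE userId = ?');
    $stmt->execute([$session['userId']]);
    $level = $stmt->fetchColumn();
    return $level === false ? 0 : (int) $level;
}

$session = [];   // stands in for $_SESSION after session_start()
$id = login($db, "o'neil", 'constructed-pw-2');
if ($id !== null) {
    // In a real page, call session_regenerate_id(true) before this line.
    $session['userId'] = $id;
}
var_dump(login($db, "o'neil", 'wrong password'));   // failed login
var_dump(getAuthLevel($db, $session));               // logged-in user
var_dump(getAuthLevel($db, []));                     // guest
```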
#13
I am a complete noobie with php. I have an FTP server host that I rent from. It has apache on it I suppose, but I am unaware if it has mysql. This article is intended for noobies such as myself, however it just jumps straight into the mysql stuff without explaining it! ;o Can someone please help me get on the right track? i.e. what I have to do to get to the mysql user db thing or w/e...... IM SO LOST!
#14