
what is going wrong with this??


astralaaron


(I have a members database set up, and without the PHP code on the login_success.php page it logs in, but when the page checks to see if the session is not registered it always sends me back to the main_login page. Please shed some light on the problem! This is all from the tutorial at: http://phpeasystep.com/phptu/6.html)

main login form on main_login.php:

<form name="form1" method="post" action="checklogin.php">
<input name="myusername" type="text" id="myusername">
<input name="mypassword" type="text" id="mypassword">
<input type="submit" name="Submit" value="Login">
</form>

-----------
checklogin.php:

<?php
ob_start();
$host="localhost"; // Host name
$username=""; // Mysql username
$password=""; // Mysql password
$db_name="test"; // Database name
$tbl_name="members"; // Table name

// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

// Define $myusername and $mypassword
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];

$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);

// If result matched $myusername and $mypassword, table row must be 1 row
if($count==1){
// Register $myusername, $mypassword and redirect to file "login_success.php"
session_register("myusername");
session_register("mypassword");
header("location:login_success.php");
}
else {
echo "Wrong Username or Password";
}
ob_end_flush();
?>

-----------------------
login_success.php:

<?
session_start();
if(!session_is_registered(myusername)){
header("location:main_login.php");
}
?>
<html>
<body>
Login Successful
</body>
</html>


Hi!

You should use session_start() and the $_SESSION variable/array. Here's how it could look, using your code.

Note: You should encrypt the password. I renamed login_success.php to loggedin.php as I thought it was unnecessary to have a page just for telling the user that the login was successful; that can be done on the same page that shows the content, menu or whatever you have behind the login... You could also move it all into one file, it would be a bit harder to do, but you get one file and a better logic...

Here's the code:

main login form on main_login.php:

<?php
// Start session
session_start();

// Check if the user already is logged in
// (empty() avoids an "undefined index" notice on a fresh session)
if (!empty($_SESSION['loggedin'])) {
	header( 'Location: loggedin.php' );
	exit();
}
?>
<form name="form1" method="post" action="checklogin.php">
<input name="myusername" type="text" id="myusername">
<!-- type="password" so the browser masks what is typed -->
<input name="mypassword" type="password" id="mypassword">
<input type="submit" name="Submit" value="Login">
</form>

checklogin.php:

<?php
// Start session
session_start();

// Check if the user already is logged in
if (!empty($_SESSION['loggedin'])) {
	header( 'Location: loggedin.php' );
	exit();
}

ob_start();

$host     = "localhost"; // Host name
$username = "";          // Mysql username
$password = "";          // Mysql password
$db_name  = "test";      // Database name
$tbl_name = "members";   // Table name

// Connect to server and select database.  /** NOTE: you don't need the quotes **/
mysql_connect( $host, $username, $password ) or die("cannot connect");
mysql_select_db( $db_name ) or die("cannot select DB");

// Define $myusername and $mypassword
// Escape the form values before putting them into the query; otherwise a quote
// in the input becomes part of the SQL (SQL injection).
$myusername = mysql_real_escape_string( $_POST['myusername'] );
$mypassword = mysql_real_escape_string( $_POST['mypassword'] );

/** NOTE: You should encrypt the password with either md5() or sha1() **/
$sql = "SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result = mysql_query( $sql );

// mysql_num_rows counts the matching table rows
$count = mysql_num_rows( $result );

// If result matched $myusername and $mypassword, table row must be 1 row
if ($count == 1) {
	// Register the login in the session and redirect to "loggedin.php"
	/*** Not sure on what you were doing here, but this should work fine... ***/
	session_regenerate_id( true ); // fresh session id on login (prevents session fixation)
	$_SESSION['loggedin'] = true;
	$_SESSION['username'] = $myusername; // No real need to save the password
	header( "Location: loggedin.php?w=loginsuccess" );
	exit();
} else {
	echo "Wrong Username or Password";
}
ob_end_flush();
?>

loggedin.php:

<?php
// Start session
session_start();

// Check if the user is logged in
if ((!isset( $_SESSION['loggedin'] )) || (!$_SESSION['loggedin'])) {
	header( 'Location: main_login.php' );
	exit();
}
?>
<html>
<body>
<?php
// Menu etc

// Status messages (as login success, new messages, item deleted etc...)
if ((isset( $_GET['w'] )) && ($_GET['w'] == 'loginsuccess')) {
	echo "Login Successful<br />\n";
}
?>
</body>
</html>

Hope that helped... Good Luck and Don't Panic!

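The same three-page flow as in the answer above, written out as an added example that is not code from the original thread: it replaces the mysql_* extension (removed in PHP 7) with PDO prepared statements, stores bcrypt hashes via password_hash() instead of plaintext passwords, and regenerates the session id on login. The members table with a password_hash column, the user 'alice', her password and the in-memory SQLite database are constructed assumptions so the script runs from the command line; swap the DSN for your MySQL one in a real deployment.

```php
<?php
// Added example (not from the original post): checklogin.php / loggedin.php logic
// with prepared statements, password_verify() and $_SESSION.
declare(strict_types=1);

// Assumed schema: members(id, username, password_hash). In-memory SQLite so it runs offline.
function open_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL, password_hash TEXT NOT NULL)');
    // Constructed test user; only the salted bcrypt hash is stored, never the plaintext.
    $stmt = $db->prepare('INSERT INTO members (username, password_hash) VALUES (?, ?)');
    $stmt->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $db;
}

// checklogin.php logic: look the user up by name only, then verify the hash in PHP.
// On success the session array is reset and populated; returns false otherwise.
function attempt_login(PDO $db, array &$session, string $username, string $password): bool {
    $stmt = $db->prepare('SELECT id, username, password_hash FROM members WHERE username = ?');
    $stmt->execute([$username]);          // bound parameter: quotes in the input are data, not SQL
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Verify against a dummy hash when the user is unknown, so both paths cost the same time.
    $hash = $row ? $row['password_hash'] : password_hash('', PASSWORD_DEFAULT);
    if ($row === false || !password_verify($password, $hash)) {
        return false;
    }
    $session = [];                        // drop any pre-login state
    $session['loggedin'] = true;
    $session['user_id']  = (int) $row['id'];
    $session['username'] = $row['username'];
    return true;
}

// loggedin.php logic: the check every protected page runs after session_start().
function is_logged_in(array $session): bool {
    return isset($session['loggedin']) && $session['loggedin'] === true;
}

// Web glue (only meaningful under a web server): start the session first and
// regenerate its id on login so a pre-set cookie (session fixation) is useless.
function web_login(PDO $db, string $username, string $password): void {
    session_start();
    if (attempt_login($db, $_SESSION, $username, $password)) {
        session_regenerate_id(true);
        header('Location: loggedin.php');
    } else {
        echo 'Wrong Username or Password';
    }
    exit();
}

function expect(bool $cond, string $what): void {
    if (!$cond) {
        throw new RuntimeException("check failed: $what");
    }
    echo "ok: $what\n";
}

if (PHP_SAPI === 'cli') {
    $db = open_db();
    $session = [];
    expect(!attempt_login($db, 'alice', 'wrong'), 'wrong password is rejected');
    expect(!is_logged_in($session), 'session stays logged out after a failure');
    expect(!attempt_login($db, "alice' OR '1'='1", 'correct horse'), 'injection in the username is inert');
    expect(attempt_login($db, 'alice', 'correct horse'), 'correct credentials are accepted');
    expect(is_logged_in($session), 'session carries the login afterwards');
}
```

The lookup is by username only: the password never goes into the SQL string, and password_verify() does the comparison in constant time against the stored hash, so the `$count == 1` pattern from the thread is not needed.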

I would like to see how to encrypt the password... If you or someone could post that I would appreciate it!

First you need to encrypt the passwords in the db, both when you add a new user and when the user or admin changes a password. Then you need to encrypt the password on login. To encrypt the password you can use either md5() or sha1(). If you use md5() the login would look something like this:

// Define $myusername and $mypassword
$myusername = mysql_real_escape_string( $_POST['myusername'] ); // escape before use in SQL
$mypassword = md5( $_POST['mypassword'] ); // Encrypt using md5
$sql = "SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result = mysql_query( $sql );

When inserting/updating user info, make sure you encrypt the password in the same way...

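An added example (not from the thread) showing what the md5()/sha1() advice above buys and what it does not: hash() computes the unsalted digests the thread discusses (md5, sha1 and the SHA-2 family), a short constructed wordlist recovers a password from such a digest because every user with that password gets the same digest, and password_hash()/password_verify() (PHP 5.5+) produce salted, slow hashes that do not share the problem. The wordlist and the password are made up for the demonstration.

```php
<?php
// Added example (not from the thread): unsalted fast digests vs. password_hash().
declare(strict_types=1);

// The thread's approach: an unsalted, fast digest of the password.
// hash() supports md5, sha1, sha256, sha512 and more (see hash_algos()).
function legacy_hash(string $password, string $algo): string {
    return hash($algo, $password);
}

// Offline dictionary attack against an unsalted digest: digest each candidate and
// compare. Without a salt one precomputed table covers every user in the database.
function crack_unsalted(string $digest, array $wordlist, string $algo): ?string {
    foreach ($wordlist as $candidate) {
        if (hash_equals($digest, hash($algo, $candidate))) {
            return $candidate;
        }
    }
    return null;
}

// The fix: a slow, salted password hash. password_hash() draws a random salt and
// stores it inside the returned string, so equal passwords give different hashes.
function store_password(string $password): string {
    return password_hash($password, PASSWORD_DEFAULT); // bcrypt by default
}

function check_password(string $password, string $stored): bool {
    return password_verify($password, $stored);        // reads the salt back out of $stored
}

$wordlist = ['123456', 'password', 'letmein', 'qwerty']; // constructed
$userPw   = 'letmein';                                   // constructed

foreach (['md5', 'sha1', 'sha256', 'sha512'] as $algo) {
    $d = legacy_hash($userPw, $algo);
    printf("%-7s %3d hex chars, dictionary hit: %s\n",
        $algo, strlen($d), crack_unsalted($d, $wordlist, $algo) ?? 'none');
}

$h1 = store_password($userPw);
$h2 = store_password($userPw);
printf("bcrypt: two hashes of the same password differ: %s\n", $h1 !== $h2 ? 'yes' : 'no');
printf("bcrypt: password_verify accepts the right password: %s\n", check_password($userPw, $h1) ? 'yes' : 'no');
printf("bcrypt: password_verify rejects a wrong password:   %s\n", check_password('Letmein', $h1) ? 'yes' : 'no');
printf("bcrypt: dictionary lookup is not possible, the digest depends on the salt: %s\n", substr($h1, 0, 29));
```

Switching md5() for sha1() or sha256 only changes the digest length (32, 40, 64 hex characters); the dictionary lookup works the same for all of them, which is why the salt and the deliberately slow algorithm matter more than the choice between MD5 and SHA.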


thanks! what's the difference between md5 and the sha1 ?

They use different algorithms to get the "hash" (I linked the function names to the manual pages...). A hash is a long number (often in hex) that only (should) match one string (so 'a', 'b' and 'aa' will give different hashes); it's often used as a checksum to check that, i.e., the file you downloaded is the same as the one that was put on the webpage originally...

md5 uses an algorithm called "RSA Data Security, Inc. MD5 Message-Digest Algorithm" (RSA is often used in the beginning of secure connections)
sha1 uses an algorithm called "US Secure Hash Algorithm 1" (sounds like it's US specific... :) )

Don't know if there's a big difference between them, but md5 returns 32 chars and sha1 returns 40 chars...


cool thanks a lot you have been very helpful!

sha1 uses an algorithm called "US Secure Hash Algorithm 1" (sounds like it's US specific... :) )
SHA1 isn't US-specific, but the SHA algorithms were developed by the National Security Agency and approved as US government standards. The approval means that it has been shown to be uncrackable with the current technology. As computers improve, within the next 10 years or so people probably won't be using MD5 or SHA1 any more. It is possible to crack both of those algorithms right now (by crack, you would find a certain string that produces the hash you are looking for, but not necessarily the original encrypted string), but the time it would take with the current technology makes it infeasible. Wikipedia puts it well, quoting from the standard:
These algorithms are called “secure” because (in the words of the standard), “for a given algorithm, it is computationally infeasible 1) to find a message that corresponds to a given message digest, or 2) to find two different messages that produce the same message digest. Any change to a message will, with a very high probability, result in a different message digest.”
Recently both SHA-1 and MD5 have been put through a lot of scrutiny, with people trying to find attacks for them. Some collisions were found (a collision is where 2 messages hash to the same value), but there is not an algorithm that a current computer could run in any reasonable amount of time that would break the encryption. But, even so, the NSA is working on developing the next generation of encryption algorithms, and they are using a public competition to do it. The US government does not recommend using SHA-1 for government uses anymore because of attack research; they use one of the other SHA algorithms. SHA-1 isn't the only SHA algorithm, there are also SHA-224, SHA-256, SHA-384, and SHA-512. PHP supports all of them as well, and if you feel that SHA-1 isn't enough security you can go ahead and use one of the others, or even combine them. Personally, I think that right now SHA-1 is still perfectly fine to use for the vast majority of web applications. The attack research has found methods that can produce a collision in less time than it would take a brute force attack trying all combinations. A brute force attack would require fewer than 2^80 operations to break, which is an enormous number. It would take a modern computer several hundred years to finish. The attack research has found a method that only takes 2^63 operations to find a collision, which definitely is a lot less time than brute force, but it is still an enormous number.

Check the Wikipedia page if you want more info about SHA, including the actual hashing algorithms: http://en.wikipedia.org/wiki/SHA-1
