Hi there, I have a website that people register and log into, but I can't seem to figure out how, on the member pages, to make it so that when you're not a member it will give you the login.php page instead of going to the page itself. Can someone help?
Elaine
OK, I got the registration part:

```php
<?php
include 'db.php';

$msg = "First Name is a required field. Please re-enter your information!";
$msga = "Last Name is a required field. Please re-enter your information!";
$msgb = "Email Address is a required field. Please re-enter your information!";
$msgc = "Username is a required field. Please re-enter your information!";
$msgd = "Your membership information has been mailed to your email address! Please check it and follow the directions!";
$msge = "Your email address has already been used by another member in our database. Please submit a different Email address!";
$msgf = "The username you have selected has already been used by another member in our database. Please choose a different Username!";

// Define post fields into simple variables
$first_name = $_POST['first_name'];
$last_name = $_POST['last_name'];
$email_address = $_POST['email_address'];
$username = $_POST['username'];
$info = $_POST['info'];

/* Let's strip some slashes in case the user entered
any escaped characters. */
$first_name = stripslashes($first_name);
$last_name = stripslashes($last_name);
$email_address = stripslashes($email_address);
$username = stripslashes($username);
$info = stripslashes($info);

/* Do some error checking on the form posted fields */
if((!$first_name) || (!$last_name) || (!$email_address) || (!$username)){
    if(!$first_name){
        echo "<script language=\"javascript\">alert(\"".$msg."\");</script>";
    }
    if(!$last_name){
        echo "<script language=\"javascript\">alert(\"".$msga."\");</script>";
    }
    if(!$email_address){
        echo "<script language=\"javascript\">alert(\"".$msgb."\");</script>";
    }
    if(!$username){
        echo "<script language=\"javascript\">alert(\"".$msgc."\");</script>";
    }
    include 'form.php'; // Show the form again!
    /* End the error checking and if everything is ok, we'll move on to
    creating the user account */
    exit(); // if the error checking has failed, we'll exit the script!
}

/* checking and ensuring that the user's email address or username
does not exist in the database */
$sql_email_check = mysql_query("SELECT email_address FROM users WHERE email_address='$email_address'");
$sql_username_check = mysql_query("SELECT username FROM users WHERE username='$username'");

$email_check = mysql_num_rows($sql_email_check);
$username_check = mysql_num_rows($sql_username_check);

if(($email_check > 0) || ($username_check > 0)){
    if($email_check > 0){
        echo "<script language=\"javascript\">alert(\"".$msge."\");</script>";
        unset($email_address);
    }
    if($username_check > 0){
        echo "<script language=\"javascript\">alert(\"".$msgf."\");</script>";
        unset($username);
    }
    include 'form.php'; // Show the form again!
    exit(); // exit the script so that we do not create this account!
}

/* Everything has passed both error checks that we have done.
It's time to create the account! */

/* generate a random password for the user and encrypt it, email it
and then enter it into the db. */
function makeRandomPassword() {
    $salt = "abchefghjkmnpqrstuvwxyz0123456789";
    srand((double)microtime()*1000000);
    $pass = ""; // start from an empty string before appending characters
    $i = 0;
    while ($i <= 7) {
        $num = rand() % 33;
        $tmp = substr($salt, $num, 1);
        $pass = $pass . $tmp;
        $i++;
    }
    return $pass;
}

$random_password = makeRandomPassword();
$db_password = md5($random_password);

// Enter info into the Database.
$info2 = htmlspecialchars($info);
$sql = mysql_query("INSERT INTO users (first_name, last_name, email_address, username, password, info, signup_date)
VALUES('$first_name', '$last_name', '$email_address', '$username', '$db_password', '$info2', now())") or die (mysql_error());

if(!$sql){
    echo 'There has been an error creating your account. Please contact the webmaster.';
    include 'contactus.php';
} else {
    $userid = mysql_insert_id();
    // Let's mail the user!
    $subject = "Your Membership at The Truth Discovered!";
    $message = "Dear $first_name $last_name,
Thank you for registering at our website, http://www.thetruthdiscovered.com!

You are two steps away from logging in and accessing our exclusive members area.

To activate your membership, please click here: http://www.thetruthdiscovered.com/activate.php?id=$userid&code=$db_password

Once you activate your membership, you will be able to login with the following information:
Username: $username
Password: $random_password

Thank You
The Staff

This is an automated response, please do not reply!";

    mail($email_address, $subject, $message, "From: The Truth Discovered Webmaster<admin@thetruthdiscovered.com>\n X-Mailer: PHP/" . phpversion());
    echo "<script language=\"javascript\">alert(\"".$msgd."\");</script>";
    include 'index.php';
}
?>
```

Then the login is checkuser.php:

```php
<?php
/* Check User Script */
session_start(); // Start Session
include 'db.php';

$msg = "You could not be logged in! Either the username and password do not match or you have not validated your membership! Please Try again!";
$msga = "Please enter ALL the information!";

// Convert to simple variables
$username = $_POST['username'];
$password = $_POST['password'];

if((!$username) || (!$password)){
    echo "<script language=\"javascript\">alert(\"".$msga."\");</script>";
    include 'login.php';
    exit();
}

// Convert password to md5 hash
$password = md5($password);

// check if the user info validates the db
$sql = mysql_query("SELECT * FROM users WHERE username='$username' AND password='$password' AND activated='1'");
$login_check = mysql_num_rows($sql);

if($login_check > 0){
    while($row = mysql_fetch_array($sql)){
        foreach( $row AS $key => $val ){
            $$key = stripslashes( $val );
        }
        // Register some session variables!
        session_register('first_name');
        $_SESSION['first_name'] = $first_name;
        session_register('last_name');
        $_SESSION['last_name'] = $last_name;
        session_register('email_address');
        $_SESSION['email_address'] = $email_address;
        session_register('special_user');
        $_SESSION['user_level'] = $user_level;

        mysql_query("UPDATE users SET last_login=now() WHERE userid='$userid'");

        header("Location: members/login_success.php");
    }
} else {
    echo "<script language=\"javascript\">alert(\"".$msg."\");</script>";
    include 'login.php';
}
?>
```

Now let me tell you, a lot of people have been telling me that it is old code, but I got it from a tutorial on creating membership logins. I am very new at this and I have been playing around with this for about a few weeks, so I am familiar with it so far, but to add and make it do stuff is hard for me. I appreciate the help.
Elaine
First of all I suggest you use one of the following functions to prevent SQL Injection: mysql_real_escape_string or htmlspecialchars. Use them on the $_POST['username'] and other things you use in other queries... In the members page put some code like this:

```php
if(!isset($_SESSION['first_name']))
    Header("Location: login.php");
```
I'm sorry, I don't know what to do with that?

```php
if(!isset($_SESSION['first_name']))
    Header("Location: login.php");
```

Where would I put that? And the mysql_real_escape_string, where would I put that? On my $username = $_POST['username'];
Elaine
```php
// func: redirect($to,$code=307)
// spec: http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html
function redirect($to,$code=301)
{
    $location = null;
    $sn = $_SERVER['SCRIPT_NAME'];
    $cp = dirname($sn);
    if (substr($to,0,4)=='http') $location = $to; // Absolute URL
    else
    {
        $schema = $_SERVER['SERVER_PORT']=='443'?'https':'http';
        $host = strlen($_SERVER['HTTP_HOST'])?$_SERVER['HTTP_HOST']:$_SERVER['SERVER_NAME'];
        if (substr($to,0,1)=='/') $location = "$schema://$host$to";
        elseif (substr($to,0,1)=='.') // Relative Path
        {
            $location = "$schema://$host/";
            $pu = parse_url($to);
            $cd = dirname($_SERVER['SCRIPT_FILENAME']).'/';
            $np = realpath($cd.$pu['path']);
            $np = str_replace($_SERVER['DOCUMENT_ROOT'],'',$np);
            $location.= $np;
            if ((isset($pu['query'])) && (strlen($pu['query'])>0)) $location.= '?'.$pu['query'];
        }
    }

    $hs = headers_sent();
    if ($hs==false)
    {
        // A raw status line has to start with the protocol: "HTTP/1.1 <code> <reason>"
        if ($code==301) header("HTTP/1.1 301 Moved Permanently"); // Convert to GET
        elseif ($code==302) header("HTTP/1.1 302 Found"); // Conform re-POST
        elseif ($code==303) header("HTTP/1.1 303 See Other"); // dont cache, always use GET
        elseif ($code==304) header("HTTP/1.1 304 Not Modified"); // use cache
        elseif ($code==305) header("HTTP/1.1 305 Use Proxy");
        elseif ($code==306) header("HTTP/1.1 306 Not Used");
        elseif ($code==307) header("HTTP/1.1 307 Temporary Redirect");
        else trigger_error("Unhandled redirect() HTTP Code: $code",E_USER_ERROR);
        header("Location: $location");
        header('Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0');
    }
    elseif (($hs==true) || ($code==302) || ($code==303))
    {
        // todo: draw some javascript to redirect
        $cover_div_style = 'background-color: #ccc; height: 100%; left: 0px; position: absolute; top: 0px; width: 100%;';
        echo "<div style='$cover_div_style'>\n";
        $link_div_style = 'background-color: #fff; border: 2px solid #f00; left: 0px; margin: 5px; padding: 3px; ';
        $link_div_style.= 'position: absolute; text-align: center; top: 0px; width: 95%; z-index: 99;';
        echo "<div style='$link_div_style'>\n";
        echo "<p>Please See: <a href='$to'>".htmlspecialchars($location)."</a></p>\n";
        echo "</div>\n</div>\n";
    }
    exit(0);
}
```

```php
else {
    echo "<script language=\"javascript\">alert(\"".$msg."\");</script>";
    include 'login.php';
    redirect("/index.php", 307);
}
```

I think that should work. I got this from http://www.edoceo.com/creo/php-redirect.php . I would have put the header function the other guy said but he already said it.
Put that code in the members page before everything, between the <?php ?> tags.

```php
$username = mysql_real_escape_string($_POST['username']);
```
OK, done. mysql_real_escape_string is on all the $_POST's, but can you just tell me what that statement does besides the one I had? Just so I can know for future reference and to actually learn this. I appreciate it.
Elaine
I found a better one, just put this in your else statement:

```php
echo "<meta http-equiv='Refresh' content='2; URL=login.php'/>";
```

I have not tested that.
This way works fine, there is another one:

```php
echo "<script type=\"text/javascript\">document.location='login.php';</script>";
```
Oh boy, I'm confused. So I put

```php
$username = mysql_real_escape_string($_POST['username']);
```

on every members page that I want people to log into? And then put

```php
echo "<meta http-equiv='Refresh' content='2; URL=login.php'/>";
```

as an else statement? Do any of these go into my register.php file, or do they all go into my multiple member pages that are only accessible after you log in?
Elaine
No, make another page with all that code and then in the member pages put an include.

```php
include_once("checklogged.php");
```

Or something... nico_swd, I didn't see a computer with JavaScript disabled yet :\
I'm getting very confused now, I don't know where anything goes! I have a register.php file to register and add information to the database, then I have a checkuser.php to verify the user's login when they want to log in. Now all those things you guys stated go in which ones?
Elaine
As I said before, my code is to be placed in a page that only logged-in members can access... Put it at the top of the page, but in place of the Header line put D_C's code.
OK, I like that include thingy, that I can handle. So I will put all this:

```php
<?php
if(!isset($_SESSION['first_name']))
    Header("Location: login.php");
$username = mysql_real_escape_string($_POST['username']);
{
    echo "<script type=\"text/javascript\">document.location='login.php';</script>";
}
?>
```

then the include file in the member pages?
Elaine
You're right, but the code is as follows:

```php
<?php
if(!isset($_SESSION['first_name']))
    echo "<script type=\"text/javascript\">document.location='login.php';</script>";
?>
```

Then include it... About the mysql_real_escape_string, you need to use it in the register page with all the data that came from the form and as well in the login, but in the login page only for the username.
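
Added example, not code from the thread: the login lookup from checkuser.php written with a PDO prepared statement, the parameterized alternative to escaping each $_POST value before it goes into a query. It assumes an in-memory SQLite table with constructed rows so it runs stand-alone (the site in the thread uses MySQL), substitutes password_hash()/password_verify() for md5(), and make_demo_db() and check_login() are hypothetical names.

```php
<?php
// Added example. Table layout follows the columns used in checkuser.php;
// the database is in-memory SQLite and every row is constructed.
function make_demo_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (userid INTEGER PRIMARY KEY, username TEXT UNIQUE,
                password TEXT, first_name TEXT, activated INTEGER)');
    $ins = $pdo->prepare('INSERT INTO users (username, password, first_name, activated)
                          VALUES (?, ?, ?, ?)');
    // Constructed accounts: one contains a quote, one is not activated yet.
    $ins->execute(["o'neil", password_hash('constructed-pass-1', PASSWORD_DEFAULT), 'Pat', 1]);
    $ins->execute(['elaine', password_hash('constructed-pass-2', PASSWORD_DEFAULT), 'Elaine', 0]);
    return $pdo;
}

// Returns the user row (without the hash) on success, null otherwise.
function check_login(PDO $pdo, string $username, string $password): ?array
{
    // The ? placeholder sends the value separately from the SQL text, so a
    // quote in $username is data and cannot change the shape of the query.
    $stmt = $pdo->prepare('SELECT userid, first_name, password FROM users
                           WHERE username = ? AND activated = 1');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password'])) {
        return null; // same answer for unknown user, wrong password, not activated
    }
    unset($row['password']); // never carry the hash into the session
    return $row;
}

$pdo = make_demo_db();
$attempts = [
    ["o'neil", 'constructed-pass-1'], // valid user whose name contains a quote
    ["o'neil", 'wrong-pass'],         // wrong password
    ['elaine', 'constructed-pass-2'], // correct password, account not activated
];
foreach ($attempts as [$user, $pass]) {
    $result = check_login($pdo, $user, $pass);
    printf("%-8s => %s\n", $user, $result === null ? 'rejected' : 'logged in as ' . $result['first_name']);
}
```
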
Oh my, I'm so happy. Thank you for all your help. I will test it all out now and let you know in a few. I appreciate it, thank you, thank you.
Elaine
Sorry, but this is SO insecure. All pages will be visible for everyone by simply disabling JavaScript on the browser. At LEAST send an exit() after the echo.
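
Added example, not code from the thread: the first function shows what the server sends to a logged-out visitor when the JavaScript redirect is echoed with and without stopping the script, and the second is a guard for the top of a member page that stops server-side. render_member_page(), require_login() and the page content are hypothetical and constructed; the session key and login.php come from the thread.

```php
<?php
// Added example. render_member_page() simulates a member page so the
// response body can be inspected; its content is constructed.
function render_member_page(array $session, bool $stopAfterRedirect): string
{
    ob_start();
    if (!isset($session['first_name'])) {
        echo "<script type=\"text/javascript\">document.location='login.php';</script>";
        if ($stopAfterRedirect) {
            return ob_get_clean();   // stands in for exit(): nothing after this is sent
        }
    }
    echo "<h1>Members area</h1><p>member-only content</p>";
    return ob_get_clean();
}

// Guard for the top of every member page (the thread's checklogged.php).
function require_login(string $loginUrl = 'login.php'): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();             // $_SESSION is empty until the session is started
    }
    if (isset($_SESSION['first_name'])) {
        return;                      // logged in: let the page continue
    }
    if (!headers_sent()) {
        header('Location: ' . $loginUrl, true, 302);
    }
    exit;                            // always stop, whether or not the header was sent
}

if (PHP_SAPI === 'cli') {
    $loggedOut = [];                 // constructed: a visitor with no session data
    foreach ([false, true] as $stop) {
        $body = render_member_page($loggedOut, $stop);
        printf("stop after redirect: %-5s  member content in response: %s\n",
            var_export($stop, true),
            strpos($body, 'member-only content') !== false ? 'yes' : 'no');
    }
}
```

In a real checklogged.php only require_login() and a call to it are needed, and the member pages include that file before producing any output.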