Hi, I'm trying to sort out a login page. I'm using this script to log in:

```php
<?php
$host="****"; // Host name
$username="****"; // Mysql username
$password="****"; // Mysql password
$db_name="****"; // Database name
$tbl_name="****"; // Table name

// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

// username and password sent from login form
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];

$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);

// If result matched $myusername and $mypassword, table row must be 1 row
if($count==1){
    // Register $myusername, $mypassword and redirect to file "login_success.php"
    session_register("myusername");
    session_register("mypassword");
    header("location:login_success.php");
}
else {
    echo "<html><body><center>Wrong Username or Password<br><br><a href='main_login.php'>Click Here to go back</a></body></html>";
}
?>
```

(I removed the database login details!)

And then checking the login on subsequent pages using this:

```php
<?
session_start();
if(!session_is_registered(myusername)){
    header("location:../../login/main_login.php");
}
?>
```

How can I check WHICH user has logged in? I want to give access to people on some pages and not on others. There are only about 7 usernames, so I just want an extra check that says something like:

```
IF USERNAME IS {a certain user}
THEN SHOW THE PAGE
IF NOT THEN DON'T!
```

Or is there an easier/better way of doing all of this? I'm open to suggestions!
First off, you need to clean the user input from the form, because this script is completely open to SQL injection.

```php
$sql="
SELECT username
FROM $tbl_name
WHERE username='".mysql_real_escape_string($myusername)."'
AND password='".mysql_real_escape_string($mypassword)."'
LIMIT 1";
```

Secondly, you wouldn't want to register the password as a session variable, because it should stay in the database so it can't be exploited or used anywhere else. I would do the rest something like this:

```php
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);

if($count>0){
    // Register logged in session variable and redirect to file "login_success.php"
    session_start(); // $_SESSION is only saved once the session has been started
    $user = mysql_fetch_array($result);
    $_SESSION['logged_in'] = true;
    $_SESSION['username'] = $user['username'];
    header("location:login_success.php");
    exit; // stop the script once the redirect has been sent
}
else {
    echo "<html><body><center>Wrong Username or Password<br><br><a href='main_login.php'>Click Here to go back</a></body></html>";
}
```

On the other pages use:

```php
session_start();
if(empty($_SESSION['logged_in'])){
    header("location:../../login/main_login.php");
    exit; // without this the rest of the protected page still runs
}
```

To validate for a specific user:

```php
session_start();
if(empty($_SESSION['logged_in']) || ($_SESSION['username'] != 'some_username')){
    //user not authorized
    header("location:../../login/main_login.php");
    exit; // without this the rest of the protected page still runs
}
```

Note that this is still a very basic and fairly insecure script, so don't use it for anything that needs major security. If you want a decent login system that would address user levels and simple administration, take a look at this script: http://www.evolt.org/PHP-Login-System-with-Admin-Features
No code changing. Your user name is in $_SESSION['myusername']. Use it on pages:

```php
if ($_SESSION['myusername'] == "So1") {
    //display page1;
}
if ($_SESSION['myusername'] == "aquasonic") {
    //display another page;
}
```

And use mysql_real_escape_string, as jestep said.
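An added example, not code from any poster in this thread: the login check done with a bound query parameter and a password hash, plus the per-page username check asked about in the first post. The `members` table, the sample passwords, the helper names `authenticate` and `may_view`, and the use of in-memory SQLite through PDO (so it runs without a MySQL server) are assumptions; `So1` and `aquasonic` are the usernames from the reply above.

```php
<?php
// Added example: constructed schema, users and page lists; not the thread's code.
// Assumes PHP 7.1+ with the pdo_sqlite extension.

// Look the user up with a bound parameter, then verify the password hash.
// Returns the stored username on success, null on any failure.
function authenticate(PDO $db, string $username, string $password): ?string
{
    $stmt = $db->prepare('SELECT username, password_hash FROM members WHERE username = ? LIMIT 1');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return $row['username'];
}

// Per-page check: true only for a logged-in user on this page's allow-list.
function may_view(array $session, array $allowedUsers): bool
{
    return !empty($session['logged_in'])
        && isset($session['username'])
        && in_array($session['username'], $allowedUsers, true);
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
$insert = $db->prepare('INSERT INTO members (username, password_hash) VALUES (?, ?)');
foreach (['So1' => 'example-pass-1', "o'brien" => 'example-pass-2'] as $name => $pass) {
    // Only the hash is stored; the plain password never reaches the table.
    $insert->execute([$name, password_hash($pass, PASSWORD_DEFAULT)]);
}

// Simulated login. On a real page: session_start(), then on success
// session_regenerate_id(true) and store these two values in $_SESSION.
$session = [];
$user = authenticate($db, "o'brien", 'example-pass-2'); // the quote is bound as data
if ($user !== null) {
    $session = ['logged_in' => true, 'username' => $user];
}

var_dump(authenticate($db, 'So1', 'wrong-password'));  // failed login
var_dump(may_view($session, ["o'brien"]));             // user on the allow-list
var_dump(may_view($session, ['So1', 'aquasonic']));    // logged in, wrong page
var_dump(may_view([], ['So1']));                       // not logged in at all
```

On a real page, a failed `may_view()` check should send the redirect header and then call `exit` so the rest of the page does not run.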