Hi everyone, I have developed a PHP login system within the header page of a website. Everything works fine (won't log in unless username and password match etc.). The one problem I have is that if I click on another link inside the header page that opens up a new PHP file (this new PHP file includes the header file), the login system resets itself and therefore the user will have to log in again. Here is the code:

<?
// PHP code section
require_once("includes/connect.php");
session_start();
//if(isset($_POST["username"]) && $_POST["username"] != "") {
$username = $_POST["username"];
$password = $_POST["password"];
//}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>DVD Haven</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link rel="stylesheet" type="text/css" href="styles.css">
<script type="text/javascript" src="script.js"></script>
</head>
<body>
<table border="0" align="center" width="800" cellspacing="0" cellpadding="0">
<tr>
<td colspan="7"><a href="assignment01.html"><img src="header.jpg" height="84" width="800" alt="header" border="0" title="Go to Home Page"/></a></td>
</tr>
<!-- Menu -->
<tr class="menu">
<td><a href="products.php" onmouseover="menu('products','Over')" onmouseout="menu('products','Norm')">
<img name="products" src="images/products.jpg" width="103" height="36" alt="products" border="0"/></a>
</td>
<td><a href="reviews.php" onmouseover="menu('reviews','Over')" onmouseout="menu('reviews','Norm')">
<img name="reviews" src="images/reviews.jpg" width="91" height="36" alt="reviews" border="0" /></a>
</td>
<td><a href="register.php" onmouseover="menu('register','Over')" onmouseout="menu('register','Norm')">
<img name="register" src="images/register.jpg" width="93" height="36" alt="register" border="0" /></a>
</td>
<td><a href="stores.php" onmouseover="menu('stores','Over')" onmouseout="menu('stores','Norm')">
<img name="stores" src="images/stores.jpg" width="82" height="36" alt="stores" border="0" /></a>
</td>
<td width="431" height="36" align="right" class="loginText">
<?
$query = "SELECT * FROM regouser WHERE username='$username' AND password='$password'";
$result = mysql_query($query);
$num_records = mysql_num_rows($result);
if($num_records != 1) {
?>
<form name="login" method="post" action="<? echo $_SERVER['PHP_SELF']; ?>">
<input type="text" name="username" size="10" value="">
<input type="password" name="password" size="10" value="">
<input type="submit" value="Login" class="button">
</form>
<? }else{
echo "Thankyou, " . $username = $_POST["username"] . ", you are now logged in.";
?>
<form name="logout" method="post" action="#">
<input type="button" value="Logout" class="button" onclick="javascript:window.location = 'includes/logout.php'">
</form>
<? } ?>
</td>
Do all your files have session_start()? Also, what do you mean they have to log in again? The login form displays again? Or they can't access pages that need to be logged in? Maybe you should set some session values:

$_SESSION['name'] = $username;
<form name="login" method="post" action="<? echo $_SERVER['PHP_SELF']; ?>">

Vulnerable to XSS.

$username = $_POST["username"];
$password = $_POST["password"];
...
$query = "SELECT * FROM regouser WHERE username='$username' AND password='$password'";
$result = mysql_query($query);

Vulnerable to SQL injection.

As for having to log back in, I don't see anything that checks to see if the person is logged in or not. Do what Lordy said with sessions for that.
To make a correct login system, first you need to:

1. Get login information from the user (which you do).
2. Compare it to the database information (which you also do).

Then, if the information is correct:

3. Set a session, for both username and password:

$_SESSION['username'] = $username;
$_SESSION['password'] = $password;

4. When you are loading the page (each page, each time), make it check the session:

if(isset($_SESSION['username']) && isset($_SESSION['password'])) {
    compare login and password to database information:
    if it matches - show user logged in message
    if it doesn't match - show user login
}
if no session was found - show user login

Also, as Flash mentioned, you need to sanitize your input, to avoid SQL injection. You can use the addslashes() function.
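As an added worked example (my own code, not anything posted in this thread), here is a header fragment that carries out steps 1 to 4 above with sessions and also addresses the SQL injection and XSS points from the earlier reply. It assumes that includes/connect.php defines a mysqli connection named $db (hypothetical name), that regouser has an id column alongside username and password, and that the password column holds a password_hash() hash rather than plain text. It uses a prepared statement rather than addslashes(), escapes everything it echoes with htmlspecialchars(), and stores only the user id and username in the session, not the password, which is a deliberate departure from step 3.

```php
<?php
// Added example, not the original poster's code. Assumptions:
//   - includes/connect.php creates a mysqli connection in $db (hypothetical)
//   - regouser has columns id, username, password (password = password_hash() output)
//   - this file is included at the very top of every page, before any output

session_start();                       // must run before any HTML is sent
require_once("includes/connect.php");  // assumed to define $db (mysqli)

// Escape a value for HTML output (covers the XSS point raised above).
function h($s) {
    return htmlspecialchars((string)$s, ENT_QUOTES, 'UTF-8');
}

// Returns the user row on success or null on failure. The username is bound
// as a parameter, so it can never change the query text (no SQL injection).
// The password is checked with password_verify() against the stored hash.
function authenticate(mysqli $db, string $username, string $password): ?array {
    $stmt = $db->prepare("SELECT id, username, password FROM regouser WHERE username = ?");
    $stmt->bind_param("s", $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // needs mysqlnd (default build)
    $stmt->close();
    if ($row === null || !password_verify($password, $row['password'])) {
        return null;
    }
    return $row;
}

// Step 1 + 2 + 3: handle a login submission and set the session on success.
$login_error = null;
if (isset($_POST['username'], $_POST['password']) && !isset($_SESSION['user_id'])) {
    $user = authenticate($db, $_POST['username'], $_POST['password']);
    if ($user !== null) {
        session_regenerate_id(true);   // fresh session id once the user is authenticated
        $_SESSION['user_id']  = $user['id'];
        $_SESSION['username'] = $user['username'];
    } else {
        $login_error = "Invalid username or password.";
    }
}

// Logout is a POST, so a plain link cannot log the user out by accident.
if (isset($_POST['logout'])) {
    $_SESSION = [];
    session_destroy();
    header("Location: " . $_SERVER['SCRIPT_NAME']);
    exit;
}

// Step 4: every page that includes this header gets the same check.
$logged_in = isset($_SESSION['user_id']);
?>
<td width="431" height="36" align="right" class="loginText">
<?php if ($logged_in): ?>
  Thank you, <?= h($_SESSION['username']) ?>, you are now logged in.
  <form method="post" action="<?= h($_SERVER['SCRIPT_NAME']) ?>">
    <input type="submit" name="logout" value="Logout" class="button">
  </form>
<?php else: ?>
  <?php if ($login_error !== null): ?>
    <span class="error"><?= h($login_error) ?></span>
  <?php endif; ?>
  <form method="post" action="<?= h($_SERVER['SCRIPT_NAME']) ?>">
    <input type="text" name="username" size="10">
    <input type="password" name="password" size="10">
    <input type="submit" value="Login" class="button">
  </form>
<?php endif; ?>
</td>
```

Because the session is read on every page load and the login form only appears while $_SESSION['user_id'] is unset, following a menu link to products.php or reviews.php no longer shows the form again. The redirect after logout has to happen before any HTML is echoed, which is why all of the PHP logic sits above the markup rather than inside the table cell as in the original header.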
session_start() should be the first thing you call on every web page. Lots of good advice already. Clean your variables and make sure you check the session variables instead.