Another PHP Problem with mySQL
Nov 24 2008, 1:15 pm
By: Devourer  

Nov 24 2008, 1:15 pm Devourer Post #1

Hello

So... my register script works fine and I think my login-script too.... but I can't be sure, because on Index.php "Welcome Guest" should be replaced with "Welcome [current user]" when you are logged in.... Please help me... again :O



Index.php
<?php

//This will start a session
session_start();

$username = $_SESSION['user'];
$password = $_SESSION['pass'];

//Check do we have username and password
if(!$username && !$password){
echo "Welcome Guest! <br> <a href=login.php>Login</a> | <a href=register.php>Register</a> | <a href=members.php> Members</a>";
}else{
echo "Welcome ".$username." (<a href=logout.php>Logout</a> | <a href=members.php> Members</a>)";
}


?>





Login.php
<?php

//This displays your login form
session_start();

echo "<form action='?act=login' method='post'>"
."Username: <input type='text' name='user' size='30'><br>"
."Password: <input type='password' name='pass' size='30'><br>"
."<input type='submit' value='Login'>"
."</form>"
."<a href=index.php> Index </a>";



$pass = md5($_POST[pass]);
$user = $_POST[user];

//Connecting to database
$connect = mysql_connect("localhost", "browsergamesc", "--------");
if(!$connect){
die(mysql_error());
}

mysql_select_db("browsergamesc",$connect);

$search = mysql_query("SELECT * FROM users WHERE username='$user' ");
$check = mysql_fetch_array($search);
if($check[username] == $user){
if(md5($check[password]) == $pass){
$_SESSION[login] = true;
};
};
?>


I think I messed up the variables....

EDIT: Don't give me a link... explain it to me, please...
EDIT: My MySQL table has these columns: ID USERNAME PASSWORD EMAIL GELD if that helps (all varchar [ID has auto increment])
EDIT: You may have noticed that these files aren't big, because I'm currently testing around with mySQL and PHP because I started with it some weeks ago... as soon as I understood all I may make a good page :)

Post has been edited 3 time(s), last time on Nov 24 2008, 2:15 pm by DeVouReR.



Please report errors in the Staredit.Network forum.

Nov 24 2008, 5:48 pm Falkoner Post #2



Just add an extra if statement so it prints something else if the user is logged in.



None.

Nov 24 2008, 9:41 pm Centreri Post #3

Relatively ancient and inactive

... You're not doing the logging in with a cookie?

What's wrong with you? :crazy: .

And if you DO use a cookie, please omit the password. Just a tip.



None.

Nov 24 2008, 9:42 pm Souma Post #4



When you do mysql queries always make sure to add error handling if something is wrong. At this part:

Quote
$search = mysql_query("SELECT * FROM users WHERE username='$user' ");
$check = mysql_fetch_array($search);
if($check[username] == $user){
if(md5($check[password]) == $pass){
$_SESSION[login] = true;
};
};

Replace with:
Quote
$search = "SELECT * FROM users WHERE username='$user'";
$res = mysql_query($search) OR die(mysql_error());

$check = mysql_fetch_array($res);

if($check[username] == $user && md5($check[password]) == $pass)
{
$_SESSION[login] = TRUE;
}

As I've never seen a session be used like this "$_SESSION[login] = TRUE;", is this where the session[login] is created? Also I'm assuming these are 2 separate pages. On your form action does it link back to index? Where are you creating your username session? This line right here has no meaning: $username = $_SESSION['user']; if it's created on a separate page. I would create this session on the login page only if the username and password are correct.

For some reason you may have to put:
Quote
echo "Welcome ".$_SESSION['user']." (<a href=logout.php>Logout</a> | <a href=members.php> Members</a>)";
If this is the only problem then you can disregard the above stuff :P. But always remember to add error handling when doing mysql queries. Some errors only show up when you have that there. If you're going to make this site live make sure to take out the error handling or add a custom error message once everything is working correctly because it gives away information you wouldn't want others to see.

Hope this helped o.o!



None.

Nov 25 2008, 3:19 pm Devourer Post #5

Hello

Quote from Souma
When you do mysql queries always make sure to add error handling if something is wrong. At this part:

Quote
$search = mysql_query("SELECT * FROM users WHERE username='$user' ");
$check = mysql_fetch_array($search);
if($check[username] == $user){
if(md5($check[password]) == $pass){
$_SESSION[login] = true;
};
};

Replace with:
Quote
$search = "SELECT * FROM users WHERE username='$user'";
$res = mysql_query($search) OR die(mysql_error());

$check = mysql_fetch_array($res);

if($check[username] == $user && md5($check[password]) == $pass)
{
$_SESSION[login] = TRUE;
}

As I've never seen a session be used like this "$_SESSION[login] = TRUE;", is this where the session[login] is created? Also I'm assuming these are 2 separate pages. On your form action does it link back to index? Where are you creating your username session? This line right here has no meaning: $username = $_SESSION['user']; if it's created on a separate page. I would create this session on the login page only if the username and password are correct.

For some reason you may have to put:
Quote
echo "Welcome ".$_SESSION['user']." (<a href=logout.php>Logout</a> | <a href=members.php> Members</a>)";
If this is the only problem then you can disregard the above stuff :P. But always remember to add error handling when doing mysql queries. Some errors only show up when you have that there. If you're going to make this site live make sure to take out the error handling or add a custom error message once everything is working correctly because it gives away information you wouldn't want others to see.

Hope this helped o.o!

thanks, but there still stands "Guest" I just noticed something
is it a problem if there stays MD5 and the input field and mysql column isn't protected via md5?



Please report errors in the Staredit.Network forum.

Nov 25 2008, 6:45 pm DT_Battlekruser Post #6



Code
$username = $_SESSION['user'];
$password = $_SESSION['pass'];


Where do you have assurances that these variables exist? As far as I know they are not automatically assigned, and I never see you set them.

Quote
thanks, but there still stands "Guest" I just noticed something
is it a problem if there stays MD5 and the input field and mysql column isn't protected via md5?

Not explicitly, as long as you are comparing an md5 hashed string every time. However, it is a grievous security flaw if you are storing passwords in an SQL database without hashing them. MD5 is a one-way hashing algorithm that always yields the same result for the same string.




None.

Nov 25 2008, 9:12 pm Souma Post #7



Quote
thanks, but there still stands "Guest" I just noticed something
is it a problem if there stays MD5 and the input field and mysql column isn't protected via md5?

Adding on to DT_Battlekruser's response, if you store the password field with a hash in mysql the only way to decode that and check if the user password is correct is to use md5 on the password field on your form. Also, like I said before, set the session username after they have logged in correctly. It does nothing if you set them on index.php.

Just a thought, is your password field in mysql at least 50 characters long?



None.

Nov 25 2008, 10:31 pm Centreri Post #8

Relatively ancient and inactive

Ah, DTBK found it. In the two files given, you didn't actually create $_SESSION[]'s. You need to assign values to SESSIONs -for example,
$_SESSION['user'] = $user;

Doing $_SESSION['user'] won't automatically sessionize the $user variable.

And, srsly, consider doing it via cookies. Sessions are annoying, cookies are awesome.



None.

Nov 26 2008, 1:18 pm Devourer Post #9

Hello

Quote from Centreri
Ah, DTBK found it. In the two files given, you didn't actually create $_SESSION[]'s. You need to assign values to SESSIONs -for example,
$_SESSION['user'] = $user;

Doing $_SESSION['user'] won't automatically sessionize the $user variable.

And, srsly, consider doing it via cookies. Sessions are annoying, cookies are awesome.

ok...
thanks, I'll try it later... [edit]

EDIT: Thanks @ everyone who helped! it finally worked! woa i'm so happy :D
EDIT: well... I can log in with any values I want... I think I forgot to check if the username exists... (I'm confused because I think that it is already checked)

Current Login.php

<?php

//This displays your login form
session_start();

echo "<form action='?act=login' method='post'>"
."Username: <input type='text' name='user' size='30'><br>"
."Password: <input type='password' name='pass' size='30'><br>"
."<input type='submit' value='Login'>"
."</form>"
."<a href=index.php> Index </a>";





$pass = md5($_POST[pass]);
$user = $_POST[user];

//Connecting to database
$connect = mysql_connect("localhost", "browsergamesc", "-------");
if(!$connect){
die(mysql_error());
}

mysql_select_db("browsergamesc",$connect);

$search = "SELECT * FROM users WHERE username='$user'";
$res = mysql_query($search) OR die(mysql_error());

$check = mysql_fetch_array($res);

if($check[username] == $user && md5($check[password]) == $pass)
{
$_SESSION[login] = TRUE;
$_SESSION['user'] = $user;
$_SESSION['pass'] = $pass;
}
?>


EDIT: Solved Login Problem
something else: in some input fields the address name is entered... why?


Post has been edited 3 time(s), last time on Nov 26 2008, 2:32 pm by DeVouReR.



Please report errors in the Staredit.Network forum.
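
A hardened version of the login check discussed in this thread, as an added example that is not code from any of the posters: it uses a parameterized query, password_hash()/password_verify() instead of MD5, rejects unknown usernames explicitly, logs database errors instead of printing them, and keeps the password out of the session. The in-memory SQLite database, the sample user and inputs, and the function names authenticate() and login() are assumptions made so the block runs on its own; the column names follow post #1.

```php
<?php
// Added example, not code from the thread. In-memory SQLite and the sample
// user are constructed stand-ins for the poster's MySQL "users" table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)');
// Registration stores a salted, slow hash, never the plain password or bare MD5.
$pdo->prepare('INSERT INTO users (username, password) VALUES (?, ?)')
    ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Returns the stored username on success, null on any failure.
function authenticate(PDO $pdo, string $user, string $pass): ?string
{
    // The placeholder keeps $user out of the SQL text, so quotes in it stay data.
    $stmt = $pdo->prepare('SELECT username, password FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Unknown user: fetch() returns false. Test it strictly instead of
    // letting loose == comparisons on a missing row decide the outcome.
    if ($row === false) {
        return null;
    }
    return password_verify($pass, $row['password']) ? $row['username'] : null;
}

// $post and $session stand in for $_POST and $_SESSION so this runs from the CLI.
function login(PDO $pdo, array $post, array &$session): bool
{
    if (!isset($post['user'], $post['pass'])) {
        return false;               // form not submitted: do not query at all
    }
    try {
        $name = authenticate($pdo, (string)$post['user'], (string)$post['pass']);
    } catch (PDOException $e) {
        error_log($e->getMessage()); // details go to the server log, not the page
        return false;
    }
    if ($name === null) {
        return false;
    }
    // On a real page, call session_regenerate_id(true) here before writing.
    $session = ['login' => true, 'user' => $name]; // the password is not kept
    return true;
}

$session = [];  // constructed inputs: valid login, unknown name with a quote, empty form
var_dump(login($pdo, ['user' => 'alice', 'pass' => 'correct horse'], $session));
var_dump(login($pdo, ['user' => "o'neil", 'pass' => ''], $session));
var_dump(login($pdo, [], $session));
```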
