HOW TO: Client Log-in Page
Registered User
Join Date: Jul 2003
Location: San Jose
so this is something that i had wanted to put on my site for a while but got put to the backburner b/c i didn't have the time or patience to sit down and learn it. well, i recently got it all working and i wanted to stick it up here in case anyone else was curious as to how to set up a login page.
for this to work, you'll need php and mysql running on your server.
first, you'll need to create a database (i named it 'client_login') and set up tables 'uid', 'pass', and 'site' (text, not null). so here, you'll enter the person's user id, their password, and the site that they will be redirected to when they login.
my next post will contain the html/php code, then i'll explain how it works....
Registered User
Join Date: Jul 2003
Location: San Jose
index.php
[? if (!$HTTP_POST_VARS['submit']) { ?]
[html]
[head]
[/head]
[body]
[form name="form" method="post" action="[? echo $PHP_SELF ?]"]
[input type="text" name="uid" value="user"][br]
[input type="password" name="pass"][br]
[input type="submit" name="submit" value="LogIn"]
[/form]
[/body]
[/html]
[? } else {
    $connect = mysql_connect("localhost", USER, PASSWORD);
    $select = mysql_select_db(DATABASE, $connect);
    $query = "SELECT * FROM TABLE WHERE uid= \"$uid\" AND pass= \"$pass\"";
    $result = mysql_query($query, $connect);
    // if row exists - login/pass is correct
    if (mysql_num_rows($result) == 1) {
        // initiate a session
        session_start();
        // register the user's ID and permission level
        session_register("SESSION_UID");
        session_register("SESSION_SITE");
        list($uid, $pass, $site) = mysql_fetch_row($result);
        $SESSION_UID = $uid;
        $SESSION_SITE = $site;
        // redirect to main menu page
        header("Location:$SESSION_SITE");
        mysql_free_result($result);
        // close connection
        mysql_close($connect);
    } else {
        // redirect to error page
        header("Location:error.php");
        exit;
    }
} ?]
(Last edited by mzllr; Jul 20, 2003 at 02:26 AM.)
Registered User
Join Date: Jul 2003
Location: San Jose
[? if (!$HTTP_POST_VARS['submit']) { ?]
this says that if there is no value for 'submit', display all the code within the first set of brackets.
[form name="form" method="post" action="[? echo $PHP_SELF ?]"]
this says that once the 'submit' button is pressed, the same page is reloaded. but now there is a value for 'submit', so it will skip the first section and start reading everything below [? } else { ?] .
$connect = mysql_connect("localhost", USER, PASSWORD);
$select = mysql_select_db(DATABASE, $connect);
$query = "SELECT * FROM TABLE WHERE uid= \"$uid\" AND pass= \"$pass\"";
$result = mysql_query($query, $connect);
this opens a connection to your mysql server and runs a query to check to see if the user id and password match. replace USER, PASSWORD, DATABASE, and TABLE with your actual values.
// initiate a session
session_start();
// register the user's ID and permission level
session_register("SESSION_UID");
session_register("SESSION_SITE");
list($uid, $pass, $site) = mysql_fetch_row($result);
$SESSION_UID = $uid;
$SESSION_SITE = $site;
to pass variables between pages and to validate that the person trying to access your client's site has the privileges to do so, you need to create a session.
the other parts not listed are commented as to what they do.....
(Last edited by mzllr; Jul 20, 2003 at 02:08 AM.)
Registered User
Join Date: Jul 2003
Location: San Jose
so now you've got the initial login page set-up, but now you need to keep unauthorized people from accessing your client's site (stored in variable $SESSION_SITE).
at the beginning of the page, you need to add a couple of lines of php code that check to see if a session has been initiated and who initiated it.
the code to do this is provided below....
Registered User
Join Date: Jul 2003
Location: San Jose
some_clients_page.php
[?
session_start();
if(!session_is_registered("SESSION_UID"))
{
header("Location:error.php");
exit;
}
?]
[html]
[head]
[/head]
[body]
[/body]
[/html]
(Last edited by mzllr; Jul 20, 2003 at 02:26 AM.)
Registered User
Join Date: Jul 2003
Location: San Jose
[?
session_start();
if(!session_is_registered("SESSION_UID"))
{
header("Location:error.php");
exit;
}
this basically says that if no session has been initiated by SESSION_UID, then the person will be redirected to an error page.
if everything validates, then they will be able to view all the code below....
i customized mine a bit to work for my needs, but to see it in action go to http://mikezeller.com/development/macnn
userid: macnn
pass: macnn
hope this helps some people out.....
(Last edited by mzllr; Jul 20, 2003 at 02:59 AM.)
Mac Elite
Join Date: Mar 2001
Location: England
Nice tutorial!
One thing I recommend is encrypting the passwords before they are stored. When you add the passwords to the database, make sure they are MD5 encrypted (there are tools to do that on the net - use google).
Then, change
$query = "SELECT * FROM TABLE WHERE uid= \"$uid\" AND pass= \"$pass\"";
to
$query = "SELECT * FROM TABLE WHERE uid= '$uid' AND pass= '".md5($pass)."'";
Then, if anyone did manage to hack into your database, they wouldn't be able to acquire any useful passwords.
Amorya
What the nerd community most often fail to realize is that all features aren't equal. A well implemented and well integrated feature in a convenient interface is worth way more than the same feature implemented crappy, or accessed through an annoying interface.
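A present-day version of the login check discussed in this thread, as an added example (not code posted by anyone here): the query uses a bound parameter instead of placing $uid and $pass inside the SQL string, and the pass column holds a salted password_hash() value rather than a bare MD5. The table name clients, the function names and the SQLite demo data are assumptions; the uid, pass and site columns follow the first post.

```php
<?php
// Added example, not code from the thread. Columns uid/pass/site follow the
// first post; the table name `clients` and all function names are assumptions.
declare(strict_types=1);

// Returns the stored redirect target for a valid login, or null otherwise.
function check_login(PDO $db, string $uid, string $pass): ?string
{
    // Bound parameter: user input never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT pass, site FROM clients WHERE uid = ?');
    $stmt->execute([$uid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() compares against a salted, deliberately slow hash.
    if ($row === false || !password_verify($pass, $row['pass'])) {
        return null;
    }
    return $row['site'];
}

function login_and_redirect(PDO $db, string $uid, string $pass): void
{
    $site = check_login($db, $uid, $pass);
    if ($site === null) {
        header('Location: error.php');
        exit;
    }
    session_start();
    session_regenerate_id(true);   // fresh session id once the user is logged in
    $_SESSION['uid']  = $uid;
    $_SESSION['site'] = $site;
    header('Location: ' . $site);  // value comes from the database, not the request
    exit;                          // stop running the script after the redirect
}

// Constructed demo data in an in-memory SQLite database (needs pdo_sqlite);
// on the thread's setup the DSN would be a mysql: one.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE clients (uid TEXT NOT NULL, pass TEXT NOT NULL, site TEXT NOT NULL)');
$db->prepare('INSERT INTO clients VALUES (?, ?, ?)')
   ->execute(['demo', password_hash('s3cret-demo', PASSWORD_DEFAULT), '/clients/demo/']);

var_dump(check_login($db, 'demo', 's3cret-demo'));  // valid login
var_dump(check_login($db, 'demo', 'wrong'));        // wrong password
var_dump(check_login($db, 'dem"o', 'x'));           // a quote in the uid is treated as data
```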
Registered User
Join Date: Jul 2003
Location: San Jose
cool, thanks for adding that...
Registered User
Join Date: Jul 2003
Location: San Jose
i found this for taking your passwords and generating an md5 hash...