PHP Login (Security)

wantabe2
I have a database I pull data from via a web browser. The database is a MySQL database. I just created a landing page I would like to enable users to enter a username & password before they can go any further. I have another table set up in my MySQL database with the following fields:

uid
uname
password
permission

The UID is a unique auto incrementing ID. The permission field is either a 0 or a 1. A 0 is view only & a 1 is an administrator. My question is, how can I edit this code so a user can enter their uname & password & then click submit then they will be taken to index.html. If they don't have a uname, they won't be able to go past the landing_page.html. Thanks
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
        "http://www.w3.org/TR/2000/REC-xhtml1-20000126/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equiv="content-type" content="text/html; charset=iso-8859-1" />
<title>ETS</title>
<style type="text/css" media="screen">@import "./includes/layout.css"; </style>
</head>
<body style="background-image:url(FadedBG.png); background-repeat:no-repeat; background-attachment:fixed; background-position:center;">

<?php
require('connection.php');
?>

<form method="post" action="" onsubmit="return checkme()">

<div id="Header"><center><b><i>Employment Tracking System</i></b></center></div>

<center><h1>ETS</h1></center>

<b>User Name:</b>
<input type="text" name="uname" size="30" /><br />

<br />

<!-- type="password" masks the value as it is typed -->
<b>Password:</b>
<input type="password" name="password" size="32" /><br />

<br />

<input type="submit" value="Submit" />

</form>

</body>
</html>

More or less - you would have to use sessions. Not so long ago Ray Paseur wrote an article about access control:
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_2391-PHP-login-logout-and-easy-access-control.html
read it.
Most Valuable Expert 2011
Top Expert 2016
Commented:
In PHP, sessions are used to carry information from page to page of a web site.  Here is what you need to know about sessions:

1. At the very top at the start of every script without exception put session_start();
2. Add, remove or change elements in the $_SESSION associative array, like this: $_SESSION["thing"] = "thing";
3. Expect to find the things there, not only in your current page script, but in your other page scripts.

The authentication techniques in the article use the session implementation.  This requires that your client browsers accept and return cookies.  In my experience this is a requirement that is satisfied by more than 99% of all browser requests, so it does not appear to be an imposition on the user community.

The design pattern in the article, and many other interesting things, can be found in this book, which comes highly recommended.
http://www.sitepoint.com/books/phpmysql4/
F IgorDeveloper

Commented:
Some basic directions:

* The page that processes the user authentication creates some session variables only when the user authentication is right.
* If the user auth is right, redirect to the main page.
* If the user auth is incorrect, redirect to the login page.

* All pages that need user authentication must start with a session_start() PHP call.
* All pages that require authentication check if the session variables created in the valid authentication are present. If session variables don't exist, redirect to the login page.

All redirects can be performed using the header("Location: page.php"); call before any output is sent to the client.
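
The flow in the directions above, written out as a login.php script (an added example, not code posted by anyone in this thread). It assumes that connection.php defines `$db` as a mysqli connection, that the table is named `users`, that the `password` column stores `password_hash()` output, that the landing page form posts to login.php, and that the protected page is index.php, since a static index.html cannot run the session check.

```php
<?php
// login.php -- added example; the names $db, users, login.php and index.php are assumptions.
session_start();                 // first statement, before any output is sent
require 'connection.php';        // assumed to define $db as a mysqli connection

/** Return the user's row if the credentials are valid, otherwise null. */
function check_credentials(mysqli $db, string $uname, string $password): ?array
{
    // Prepared statement: the submitted name never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT uid, uname, password, permission FROM users WHERE uname = ?');
    $stmt->bind_param('s', $uname);
    $stmt->execute();
    $stmt->bind_result($uid, $name, $hash, $permission);
    $found = $stmt->fetch();     // true when a row was read, null when there is none
    $stmt->close();
    // Assumption: `password` holds password_hash() output, never the plain text.
    if (!$found || !password_verify($password, $hash)) {
        return null;
    }
    return ['uid' => (int)$uid, 'uname' => $name, 'permission' => (int)$permission];
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Accept only plain strings; uname[]=x in the request would arrive as an array.
    $uname    = is_string($_POST['uname'] ?? null) ? $_POST['uname'] : '';
    $password = is_string($_POST['password'] ?? null) ? $_POST['password'] : '';

    $user = check_credentials($db, $uname, $password);
    if ($user === null) {
        // Same response for an unknown name and a wrong password.
        header('Location: landing_page.html');
        exit;
    }
    session_regenerate_id(true); // fresh session id at login, against session fixation
    $_SESSION['uid']        = $user['uid'];
    $_SESSION['uname']      = $user['uname'];
    $_SESSION['permission'] = $user['permission'];   // 0 = view only, 1 = administrator
    header('Location: index.php');
    exit;                        // stop, or the rest of the script still runs
}

// At the top of index.php and every other protected page:
//   session_start();
//   if (empty($_SESSION['uid'])) { header('Location: landing_page.html'); exit; }
```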

Most Valuable Expert 2011
Top Expert 2016

Commented:
Not sure where you are on your project but a couple of miscellaneous notes come to mind (then I'll sign off on this question).

Cookies are headers and so it would be a good idea for you to read this page carefully:
http://us.php.net/manual/en/function.header.php

One of the common pitfalls when using headers occurs if the PHP script creates output, even invisible whitespace.  It is a law of HTTP that all headers must come first and be complete before any browser output is sent.

Since sessions rely on cookies and since cookies are headers, this kind of thing (code snippet) will not work.  That is why I emphasize that session_start() needs to be at the top of the scripts.

Best of luck with your project, ~Ray
<?php
echo "About to create the session";
session_start(); // FAILS
