[REQ][200 points] Solve my login cookie problem


pokefan2

New Member
I will give 200 points to whoever can fix my code to work with cookies. What I need to stay is the link to the register page, and once I am logged in, the link to logout, and a script I can use to read cookies on other pages.

PHP:
<?php

include "connect.php";

if($loggedin == '0')
{
    if(isset($_POST['submit']))
    {
        if((!isset($_POST['username'])) || (!isset($_POST['pass']))
            || ($_POST['username'] == '') || ($_POST['pass'] == ''))
            die("Please fill out the form completely. <br><br>
            <a href=index.php>Continue</a>");

        $player = @mysql_query("SELECT id, username, password, registered, lastlogin FROM players WHERE username = '".$_POST['username']."'");
        $player = @mysql_fetch_assoc($player);

        if($player['id'] == false)
            die("Sorry, that user is not in our database.<br><br>
            <a href=index.php>Back</a>");
        else if($player['password'] != md5($_POST['pass']))
            die("Wrong password!<br><br>
            <a href=index.php>Back</a>");

        $_SESSION['id'] = $player['id'];
        $_SESSION['username'] = $player['username'];
        $_SESSION['password'] = $player['password'];

        $date = date("m/d/y");

        $update = @mysql_query("UPDATE players SET lastlogin = '$date' WHERE id = '".$_SESSION['id']."'");

        echo 'You are now logged in.';
    }
    else
    {
        echo 'You are not logged in. <br><br>
        <form action=index.php method=post>
        Username: <input type=text name=username><br>
        Password: <input type=password name=pass><br>
        <input type=submit name=submit value=Submit>
        </form>
        Would you like to <a href=register.php>register?</a>';
    }
}
else
{
    echo 'You are logged in! 
    Welcome back to Wolf Magic, '.$_SESSION['username'].'!
    <br><br>
    <a href=logout.php>Click Here to Logout</a>';
}

?>

Thanks to whoever solves this.
 

xPlozion

New Member
Hello, it's me again. I'm working on your code and will post the results when I am done. BTW, for future reference, never under any circumstance allow anything to go into the database without first properly sanitizing the string. It can create a mess if someone uses MySQL injection (could erase your database).

PHP:
<?php

/**********************
FILE: login.php
MODIFIED BY: xPlozion
ORIGINAL BY: pokefan2
**********************/

// include "connect.php"; // You do not need connect.php as it's called by the page below.
include "check_user.php"; // You'll see down below ;) It sets $loggedin to FALSE or to an array with the user's data.

if (!$loggedin) { // Then allow this to begin. If the user is logged in, then he doesn't even see this page.
	if (isset($_POST['login'])) { // If he/she clicks the login button on the login form (the button is named 'login' below)
		$username = isset($_POST['username']) ? trim($_POST['username']) : ''; // Trim first; empty() cannot be applied to a function call in PHP < 5.5
		$password = isset($_POST['password']) ? trim($_POST['password']) : '';

		if ($username !== '' && $password !== '') {

			$username = mysql_real_escape_string($username); // Escapes all ' and " going into the query to prevent injection
			$password = sha1($password); // Hashes the password with sha1 (no need to escape: the hex digest is safe to embed)

			$query = mysql_query("SELECT id, password, lastlogin FROM players WHERE username='$username' LIMIT 1"); // Uses escaped username and not directly from the form
			if ($query && mysql_num_rows($query) == 1) { // mysql_query returns a result set even for zero rows, so count rows to detect a missing user
				$result = mysql_fetch_assoc($query);

				if ($result['password'] == $password) { // If the password hash in the database is the same as what the user sent...
					// check_user.php reads the 'uid' and 'password' cookies, so both are set here (before any output is sent)
					setcookie('uid', $result['id'], 0, '/');
					setcookie('password', $password, 0, '/');
					$date = date('m/d/y g:i A', time()); // Example 08/25/08 9:10 PM
					mysql_query("UPDATE players SET lastlogin='$date' WHERE id='".$result['id']."' LIMIT 1"); // Get in the habit of using LIMIT 1 when only dealing with one row (such as in this case)
					echo "You are now logged in.";

				} else {
					die("Wrong password!<br /><br />
					<a href='index.php'>Back</a>");
				}

			} else {
				die("Sorry, that user is not in our database.<br /><br />
				<a href='index.php'>Back</a>");
			}

		} else {
			die("Please fill out the form completely. <br /><br />
			<a href='index.php'>Continue</a>");
		}

	} else {
		echo "<form action='index.php' method='post'><div>
		Username: <input type='text' name='username'><br/>
		Password: <input type='password' name='password'><br/>
		<input type='submit' name='login' value='Login'>
		</div></form>
		Would you like to <a href='register.php'>register?</a>";
	}
} else {
	echo "You are already logged in.<br /><br />
	<a href='index.php'>Continue</a>";
}

?>
PHP:
<?php

/**********************
FILE: check_user.php
ORIGINAL BY: xPlozion

DIRECTIONS:
Include this file by having:

include 'check_user.php';

on the first line of any page that you want to check the login status of the user.

**********************/

include "connect.php";

$loggedin = FALSE; // Default, so every page can test $loggedin even when no cookies are set

if (!empty($_COOKIE['uid']) && !empty($_COOKIE['password'])) { // Check to see if the user has the cookies set

	$uid = mysql_real_escape_string($_COOKIE['uid']);  // Again, sanitizing anything going into the database not directly defined by the script
	$query = mysql_query("SELECT username, password FROM players WHERE id='$uid' LIMIT 1");
	$check = ($query && mysql_num_rows($query) == 1) ? mysql_fetch_assoc($query) : FALSE; // Only fetch when that id exists
	if ($check && $check['password'] == $_COOKIE['password']) {
		// A non-empty array is TRUE in an == comparison, so ($loggedin == TRUE) works on other pages and the array carries the user's data
		$loggedin = array(
			'uid' => $uid, // You can use this element and the one below in any part of the site, as long as you include this script
			'username' => $check['username']
		);
	}
}

?>
Place the following code where you deem necessary.
PHP:
if ($loggedin == TRUE) {
	echo 'You are logged in! 
	Welcome back to Wolf Magic, '.$loggedin['username'].'!
	<br /><br />
	<a href="logout.php">Click Here to Logout</a>'; // Double quotes inside the single-quoted string, otherwise the string ends early
} else {
	echo 'You are not logged in.<br /><br /><a href="login.php">Click Here to Login</a>';
}

That script still allows you to do what you needed (although I don't understand why you were calling registered in the first mysql_query...). The second script allows you to check whether or not the user is logged in.

If you need to allow people that are logged in to use other features on the same page, then do
PHP:
if ($loggedin == TRUE) {
    // STUFF GOES HERE (JUST FOR LOGGED IN MEMBERS)
}

If there is any problem with this script, any whatsoever, please, don't hesitate to let me know, whether by PM or reply. I am _ALWAYS_ here to help people learn.
 
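The scripts above put the password hash itself into the cookie, which means the cookie is as good as the password, never expires, and is compared with a plain `==`. The following is an added example, not pokefan2's or xPlozion's code, of the same login / check_user / logout split done with a random token in the cookie and mysqli prepared statements instead of `mysql_real_escape_string`. It assumes PHP 7 or later, a mysqli connection in `$db`, that `players.password` holds a `password_hash()` value rather than md5/sha1, and a hypothetical `login_tokens` table whose definition is in the comment; none of those are from the thread.

```php
<?php
// Added example (not code from this thread). Assumes PHP 7+, a mysqli connection
// in $db, a `players` table (id, username, password) where `password` holds a
// password_hash() value, and this hypothetical table:
//   CREATE TABLE login_tokens (
//     selector CHAR(24) PRIMARY KEY, validator_hash CHAR(64),
//     player_id INT, expires DATETIME);

// login.php counterpart: verify credentials, then issue a random
// selector:validator cookie instead of the password hash.
function login_with_cookie(mysqli $db, $username, $password) {
    $stmt = $db->prepare('SELECT id, password FROM players WHERE username = ? LIMIT 1');
    $stmt->bind_param('s', $username);   // bound parameter, so no escaping is needed
    $stmt->execute();
    $stmt->bind_result($id, $hash);
    $found = $stmt->fetch();
    $stmt->close();

    // One message for unknown user and wrong password: don't reveal which failed.
    if (!$found || !password_verify($password, $hash)) {
        return false;
    }

    $selector  = bin2hex(random_bytes(12));   // 24 hex chars, locates the row
    $validator = bin2hex(random_bytes(32));   // 64 hex chars, the actual secret
    $expires   = time() + 14 * 24 * 3600;     // two-week cookie lifetime

    // Only a hash of the validator is stored, so a leaked table yields no valid cookies.
    $vhash = hash('sha256', $validator);
    $stmt = $db->prepare('INSERT INTO login_tokens (selector, validator_hash, player_id, expires)
                          VALUES (?, ?, ?, FROM_UNIXTIME(?))');
    $stmt->bind_param('ssii', $selector, $vhash, $id, $expires);
    $stmt->execute();
    $stmt->close();

    // HttpOnly keeps script on the page away from the cookie; Secure limits it to HTTPS.
    setcookie('auth', $selector . ':' . $validator, $expires, '/', '', true, true);
    return (int)$id;
}

// check_user.php counterpart: returns array('uid' => ..., 'username' => ...) or false.
function user_from_cookie(mysqli $db) {
    if (empty($_COOKIE['auth']) || strpos($_COOKIE['auth'], ':') === false) {
        return false;
    }
    list($selector, $validator) = explode(':', $_COOKIE['auth'], 2);

    $stmt = $db->prepare('SELECT t.validator_hash, p.id, p.username
                          FROM login_tokens t JOIN players p ON p.id = t.player_id
                          WHERE t.selector = ? AND t.expires > NOW() LIMIT 1');
    $stmt->bind_param('s', $selector);
    $stmt->execute();
    $stmt->bind_result($vhash, $uid, $username);
    $found = $stmt->fetch();
    $stmt->close();

    // hash_equals compares in constant time, so response timing does not leak the hash.
    if (!$found || !hash_equals($vhash, hash('sha256', $validator))) {
        return false;
    }
    return array('uid' => (int)$uid, 'username' => $username);
}

// logout.php counterpart: revoke the token server-side and clear the cookie,
// so a copied cookie stops working instead of living until it expires.
function logout(mysqli $db) {
    if (!empty($_COOKIE['auth'])) {
        list($selector) = explode(':', $_COOKIE['auth'], 2);
        $stmt = $db->prepare('DELETE FROM login_tokens WHERE selector = ?');
        $stmt->bind_param('s', $selector);
        $stmt->execute();
        $stmt->close();
    }
    setcookie('auth', '', time() - 3600, '/', '', true, true);
}

// Usage at the top of any page, mirroring the thread's $loggedin variable:
// $loggedin = user_from_cookie($db);   // FALSE, or an array with 'uid' and 'username'
```

Splitting the cookie into a selector (looked up with the indexed query) and a validator (checked with `hash_equals`) keeps the database lookup from depending on the secret, and storing only `sha256(validator)` means a dumped `login_tokens` table cannot be replayed as cookies. The `password_verify()` call replaces the `sha1($pass) == $row['password']` comparison in the thread; it handles salting and constant-time comparison itself.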

Brandon

Former Senior Account Rep
Community Support
pokefan2: Did he solve your problem? If so you need to pay him his points.
 

Brandon

Former Senior Account Rep
Community Support
Going to give the user one more day before admin intervention is put forth.
 

kkenny

Active Member
Just a reminder for Brandon, it's been one day.
 

pokefan2

New Member
Sorry, I have not looked at this post in a while, I shall try to test it in a minute.

I am sending the credits now.
 