Php/sql script help


#1

I want the script to be able to forward people to a different page like http://mysite.org/wrong.php when they enter a wrong user name or password. How would I do it?
Here is the script I have right now:

<?php
/*
 (c) Frontier Virtual All Rights Reserved
 This is the downloads section of the website.
 Last Modified- 6/16/08
*/
?>
<?php
// Only checks that the cookie exists; its value is not verified
if (!isset($_COOKIE['loggedin']))
    die("Please Loginin Before Viewing this page Click here");
// Read the cookie only after confirming it is set
$username = $_COOKIE['loggedin'];
// Escape the cookie value before printing it into the page
echo "You are logged in " . htmlspecialchars($username);
?>
<?php include('includes/header.php'); ?>
<td width=650 valign=top class=contentNav>
<span class="pirepflight">Download Center</span>
<p align="left" class="td5b" style="font-weight: bold; font-style: italic">Frontier Fleet Package</p>
<p align="center" class="contentNav">Our current fleet package that works with X32 systems.</p>
<p align="center" class="contentNav">Download It!</p>
</td>
<?php include('includes/footer.php') ?>

#2

Use the header function to redirect.
http://www.php.net/manual/en/function.header.php

Something like:
if (isset($_POST['pass']) && $_POST['pass'] != $stored_pass) {
    header("Location: wrong.php");
    exit; // stop the script so nothing else runs after the redirect
}

But watch out, if your script is sending output to the browser before using the header func you will get an error. You can use output buffering to get around this.

http://www.php.net/outcontrol


#3

As jewelryblaze said, the header function is the quickest way to force a redirect. But I noticed you have no checks to see if a user is really a user. Checking to see if a cookie exists is one thing, but you need to force a check to see if that user is who they say they are. Make sure when you set the cookie upon login, it's encrypted so they can't modify the data by hand. Then on the page there, you should have another script that does the cookie checks so you don't need to worry about modifying every page, over and over, to make sure they all do the same checks.

First things first, when you set the cookie after the login and you check the data in the database or flatfile, do the setcookie something like this:
$cookiedata = $username . ':::' . md5($password);
setcookie('loggedin', $cookiedata, time()+3600);
This will store the username and password under the loggedin cookie, allowing you to validate data. Use your own scheme for how you store cookie-based passwords, as md5 can be cracked depending on how simple the password is. I'd assume you have md5 passwords stored in the database, so I would re-encrypt the password over with a salt. You can do it one of 2 ways: force a salt for the whole site, or per individual user. For now, assume the whole site, and assume the salt is mmms2n and assume the passwords are in the db as md5, and the $password var is the md5 encrypted password from the database.
In that case, you would do md5($password.$salt); and have salt set as $salt = 'mmms2n'; this will help avoid people cracking the passwords.

Now to the check. You would do something like below, assuming you implemented the above as well. I'm going to shorthand some of it as it's 3am and I need to be leaving for work shortly, so you might need to change parts here and there, if I do actually shorthand it. I might make some syntax errors as I use my own script for user systems that is easy to re-implement without having to do much. I'll comment the goal of each line, below each line, so you can see what I'm trying to attempt.

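<?php
$salt = 'mmms2n';
// site-wide salt from the example above

if (!isset($_COOKIE['loggedin'])) {
    header("Location: login.php");
    exit;
}
// cookie doesn't exist, send to login page and stop the script

$cookiearray = explode(':::', $_COOKIE['loggedin'], 2);
// cookie exists, explode, vars now 0 for username, 1 for salted password

$usern = $cookiearray[0];
// need username

$getuserinfo = mysql_query("SELECT id, password FROM db_users WHERE username = '" . mysql_real_escape_string($usern) . "' LIMIT 0,1");
// call db, get password, id from db to check password
// the cookie value is user-controlled, so it is escaped before it goes into the query
// mysql_* was removed in PHP 7; on newer PHP use mysqli or PDO with a prepared statement

$userpassword = ($getuserinfo && mysql_num_rows($getuserinfo) == 1)
    ? md5(mysql_result($getuserinfo, 0, 'password') . $salt)
    : '';
// salt the db password; empty string when no such user exists

if (count($cookiearray) != 2 || $userpassword === '' || $userpassword !== $cookiearray[1]) {
    setcookie("loggedin", "", time()-6400);
    header("Location: wrong.php");
    exit;
}
// salted pw from db doesn't match cookie pre-salted pw. clear the cookie and forward to wrong.php

echo 'You are logged in ' . htmlspecialchars($usern);
// if we got here, they not only have a cookie, but have the right pw in the cookie. this is $usern by the cookie, but you could change the above usern line to username, this was just in case you decide to use ids, the preferred method, instead of usernames, in the cookie.
?>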

Hopefully that helps. Maybe when I get home tonight, I'll try and clarify a bit. If you'd like, I could lend you a hand with it as you need it, but I'm not using any messengers now, so PM me here and I'll send you a way to contact me.
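
The hand-edit-proof cookie and the single shared check that post #3 asks for, as an added example that is not part of the original thread: it signs the cookie with an HMAC instead of putting a password hash in it (a swapped-in technique), and redirects before any output is sent, as post #2 requires. The file name, the secret and the function names are assumptions.

```php
<?php
// auth_check.php (hypothetical name): include first on every protected page,
// before any HTML, so the header() redirects below can still be sent.

// Assumption: placeholder secret; use a long random value stored outside the web root.
const COOKIE_SECRET = 'replace-with-a-long-random-secret';

// Called after a successful login: returns "base64(username)|expiry|hmac".
function make_login_cookie(string $username, int $now, int $ttl = 3600): string
{
    $payload = base64_encode($username) . '|' . ($now + $ttl);
    return $payload . '|' . hash_hmac('sha256', $payload, COOKIE_SECRET);
}

// Returns the username when the cookie is authentic and unexpired, else null.
function verify_login_cookie($cookie, int $now): ?string
{
    if (!is_string($cookie)) {          // loggedin[]=x arrives as an array
        return null;
    }
    $parts = explode('|', $cookie);
    if (count($parts) !== 3 || !ctype_digit($parts[1])) {
        return null;
    }
    [$user64, $expires, $mac] = $parts;
    $expected = hash_hmac('sha256', $user64 . '|' . $expires, COOKIE_SECRET);
    if (!hash_equals($expected, $mac) || (int) $expires < $now) {
        return null;                    // edited by hand, or too old
    }
    $username = base64_decode($user64, true);
    return $username === false ? null : $username;
}

// Gate for protected pages: returns the verified username or redirects and stops.
function require_login(): string
{
    if (!isset($_COOKIE['loggedin'])) {
        header('Location: login.php');  // no cookie at all
        exit;
    }
    $user = verify_login_cookie($_COOKIE['loggedin'], time());
    if ($user === null) {
        setcookie('loggedin', '', time() - 3600); // expire the bad cookie
        header('Location: wrong.php');
        exit;
    }
    return $user;
}
```

The login script would call setcookie('loggedin', make_login_cookie($username, time()), time() + 3600) after checking the password, and each protected page would start with require 'auth_check.php'; followed by $username = require_login();.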


#4

Thanks, I will give this a try. Also, I don't really need a secure session because I really got nothing to hide. If they want to go through the trouble of editing data then let them.


#5

It wouldn’t hurt to implement the cookie idea anyway. Firstly, it’s a good learning experience and secondly, who knows, the script you’re writing could well end up becoming popular if you choose to release it in the future.
