Members only area



Rohan72
11-01-2007, 06:45 AM
I have a members area on my website, and I have both the script to create a name and password and the script to log in to the members area. To my own surprise I managed to get them both to work.
My problem now is that anyone can still access that members area, as long as they know the name of that page. How can I make that page secure so that if they enter the URL of the page, they cannot get in?
The only way to enter that page would be by logging in.
Is it also possible to log the users out as soon as they close the protected page?

Here is the login script (I hope this is enough information):


<?php
ob_start();
$host="localhost"; // Host name
$username="***"; // Mysql username
$password="***"; // Mysql password
$db_name="***"; // Database name
$tbl_name="leden"; // Table name

// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

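// username and password sent from form
// escape the username before it is placed in the query (prevents SQL injection)
$lid=mysql_real_escape_string($_POST['lid']);
$pasw=$_POST['pasw'];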

// encrypt password
$pasw_md5=md5($pasw);

$sql="SELECT * FROM $tbl_name WHERE lid='$lid' and pasw_md5='$pasw_md5'";
$result=mysql_query($sql);

// mysql_num_rows() counts the rows the query returned
$count=mysql_num_rows($result);
// If the result matched $lid and $pasw, there must be exactly 1 row

if($count==1){
// Register $lid and $pasw in the session and redirect to "memb1.php"
echo "Beste ", $lid, ", we verbinden u nu door...";
session_register("lid");
session_register("pasw");
header("location:memb1.php");
}
else {
echo "Wrong Username or Password";
}

ob_end_flush();
?>

djr33
11-01-2007, 09:05 AM
Use sessions and check that the password stored in the session (you may want to encode it, such as with md5()), matches the stored password in the script. If not, kick them out to the login.
http://twey.co.uk?q=loginscript is an example you could check out, if a bit complex.

Rohan72
11-01-2007, 09:35 AM
The 2 variables (lid, pasw) are stored in a session (I hope).

But I have absolutely no idea how to recall them, how or what to compare, and how to kick to the login page if needed.

djr33
11-01-2007, 09:55 AM
$_SESSION['variablename']

Just compare that to what it SHOULD be, at the top of the page. If not, then dump them back to the login. You may want to create a config.php page and include that, for easy storage of the username/password variables.

Rohan72
11-01-2007, 10:02 AM
Ok... seems I took a big leap instead of a small step.

I guess I have to look elsewhere to get an example of some kind...

Thanks anyway

djr33
11-01-2007, 10:13 AM
I took a closer look, and it wouldn't be hard to update that to work, at all.

Pretty simple:

1. Change $_POST for the name/pass to $_SESSION, then you get the stored value.

2. On this script, do store the pass/username in $_SESSION....
$_SESSION['pass'] = $pass;

3. Then change the script to be if NOT equal, then redirect to the login page, and include that in any members only pages.
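The kind of check described in this post, as an added example that is not code from the thread or from either poster. It keeps only the member name in the session after a successful login, rather than the password, and it uses PDO with password_verify() where the thread's script uses mysql_*() calls, session_register() and md5(); the function names, the `pasw_hash` column (filled with password_hash() at sign-up) and the 15-minute idle limit are assumptions.

```php
<?php
// Added example. login.php, memb1.php and the 'leden' table follow the thread;
// the function names and the 'pasw_hash' column are assumptions.

// Call before any output on every page, including the login script.
function start_session(): void {
    session_set_cookie_params([
        'lifetime' => 0,       // session cookie: dropped when the browser closes
        'httponly' => true,    // not readable from page JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Login script: verify the form values, then record who is logged in.
function attempt_login(PDO $db, string $lid, string $pasw): bool {
    // The placeholder keeps $lid out of the SQL text, so it cannot alter the query.
    $stmt = $db->prepare('SELECT pasw_hash FROM leden WHERE lid = ?');
    $stmt->execute([$lid]);
    $hash = $stmt->fetchColumn();
    if (!is_string($hash) || !password_verify($pasw, $hash)) {
        return false;
    }
    session_regenerate_id(true);      // fresh session id once the user is known
    $_SESSION['lid'] = $lid;          // member name only, never the password
    $_SESSION['last_seen'] = time();
    return true;
}

// Top of memb1.php and of every other members-only page.
function require_login(int $idle_limit = 900): void {
    $idle = time() - ($_SESSION['last_seen'] ?? 0);
    if (empty($_SESSION['lid']) || $idle > $idle_limit) {
        $_SESSION = [];
        session_destroy();
        header('Location: login.php');
        exit;                         // stop here so the page body is never sent
    }
    $_SESSION['last_seen'] = time();
}

// memb1.php:  start_session(); require_login();
// login.php:  start_session();
//             if (attempt_login($db, $_POST['lid'] ?? '', $_POST['pasw'] ?? '')) {
//                 header('Location: memb1.php'); exit;
//             }
```

The server cannot see a tab being closed, so the logout in this example comes from the session cookie ending with the browser and from the idle limit.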

Rohan72
11-01-2007, 08:07 PM
Thanks for the help, but it's still Chinese to me...

Like I said before, I'm glad I could adjust this script a bit so it would do what I wanted.

I'm completely lost. So I'll probably dismiss the members area completely.

djr33
11-01-2007, 09:21 PM
To learn or not to learn. That is the question.

Rohan72
11-02-2007, 12:14 AM
Solved ... and it works!!!!!!

Miracles can happen after all... :D