View Full Version : Show hidden fields when logged in



fobos
08-10-2009, 03:04 PM
Hi everyone,
I have a question: is there a way to show hidden fields when a user logs in?
I have googled myself to death on this. Currently I just have 2 of the same pages, only 1 has added fields for the logged-in users. If it's possible, I just need something to show hidden fields, nothing long and drawn out. Thanks to whoever helps me with the problem.

JShor
08-10-2009, 03:25 PM
You'll need to be a little more specific... When you say "hidden" fields, I assume in a form?

If you want to show/hide certain elements, you can use an {if} statement to determine if the user is logged in [thru sessions/cookies]. If you post code here, we can better help you out.

fobos
08-10-2009, 04:32 PM
Yeah, I really don't have anything, 'cause I couldn't find anything on this subject.
OK, say I have a MySQL database being displayed using pagination. To everyone, they just see what is displayed. If someone were to log in, then it would show the hidden divs or tables, such as "delete" or something. Then when they log out, the delete button is hidden again? Does that clarify anything? Sorry if vague.

JShor
08-10-2009, 07:06 PM
Ok, do you have a login system already set up? If not, that's your first step. Then you can use an {if} statement to determine if logged in, and if true, then display whatever content you choose to.

Here's a good tutorial on how to create a login system:
http://www.phpeasystep.com/workshopview.php?id=6

If you already have one set up, make an if statement to determine if the user is logged in.

example:


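<?php

session_start();

// Read the login markers; ?? null avoids an "undefined key" warning
// when the visitor has no login data in the session.
$user = $_SESSION['user'] ?? null;
$pass = $_SESSION['pass'] ?? null;

if (isset($user) && isset($pass)) {
    // the user is logged in
    echo "<div>sample div, showing you're logged in.</div>";
} else {
    echo "<span>sample span, showing you're not logged in.</span>";
}

?>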

fobos
08-10-2009, 08:09 PM
So far, thanks. The link that you gave me is the one that I use. I just posted the code again for you. Well, how would you incorporate this into a form?
Step 1. User logs in on PAGE 1
Step 2. It goes to check login page where it has this code.


<?php
ob_start();
session_start(); // session_register() used to start the session implicitly

$host = "localhost";   // Host name
$username = "";        // MySQL username
$password = "";        // MySQL password
$db_name = "test";     // Database name
$tbl_name = "members"; // Table name

// Connect to server and select database.
// (The mysql_* functions and session_register() have been removed from PHP.)
$db = mysqli_connect($host, $username, $password, $db_name) or die("cannot connect");

// Define $myusername and $mypassword
$myusername = $_POST['myusername'] ?? '';
$mypassword = $_POST['mypassword'] ?? '';

// To protect against SQL injection, bind the values as query parameters
$sql = "SELECT * FROM $tbl_name WHERE username=? AND password=?";
$stmt = mysqli_prepare($db, $sql);
mysqli_stmt_bind_param($stmt, "ss", $myusername, $mypassword);
mysqli_stmt_execute($stmt);
mysqli_stmt_store_result($stmt);

// mysqli_stmt_num_rows counts the matching table rows
$count = mysqli_stmt_num_rows($stmt);
// If result matched $myusername and $mypassword, table row must be 1 row

if ($count == 1) {
    // Register $myusername, $mypassword and redirect to file "login_success.php"
    $_SESSION['myusername'] = $myusername;
    $_SESSION['mypassword'] = $mypassword;
    header("location:login_success.php");
    exit;
} else {
    echo "Wrong Username or Password";
}

ob_end_flush();
?>




Step 3. Gets redirected back to PAGE 1 with hidden divs.

Step 4. Displays hidden divs on PAGE 1.

So my question is, would I just use the code that you gave me anywhere on my page? Or do I need to do something special with the $_SESSION?

JShor
08-10-2009, 11:36 PM
Right, but you'd have to modify the code to switch to the session vars.

Here's the revised code:


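<?php

session_start();

// Read the values stored by the login script; ?? null avoids an
// "undefined key" warning when the visitor is not logged in.
$user = $_SESSION['myusername'] ?? null;
$pass = $_SESSION['mypassword'] ?? null;

if (isset($user) && isset($pass)) {
    // the user is logged in
    echo "<div>sample div, showing you're logged in.</div>";
} else {
    echo "<span>sample span, showing you're not logged in.</span>";
}

?>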


Also, you can remove the {else} statement to simply hide the div and do nothing else if the user isn't logged in.

HTH:)

ta158897
10-14-2009, 07:39 PM
Hi, I have a little concern about using the session variables. Maybe I do not know how to use them right. A session variable is a server-level variable. Therefore, can there be a chance of overriding the value (userid and password) if lots of users are accessing at the same moment? In other words, can session variables be used for individual login?

Thanks

djr33
10-15-2009, 12:54 AM
Session variables are stored within the session. That is determined by the connection between the user and the server. Technically it is based on a complex tracking system involving cookies and other methods, and if that all fails then actually forcing extra values in the URLs and the forms to preserve it. (This is all behind the scenes and automatic with the browser and PHP working on standards for the web.) This is a way to track the session_id, thus making a reference for the user. It identifies the session and that session then contains values. The array $_SESSION[] contains anything you want, once the session is established.
The session will be preserved while the connection is active, and it will automatically be refreshed after a period of inactivity. Approximately 15 minutes is the length allowed for a nonactive session (though that number varies greatly by browser), and you can keep a session active for as long as you want if you keep refreshing the page fairly often. Sessions are unique to individual domains (or subdomains) and cannot be shared across domains. The session is closed when you end it through php (that's how "log out" is programmed), or by closing the browser window (a session is attached to a single browser window, though it may be used in any other open windows on the same machine/browser, but once all are closed the session is closed too).


Sessions are the best way to approach log in issues and how you should proceed. They are very secure and work well.

There is a theoretical problem with sessions: since the id is stored in a cookie (or other means), it is actually possible to "hijack" a session by stealing the id, and thus accessing someone's account. So if you were to be hacked, someone got into your cookies, and then stole your session, AND did this all within the same time it was active (within 15 minutes, or at most an hour or so), they could force access to being logged in as you.
This is unlikely especially if no hackers want to hack your site, and it is difficult to do.
If you have really important data, like bank accounts, etc., you should be aware and deal with this.
Regardless, you can make it impossible to steal a session by verifying the IP address:
1) Store the IP address when logging in, as part of the session data.
2) Each time when verifying the session id, you can check $_SERVER['REMOTE_ADDR'] against $_SESSION['stored_ip'].

That way the only stealing that can be done is from the same connection, so at the very most they could "steal" it on the same computer (or on the same local network, anyway).


In short you can think of sessions as complex automated cookies that don't fail when cookies do on some computers.
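
The two steps listed above, written out as an added example that is not part of the original post. The function names are hypothetical; `stored_ip` is the key named in the post, and the session and server arrays are passed in (in a page you would pass `$_SESSION` and `$_SERVER`) so the check can be exercised on constructed requests.

```php
<?php
// Added example, not from the thread. 'stored_ip' is the key named in the
// post; the function names are hypothetical. The session and server arrays
// are parameters so the logic runs without a web server.

// Step 1: at login, remember the client's IP as part of the session data.
function bind_session_to_ip(array &$session, array $server): void
{
    $session['stored_ip'] = $server['REMOTE_ADDR'] ?? '';
}

// Step 2: on every request, compare the current IP with the stored one.
function session_ip_matches(array $session, array $server): bool
{
    $stored  = $session['stored_ip'] ?? '';
    $current = $server['REMOTE_ADDR'] ?? '';
    return $stored !== '' && $current !== '' && hash_equals($stored, $current);
}

// What a protected page does with the result: a mismatch ends the login.
function enforce_session_ip(array &$session, array $server): bool
{
    if (session_ip_matches($session, $server)) {
        return true;
    }
    $session = [];                        // drop the login state
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_destroy();                // and the server-side session
    }
    return false;
}

// Constructed requests using documentation-range addresses.
$session = ['myusername' => 'alice'];
bind_session_to_ip($session, ['REMOTE_ADDR' => '203.0.113.10']);

// Same address as at login.
var_dump(enforce_session_ip($session, ['REMOTE_ADDR' => '203.0.113.10']));
// Same session data presented from a different address.
var_dump(enforce_session_ip($session, ['REMOTE_ADDR' => '198.51.100.7']));
// Login state after the mismatch.
var_dump($session);
```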

JasonDFR
10-15-2009, 08:57 AM
What Daniel said is right and adding an extra "fingerprint" to the session in the form of the user's IP address is a good idea. Be aware though that under some circumstances a user's IP address can change from request to request. Another commonly used alternative is to store the value of the HTTP_USER_AGENT server variable and check against this each time.

A couple more things regarding the OP's question:

For the link to delete files, make sure you use a form to confirm the delete and send the delete request as a POST. Before you delete anything, make sure the request was sent via POST and that it came from your form. Do this whether there is an authenticated session or not.

Force the session id to be stored in a cookie. Do not allow it to be appended to the URL.
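
The delete and cookie advice above as an added example that is not part of the original post. The function names, `delete.php` and the `csrf_token` key are hypothetical, and a per-session random token is used here as one way to tell that the POST came from your own form; the post does not name a mechanism.

```php
<?php
// Added example, not from the thread. Function names and the 'csrf_token'
// key are hypothetical; 'myusername' is the session key used in this thread.

// Start the session with its id carried only in a cookie, never in the URL.
function start_cookie_only_session(): bool
{
    return session_start([
        'use_only_cookies' => 1,
        'use_trans_sid'    => 0,
        'cookie_httponly'  => 1,
    ]);
}

// Create (once per session) the random token that marks our own form.
function form_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Confirmation form: the delete is sent as a POST and carries the token.
function delete_form(int $id, string $token): string
{
    return '<form method="post" action="delete.php">'
         . '<input type="hidden" name="id" value="' . $id . '">'
         . '<input type="hidden" name="token" value="' . htmlspecialchars($token, ENT_QUOTES) . '">'
         . '<button type="submit">Confirm delete</button></form>';
}

// Gate for the delete handler: POST only, logged in, token from our form.
function may_delete(array $server, array $session, array $post): bool
{
    return ($server['REQUEST_METHOD'] ?? '') === 'POST'
        && isset($session['myusername'], $session['csrf_token'], $post['token'])
        && is_string($post['token'])
        && hash_equals($session['csrf_token'], $post['token']);
}

// Constructed requests (not captured traffic) run through the gate.
$session = ['myusername' => 'alice'];
$token = form_token($session);
$post = ['id' => '7', 'token' => $token];
var_dump(may_delete(['REQUEST_METHOD' => 'GET'], $session, $post));   // plain link
var_dump(may_delete(['REQUEST_METHOD' => 'POST'], $session, ['id' => '7'])); // no token
var_dump(may_delete(['REQUEST_METHOD' => 'POST'], [], $post)); // not logged in
var_dump(may_delete(['REQUEST_METHOD' => 'POST'], $session, $post));  // our form
```

In the real handler, call `may_delete($_SERVER, $_SESSION, $_POST)` before touching the database, so that hiding the delete button from logged-out visitors is not the only thing protecting the rows.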