login page
mtran
04-17-2006, 03:54 AM
Hi,
I'm new to PHP, and working through a tutorial to create a login feature which includes 4 pages:
1/ login --> this is a form <form action="login_check.php" method="post">
2/ config.php --> with info of host, username, password, connect to mysql
3/ login_check.php --> to process the form:
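<?php
session_start();
include 'config_pc.php'; // connection settings; $connection is used below
$username = $_POST["username"];
$password = $_POST["password"];
if (!empty($username) && !empty($password)) {
    // Escape the submitted values before placing them in the SQL string
    $u = mysql_real_escape_string($username, $connection);
    $p = mysql_real_escape_string($password, $connection);
    $query = "SELECT * FROM member WHERE username='$u' AND password='$p'";
    $result = mysql_query($query, $connection) or die("Can't execute!");
    $count = mysql_num_rows($result);
    if ($count == 1) {
        $_SESSION['user_logged'] = $username;
        $_SESSION['user_password'] = $password;
        header('Location: member.php');
        exit; // stop the script once the redirect header is sent
    } else {
        echo "You've entered wrong username/password. Please enter again!";
    }
} else {
    echo "You forgot to enter something!";
}
?>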
4/ member.php --> after successful login
What should I put in member.php so that it can only be accessed after logging in? Right now if e.g. I type http://localhost/member.php, I can go directly to the member.php page. I know it has something to do with SESSION but don't know how.
Also, right now it seems that my username and password fields are not case sensitive; how do I make them case sensitive?
Thanks!!!!!!
djr33
04-17-2006, 04:36 AM
Well.... what's the point in logging in? ..so you have you're signed in.
As such, the member.php page must CHECK that they are logged in. It'll be basically the same code as the login page, but will just verify their session password/username, instead of logging them in with it. Make sense?
As for case sensitivity... usernames shouldn't be case sensitive. Some people like "Daniel", others like "daniel".... let them pick. You can use stringtolower($var) (*I think that's the function*) to make it lowercase for checking purposes.
As for the password, it should be case sensitive... not sure why it wouldn't be.
mtran
04-17-2006, 04:54 AM
Thank you for your fast response.
For the member.php page -- which only members can see -- I added this at the very beginning:
<?php
session_start();
if(!session_is_registered($username)){
header("location:login.php");
}
?>
What I want is if user hasn't signed in yet, they'll be redirected to the login.php page even if they type in e.g. http://localhost/member.php.
But somehow it didn't work.
Even when I type in the correct username and password, I'm still on the login.php page -- which seems to have been refreshed -- all the text I entered has been erased.
Did I do something wrong? Thanks!
djr33
04-17-2006, 05:04 AM
hmm.... I dunno about the session_is_registered function.
That's also not secure, really, 'cause all they need is a username.
Here's what I'd do:
they log in.
their password and username are stored as session vars, or cookie vars, whatever.
at the top of the member page and anything else that requires login, have this code:
(***assume that $pass and $user are from the session/cookie vars... get those how you want)
<?php
$query = "SELECT [*password*] FROM [*table*] WHERE [*username*]='" . mysql_real_escape_string($user) . "'";
$result = mysql_fetch_assoc(mysql_query($query));
if ($result['password'] != $pass) {
die("REDIRECT HERE");
}
//THEN PUT THE REST OF YOUR STUFF HERE, and it'll only be accessible
//if their stored pass = the pass they logged in with.
//The die("") function will end execution of the page, sending no data after it;
//they won't get the stuff after the login check,
//even for a split second before they're redirected.
?>
In short, just have it check at the top of the page whether the password in the database for the username is equal to the password they have in their cookie/sessionvar from logging in.
Random note: if you want to not store the person's actual password, you could use md5() to encrypt it.
Basically, it takes a string, and outputs a 32 character string that will be the same for the same input, but is irreversible...
If your password is "abc" then md5("abc") will always be the same, but you can't ever figure out what the password is from the stored md5 value.
It feels more moral in some ways.
Also, all you have to do then is, when they log in, have it check if the md5 of their password equals the stored md5 value for their password; if they are equal, then the passwords are also equal, but it's more secure for people.
This is unrelated and not necessary, but nice to know.
> As for case sensitivity... usernames shouldn't be case sensitive. some people like "Daniel" others like "daniel".... let them pick. You can use stringtolower($var) (*I think that's the function*) make it lowercase for checking purposes.
Rubbish; usernames are always case-sensitive. The function is strtolower().
> header("location:login.php");
HTTP Location: headers should always have an absolute URI value.
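Added example (not part of any post in this thread): one way to combine what the posts above discuss, namely the login check, the guard at the top of member.php, lowercased usernames and case-sensitive passwords. It uses PDO prepared statements and PHP's password_hash()/password_verify() (salted hashes) in place of the mysql_* calls and md5() mentioned in the posts; the in-memory SQLite table, the password_hash column, the function names and the example URL are assumptions made for the example.

```php
<?php
// Added example, not code from the thread. Assumed names: table layout,
// password_hash column, helper functions, and the example URL below.
declare(strict_types=1);

function register_member(PDO $db, string $username, string $password): void
{
    // Store the username lowercased so "Daniel" and "daniel" are one account.
    $stmt = $db->prepare('INSERT INTO member (username, password_hash) VALUES (?, ?)');
    $stmt->execute([strtolower($username), password_hash($password, PASSWORD_DEFAULT)]);
}

function attempt_login(PDO $db, string $username, string $password): bool
{
    // Bound parameter: the submitted username never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT password_hash FROM member WHERE username = ?');
    $stmt->execute([strtolower($username)]);
    $hash = $stmt->fetchColumn();
    // password_verify() compares against the salted hash and is case-sensitive.
    if (!is_string($hash) || !password_verify($password, $hash)) {
        return false;
    }
    session_regenerate_id(true);                      // fresh session id after login
    $_SESSION['user_logged'] = strtolower($username); // the password is not kept in the session
    return true;
}

function require_login(string $absoluteLoginUrl): void
{
    // Call at the top of member.php, after session_start().
    if (empty($_SESSION['user_logged'])) {
        header('Location: ' . $absoluteLoginUrl);
        exit; // nothing below this line is sent to a visitor who is not logged in
    }
}

// Constructed demo; run with the PHP command line: php example.php
session_start();
$db = new PDO('sqlite::memory:'); // stands in for the MySQL member table
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE member (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
register_member($db, 'Daniel', 'Secret1');
$wrongCase = attempt_login($db, 'daniel', 'secret1'); // password typed in the wrong case
$mixedCase = attempt_login($db, 'DANIEL', 'Secret1'); // username typed in capitals
var_dump($wrongCase, $mixedCase, $_SESSION['user_logged'] ?? null);
// member.php would start with: session_start(); require_login('http://localhost/login.php');
```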
djr33
04-17-2006, 07:58 PM
For my forum, they aren't case sensitive. If you're talking about ftp or a secure area, then that would make sense. But as for stuff like forums, etc, I suggest not making them case sensitive.
After all, it would be very confusing if "daniel" and "Daniel" were two different members.
Thanks on the string.
And, yes, if security is the number one concern, make them case sensitive.
> as for stuff like forums, etc, I suggest not making them case sensitive.
I don't think I've ever come across a case-insensitive username.
> After all, it would be very confusing if "daniel" and "Daniel" were two different members.
To check that the handle isn't registered, that's fine; but when logging in... I don't know why, it just isn't done.
djr33
04-17-2006, 08:14 PM
> I don't think I've ever come across a case-insensitive username.
Try logging in on any IPB board. (http://thebrbforums.com is mine)
True on the second thing, but, still, why not make it work for what they want.
For my forum, the username is stored in lowercase, then they get to type their name how they like it as they log in... kinda like AIM.
Where if you log in as "Daniel" your posts are "Daniel", but "daniel"..."daniel", yet it's tied either way to the "daniel" account in the database. Kinda confusing, but makes sense for being user-friendly.
EDIT: Haha! Log out, Twey, log in with CAPS. It works. Here, I mean. :D
Hm, sô shimasu. Funny I never noticed that.
djr33
04-17-2006, 11:03 PM
Ha, yeah. I'm amused.
You're right about security.
I think forums do it like that so people don't get confused whether they capitalized or not.
For more secure things, it does get confusing ;)
For most secure things, usernames tend to be all-lower-case, stemming from the tradition of having all-lower-case usernames in UNIX.
Unknown
04-19-2006, 03:47 AM
Hi, I am a beginner in PHP and need a little help. In this case I am just like a noob in everything related to PHP; I cannot even make a comparison between HTML, JavaScript and PHP (if there is one). Anyway, please help me. I have read all the other posts in this topic but I couldn't understand much. First, I need a register file and I don't know how to make it; I think more than one file is necessary for that. Then how do I make the connection to the login file? And how do I make the login file? Just like in the example before? But how do I make the files and open them? I tried but I couldn't succeed. I am very, very confused. I tried to make that login file but all I got was a blank page. Please help me.
Thanks
Unknown
04-19-2006, 03:50 AM
And I have another question: what is MySQL and how do I use it?
Unknown
04-19-2006, 03:52 AM
And sorry, but I still have a question: how can I make a system for recovering a lost password?
> I cannot even make a comparison between HTML, JavaScript and PHP (if there is one).
Then before asking questions, please, learn the basics. This (http://www.w3schools.com/php/default.asp) is a good tutorial.
> what is MySQL and how do I use it?
MySQL is a database package. As for how you use it, as I said, cover the basics first.
> And sorry, but I still have a question: how can I make a system for recovering a lost password?
Basics basics basics :)
Oh, and there's an "edit" button in the corner of your posts.
Unknown
04-19-2006, 07:19 AM
Thank you Twey, I will start right now to read the tutorial and I will come back soon.
priti sinha
07-17-2008, 06:37 AM
hi,
I wanna develop a hospital management system using PHP, with login and stuff. I don't know anything about it. Can anyone help?
dicegame
07-17-2008, 07:46 AM
If you don't know anything about PHP it's best to learn from tutorials. If you have a fair idea about it but are asking about which way you should go, I'd do this:
page 1: login script/ with verification - you will have to use the isset function, create cookies or sessions here
page 2: your other stuff, in this page you will check if the person has indeed logged in.
Also make sure that people who already have logged in can not access the login script page.