Need some advise please

[hugomax]

I am quite new to php and Mysql.
I am having problems with getting data from the mysql database when Im directed to another page.
Using a log in script when it posts it checks that data from the mysql exists then directs me to an alternative page, if the data isnt in the mysql database it stays on the same page...simple so far.

If i use this code it will direct me to the "getin.php" page but I can not get any of the data of the user from the mysql into the "getin.php" page it seems to loose it. (Below is the code for login.php)

<?php

include 'config.php';

ob_start();
echo "<left><font size=1><font face=\"verdana\"><b> Please enter your details here to log in</b></left></font><br><br>";
echo "<left><font size=1><font face=\"verdana\"><font color=\"red\">If you are a new user please click the register link below..<br></font>";
echo "<form action=\"./login.php\" method=\"POST\">";
echo "NTID: <br><input type=\"text\" name=\"ntid\"><br>";

echo "Pass: <br><input type=\"password\" name=\"password\"><br>";
echo "<input type=\"submit\" value=\"Login!\">";
echo "</form>";
echo "<br>Click <a href=\"reg/register.php\"><u>here!</u></a> to register your details";
echo "<br>Cant Login? Click <a href=\"recovery.php\"><u>here!</u></font></a>";

$connection = @mysql_connect($hostname, $user, $pass)
or die(mysql_error());
$dbs = @mysql_select_db($database, $connection) or
die(mysql_error());

$sql = "SELECT * FROM `users` WHERE ntid = '$_POST[ntid]' AND password = '$_POST[password]'";
$result = @mysql_query($sql,$connection) or die(mysql_error());
$num = @mysql_num_rows($result);

if ($num != 0) {
$cookie_name = "auth";
$cookie_value = "fook";
$cookie_expire = "0";
$cookie_domain = $domain;

setcookie($cookie_name, $cookie_value, $cookie_expire, "/", $cookie_domain, 0);
header ("Location: http://" . $domain . "getin.php");

ob_end_flush();

exit;
}
?>

If I change the post command to read echo "<form action=\"./getin.php\" method=\"POST\">";
Then I can go directly to the "getin.php" page and can get the users details by using the code below within the "getin.php" script, but the drawback is that you can still get to the "getin.php" page without typing the correct username or password, then it wont show the details from mysql which is great but I would prefere it if they cant get passed the login page...

<?
include 'config.php';
$conn = mysql_connect("localhost","mydatabase","mypassword");
$db = mysql_select_db("mydatabase");

$firstname = $_POST["firstname"];
$surname = $_POST["surname"];
$phonelogin = $_POST["phonenumber"];
$location = $_POST["location"];
$ntid = $_POST["ntid"];
$password = $_POST["password"];


$result = MYSQL_QUERY("SELECT * from users WHERE ntid='$ntid'and password='$password'") or die ("Name and password not found or not matched");

$worked = mysql_fetch_array($result);

$firstname = $worked[firstname];
$surname = $worked[surname];
$phonelogin = $worked[phonenumber];
$location = $worked[location];
$ntid = $worked[ntid];
$password = $worked[password];

if($worked)

?>

<? echo "$firstname$surname $phonenumber $location $ntid"; ?>



What I want to do is have it so that the user cant go any further if they type incorrect details in the login page....but if they do type the correct details, it directs them to the "getin.php" page and Im able to pull information about the user from the database.

Sorry if its all a bit confusing...but if anyone can help or give me guidance I would really appreciate it, as I have a big red dot at the front of my head where Ive been banging it against the wall for the last few days.

Thanks

Hugo

[superjadex12]

the easiest way i know is to create a login.php that submits the form to itself to validate the user:

PHP Code:

function LoginForm ($Name, $Email,$L_Error) {
?>

<form name="login" method="post" id="login" action="<?=$_SERVER['PHP_SELF'];?>">
<p><strong style="color:red;"><?=$L_Error;?></strong>
<P>
Email
<input name="email" type="text" id="email" value="<?=$Email;?>" size="25">
Password
<input name="password" type="password" id="password" size="25">
<input type="submit" name="submit" value="Login" style="margin-left:50px;">
</form>

 
<?
}
if ($_POST['submit']=='Login') {
            
    $email = mysql_real_escape_string($_POST['email']);
    $password = mysql_real_escape_string($_POST['password']);
        
    if ($password =='' OR $password ==' '){
        echo LoginForm($password,$email,'Password is blank');
        exit();
    }
    if (!eregi("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$", $email)){
        echo LoginForm($name,$email,'Invalid email format');
        exit();
    }
    else {    
        


        $password = sha1($_POST['password']);        
        $query="SELECT cust_id, pshash, email, first, last FROM users WHERE email='$email' and pshash='$password' ";
            
        $result = mysql_query($query) or die ("Error in query: $query. ".mysql_error());
        if (mysql_num_rows($result) > 0) {
            while($row = mysql_fetch_array($result)) {
                $_SESSION['cust_id'] = $row[cust_id];
                $_SESSION['email'] = $email;
                $_SESSION['user'] = "$row[first] $row[last]";                              //get any other data from db and store in session
                header("location:getin.php");
            }
        }
        else{
            echo LoginForm('',$email,'Password does not match email');
        }
    }
}
else{    
    echo LoginForm('',$email,'');
}

this is the login form i currently use. Basically the page checks of the form has been submitted, if it has, it validates the user input: correct syntax non hostile code etc, if validation fails, it displays the form updated with an error message (passed through the 3rd function argument). if validation passes it queries the database. Note i have the sha1 hash so you'll have to have the hashes stored in the db. if the db returns a row then some useful (but non sensitive info about the user is stored in the session array and finally the user is taken to your "getin.php" page via the header: And of course if the db returns zero rows, then the pages refreshes to display the form complete with error message.

all the user pages can then start with session_start(); then check for a session value for example:

PHP Code:

$session_start();
if(!isset(name)){ 
    header("location:login.php");
    die();
} 


this is a simple check that will only allow users who have logged in (and thus defined the session vars, and users who haven't logged in will be directed to login page.

Let me know if this makes sense, an the code should parse, but i did some uick hacking (changed some vars and names for security reasons) so i apologize for any missed semi-colons , quotes, etc ....

OH AND P.S.

Your code could benefit greatly from jumping in and out of php.
I'm sure you know your code is very hard to read. Just jump out of php when you have a lot of html to write!! and if you insist on using the echo , then you'll find it easier to use the single quotes ' ' rather then the double , that way you dont have to escape so many doubt quotes!

[hugomax]

Many thanks superjadex12
I will try that, and thanks so much for taking the time to reply.