Get support from Xavier Media
All times are UTC
 Post subject: Security problem
PostPosted: Mon Jan 01, 2007 1:42 pm 

I'm making a site where I want everyone who sees the site to be logged in... So I've made three scripts... The first one is securety.php, which goes like this:
[php]<?PHP
include 'data.php';   // the database connection
include 'login.php';  // defines loginForm()
$logedin = false;     // initialised so the checks below never read an undefined variable
if (!empty($_POST['loginUser']) && !empty($_POST['loginPass'])){
    // look the user up by name; the name is escaped so a quote in it cannot break the query
    $user = mysql_real_escape_string($_POST['loginUser']);
    $result = mysql_query("SELECT * FROM admins WHERE aUser = '$user'");
    $num = mysql_num_rows($result);
    for ($i=0;$i<$num;$i++){
        // compare the MD5 of the submitted password with the stored hash
        if (md5($_POST['loginPass']) == mysql_result($result,$i,'aPass')){
            $logedin = true;
        }
    }
    if ($logedin == true){
        // remember the login for an hour in a cookie
        setcookie('logedin','true',time()+3600);
    }
} elseif (isset($_COOKIE['logedin']) && $_COOKIE['logedin'] == true){
    $logedin = true;
}
if ($logedin != true){
    loginForm();
    exit; // stop the including page from rendering anything below this include
}
?>[/php]
This works fine... loginForm() is a function in login.php which looks like this:
[php]<?PHP
function loginForm(){
?>
<!-- labels: Brukernavn = Username, Passord = Password -->
<form action="<?PHP echo htmlspecialchars($_SERVER['REQUEST_URI']); ?>" method="POST">
<b>Brukernavn: </b><input type="text" name="loginUser" /><br/>
<b>Passord: </b><input type="password" name="loginPass" /><br/>
<input type="submit" value="login" />
</form>
<?PHP
}
?>[/php]
Now this also works fine, but the problem is that when I make a page looking like this
[php]<?PHP
include 'securety.php';
echo "IT WORKS!!!";
?>[/php]
I don't get any IT WORKS!!! showing... Please help...


 Post subject: Try this
PostPosted: Tue Jan 02, 2007 1:00 am 

I don't know if it works, but try this:

[php]<?php

function loginForm(){
    // post back to the page that was requested; the URL is HTML-escaped before it goes into the attribute
    echo '
<form action="'. htmlspecialchars($_SERVER['REQUEST_URI']) .'" method="POST">
<b>Brukernavn: </b><input type="text" name="loginUser" /><br/>
<b>Passord: </b><input type="password" name="loginPass" /><br/>
<input type="submit" value="login" />
</form>
';
}

$madeit = false;
//1: something was posted
if (!empty($_POST['loginUser']) && !empty($_POST['loginPass'])){
    // Clean the user name and escape it for the query. The password is only
    // hashed, never put into SQL, so it is left untouched: trimming or
    // HTML-escaping it would change the hash and lock out valid passwords.
    $username = mysql_real_escape_string(trim(strip_tags($_POST['loginUser'])));
    $password = $_POST['loginPass'];

    // string literals take single quotes; backticks would make MySQL read the value as a column name
    $result = mysql_query("SELECT * FROM admins WHERE aUser = '".$username."'");

    while ($row = mysql_fetch_array($result, MYSQL_ASSOC)) {
        if ( md5($password) == $row["aPass"] ){
            setcookie('logedin','true',time()+3600);
            $madeit = true;
            // Now that we sent a cookie we have to refresh the page so that the cookie will be sent back to us!
            // Remember you can't use a cookie on the same request you make it!
            header('Location: '. $_SERVER['REQUEST_URI']);
            exit;
        }
    }
    if ($madeit != true) { echo 'Error! Invalid password!<br>'; loginForm(); }

//2: the person already had a cookie set
} elseif (isset($_COOKIE['logedin']) && $_COOKIE['logedin'] == true){
    echo 'you made it!';
} else {
    //3: first page visit
    loginForm();
}
?>[/php]

Now this is a bad way to do a login... never store users in a cookie as anyone can just make one that has the data you just stuck in it.

Store the data in sessions instead.


cookies and sessions


 Post subject:
PostPosted: Tue Jan 02, 2007 10:02 am 

Yeah, I know, but this site doesn't need to be that secure... You aren't allowed to register yourself... But there's only one problem... It is supposed to work like this... I have a folder called admin, and inside that folder I have a script called securety.php... The script you just wrote... Then, in every other script in that folder I have this at the start:
[php]<?PHP
include 'data.php'; //Just the connection to the database
include 'securety.php';
?>[/php]
I need to make sure that if the user is not logged in, the securety script stops the page from being viewed WITHOUT CHANGING THE URL, and then when the user is signed in the page is displayed... That's why I've used 'REQUEST_URI' instead of 'PHP_SELF'... Can you help me with that???


 Post subject:
PostPosted: Tue Jan 02, 2007 6:21 pm 

Alxandr wrote:
Yeah, I know, but this site doesn't need to be that secure... You aren't allowed to register yourself...


It doesn't matter, all I would need to do to bypass your login is make a cookie called "logedin" and set it equal to "true". Then I am in.

So... Have you tried using sessions instead? This is a somewhat simple script that I have used for making a secure login.

Let me know how it goes...
:wink:


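The session-based version the reply above recommends, as an added example that is not code from the thread. It keeps what the original poster asked for (the form is rendered on the same URL via REQUEST_URI, and the including page's body appears only once logged in), but the login state lives in $_SESSION on the server, so there is no "logedin=true" cookie for a visitor to forge. Assumptions, not from the thread: data.php provides a PDO handle in $dbc, and admins.aPass holds a password_hash() digest rather than the MD5 the thread's table stores; the function names are mine.

```php
<?php
// Added example, not code from the thread. Same-URL login guard: include it
// at the top of every admin page like the poster's securety.php. The login
// state is kept server-side in $_SESSION; the browser only holds an opaque
// session id, so there is no cookie value that grants access by itself.
// Assumptions: data.php provides a PDO handle in $dbc, and admins.aPass holds
// a password_hash() digest (the thread's table holds MD5).
require 'data.php';

// Harden the session cookie before it is issued: not readable from JavaScript,
// and never sent in clear when the site is served over HTTPS (PHP 7.3+ form).
session_set_cookie_params([
    'httponly' => true,
    'secure'   => !empty($_SERVER['HTTPS']),
    'samesite' => 'Lax',
]);
session_start();

// Only the server-side session decides whether this request is authenticated.
function logged_in(): bool
{
    return isset($_SESSION['admin_id']);
}

// Look the user up with a prepared statement (the name never touches the SQL
// text) and check the password against the stored hash in constant time.
// Returns the admin's aId, or null when the credentials are wrong.
function check_login(PDO $dbc, string $user, string $pass): ?int
{
    $stmt = $dbc->prepare('SELECT aId, aPass FROM admins WHERE aUser = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($pass, $row['aPass'])) {
        return null;
    }
    return (int) $row['aId'];
}

// The form posts back to the page that was requested, as in the original,
// but the URL is HTML-escaped so a crafted request cannot inject markup.
function login_form(): string
{
    $action = htmlspecialchars($_SERVER['REQUEST_URI'], ENT_QUOTES, 'UTF-8');
    return '<form action="' . $action . '" method="POST">'
         . '<b>Username: </b><input type="text" name="loginUser" /><br/>'
         . '<b>Password: </b><input type="password" name="loginPass" /><br/>'
         . '<input type="submit" value="login" /></form>';
}

if (!logged_in()) {
    if (isset($_POST['loginUser'], $_POST['loginPass'])) {
        $id = check_login($dbc, (string) $_POST['loginUser'], (string) $_POST['loginPass']);
        if ($id !== null) {
            session_regenerate_id(true);  // fresh id after login: defeats session fixation
            $_SESSION['admin_id'] = $id;
            // Redirect after POST to the same URL, so a reload does not resubmit the form.
            header('Location: ' . $_SERVER['REQUEST_URI'], true, 303);
            exit;
        }
        echo 'Invalid username or password.<br/>';
    }
    echo login_form();
    exit; // the including page renders nothing for anonymous visitors
}
// Reached only with a valid session: the including page continues from here.
```

To move an existing table off MD5, store `password_hash($plain, PASSWORD_DEFAULT)` in aPass when each admin next logs in (verify the submitted password against the old MD5 once, then overwrite it); after that the script above is the only login path. A logout is simply `session_destroy()` plus clearing the session cookie.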
 Post subject:
PostPosted: Wed Jan 03, 2007 7:11 pm 

Nah, that's not what I want... Before this I used
[php]<?PHP
if (empty($_COOKIE['logedin'])){
    header("Location: login.php");
    exit;
}
?>[/php]
which works great... The only problem is that it changes the URL and goes to another page, which I think is annoying... I could use
[php]<?PHP
if (empty($_COOKIE['logedin'])){
    // pass the page the visitor asked for along to the login page
    header("Location: login.php?fromURL=" . urlencode($_SERVER['REQUEST_URI']));
    exit;
}
?>[/php]
then in login.php add
[php]<?PHP
//Lots of login code above...
if ($logedin){
    //If login was successful get the GET variable fromURL
    $to = isset($_GET['fromURL']) ? $_GET['fromURL'] : '';
    if ($to){
        //If $to exists, go there (the value comes straight from the query string)...
        header("Location: $to");
    } else {
        //If $to does not exist, go to the index
        header("Location: index.php");
    }
} else {
    //If login failed, go to login again...
    header("Location: login.php");
}
exit;
?>[/php]


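The fromURL round trip in the post above sends the visitor wherever the query string says: `header("Location: $to")` with an unchecked `$to` is an open redirect, since a link such as login.php?fromURL=http://evil.example/ bounces the freshly logged-in admin off-site. An added example, not code from the thread, of accepting only local paths before redirecting; the function name and the fallback are mine:

```php
<?php
// Added example, not code from the thread: hand back a return URL only when
// it stays on this site; anything else falls back to index.php.
function safe_return_url(?string $candidate, string $fallback = 'index.php'): string
{
    if ($candidate === null || $candidate === '') {
        return $fallback;
    }
    // Accept only an absolute local path: exactly one leading "/".
    // "//evil.example/x" is protocol-relative and leaves the site, and browsers
    // treat a backslash after the slash ("/\evil.example") the same way.
    if ($candidate[0] !== '/'
        || strpos($candidate, '\\') !== false
        || (isset($candidate[1]) && $candidate[1] === '/')) {
        return $fallback;
    }
    // Belt and braces: parse_url() must not find a scheme or host in it either.
    $parts = parse_url($candidate);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $fallback;
    }
    return $candidate;
}

// In login.php, after a successful login. The page that sets fromURL should
// urlencode() the value so an "&" in the original query string survives.
$to = safe_return_url(isset($_GET['fromURL']) ? (string) $_GET['fromURL'] : null);
header('Location: ' . $to, true, 303);
exit;
```

A whitelist of known admin pages is stricter still, but the path check above is enough to stop the off-site bounce while keeping the "return where you came from" behaviour the post wants.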
 Post subject:
PostPosted: Mon Jan 22, 2007 8:42 pm 

I think I made it... Take a look:
[php]<?PHP
include 'data.php'; // provides the SQLite connection in $dbc
if (!logedIn()){
    if (empty($_POST['login']['name'])){
        loginForm();
        exit;
    } else {
        $pass = isset($_POST['login']['pass']) ? $_POST['login']['pass'] : '';
        if (logIn($_POST['login']['name'], $pass)){
            redirect($_SERVER['REQUEST_URI']);
            exit;
        } else {
            echo "Noe gikk galt.. Prøv igjen<br/>\n<br/>\n<br/>"; // "Something went wrong.. Try again"
            loginForm();
            exit;
        }
    }
}
function logedIn(){
    // logged in as soon as the cookie exists (it holds the admin's aId)
    return !empty($_COOKIE['logedIn']);
}
function loginForm(){
?>
<form action="<?PHP echo htmlspecialchars($_SERVER['PHP_SELF']); ?>" method="POST">
<b>Brukernavn</b> <input type="text" name="login[name]" /><br/>
<b>Passord</b> <input type="password" name="login[pass]" /><br/>
<input type="submit" value="login" />
</form>
<?PHP
}
function logIn($uname,$pass){
    global $dbc; // the connection opened by data.php
    $pass = md5($pass);
    // the user name is escaped so a quote in it cannot break out of the string literal
    $query = "SELECT * FROM admins WHERE aUser = '".sqlite_escape_string($uname)."' AND aPass = '$pass';";
    $arr = sqlite_array_query($dbc,$query);
    if (!empty($arr) && $uname == $arr[0]['aUser'] && $pass == $arr[0]['aPass']){
        // setcookie() returns false if headers were already sent
        return setcookie("logedIn",$arr[0]['aId'],time()+3600);
    }
    return false;
}
function redirect($url){
    header("Location: $url");
}
?>[/php]

