PHP, cookies, and users

blondegeek

Okay, here's a new problem for today:
I'm trying to make a web based stock management majig but first I have to set up all the authorization stuff. So I've been learning how to check back with my mysql databases for usernames and passwords, but I want to set it up so it can also be authorized by cookies.

I'll post the code on the next post. It's not the prettiest thing. It works when I log-in but if I go to the protected page without entering the information on the login page I get yelled at with "Grr. HAHAHAHA!!! You can't get in!", which is what it's supposed to do when a password or username is incorrect.

ANYWAY, I set up two cookies and I also set the php page to mail me the values of the variables assigned to equal the cookies. Whenever I login through the log-in page, it mails back both $user and $pass. But, when I just go to the protected page it only mails back a value for $pass (therefore I assume $user didn't receive a value). I checked the cookies on my computer and they are both there. SO why can't my page get the $user when I skip the log-in page?

Thanks!
 
And here's the code:
PHP:
<?php 

$PHP_AUTH_USER = $_POST['PHP_AUTH_USER'];
$PHP_AUTH_PW = $_POST['PHP_AUTH_PW'];

$user = $HTTP_COOKIE_VARS["user"];
$pass = $HTTP_COOKIE_VARS["password"];

$auth = false; // Assume user is not authenticated 

    // Connect to MySQL 

		
        mysql_connect( '*******', '********', '********' ) or die ( 'Unable to connect to server.' ); 
		
    // Select database on MySQL server 
		mysql_select_db( 'store_database' ) or die ( 'Unable to select database.' ); 

    // Formulate the query 

    $sql = "SELECT * FROM `stock_user` WHERE `username` = '".$PHP_AUTH_USER."' AND `password` = '".$PHP_AUTH_PW."'"; 
	$sql2 = "SELECT * FROM `stock_user` WHERE `username` = '".$user."' AND `password` = '".$pass."'"; 

    // Execute the query and put results in $result 

    $result = mysql_query($sql); 
	$result2 = mysql_query($sql2);
		
	while($stockusers = mysql_fetch_assoc($result)) {
		$db_user = stripslashes( $stockusers['username'] );
		$db_pass = stripslashes( $stockusers['password'] );
		}
		
	while($stockusers2 = mysql_fetch_assoc($result2)) {
		$db_user2 = stripslashes( $stockusers['username'] );
		$db_pass2 = stripslashes( $stockusers['password'] );
		}


    if ($PHP_AUTH_USER = $db_user and $PHP_AUTH_PW = $db_pass) { 
	$auth = true; }
	elseif ($user = $db_user2 and $pass = $db_pass2) {
	$auth = true; }
	else { 
		echo "Grr.";
	}
	if ($auth == true) {
	
	if (isset($user) AND isset($pass)) {
		
		}
	else {
		setcookie("user", "$PHP_AUTH_USER", time()+3600);
		setcookie("password", "$PHP_AUTH_PW", time()+3600);
	}
		
		////////////////page info ///////////////
		echo "Hello blondegeek.";
		//////////////////end page info//////////////
	}  

	else {
	echo "HAHAHAHA!!! You can't get in!";
	}
$email = "blondegeek@blondegeek.net";
mail($email, "Login", " $user\n $pass\n");
?>
 
I've not tested this, but I don't see any reason why it shouldn't work.

Code:
<?PHP
$user = $HTTP_COOKIE_VARS["user"]; 
$pass = $HTTP_COOKIE_VARS["password"]; 
//if cookie doesn't exist, check POST variables for login form information
if(($user=="")||($pass==""))
{
    $user = $_POST['PHP_AUTH_USER']; 
    $pass = $_POST['PHP_AUTH_PW']; 
}
$auth = false; // Assume user is not authenticated 
    // only connect to database if a username or password exists, else don't bother
    if (($user!="")&&($pass!=""))
    {
        // Connect to MySQL     
        mysql_connect( '*******', '********', '********' ) or die ( 'Unable to connect to server.' ); 
        // Select database on MySQL server 
        mysql_select_db( 'store_database' ) or die ( 'Unable to select database.' ); 
        $sql = "SELECT * FROM `stock_user` WHERE `username` = '".$PHP_AUTH_USER."' AND `password` = '".$PHP_AUTH_PW."'"; 
        // Execute the query and put results in $result 
        $result = mysql_query($sql); 
        while($stockusers = mysql_fetch_assoc($result)) 
        { 
            $db_user = stripslashes( $stockusers['username'] ); 
            $db_pass = stripslashes( $stockusers['password'] ); 
        } 
        if ($user = $db_user2 and $pass = $db_pass2) 
        { 
            //if user is already logged in or just logging in set cookie to expire (time from last action).
            setcookie("user", "$PHP_AUTH_USER", time()+3600); 
            setcookie("password", "$PHP_AUTH_PW", time()+3600); 
            //set auth to true
            $auth = true; 
        } 
    }

if($auth==true)
{
    ////////////////page info /////////////// 
    print "Hello blondegeek."; 
    //////////////////end page info////////////// 
}
else
{
    print "You're not logged in";
}
?>
it's loosely based on the code that you put up, but it's much more simplified and has fewer database calls.

one other thing.. I suggest that you store the passwords in the database in md5 hashes...
(I assume that you have a web form for creating accounts).

you can get an md5 hash of a string quickly and simply by using this code
Code:
$pwd = $_POST['password'];
$encpwd = md5($pwd);
 
Once again, thank you! The simplified code is far more efficient. But...I'm still having the same problem. For some reason the PHP can't pull the username for the code by the cookie I set. I can see the user name in the cookie so I know that that part of the cookie is being set, but why it's not working is just beyond me? The cookies don't have to be saved as separate files do they?
 
I just realised that I made a mistake...
Code:
if ($user = $db_user2 and $pass = $db_pass2) 
        { 
            //if user is already logged in or just logging in set cookie to expire (time from last action).
            setcookie("user", "$PHP_AUTH_USER", time()+3600); 
            setcookie("password", "$PHP_AUTH_PW", time()+3600); 
            //set auth to true
            $auth = true; 
        }
should be

Code:
if (($user = $db_user2)&&($pass = $db_pass2)) 
        { 
            //if user is already logged in or just logging in set cookie to expire (time from last action).
            setcookie("user", "$user", time()+3600); 
            setcookie("password", "$pass", time()+3600); 
            //set auth to true
            $auth = true; 
        }

but in the event that that doesn't work.

try this cookie code...

at the very top of the file (before anything else) write
Code:
ob_start();

then to create the cookies use this code
Code:
setcookie("blondegeek1", $user);
setcookie("blondegeek2", $pass);

then check the variables in the cookies using this code
Code:
$user = @$_COOKIE["blondegeek1"];
$pass = @$_COOKIE["blondegeek2"];
 
Here's where the problem actually was. I can't believe I missed it.

This was the database query:
Code:
$sql = "SELECT * FROM `stock_user` WHERE `username` = '".$PHP_AUTH_USER."' AND `password` = '".$PHP_AUTH_PW."'";
and it needed to be
Code:
        $sql = "SELECT * FROM `stock_user` WHERE `username` = '".$user."' AND `password` = '".$pass."'";

It's always the small things that get me. Thanks again!
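
Added example, not code from the thread or from any poster: the same `stock_user` check written with bound query parameters, a salted password hash in place of the plaintext/md5 value, and a server-side session in place of the `user`/`password` cookies. The in-memory SQLite database, the sample account and the function names `demo_db`, `check_login` and `login` are assumptions made so the block runs offline from the command line.

```php
<?php
declare(strict_types=1);

// Constructed demo data: in-memory SQLite stands in for the thread's MySQL server.
function demo_db(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE stock_user (username TEXT PRIMARY KEY, password TEXT NOT NULL)');
    // Store a salted hash of the password, never the password itself.
    $ins = $pdo->prepare('INSERT INTO stock_user (username, password) VALUES (?, ?)');
    $ins->execute(['blondegeek', password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $pdo;
}

// Verify a submitted username/password pair against the table.
function check_login(PDO $pdo, string $user, string $pass): bool {
    // The bound parameter keeps user input out of the SQL text entirely.
    $stmt = $pdo->prepare('SELECT password FROM stock_user WHERE username = ?');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();            // string, or false when no row matches
    // Comparison, not assignment: a single "=" here would always take the branch.
    return $hash !== false && password_verify($pass, $hash);
}

// On success keep only the username, server-side; the browser holds a random session id.
function login(PDO $pdo, string $user, string $pass): bool {
    if (!check_login($pdo, $user, $pass)) {
        return false;
    }
    if (PHP_SAPI !== 'cli') {                // sessions need a web request
        if (session_status() === PHP_SESSION_NONE) {
            session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
            session_start();
        }
        session_regenerate_id(true);         // fresh id after every successful login
    }
    $_SESSION['user'] = $user;
    return true;
}

$pdo = demo_db();
var_dump([
    'good password'       => login($pdo, 'blondegeek', 'correct horse'),
    'bad password'        => login($pdo, 'blondegeek', 'wrong'),
    'quote in username'   => login($pdo, "o'brien", 'anything'),  // treated as data
]);
```

A protected page then only needs `session_start()` followed by `isset($_SESSION['user'])`, so the password never travels in a cookie.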
 