How to protect the page only for registered users?

I created a login form that works great. But I realized that the page my user is sent to can still be accessed by anyone. How do I restrict access to the page so that only registered users can view it?

Do I need to place a script on a success page?

Here is my check_login.php:

 <?php
 $host="localhost"; // Host name
 $username="xxx"; // Mysql username
 $password="xxx"; // Mysql password
 $db_name="xxx"; // Database name
 $tbl_name="xxx"; // Table name

 // Connect to server and select database.
 mysql_connect("$host", "$username", "$password") or die("cannot connect");
 mysql_select_db("$db_name") or die("cannot select DB");

 // username and password sent from form
 $myusername=$_POST['myusername'];
 $mypassword=$_POST['mypassword'];

 // To protect MySQL injection (more detail about MySQL injection)
 $myusername = stripslashes($myusername);
 $mypassword = stripslashes($mypassword);
 $myusername = mysql_real_escape_string($myusername);
 $mypassword = mysql_real_escape_string($mypassword);

 $sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
 $result=mysql_query($sql);
 $count=mysql_num_rows($result);
 $user_info = mysql_fetch_assoc($result);

 if( isset($user_info['url']) ) {
     session_register("myusername");
     session_register("mypassword");
     header('Location: ' . $user_info['url']); //Redirects to the supplied url from the DB
 } else {
     header("location:error.htm");
 }
 ?>
+6
4 answers

Each page should begin with

 session_start(); 

and you should not use session_register( "variablename" ) since PHP version 4.2, use

 $_SESSION["variable"] = value; 

so an example of a page with a login check would be:

 <?php
 session_start();
 // empty() also covers the case where the key was never set
 if (empty($_SESSION["loggedIn"])) {
     echo("Access denied!");
     exit();
 }
 echo("Enter my lord!");
 ?>

and the login script:

 <?php
 session_start(); // must run before $_SESSION is written
 /* ... db stuff ... */
 if( isset($user_info['url']) ) {
     $_SESSION["loggedIn"] = true;
     $_SESSION["username"] = $myusername;
     header('Location: ' . $user_info['url']); //Redirects to the supplied url from the DB
     exit; // stop the script once the redirect header is sent
 } else {
     header("Location: error.htm");
     exit;
 }
 ?>
+6

On a page that requires a user to be logged in, check whether they have a valid session. If they do not, send them to the login page.

 if (!$_SESSION['myusername']) { header('location: /login.php'); exit; } 
+3

In each page / content with limited access, you must authenticate the client / user. If people were crazy, you would have to have the user fill in their details (username / password) on each page, but thanks to the “HTTP cookies” we should not do this.

+2

Basically, you should use session management to keep track of whether the user is in an authenticated session or not. If not, you (re)direct them to the index page; if so, you give them access to the resource they requested.

To use sessions, put your session setup functions at the top of every PHP script inside your application (setup functions include a session handler, cookie domain and cookie name) and call session_start(). Then check whether the login flag is defined in the current session, for example $_SESSION["user_is_logged_in"]. On the authentication page, you of course set $_SESSION["user_is_logged_in"] = true; at a certain stage.

+1
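A reusable version of the session check the answers describe, added here as an example and not taken from any of the posts above. It swaps in PDO prepared statements and password_verify() for the question's mysql_* calls and plaintext password comparison. The file name auth.php, the $pdo handle, and a users table with username, password_hash and url columns are assumptions.

```php
<?php
// auth.php (hypothetical name): include it from every script that uses the session.

function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // Array form of session_set_cookie_params() needs PHP 7.3 or later.
    session_set_cookie_params([
        'lifetime' => 0,       // cookie ends with the browser session
        'path'     => '/',
        'secure'   => true,    // assumes the site is served over HTTPS
        'httponly' => true,    // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Call at the top of every protected page, before any output is sent.
function require_login(): void
{
    start_secure_session();
    if (empty($_SESSION['loggedIn'])) {
        header('Location: /login.php');
        exit; // without this the rest of the page would still be rendered
    }
}

// Call from check_login.php. Returns the per-user redirect URL, or null on failure.
function attempt_login(PDO $pdo, string $username, string $password): ?string
{
    // Assumed schema: users(username, password_hash, url), hashes made with password_hash().
    $stmt = $pdo->prepare('SELECT password_hash, url FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    start_secure_session();
    session_regenerate_id(true);   // fresh session ID after login (session fixation defence)
    $_SESSION['loggedIn'] = true;  // flag checked by require_login()
    $_SESSION['username'] = $username;
    return $row['url'];
}
```

A protected page then starts with `require 'auth.php'; require_login();`, and the login script redirects to the value returned by attempt_login() or to error.htm when it returns null.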

Source: https://habr.com/ru/post/893463/