Protecting members area?
ncwdavid
Hey, I want to password protect my members area on my site using PHP and MySQL if that is possible. I already have a register form and a register.php which work fine and a login which also works fine, but now I want to password protect some pages so only members can view them. How do I do this? Thank you!
LukeakaDanish
Well... you could put something like the following at the beginning of all members-only pages:

Code:

// $logged_in is whatever your login script sets (normally from a session variable)
if (!$logged_in) {
   include('you_are_not_logged_in.php');
   exit;   // stop here so nothing below is sent to a user who is not logged in
}

//put the rest of the page here...


Shouldn't be much harder than that!

Of course you may want Google to be able to see it anyway - you could read about the robots.txt file (I think that's what it's called).
ncwdavid
It doesn't work. What is $logged_in supposed to be defined as?
LukeakaDanish
ncwdavid wrote:
It doesn't work. What is $logged_in supposed to be defined as?


You said you already have a login script.

Just change $logged_in to whatever SESSION variable your login script uses...

(I expect it uses sessions - they tend to do that...)
SlowWalkere
Like Luke said, use an if statement to check if the user is logged in. There should be some kind of session variable that either contains their username or has a true value that means they are logged in. Put it at the very top of the page, before any HTML is sent, so that the user can be redirected.

I'll elaborate a bit on what you could put in the "not_logged_in" section.

What you'll probably want to do is redirect the user to another page. In that case, use the PHP header() function like this...
Code:
header("Location: login.php");


Where you redirect them to depends on how you want to handle not-logged in users. You could be mean and gruff and send them to an error page that says something like "You are not logged in! This content is classified, and only authorized viewers can see it!"

But, a more user-friendly way would be to redirect the user to the login page, emit an error message there, and after the user logs in send them back to the original page they wanted to view.

You can send them to the login page using the header() function described above. When I use an error message like that, I usually put the message in a session variable, $_SESSION['errors']. Then, at the top of any page that is likely to get an error message sent to it, I check if there are any, output them if necessary, and unset the session variable. This way you can pass a message like "You need to log-in before accessing that page."

Finally, redirecting the user back to their intended location depends on how your login script works. I include a log-in check at the top of every page on the site, so the login form could be set to have the intended site as its action element.

If you need to send the login data to a processing page first, then send the intended page in a hidden input element. Then, in the processing page, use another header() function to go to the hidden input, and if it's not set then use the default action element.

Hope that provides some useful ideas.
- Walkere
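The whole flow Walkere describes (check at the very top, remember the requested page, redirect with a message, send the user back after login), as an added example that is not code from this thread. It assumes the login script stores the user's name in $_SESSION['username']; the file names require_login.php and login.php and the session keys return_to and errors are assumptions.

```php
<?php
// require_login.php: added example, not code from the thread.
// Assumes the login script sets $_SESSION['username'] on success
// (an assumption; use whatever your own login script stores).
// Include this at the very top of every members-only page, before any output.
session_start();

if (empty($_SESSION['username'])) {
    // Remember the requested page so the login can send the user back,
    // but keep only a local path (never a full URL) so the later redirect
    // cannot be pointed at another site.
    $wanted = $_SERVER['REQUEST_URI'] ?? '/';
    if ($wanted === '' || $wanted[0] !== '/' || substr($wanted, 0, 2) === '//') {
        $wanted = '/';
    }
    $_SESSION['return_to'] = $wanted;
    $_SESSION['errors']    = 'You need to log in before accessing that page.';

    header('Location: /login.php');
    // exit is essential: without it the rest of this file is still sent
    // to any client that simply ignores the Location header.
    exit('Redirected to the <a href="/login.php">login</a> page.');
}
// The protected page continues below this line.
```

login.php then reads $_SESSION['errors'] at the top, prints it through htmlspecialchars() and unsets it, and the page that processes the form reads $_SESSION['return_to'] and redirects there after a successful login.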
Rhysige
One final thing I didn't spot in other responses (sorry if someone had it), but I made the screw-up once of assuming everyone would be nice and redirect when I told them to... don't. People do turn JavaScript off to get around security, so ALWAYS include a statement like die(); after the redirect so that even if they don't leave, they also don't see the page.
avk
Here the $logged_in variable actually comes from a page like login.php or something like that, which you should create on your own.

The page must check whether the user has logged in or not.

E.g. if you are using sessions, then if the session variable exists the user is logged in, so it sets $logged_in to true and the user will be able to access the page; otherwise it returns $logged_in as false and the user will be directed to a page called 'you_are_not_logged_in.php'.

I think this should make all the things clear.

If you want the script, just reply to this post and you will get the reply as soon as possible.
SlowWalkere
Rhysige wrote:
One final thing I didn't spot in other responses (sorry if someone had it), but I made the screw-up once of assuming everyone would be nice and redirect when I told them to... don't. People do turn JavaScript off to get around security, so ALWAYS include a statement like die(); after the redirect so that even if they don't leave, they also don't see the page.


If you're using JavaScript, then that will be a problem. But, then again, that's the problem with using JavaScript for anything that is essential to your site (like logging in).

But, if you use php to check the log-in status and do the redirect with the header() function, there's no way the user can get around it. The header() will execute on the server side before the page is displayed, and the user will get the new page instead of the one he originally requested. As far as I know, there's no way for the user to abort that header() call and continue to load the original page without actually logging in.

- Walkere
hexkid
SlowWalkere wrote:
As far as I know, there's no way for the user to abort that header() call and continue to load the original page without actually logging in.


It is possible to not follow redirects; to make it easy for clients that *do* ignore redirects, I always do
Code:
// ...
if (!$loggedin) {
  header('Location: http://www.example.com/login.php');
  exit('Redirected to the <a href="login.php">login</a> page.');
}
// ...
so if the client does not follow the redirect it will get a page with a standard link to the login page.

Ignoring the redirect:
Code:
<?php
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "http://www.example.com/private.php");
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false); // do not follow the Location header
curl_setopt($ch, CURLOPT_HEADER, true);          // keep the response headers in the output
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIE, 'name=username;pwd=password');
$page = curl_exec($ch);
curl_close($ch);
echo '<pre>', htmlentities($page), '</pre>';
?>
LukeakaDanish
hexkid wrote:

Ignoring the redirect:
Code:
<?php
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "http://www.example.com/private.php");
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false); // do not follow the Location header
curl_setopt($ch, CURLOPT_HEADER, true);          // keep the response headers in the output
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIE, 'name=username;pwd=password');
$page = curl_exec($ch);
curl_close($ch);
echo '<pre>', htmlentities($page), '</pre>';
?>


The thing is:

However clever you are, it's impossible to get around an "exit;" statement. If you don't allow redirects, all you're gonna get is a blank page - not the page you wanted...
hexkid
LukeakaDanish wrote:
The thing is:

However clever you are, it's impossible to get around an "exit;" statement. If you don't allow redirects, all you're gonna get is a blank page - not the page you wanted...


Right!
That's why I always use an exit() after a redirect header().

You will see the "protected" content if you do something like
Code:
#####################
### DON'T DO THIS ###
#####################
if (!$loggedin) {
  header('Location: login.php');
  ## no exit() here!!!
}
echo '"protected" content.';
netpro
This may help:

<?php
session_start();
include "your_mysql_conf.php";

// username and password come straight from $_POST and are concatenated into the query
$login = mysql_query("select * from table_name where (username = '" . $_POST['username'] . "')
    and (password = '" . md5($_POST['password']) . "')", $conn);
$rowcount = mysql_num_rows($login);
if ($rowcount == 1) {
    $_SESSION['username'] = $_POST['username'];
    header("Location: protected_area.php");
}
else
{
    header("Location: public_area.php");
}
?>


Any comment about this script?

Thanks
hexkid
netpro wrote:
any comment about this script ?


Yes. Don't pass user input directly into SQL.

Apply mysql_real_escape_string() (md5() is ok too) before using user input in SQL commands.

Code:
$login = mysql_query("select * from table_name where (username = '" . mysql_real_escape_string($_POST['username']) . "') and (password = '" . md5($_POST['password']) . "')",$conn);


There's not much wrong the user could do for your specific query, but sanitizing user input is always good no matter what.
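A login-processing page for the script above that keeps user input out of the SQL text altogether, as an added example (not netpro's or hexkid's code): it uses a PDO prepared statement in place of string concatenation, and password_verify() against a stored password_hash() value rather than md5(). It assumes your_mysql_conf.php provides a PDO connection in $pdo and a users table with username and password_hash columns; those names, and the return_to/errors session keys, are assumptions.

```php
<?php
// process_login.php: added example, not code from the thread.
// Assumes your_mysql_conf.php defines $pdo (a PDO connection) and that the
// users table has columns username and password_hash (assumed names).
session_start();
require 'your_mysql_conf.php';

$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';

// A placeholder keeps the username out of the SQL text entirely, so quotes,
// comment markers or "OR 1=1" typed into the form are treated as plain data.
$stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = ?');
$stmt->execute([$username]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

if ($row !== false && password_verify($password, $row['password_hash'])) {
    session_regenerate_id(true);       // fresh session id once the user is authenticated
    $_SESSION['username'] = $username;

    // Send the user back to the page they originally asked for, if the login
    // check stored one; accept only a local path so this is not an open redirect.
    $target = $_SESSION['return_to'] ?? '/protected_area.php';
    unset($_SESSION['return_to']);
    if ($target === '' || $target[0] !== '/' || substr($target, 0, 2) === '//') {
        $target = '/protected_area.php';
    }
    header('Location: ' . $target);
    exit;
}

// Same message for an unknown user and a wrong password.
$_SESSION['errors'] = 'Wrong username or password.';
header('Location: /login.php');
exit;
```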
AndreyL
I have used session variables to protect some pages from being viewed by visitors who are not logged in, and it works pretty well.