Web Hosting Talk

Fully Working Login Script


DWood
03-09-2002, 12:17 PM
Here is a fully working login script using mysql. It is very secure. Just include this file at the top of all protected pages.


<?

$dbusername = "username";
$dbpassword = "password";
$db_name = "database";

// This is the page to show when the user has been logged out

// Page with login form
$login_page = "loginpage";

// Page to show if the user enters an invalid login name or password
$invalidlogin_page = "invalid login page";


//DON'T EDIT ANYTHING BELOW THIS!!!

if ($action == "logout")
{
    Setcookie("loginpass","",time() -86400);
    Setcookie("loginuser","",time() - 86400);
    include($login_page);
    exit;
}
else if ($action == "login")
{
    if (($username == "") || ($password == ""))
    {
        include($invalidlogin_page);
        exit;
    }
    else {
        //connect
        mysql_connect( "localhost", "$dbusername", "$dbpassword") or die( "Unable to connect to server!");
        mysql_select_db( "$db_name") or die( "Unable to select database");

        //some select queries for registering global variables and verifying user
        $query = "SELECT member_id, username, password, status FROM users where username='$username'";
        $insert = MYSQL_QUERY($query);
        $number = MYSQL_NUMROWS($insert);

        if($number != 0) {

            $i = 0;
            $member_id = mysql_result($insert,$i,"member_id");
            $user_db = mysql_result($insert,$i,"username");
            $password_db = mysql_result($insert,$i,"password");
            $status = mysql_result($insert,$i,"status");

            if ($password == $password_db) {
                $validuser = "true";
            }
        }
    }

}
else
{
    if (($HTTP_COOKIE_VARS["loginpass"] == "") || ($HTTP_COOKIE_VARS["loginuser"] == ""))
    {
        include($login_page);
        exit;
    }
    else if (($HTTP_COOKIE_VARS["loginpass"] != "") || ($HTTP_COOKIE_VARS["loginuser"] != ""))
    {
        $username = $HTTP_COOKIE_VARS["loginuser"];
        $password = $HTTP_COOKIE_VARS["loginpass"];
        //connect
        mysql_connect( "localhost", "$dbusername", "$dbpassword") or die( "Unable to connect to server!");
        mysql_select_db( "$db_name") or die( "Unable to select database");

        //some select queries for registering global variables and verifying user
        $query = "SELECT member_id, username, password, status FROM users where username='$username'";
        $insert = MYSQL_QUERY($query);
        $number = MYSQL_NUMROWS($insert);

        if($number != 0) {

            $i = 0;
            $member_id = mysql_result($insert,$i,"member_id");
            $user_db = mysql_result($insert,$i,"username");
            $password_db = mysql_result($insert,$i,"password");
            $status = mysql_result($insert,$i,"status");

            if ($password == $password_db) {
                $validuser = "true";
            }
        }
    }
    else
    {
        include($invalidlogin_page);
        exit;
    }
}
if ($validuser == "true")
{
    Setcookie("loginpass",$password,time() + 86400);
    Setcookie("loginuser",$username,time() + 86400);
}
else
{
    include($invalidlogin_page);
    exit;
}
?>


If you use it, let me know so I can feel not so worthless lol. A link to my site would be appreciated, but if you don't want to put one on then I won't care too much.

DWood
03-09-2002, 12:19 PM
Oops, security hole... add $validuser = "false"; to the 1st line.

DWood
03-09-2002, 12:21 PM
Last one... make sure you change the table name and have all those fields in your table. Otherwise, not such a good script.

YUPAPA
03-09-2002, 12:39 PM
#!/usr/bin/perl

print "Content-Type: text/plain\n\n";
print "Nice Script! But I haven\'t tried it.\n";

__END__

DWood
03-09-2002, 05:58 PM
Thanks YUPAPA. I am on a roll... I finished the mail password script but need a little help with the change password script. I have it all done except I don't know how to update the field in the MySQL table. I tried

INSERT INTO users (password) VALUES ('$password1') where username='$username';

but I got a parse error on that line. Any ideas as to what the command should be?

cyansmoker
03-09-2002, 06:15 PM
You're trying to change a password: UPDATE would work much better than INSERT ;)

DWood
03-09-2002, 06:32 PM
I am kinda new to this... what would the whole command be?

cyansmoker
03-09-2002, 06:38 PM
I don't know your db structure, but from what your 'INSERT' line looks like:

UPDATE users SET password='$password1' WHERE username='$username';

Also, if you're looking for better security, you may want to create a cookies array instead of storing user and password in two different cookies.
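
The UPDATE above with both values bound as parameters instead of interpolated into the SQL string, and the password stored as a hash rather than in clear text. This is an added example, not code from any poster in the thread. Assumptions: an in-memory SQLite database through PDO stands in for the MySQL server so it runs stand-alone, the sample user is constructed, and `change_password` (including its requirement to supply the current password) is a hypothetical helper; the `users` table and its columns follow the thread.

```php
<?php
// Added example: parameterized password change with hashed storage.
// Assumption: in-memory SQLite via PDO replaces the thread's MySQL connection.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (
    member_id INTEGER PRIMARY KEY,
    username  TEXT UNIQUE,
    password  TEXT,
    status    TEXT
)');

// Constructed sample row; the password column holds a hash, never the password.
$seed = $pdo->prepare('INSERT INTO users (username, password, status) VALUES (?, ?, ?)');
$seed->execute(['alice', password_hash('old-secret', PASSWORD_DEFAULT), 'active']);

// Hypothetical helper: returns true only if exactly one row was updated.
function change_password(PDO $pdo, string $username, string $current, string $new): bool
{
    // The username travels as a bound parameter, so quotes in it stay data.
    $sel = $pdo->prepare('SELECT password FROM users WHERE username = ?');
    $sel->execute([$username]);
    $hash = $sel->fetchColumn();

    // Unknown user or wrong current password: change nothing.
    if ($hash === false || !password_verify($current, $hash)) {
        return false;
    }

    $upd = $pdo->prepare('UPDATE users SET password = ? WHERE username = ?');
    $upd->execute([password_hash($new, PASSWORD_DEFAULT), $username]);
    return $upd->rowCount() === 1;
}

var_dump(change_password($pdo, 'alice', 'wrong-guess', 'new-secret'));  // wrong current password
var_dump(change_password($pdo, 'alice', 'old-secret', 'new-secret'));   // correct current password
var_dump(change_password($pdo, "o'brien", 'old-secret', 'new-secret')); // apostrophe in the name, no such user
```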

DWood
03-09-2002, 07:33 PM
thanks.

roly
03-09-2002, 07:55 PM
Great!

Now where's the penguin icon :angry:

YUPAPA
03-09-2002, 08:01 PM
#!/usr/bin/perl
use strict;

my $counter;


for($counter=0; $counter>0; $counter++) {
print "I do not know\n";
print "Chicken promised us he will get the penguin and fork fork!\n";
}

goodness0001
03-11-2002, 02:25 PM
Using this script, how do you stop somebody going directly to the successful login page?? So that if they did, they would be redirected to the login page?

DWood
03-11-2002, 05:21 PM
That is the good thing about this script, there is no redirected successful login page. You save this file as say "protect.php," and include it whenever you want a page protected. If the user is valid, the page will load. Otherwise, they will get the login page. I also have a change password and get lost password if anyone wants it, just let me know.

ziki
03-13-2002, 12:01 PM
I think that PHP sessions will be more appropriate for this...
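
How the session approach suggested above fits the include-at-the-top pattern from this thread: the browser holds only a random session id, and the member id stays on the server, so no password is stored in a cookie. This is an added example, not part of any post; the function names and `/login.php` are hypothetical, and it assumes PHP 7.3+ served over HTTPS, with the login form verifying the password itself before calling `start_user_session()`.

```php
<?php
// Added example, not the thread's script. Assumptions: PHP 7.3+, HTTPS,
// hypothetical /login.php; protected pages include this file and call require_login().
function open_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_set_cookie_params([
            'lifetime' => 0,       // cookie ends with the browser session
            'secure'   => true,    // sent over HTTPS only
            'httponly' => true,    // not readable from page scripts
            'samesite' => 'Lax',
        ]);
        session_start();
    }
}

// Call only after the submitted password has been verified.
function start_user_session(int $memberId): void
{
    open_session();
    session_regenerate_id(true);   // fresh id at login, old session file removed
    $_SESSION['member_id']  = $memberId;
    $_SESSION['login_time'] = time();
}

function end_user_session(): void
{
    open_session();
    $_SESSION = [];
    session_destroy();
}

// Returns the logged-in member id, or null if absent or older than $maxAge
// (86400 seconds mirrors the cookie lifetime used in the original script).
function current_member(int $maxAge = 86400): ?int
{
    open_session();
    if (!isset($_SESSION['member_id'], $_SESSION['login_time'])
        || time() - $_SESSION['login_time'] > $maxAge) {
        end_user_session();
        return null;
    }
    return (int) $_SESSION['member_id'];
}
function require_login(): int
{
    $memberId = current_member();
    if ($memberId === null) {
        header('Location: /login.php');
        exit;
    }
    return $memberId;
}
```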

BrianF
03-13-2002, 02:35 PM
I've used this method with cookies before and it works great.

PHP Sessions make me think of an ecommerce solution lol...

Brian