Wayfarer247 Posted July 3, 2008

Alright, so I have posted this on a few other forums, but I love you guys and wanted to give you all a shot at this problem too. Also, if any well known people here would like access to the editor and try to get this to work, PM me. Because I really want it to work.

Problem: Creating a dynamic Game using PHP and Database. Users have to log on. I need to make sure the user has logged on before accessing certain pages. At the moment, they can simply go to the restricted pages without logging on. I am trying to solve this issue using PHP Sessions.

Here is the site. Here are the relevant pieces of Code as well:

Index:

```php
<?php session_start(); ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<?php
// String literal quoted; a bare Ethan is treated as an undefined constant.
$_SESSION['test'] = 'Ethan';
?>
<html lang="en">
<head>
  <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
  <title>Wonder Game</title>
  <meta name="generator" content="TextMate http://macromates.com/">
  <meta name="author" content="Ethan Mick">
  <!-- Date: 2008-06-30 -->
  <link rel="stylesheet" type="text/css" href="http://wondergame.freehostia.com/open/MainDesign.css" />
</head>
<body>
<div id="main">
  <div id="header"><p>Here there will be a Logo!</p>
    <?php echo $_SESSION['test']; ?>
  </div>
  <div id="leftbar">
    <p>Welcome to</p>
    <h1>Wonder</h1>
    <p>the game of economic Domination.</p>
    <p>Because Wonder is the in the Pre-alpha stages, only people who have a code may sign up. This is to keep the riff-raff out while we prepare the game for the masses. This site will be updated as soon as the internal workings of the game are complete.</p>
    <p>Thank you for your cooperation.</p>
    <p>If you are curious about this game and want more information, we have set up a <a href="http://wondergame.freehostia.com/blog/">blog</a>, and it has a <a href="http://wondergame.freehostia.com/blog/?page_id=4">Change log</a> for recent changes.</p>
  </div>
  <div id="rightbar">
    <form action="http://wondergame.freehostia.com/open/WonderLogin.php" name="userlogin" method="post">
      Username: <input type="text" name="username" id="">
      Password: <input type="password" name="password" id="">
      <input type="submit" value="Submit">
    </form>
    If you have a testing code, Redeem it <a href="http://wondergame.freehostia.com/open/register.html">here.</a>
  </div>
</div>
</body>
</html>
```

WonderLogin.php:

```php
<?php session_start(); ?>
<?php
ob_start();
$user = ($_POST['username']);
$pass = md5($_POST['password']);

$con = mysql_connect("mysql4.freehostia.com","ethmic_ethmic","Password");
if (!$con) {
    die('Could not connect: ' . mysql_error());
}
echo "It Connected";
echo " ";
mysql_select_db("ethmic_ethmic", $con);

// The posted username and the password hash are concatenated into the SQL text.
$query = "SELECT username, password FROM wonder_users WHERE Username='". $user ."' AND Password='". $pass ."'";
$result = mysql_query($query) or die ( mysql_error() );

if(mysql_num_rows($result) == 1) {
    header('Refresh: 5; url=http://wondergame.freehostia.com/closed/home.htm');
    setcookie("wonder_define_login", "login_true", time()+360000000);
    $_SESSION['user'] = $user;
    $_SESSION['logged_in'] = TRUE;
    echo $_SESSION['user'];
    echo "<h1>Log in successful.</h1>";
    echo " ";
    echo "You have been logged in successfully. You should be redirected shortly. If not, please click the link below.";
    echo " ";
    echo "Please go here: http://wondergame.freehostia.com/closed/home.htm";
    exit;
} else {
    echo "did not log in.";
}
ob_flush();
?>
```

home.htm:

```php
<?php session_start(); ?>
<?php
// empty() avoids a notice when the key was never set.
if(empty($_SESSION['logged_in'])) {
    header("Location: http://wondergame.freehostia.com");
    exit; // stop here so the rest of the page is not sent along with the redirect
}
?>
<html>
<head>
  <title>Wonder: The Game of Economic Domination</title>
  <link rel="stylesheet" type="text/css" href="http://wondergame.freehostia.com/common.css" />
</head>
<body>
<p>welcome <?php echo $_SESSION['user']; echo "Does this PHP work? Do you see your username?"; ?> </p>
<p>How are you?</p>
<a href="http://wondergame.freehostia.com/game/resourceupdate.php">Test Game Mechanics!</a>
</body>
</html>
```

So, what happens is the user logs on through the form on the index. It goes to the PHP file which checks if they are a valid user; if so, they are pushed ahead.

Now, I put sessions starting on all the pages, and what needs to happen is in the WonderLogin.php, it needs to add the variable, "$_SESSION['logged_in'] = TRUE;" and have that be seen by all the other pages to test if the user logged on or not. I know variables can be stored; on "WonderLogin.php" it echoes " $_SESSION['user'] = $user;" and that happens. It just doesn't happen on "home.htm".

Any ideas? And again, if you think that by looking at all the code for a while on the Server would allow you to figure it out, send me a PM. I want to be able to log in effectively!!!

Erm, if you want me to make a Username for you too, send a PM. We require ppl to have registration codes to keep out riff-raff.

Thank you!!!!

Mark K Posted July 3, 2008

Maybe I am looking at it wrong. But don't you have to rename the home.htm file to home.php for the PHP code to work? Unless your host has it so that .htm files will be processed like PHP files....

Wayfarer247 Posted July 3, 2008

O.o Maybe, I thought that PHP embedded in HTML worked regardless of the file extension. I will change that around and see if it works.

I changed the names. Home.htm is now "Home.php" and I changed the Links as well. and... erm... I think it may have worked. I will respond again when I have tested this more. But if sooo... I learned something new, and THANK YOU.

**Edit**

I went to: http://wondergame.freehostia.com/closed/home.php

And if you haven't logged on, you get redirected to the homepage! JUST WHAT I WANTED!!!! Yeah! Thank you! I didn't know something like that could be the issue. Thank you a lot!

Mark K Posted July 4, 2008

No problem. Glad I could help! I feel all smart now.

Mark K Posted July 4, 2008

On a side note. Your PHP code looks really good. But I would recommend using mysqli to run your SQL queries. The way you have it set up, it is very easy to have a "sql injection" attack on your website. MySQLi is new in PHP5, is the latest and greatest, and prevents sql injection, so why not use it?

http://devzone.zend.com/node/view/id/686

```php
<?php
session_start();
/* form input, read the same way as in WonderLogin.php */
$user = $_POST['username'];
$pass = md5($_POST['password']);

$mysqli = new mysqli("servername", "user", "password", "database");
if (mysqli_connect_errno()) {
    printf("Connect failed: %s\n", mysqli_connect_error());
    exit();
}

/* prepare statement */
if ($stmt = $mysqli->prepare("SELECT username, password FROM wonder_users WHERE Username = ? AND Password = ?")) {
    /* bind the input values to the two placeholders */
    $stmt->bind_param("ss", $user, $pass);
    $stmt->execute();

    /* bind result columns to variables */
    $stmt->bind_result($user, $pass);

    /* fetch values */
    if ($stmt->fetch()) {
        header('Refresh: 5; url=http://wondergame.freehostia.com/closed/home.htm');
        setcookie("wonder_define_login", "login_true", time()+360000000);
        $_SESSION['user'] = $user;
        $_SESSION['logged_in'] = TRUE;
    }

    /* close statement */
    $stmt->close();
}

/* close connection */
$mysqli->close();
?>
```

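The difference between the two query styles in this thread, as an added example that is not part of any post or of the site's code: the same user lookup built by string concatenation and as a prepared statement, both given a username that contains an apostrophe. It assumes PHP with the pdo_sqlite extension; PDO with an in-memory SQLite database stands in for mysqli/MySQL so it runs offline, password_hash()/password_verify() replace the thread's md5(), and the account and function names are constructed for illustration.

```php
<?php
// Added example. SQLite in memory stands in for the thread's MySQL database;
// table and column names follow the thread, the account below is constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE wonder_users (Username TEXT PRIMARY KEY, Password TEXT)');
$db->prepare('INSERT INTO wonder_users VALUES (?, ?)')
   ->execute(["o'brien", password_hash('correct horse', PASSWORD_DEFAULT)]);

// Pattern from WonderLogin.php: the input is pasted into the SQL text, so a
// quote character inside the username changes the statement itself.
function lookup_concat(PDO $db, string $user): string
{
    $sql = "SELECT Username FROM wonder_users WHERE Username='" . $user . "'";
    try {
        $row = $db->query($sql)->fetchColumn();
        return $row === false ? 'no such user' : 'found ' . $row;
    } catch (PDOException $e) {
        return 'query broke: ' . $e->getMessage();
    }
}

// Prepared statement: the SQL text is fixed and the username travels as data.
// The stored value is a password_hash() string, checked with password_verify()
// in PHP rather than compared inside the WHERE clause.
function login_prepared(PDO $db, string $user, string $pass): bool
{
    $stmt = $db->prepare('SELECT Password FROM wonder_users WHERE Username = ?');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();
    return $hash !== false && password_verify($pass, $hash);
}

// The legitimate name breaks the concatenated query but not the prepared one.
echo lookup_concat($db, "o'brien"), PHP_EOL;
var_dump(login_prepared($db, "o'brien", 'correct horse'));
var_dump(login_prepared($db, "o'brien", 'wrong guess'));
```

The concatenated lookup fails on an ordinary name because the apostrophe ends the string literal early, which is the same property that lets input rewrite the query; the prepared version handles the same value as plain data.
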
Wayfarer247 Posted July 11, 2008

Hey thanks. I am pretty sure every person has told me my code is vulnerable to injection. >.< Guess I should really fix it. I was much more concerned about getting it to work than anything else. Once I get my new server set up, I will go about "securing" it. Thank you!