PHP Registration with sessions and user access - php

Im trying to understand how to build a user registration with PHP and MySQL.
I have built a form that the user can fill out and the information is then stored in my table.
error_reporting(E_ALL);
include_once ('connection.php');
// Required field names
$required = array('firstname', 'lastname', 'email', 'password', 'accounttype');
// Loop over field names, make sure each one exists and is not empty
$error = false;
foreach($required as $field) {
if (empty($_POST[$field])) {
$error = true;
}
}
if ($error) {
echo "All fields are required.";
} else {
$firstname = $_POST['firstname'];
$lastname = $_POST['lastname'];
$email = $_POST['email'];
$password = md5($_POST['password']);
$accounttype = $_POST['accounttype'];
$query = "INSERT INTO users(firstname,lastname,email,password,accounttype) VALUES (:firstname,:lastname,:email,:password,:accounttype)";
$stmt = $dbh->prepare($query);
$stmt->bindParam(':firstname', $firstname);
$stmt->bindParam(':lastname', $lastname);
$stmt->bindParam(':email', $email);
$stmt->bindParam(':password', $password);
$stmt->bindParam(':accounttype', $accounttype);
$stmt->execute();
if(!$query){
echo 'Whoops, something went wrong!';
} else {
echo $accounttype;
if($accounttype == '1'){
header ('Location: /england/dashboard.php');
exit;
};
if($accounttype == '2'){
header ('Location: /ireland/dashboard.php');
exit;
};
};
};
When the users completes the form they're either reidrected to a different page based on their account type.
On those pages I need to somehow check to see if the user is of accounttype 'X'. So if they land in
header ('Location: /ireland/dashboard.php');
their account type value will be equal to 2, so only people with an account type of 2 can visit the above mentioned.
I've read about session variables, but where do I set these?


session_start(); // this at top of page
if($accounttype == '1'){
$_SESSION['accountType'] = 1; // or $accounttype
header ('Location: /england/dashboard.php');
exit();
};
if($accounttype == '2'){
$_SESSION['accountType'] = 2; // or $accounttype
header ('Location: /ireland/dashboard.php');
exit();
};
In england/dashboard.php
session_start();
if($_SESSION['accountType'] !== 1) header('location: login.php');
In ireland/dashboard.php
session_start();
if($_SESSION['accountType'] !== 2) header('location: login.php');


Start the session where you built form ,
session_start();
$_SESSION['account_type'] = 2;
and in the dashboard.php just get your session variable to check the account type.
if(($_SESSION['account_type'] == 2)) {
header('`dashboard.php');
} else {
// someother page or restrict access
}


simply begin your php script with session_start();
assign session vars with $_SESSION['whatever'] = "something";
You must begin your script with session_start(); on any page you wish to use session variables though.
To destroy a session and all associated vars simply use session_destroy();


One way to do this:
Use a 'Head/Config' file that you require_once() on every page
In this file store info in the session variable like this:
$_SESSION['myCustomValue'] = $accountType;
Then based on what is stored in there you can redirect:
if ($_SESSION['myCustomValue'] = 2):
header ('Location: /ireland/dashboard.php'); // oh yea!
endif;


First at least SHA1 hash the password. Store the result of that and not the actual password in your database. To test for login, you SHA1 hash what they gave you and compare the hashes. You should also salt the password before hashing, but just hashing would be a good start.
Also give your user record an id that can be used as the primary key.
You basically do a start_session() first thing in your script. This will either start a new one or attach to the one they have.
Then after they login/register and you know what their user id is store it in the session with $_SESSION['userid'] = $userid;
To test for login: isset($_SESSION['userid']) will return true.
Edit
Once you alter your table to have the id as an auto incrementing, primary key, your insert above does not need to change, but you get that ID by calling $dbh->lastInsertId()


You need to decide what you want to store in session data. When a person completes the form, passes validation and is saved in the DB, you might want to do this:
if(!$query) {
echo 'Whoops, something went wrong!';
} else {
session_start();
$_SESSION['account_type'] = $accounttype;
// Carry on functionality...
}
And at the beginning of your script, you can prevent existing users accessing the registration form:
session_start();
if(isset($_SESSION['account_type'])) {
header('Location: /ireland/dashboard.php');
}

Related

Implementing a check for user levels

I'm attempted to create a login authentication system using PHP. So far I've managed to query the DB to check if a username/password given by the user matches any rows in the DB. However I have a column in the DB named "isadmin" which stores a boolean value. I want to implement a check if true/false. Depending on the result depends on which php file is loaded (included).
EDIT: I have two php files, both containing the same HTML displaying the index page of a website. However, one php file is for regular users, the other is for admin users which will contain added features. When a user enters their username and password, I want a check for the user level of that login, Once the check is done it should show the appropriate php page.
$stmt = $pdo->prepare('SELECT * FROM Reg_User WHERE username = :username AND password = :password');
$details = [
'username' => $_POST['username'],
'password' => sha1($_POST['password'])
];
unset($_POST['submit']);
$stmt->execute($details);
if ($stmt->rowCount() > 0) {
$user = $stmt->fetch();
$_SESSION['loggedin'] = $user['user_id'];
echo 'Logged in as ' . $_POST['username'];
include 'index.php';
}
else {
echo 'Sorry, your username and password could not be found Please <a href="login.html">try again
or register!</a>';
}

A simple if/else statement will do it.
if ($user["isadmin"]) {
echo "Logged in as an admin.";
#you can include your related php page here.
} else {
echo "Logged in as an user.";
#you can include your related php page here.
}

There's no sanitizing of user input in your code, this is a must in a login system, try this after your login form.
info: I don't use PDO, $con is the MYSQLI connection.
<?php
// Handle log in
if (isset($_POST['login'])) {
$username = $_POST['username'];
$password = $_POST['password'];
// Sanitize username input
$username = strip_tags($username);
$username = trim($username);
$username = mysqli_real_escape_string($con, $username);
$username = urldecode($username);
// Sanitize password input
$password = strip_tags($password);
$password = trim($password);
$password = mysqli_real_escape_string($con, $password);
$password = urldecode($password);
}
?>
Your site should be set to https only, if it is ignore this link: htaccess redirect to https://www and you should be providing either a secure session cookie or a secure persistent cookie for users who are able to log in successfully. The code underneath this paragraph should be at the very top of your page before any html. This example is for time related persistent https secure cookie set to 1 day after which it will expire. You could use a session cookie but I find this annoys people if they frequent your site quite often, they don't want to have to log in again the same day if they close and reopen a browser or tab.
<?php
// All this code goes right at the top of your page before anything else!
function addcookie() {
global $condition;
if ($condition == "green") {
global $nameofcookie;
setrawcookie('loggedin', $nameofcookie, strtotime('+1 day'), '/', '', isset($_SERVER["HTTPS"]), true);
echo "<script>window.location.replace('https://example.com/mypage');</script>";
}
}
?>
The above code is will set a secure cookie using a function because you only want it firing after a successful login. The name of the cookie really should be random and unique, something based on microtime would work well. Make sure it's not anything important which could identify the user!IMPORTANT: the name of the cookie for reference should be created at the time of account creation and added to the users table so you can identify users and represent their login details.
Standard security measures should also include a separate table of the ip, time, date and username of who logged in. If your site is busy the table will fill quickly so you could set a cron job to clean old records to keep the size down, in that case you will need to add a column for datetime to identify the age of records.
Handling the login...
<?php
$condition = "red";
if (isset($_POST['login'])) {
$select_login = "select * from Reg_User where username='$username' and password='$password'";
$connect_login = mysqli_query($con, $select_login);
$rows_login = mysqli_num_rows($connect_login);
if ($rows_login == 0) {
// code here to handle failed logins, I would record them and use a 3 strike method
}
// Handle successful logins, add cookie
else {
while ($row_login=mysqli_fetch_array($connect_login)) {
// Retrieve cookie name here from table
$nameofcookie=$row_login['cookie'];
$condition = "green"; // This allows you to add the cookie
addcookie();
}
}
}
?>
Retrieving the cookie to authenticate users...
<?php
if (isset($_COOKIE['loggedin'])) {
$cookie = $_COOKIE['loggedin'];
$select_authenticated_user = "select * from Reg_User where cookie='$cookie'";
$connect_authenticated_user = mysqli_query($con, $select_authenticated_user);
while ($row_authenticated_user=mysqli_fetch_array($connect_authenticated_user)) {
// Retrieve values here from table
$logged_in_user=$row_authenticated_user['username'];
$logged_in_admin=$row_authenticated_user['isadmin'];
// Resolve admin status
if ($logged_in_admin == TRUE) {
$type = "admin";
} else {
$type = "member";
}
}
// Echo statement for logged in user with admin or not status, you could change the echo to a variable name if you want to use this in a specific place on your page.
echo "Welcome $logged_in_user<br/>
Type: $type
";
}
?>
Here's a link for obtaining IP's: How to get the client IP address in PHP

How to get two fields while creating session?

In my login page I am using a phone number and password fields only to login, thereafter, I am creating and storing a session using the phone number.
Insted, I want to echo the username currently logged in to display the current user becasue in my case I am currently only able to display the phone number of the logged in user. How do I do that?
Here is my login script
<?php
// Starting Session
session_start();
include "../script.php";
$error=''; // Variable To Store Error Message
if (isset($_POST['signin'])) {
if (empty($_POST['signinphone']) || empty($_POST['signpassword'])) {
$error = "Phone or Password is invalid";
}
else
{
// Define $username and $password
$phone=$_POST['signinphone'];
$password=$_POST['signpassword'];
// To protect MySQL injection for Security purpose
$phone = stripslashes($phone);
$password = stripslashes($password);
$phone = pg_escape_string($db, $phone); // Set email variable
$password = pg_escape_string($db, $password); // Set hash variable
$pass_crypted = password_hash($password);
// SQL query to fetch information of registerd users and finds user match.
$sql="SELECT usr_id, usr_email, usr_first_name, usr_last_name,
usr_encrypted_password,
usr_salt, usr_stos_id, usr_pers_id, usr_username, usr_updated_at,
usr_created_at, usr_enabled, usr_role_id, usr_jbrn_id,
usr_mobile_number,
stp_acc_id, usr_location, usr_mobile_imei, usr_type
FROM js_core.stp_users
where usr_mobile_number='$phone'
AND usr_encrypted_password='$password'";
$result=pg_query($db, $sql);
$rows = pg_num_rows($result);
if ($rows == 1) {
$_SESSION['phone']=$phone; // Initializing Session
$_SESSION['username'] = pg_fetch_object($result)->usr_last_name;
header("location: ../index.php");
} else {
//echo "0 results";
echo "Try Again the credentials you entered don't much ours";
}
; // Closing Connection
}
}
?>
and Here is my sample code where I want to display the username inplace of the phone
<li>
<?php
if(isset($_SESSION['username'])) {
echo '<li>'. $_SESSION["username"] . '</li>';
echo '<li>
Log Out</li>';
} else {
echo '<a class="signing" href="#login" data-toggle="modal" data-target="#signIn">Login </a>';
}
?>
</li>

There is not one answer to your question.
I'm posting this because it contains an example of all the things that have been mentioned in the comments to your question.
Firstly, you'll notice that there is a new $db connection that uses the PDO. This is the generally accepted way to handle DB connections and is relatively easy to install (if your php version doesn't have it) - there are plenty of examples on SO. I'd assume you'd want this in your script.php since it's common.
I've also swapped out the password hashing function for the native BCRYPT password_hash() function. When you sign the user up, you would then use it like so:
$encryped_password = password_hash($_POST['signpassword'], PASSWORD_BCRYPT);
This contains a uniquely salted password with the default cost.
Following that, you can fetch the user as you were, with the small adjustment to make it a prepared statement. This provides SQL Injection protection and generally makes things cleaner.
You'll then see that after the row is fetched, you can compare the password with the password_verify() function.
Finally to your original issue - I've set the PDO mode to object, so you can access and assign as many properties as you need to in the same way. Only the properties in the SELECT clause will be available in that object.
// Starting Session
session_start(); //I'd suggest this should also go in your script.php
$db = new PDO('pgsql:dbname=mydb;host=localhost;user=myuser;password=mypass');
include "../script.php";
$error=''; // Variable To Store Error Message
if (isset($_POST['signin'])) {
if (empty($_POST['signinphone']) || empty($_POST['signpassword'])) {
$error = "Phone or Password is invalid";
}
else
{
// SQL query to fetch information of registerd users and finds user match.
$sql = 'SELECT usr_id, usr_email, usr_first_name, usr_last_name, usr_encrypted_password
usr_stos_id, usr_pers_id, usr_username, usr_updated_at,
usr_created_at, usr_enabled, usr_role_id, usr_jbrn_id,
usr_mobile_number, stp_acc_id, usr_location, usr_mobile_imei,
usr_type
FROM js_core.stp_users
WHERE usr_mobile_number = :phone_number';
$stmt = $db->prepare($sql);
$stmt->execute(['phone_number' => $_POST['signinphone']]);
if ($row = $stmt->fetch(PDO::FETCH_OBJ)){
if(password_verify($_POST['signinpassword'], $row->usr_encrypted_password)) {
$_SESSION['phone'] = $row->usr_mobile_number; // Initializing Session
$_SESSION['username'] = $row->usr_username;
header("location: ../index.php");
} else {
//valid user, invalid password
}
} else {
//Invalid user
echo "Try Again the credentials you entered don't much ours";
}
}
}
I've made the assumption that you're running at lease PHP 5.5 for the password_hash, but there is a polyfill if not.

Can't enter the home page, always directing back to login page

As this page is owned by it users, so it has each credentials to enter it which it is by using login form of php (that's what I know so far, I am not very good in php, to be honest).
The problem I do really guess about this must be in the using of session function (and this is the most complicated things to me know, I am not very familiar of using this.)
In the config of the form, I set the session like this (Well, I just copy paste the code from somewhhere) as follow:
// User Redirect Conditions will go here
if($count==1)
{
// Save type and other information in Session for future use.
$_SESSION[type]=$row[0];
$_SESSION[Region]=$row[1];
$_SESSION[myemail]=$myemail;
// if user type is ACTAdmin only then he can access protected page.
if($row[0] == 'ACTAdmin') {
header( "location:index.php");
}
else {
header( "location:login.html");
}
}
else
{
header("location:login.html");
}
// Closing MySQL database connection
$dbh = null;
In the head of the home page (and in each all related pages), I write a session start there like this:
<?php
include('UserSessionAdmin.php');
?>
In which it will get the data from UserSessionAdmin.php:
<?php
session_start();
if($_SESSION[type]!='ACTAdmin'){
header('location:login.html');
exit();
}
include('configPDO.php');
?>
What is included in the configPDO.php is here:
<?php
// mysql hostname
$hostname = 'mysql.com';
// mysql username
$username = 'alkushh';
// mysql password
$password = 'alkush';
// Database Connection using PDO
try {
$dbh = new PDO("mysql:host=$hostname;dbname=user", $username, $password);
}
catch(PDOException $e)
{
echo $e->getMessage();
}
?>
It's been more than two days for me just to solve it but I don't have any idea how to. Some people who are experts in here may help me with this thing, please.
Thank you and regards,
Here is the full script that define the $count==1
<?php
// Start Session because we will save some values to session varaible.
session_start();
// include connection file
include("configPDO.php");
// Define $myusername and $mypassword
$myemail=$_POST['myemail'];
$mypassword=$_POST['mypassword'];
// We Will prepare SQL Query
$STM = $dbh->prepare("SELECT Type,Region FROM user WHERE myemail = :myemail AND mypassword = :mypassword");
// bind paramenters, Named paramenters alaways start with colon(:)
$STM->bindParam(':myemail', $myemail);
$STM->bindParam(':mypassword', $mypassword);
// For Executing prepared statement we will use below function
$STM->execute();
// Count no. of records
$count = $STM->rowCount();
//just fetch. only gets one row. So no foreach loop needed :)
$row = $STM -> fetch();
// User Redirect Conditions will go here
if($count==1)
.....
.....

Here it is
if ( $count == 1 ) {
$_SESSION['login_id'] = $row['id']; // i prefer to name it login_id, you can use $row['id'] or $row[0]. but i prefer to write with the column name
if ( $_SESSION['login_id'] == 1 ) { // it means if login id = 1 then go to index.php
header("location: index.php");
} else {
header("location: login.html");
}
}
else { header("location: login.html"); }
i cut session region because you didnt have a region column and also i cut session myemail because you didnt need it
UserSessionAdmin.php
<?php
session_start();
if ( $_SESSION['login_id'] == 0 || $_SESSION['login_id'] == '' ) {
header('location: login.html');
exit();
}
require_once('configPDO.php');
?>

Please turn on your error reporting to see, that there is no constants such as type, Region, myemail. Use " or ' around parameter of session:
if (strcmp($_SESSION['type'], 'ACTAdmin') !== 0) {
header('location:login.html');
exit();
}

Redirecting to another page, using variables from the first one

I have created the following scenario.
I have the index.php file which shows the mainpage. On this there are two fields - User Id and password enclosed in a form tag. The submit button calls the login.php file.
Login.php validates the user id, password etc
Once validation is successful, I want the login.php page to take me to MyDashboard.php page (passing the User Id and Password along).
I tried Header in PHP but does not work. I also tried to do a Javascript window.location.href and tried to call it on $(document).ready but nothing happens.
Please help.
--- Edit ----
here is the code after modification
<?php
include_once('./library/Common.php');
$_EmailId = trim($_POST['validemailid']);
$_Password = trim($_POST['password1']);
$_Rememberme = trim($_POST['rememberme']);
// Get the username from the Email Id by searching for #
$_UName= substr($_EmailId, 0, strpos($_EmailId, '#'));
$_Password = md5($_Password);
session_start();
$_SESSION['username'] = $_UName;
$query = "select username, firstname, password_hash,userstatus from users where username = ? and emailid = ?";
$dbconn = new mysqli('localhost', 'root', '','myDB');
if($dbconn->connect_errno)
{
print getHTML('ERROR', "Error in connecting to mysql".$dbconn->connect_error);
}
if(!($stmt=$dbconn->prepare($query)))
{
print getHTML('ERROR',"error in preparing sql statement".$dbconn->error);
}
if(!($stmt->bind_param('ss',$_UName,$_EmailId)))
{
print getHTML('ERROR',"error in binding params in sql statement".$stmt->error);
}
if(!$stmt->execute())
{
print getHTML('ERROR',"Execute failed: (" . $stmt->errno . ") " . $stmt->error);
}
$result=$stmt->get_result();
$row = $result->fetch_assoc();
$_dbpwd = $row['password_hash'];
$_userstatus = $row['userstatus'];
$errstatus = false;
if ($row['username'] != $_UName)
{
print getHTML('ERROR',"User does not exist with the given email id: ".$_EmailId);
$errstatus = true;
}
if(($row['password_hash'] != $_Password) && !$errstatus)
{
print getHTML('ERROR',"Password does not match");
$errstatus = true;
}
if(($row['userstatus'] != 'ACTIVE') && !$errstatus)
{
print getHTML('ERROR',"User is inactive. Please check your email for activation");
$errstatus = true;
}
if(!$errstatus)
{
$_SESSION['firstname'] = $row['firstname'];
$chksession = "SELECT sessionid FROM USERSESSIONS WHERE USERNAME = ? AND ENDDATE IS NULL";
if(!($sessionstmt=$dbconn->prepare($chksession)))
{
print "error in preparing sql statement".$dbconn->error;
exit();
}
$sessionstmt->bind_param('s',$_UName);
$sessionstmt->execute();
$sessionresult=$sessionstmt->get_result();
$sessionrow= $sessionresult->fetch_assoc();
$currdate = date('y-m-d H:i:s');
if($sessionrow['sessionid'] == 0)
{
$insertstmt = $dbconn->query("INSERT INTO USERSESSIONS(USERNAME,STARTDATE,ENDDATE) VALUES ('".$_UName."','".$currdate."',null)");
$insertstmt->close();
}
}
$sessionstmt->close();
$stmt->close();
$dbconn->close();
header("Location :MyDashboard.php");
exit;
?>
--- End of Edit -----
Amit

You should use session variables to store variables within a login session. Passing a password along to other pages is not recommended, nor necessary. Read up on Sessions, and take a look at already existing login scripts. Below is a very simple example, redirecting to the next page using the header() function.
<?php
// Validate user credentials and save to session
session_start();
$_SESSION['userId'] = $userId;
// Redirect to next page
header("Location: dashboard.php");
// Make sure that code below does not get executed when we redirect
exit;
?>

If user authenticated,
In PHP:
header('Location:MyDashboard.php');

Try include()
This function allows you to include code from other php scripts.

The header function is the correct way. As long as you don't have any output before calling the header function, it should work.
http://us3.php.net/manual/en/function.header.php
Post your code, and let's see what it is that isn't working!

Header should work in your condition.
Tou can use following code:
header("Location:filename");
exit();

Login php code, different content for admin/user:

Can you please help me to figure out how shall I use this if statement to show different content to different type of users.
this is the code that I have already found on another question:
if($_SESSION['usertype'] == 2){ //do stuff here} if ($_SESSION['usertype']) == 1) { //do stuff here }
I want to use this on a page where only members can view the page, and depending on the usertype, it should show different content.
But I'm not able to send the usertype in the login page when a user logs in, this is the code used there (login.php):
<?php
// First we execute our common code to connection to the database and start the session
require("common.php");
// This variable will be used to re-display the user's username to them in the
// login form if they fail to enter the correct password. It is initialized here
// to an empty value, which will be shown if the user has not submitted the form.
$submitted_username = '';
// This if statement checks to determine whether the login form has been submitted
// If it has, then the login code is run, otherwise the form is displayed
if(!empty($_POST))
{
// This query retreives the user's information from the database using
// their username.
$query = "
SELECT
id,
username,
password,
salt,
email
usertype
FROM users
WHERE
username = :username
";
// The parameter values
$query_params = array(
':username' => $_POST['username']
);
try
{
// Execute the query against the database
$stmt = $db->prepare($query);
$result = $stmt->execute($query_params);
}
catch(PDOException $ex)
{
// Note: On a production website, you should not output $ex->getMessage().
// It may provide an attacker with helpful information about your code.
die("Failed to run query: " . $ex->getMessage());
}
// This variable tells us whether the user has successfully logged in or not.
// We initialize it to false, assuming they have not.
// If we determine that they have entered the right details, then we switch it to true.
$login_ok = false;
// Retrieve the user data from the database. If $row is false, then the username
// they entered is not registered.
$row = $stmt->fetch();
if($row)
{
// Using the password submitted by the user and the salt stored in the database,
// we now check to see whether the passwords match by hashing the submitted password
// and comparing it to the hashed version already stored in the database.
$check_password = hash('sha256', $_POST['password'] . $row['salt']);
for($round = 0; $round < 65536; $round++)
{
$check_password = hash('sha256', $check_password . $row['salt']);
}
if($check_password === $row['password'])
{
// If they do, then we flip this to true
$login_ok = true;
}
}
// If the user logged in successfully, then we send them to the private members-only page
// Otherwise, we display a login failed message and show the login form again
if($login_ok)
{
// Here I am preparing to store the $row array into the $_SESSION by
// removing the salt and password values from it. Although $_SESSION is
// stored on the server-side, there is no reason to store sensitive values
// in it unless you have to. Thus, it is best practice to remove these
// sensitive values first.
unset($row['salt']);
unset($row['password']);
// This stores the user's data into the session at the index 'user'.
// We will check this index on the private members-only page to determine whether
// or not the user is logged in. We can also use it to retrieve
// the user's details.
$_SESSION['user'] = $row;
$_SESSION['usertype'] = $row;
// Redirect the user to the private members-only page.
header("Location: dashboard.php");
die("Redirecting to: dashboard.php");
}
else
{
// Tell the user they failed
print("Login Failed.");
// Show them their username again so all they have to do is enter a new
// password. The use of htmlentities prevents XSS attacks. You should
// always use htmlentities on user submitted values before displaying them
// to any users (including the user that submitted them). For more information:
// http://en.wikipedia.org/wiki/XSS_attack
$submitted_username = htmlentities($_POST['username'], ENT_QUOTES, 'UTF-8');
}
}
?>
What changes do I need to make in this code?
I am quite new to all this, any help is appreciated.

You need to edit the last bit of your if($login_ok) section to set the $_SESSION variables correctly:
if($login_ok)
{
...
$_SESSION['user'] = $row['username'];
$_SESSION['usertype'] = $row['usertype'];
...
}
From what I can see in your code, if the rest of it works correctly then the dashboard.php page should be able to access it like this:
<?php
require("common.php");
if($_SESSION['usertype'] == 2) {
//do stuff here
} elseif($_SESSION['usertype']) == 1) {
//do stuff here
}
?>

Categories