I am new to PHP, and I am trying to create a website with a login function. I have searched around, and I found a video where I got this code (see below). I want to create a website where you are logged in at all times; at the moment, when I change web page, I can't call `echo "Logged in as $user";`. Why, and how can I do this? Is there any other, better way to do this?

I am going to make a website where you can create a user with username, password, first name, last name, address and so on. If I, for example, create a user in the database with the name user123, with the info first name = User, last name = Userson, address = Userstreet 2, then later, when you are logged in, you can book a hotel.

```php
<?php
if(isset($_GET['logout']))
{
    $expire = time() - 60*60*24*10; //ti dager
    setcookie("idkunde","", $expire);

}

if(isset($_POST['user'])){
$user = $_POST['user'];
$pass = $_POST['pass'];
//connect to server
$con = mysql_connect("localhost", "root", "");
if(!$con){die('Could not connect: '. mysql_error());}
mysql_select_db("hotellformidling", $con);
if(mysql_num_rows(mysql_query("SELECT * FROM kunde WHERE brukernavn = '$user' AND passord = '$pass'")))
{ //riktig info
    $result = mysql_query("SELECT * FROM kunde WHERE brukernavn ='$user' AND passord = '$pass'");
    while($row = mysql_fetch_array($result))
    {
        $expire = time() + 60*60*24*10; //ti dager
        setcookie("idkunde", $row['idkunde'], $expire);
        echo "Logged in as <b>$user<b> <br>";
        //$userID = $row['idkunde']; 
    }
}
else//feil info
{
    echo "<b>Feil brukernavn eller passord</b><br><br>";
}

mysql_close($con);

}

if(isset($_COOKIE['idkunde'])){
    $userID = $_COOKIE['idkunde'];  
}
if(isset($userID))
{
    echo "Logged in as <b>$user<b> <br>";
    echo "(<a href='?logout'>Logg ut?</a>)";
}else{
echo "<form method='post'>
Brukernavn: <Input type='text' name='user'><br>
Passord: <Input type='password' name='pass'><br>
<input type='submit' value='Logg inn'>
</form>";
}
?>
```

– schou
    Sidenote: Please, [don't use `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php), They are no longer maintained and are [officially deprecated](https://wiki.php.net/rfc/mysql_deprecation). Learn about [prepared statements](http://en.wikipedia.org/wiki/Prepared_statement) instead, and use [PDO](http://us1.php.net/pdo) or [MySQLi](http://us1.php.net/mysqli). [This article](http://php.net/manual/en/mysqlinfo.api.choosing.php) will help you decide. – Michael Doye Mar 18 '15 at 09:56
  • what is the error? do you get "Feil brukernavn eller passord"? – carmel Mar 18 '15 at 10:01
  • Because `$user` only exists in this script. If you want to use it in another script, you will have to use the cookie `idhunde` to get it again from the database. A better solution would be to learn about SESSIONS. [The Manual](http://php.net/manual/en/book.session.php) – RiggsFolly Mar 18 '15 at 10:01
  • 2
    `I am new to php, and I am trying to create a website with a login-function.` ... probably better to get a decent handle on PHP, web security and all the associated pitfalls before jumping into a hotel booking system with logins and real user data ... of course, if you're just doing this on a dev box with no intention of running live in the near future - carry on ;) – CD001 Mar 18 '15 at 10:02
  • There must be literally hundreds of thousands of tutorials detailing how to add user authentication in PHP. – Martin Bean Mar 18 '15 at 10:09
  • Sad thing is @MartinBean out of those 99% suck at best and have vulnerabilities at worst – PeeHaa Mar 18 '15 at 10:20
  • @schou .. I appreciate you involving in php . after successful login you use store credential in SESSION .. session is token to access entire application – Pankaj katiyar Mar 18 '15 at 10:24
  • Thanks, guys! I will check out sessions :) – schou Mar 18 '15 at 13:26

1 Answer

1st: Your code is vulnerable to SQL injection.

2nd: `echo "Logged in as <b>$user<b> <br>";` <--- the `$user` variable is the `$_POST['user']`.

Fix: `$getrealuser = $row['username'];` <-- 'username' is the database column name

```php
echo "Logged in as <b>".$getrealuser."<b> <br>";
```

3rd: Use SESSION: you need `session_start();` at the top of the page, after the PHP start tag.

```php
$_SESSION["user"] = $getrealuser;

if(isset($_SESSION["user"])){
 echo "Logged in as".$_SESSION["user"]."<br>";
}
```
– Joci93
  • Even after multiple edits, you are still not actually answering the question, OP wants to know why in other pages he cannot access the `$user` variable. – RiggsFolly Mar 18 '15 at 10:05
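The comments on the question recommend sessions and prepared statements, and the answer sketches `session_start()` plus `$_SESSION["user"]` without showing a whole page. The following is an added example, not code from the asker or the answerer, of the same login page rewritten so that the logged-in identity lives in the PHP session (which survives across pages) rather than in a client-controlled `idkunde` cookie, and so that the lookup uses a PDO prepared statement instead of interpolating `$_POST` into SQL. It assumes the table `kunde` with columns `idkunde`, `brukernavn` and `passord`, that `passord` holds a `password_hash()` result rather than plaintext, and placeholder database credentials; all of those are assumptions, not facts from the page.

```php
<?php
// Added example (not the asker's or answerer's code): session-based login with a
// prepared statement. Assumptions: table `kunde` (idkunde, brukernavn, passord),
// `passord` stores password_hash() output, credentials below are placeholders.
declare(strict_types=1);

session_start();  // must run before any output, on every page that reads $_SESSION

function db(): PDO
{
    static $pdo = null;
    if ($pdo === null) {
        // Placeholder credentials: use a dedicated least-privilege account, not root.
        $pdo = new PDO(
            'mysql:host=localhost;dbname=hotellformidling;charset=utf8mb4',
            'app_user',
            'app_password',
            [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]
        );
    }
    return $pdo;
}

// Returns the user row on success, null otherwise. Input is bound, never concatenated into SQL.
function authenticate(string $username, string $password): ?array
{
    $stmt = db()->prepare('SELECT idkunde, brukernavn, passord FROM kunde WHERE brukernavn = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['passord'])) {
        return null;
    }
    return $row;
}

function login(array $row): void
{
    session_regenerate_id(true);              // fresh session id on privilege change
    $_SESSION['idkunde'] = (int) $row['idkunde'];
    $_SESSION['user']    = $row['brukernavn']; // value from the database, not from $_POST
}

function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

if (isset($_GET['logout'])) {
    logout();
    header('Location: ' . strtok($_SERVER['REQUEST_URI'], '?'));
    exit;
}

if (isset($_POST['user'], $_POST['pass'])) {
    $row = authenticate((string) $_POST['user'], (string) $_POST['pass']);
    if ($row !== null) {
        login($row);
    } else {
        // Same generic message for unknown user and wrong password.
        echo '<b>Feil brukernavn eller passord</b><br><br>';
    }
}

if (isset($_SESSION['user'])) {
    // Escape before echoing: the username came from the database, not the request.
    echo 'Logged in as <b>' . htmlspecialchars($_SESSION['user'], ENT_QUOTES, 'UTF-8') . '</b><br>';
    echo "(<a href='?logout'>Logg ut?</a>)";
} else {
    echo "<form method='post'>
Brukernavn: <input type='text' name='user'><br>
Passord: <input type='password' name='pass'><br>
<input type='submit' value='Logg inn'>
</form>";
}
```

Every other page of the site then only needs `session_start();` at the top and can read `$_SESSION['user']` and `$_SESSION['idkunde']` directly; that is what replaces the `$user` variable that the asker could not reach from the next script. The original `idkunde` cookie is avoided entirely because its value was chosen by the client, so anyone could set it to another customer's id; the session id cookie PHP issues is random and the customer id stays server-side. When creating users, store `password_hash($pass, PASSWORD_DEFAULT)` in `passord` so that `password_verify()` above works.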