The example consists of three simple scripts. The first, authmain.php, provides a login form and authentication for members of our Web site. The second, members_only.php, displays information only to members who have logged in successfully. The third, logout.php, logs out a member.
To understand how this works, look at Figure 20.4. This is the initial page displayed by authmain.php.
Figure 20.4 Because the user has not yet logged in, show her a login page
This page gives the user a place to log in. If she attempts to access the Members section without logging in first, she will get the message shown in Figure 20.5.
Figure 20.5 Users who haven’t logged in can’t see the site content; they will be shown this message instead
However, if the user logs in first (with username: testuser and password: test123 as set up in Chapter 14) and then attempts to see the Members page, she will get the output shown in Figure 20.6.
Figure 20.6 After the user has logged in, she can access the Members’ areas
Let’s look at the code for this application. Most of the code is in authmain.php. This script can be seen in Listing 20.4. We will go through it bit by bit.
Listing 20.4 authmain.php—The Main Part of the Authentication Application
<?php
session_start();

if (isset($HTTP_POST_VARS['userid']) && isset($HTTP_POST_VARS['password'])) {
  // if the user has just tried to log in
  $userid = $HTTP_POST_VARS['userid'];
  $password = $HTTP_POST_VARS['password'];

  $db_conn = mysql_connect('localhost', 'webauth', 'webauth');
  mysql_select_db('auth', $db_conn);
  $query = 'select * from auth '
           ."where name='$userid' "
           ." and pass=password('$password')";
  $result = mysql_query($query, $db_conn);
  if (mysql_num_rows($result) > 0) {
    // if they are in the database register the user id
    $HTTP_SESSION_VARS['valid_user'] = $userid;
  }
}
?>
<html>
<body>
<h1>Home page</h1>
<?php
if (isset($HTTP_SESSION_VARS['valid_user'])) {
  echo 'You are logged in as: '.$HTTP_SESSION_VARS['valid_user'].' <br />';
  echo '<a href="logout.php">Log out</a><br />';
} else {
  if (isset($userid)) {
    // if they've tried and failed to log in
    echo 'Could not log you in';
  } else {
    // they have not tried to log in yet or have logged out
    echo 'You are not logged in.<br />';
  }

  // provide form to log in
  echo '<form method="post" action="authmain.php">';
  echo '<table>';
  echo '<tr><td>Userid:</td>';
  echo '<td><input type="text" name="userid"></td></tr>';
  echo '<tr><td>Password:</td>';
  echo '<td><input type="password" name="password"></td></tr>';
  echo '<tr><td colspan="2" align="center">';
  echo '<input type="submit" value="Log in"></td></tr>';
  echo '</table></form>';
}
?>
<br>
<a href="members_only.php">Members section</a>
</body>
</html>
Some reasonably complicated logic is in this script because it displays the login form, is also the action of the form, and contains HTML for both a successful and a failed login attempt. The script’s activities revolve around the valid_user session variable. The basic idea is that if someone logs in successfully, we will register a session variable called $HTTP_SESSION_VARS['valid_user'] that contains her userid.
The first thing we do in the script is call session_start(). This will load in the session variable valid_user if it has been registered.
In the first pass through the script, none of the if conditions will apply and the user will fall through to the end of the script, where we tell her that she is not logged in and provide her with a form to do so:
echo '<form method="post" action="authmain.php">';
echo '<table>';
echo '<tr><td>Userid:</td>';
echo '<td><input type="text" name="userid"></td></tr>';
echo '<tr><td>Password:</td>';
echo '<td><input type="password" name="password"></td></tr>';
echo '<tr><td colspan="2" align="center">';
echo '<input type="submit" value="Log in"></td></tr>';
echo '</table></form>';
When she presses the submit button on the form, this script is reinvoked and we start again from the top. This time, we will have a userid and password to authenticate, stored as $HTTP_POST_VARS['userid'] and $HTTP_POST_VARS['password']. If these variables are set, we go into the authentication block:
if (isset($HTTP_POST_VARS['userid']) && isset($HTTP_POST_VARS['password'])) {
// if the user has just tried to log in
$userid = $HTTP_POST_VARS['userid'];
$password = $HTTP_POST_VARS['password'];
$db_conn = mysql_connect('localhost', 'webauth', 'webauth');
mysql_select_db('auth', $db_conn);
$query = 'select * from auth '
."where name='$userid' "
." and pass=password('$password')";
$result = mysql_query($query, $db_conn);
We connect to a MySQL database and check the userid and password. If these are a matching pair in the database, we create the variable $HTTP_SESSION_VARS['valid_user'] that contains the userid for this particular user, so we know who is logged in further down the track.
if (mysql_num_rows($result) > 0) {
  // if they are in the database register the user id
  $HTTP_SESSION_VARS['valid_user'] = $userid;
  }
}
Because we now know who she is, we don’t need to show her the login form again. Instead, we’ll tell her we know who she is, and give her the option to log out:
if (isset($HTTP_SESSION_VARS['valid_user'])) {
  echo 'You are logged in as: '.$HTTP_SESSION_VARS['valid_user'].' <br />';
  echo '<a href="logout.php">Log out</a><br />';
}
If we tried to log her in and failed for some reason, we’ll have a userid but not an $HTTP_SESSION_VARS['valid_user'] variable, so we can give her an error message:
if (isset($userid)) {
  // if they've tried and failed to log in
  echo 'Could not log you in';
}
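The listing above does its job, but a reviewer would flag four things in it: the query interpolates the submitted userid and password directly into SQL, MySQL's PASSWORD() function is not a password hash, the session id is never rotated after a successful login, and the userid is echoed back into the page unescaped. The following is an added example, not the book's code, showing the same login flow rewritten for current PHP with those points addressed. It assumes a PDO connection to the same auth database, a table auth with columns name and pass_hash where pass_hash was written by password_hash() (the column name is hypothetical), and the helper names login(), logout() and currentUser() are our own.

```php
<?php
// Added example (not Listing 20.4): the same login flow for current PHP.
// Assumptions (hypothetical): table auth(name, pass_hash) where pass_hash was
// produced by password_hash(); helper names are ours, not the book's.
declare(strict_types=1);

session_start();

/** Open an authenticated session if the credentials match; true on success. */
function login(PDO $db, string $userid, string $password): bool
{
    // Prepared statement: user input is bound, never spliced into the SQL text.
    $stmt = $db->prepare('SELECT pass_hash FROM auth WHERE name = :name');
    $stmt->execute([':name' => $userid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a freshly generated dummy hash when the user is unknown,
    // so the response time does not reveal which userids exist.
    $hash = $row['pass_hash'] ?? password_hash('dummy-password', PASSWORD_DEFAULT);
    if ($row === false || !password_verify($password, $hash)) {
        return false;
    }

    session_regenerate_id(true);   // fresh session id on login (session fixation)
    $_SESSION['valid_user'] = $userid;
    return true;
}

/** Tear the session down completely (the job of logout.php). */
function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

/** Gate used by members_only.php: the logged-in userid, or null. */
function currentUser(): ?string
{
    return $_SESSION['valid_user'] ?? null;
}

$db = new PDO('mysql:host=localhost;dbname=auth', 'webauth', 'webauth', [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false,   // real server-side prepares
]);

$attempted = isset($_POST['userid'], $_POST['password']);
if ($attempted) {
    login($db, (string) $_POST['userid'], (string) $_POST['password']);
}
?>
<html>
<body>
<h1>Home page</h1>
<?php if (($user = currentUser()) !== null): ?>
  <!-- escape the userid before echoing it into HTML -->
  You are logged in as: <?= htmlspecialchars($user, ENT_QUOTES, 'UTF-8') ?><br />
  <a href="logout.php">Log out</a><br />
<?php else: ?>
  <!-- same generic message for unknown user and wrong password -->
  <?= $attempted ? 'Could not log you in' : 'You are not logged in.' ?><br />
  <form method="post" action="authmain.php">
    <table>
      <tr><td>Userid:</td><td><input type="text" name="userid"></td></tr>
      <tr><td>Password:</td><td><input type="password" name="password"></td></tr>
      <tr><td colspan="2" align="center"><input type="submit" value="Log in"></td></tr>
    </table>
  </form>
<?php endif; ?>
<br>
<a href="members_only.php">Members section</a>
</body>
</html>
```

The page structure is unchanged from the listing; what differs is that the database never sees raw input, the stored value is a salted hash that password_verify() checks in constant time, and a successful login starts a new session id so that an id handed to the browser before authentication is not the one that becomes authenticated. members_only.php would call currentUser() in place of testing $HTTP_SESSION_VARS directly.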
That’s it for the main script. Now, let’s look at the Members page. The code for this script is shown in Listing 20.5.
Listing 20.5 members_only.php—The Code for the Members’ Section of Our Web Site Checks for Valid Users
<?php
session_start();

echo '<h1>Members only</h1>';

// check session variable
if (isset($HTTP_SESSION_VARS['valid_user'])) {
  echo '<p>You are logged in as '.$HTTP_SESSION_VARS['valid_user'].'</p>';
  echo '<p>Members only content goes here</p>';
} else {
  echo '<p>You are not logged in.</p>';
  echo '<p>Only logged in members may see this page.</p>';
}

echo '<a href="authmain.php">Back to main page</a>';
?>
This code is very simple. All it does is start a session, and check if the current session contains a registered user by checking if the value of $HTTP_SESSION_VARS