Hi, I am having some trouble with my login PHP script.

My Code is below ( Please let me know if you see any errors with it ) Thanks!

<?php
session_start();
require("db.php");

  if(isset($_SESSION['SESS_LOGGEDIN']) == TRUE) 
  {
   header("Location: " . $config_basedir);
  }
  if(isset($_POST['submit']))
  {
  	//Check to see if they are already logged in on other computer or browser (This part is for me to know who is online)
	$logincheck = mysql_query("SELECT * FROM database.table NATURAL JOIN table2 WHERE username = '". $_POST['username'] . "' AND column = column.id");
	$loginfetch = mysql_fetch_assoc($logincheck);
	$loginnumrows = mysql_num_rows($logincheck);
	
	if($loginnumrows == 1)
	{
		$idnum = $loginfetch['id'];
		//Delete the last login and renew a new login  online 
		mysql_query("DELETE FROM table WHERE column = " . $idnum);
	}
	
    $loginsql = "SELECT * FROM database.table WHERE username = '" . $_POST['username'] . "' AND password = '" . $_POST['password'] . "'";
    $loginres = mysql_query($loginsql) or die (mysql_error());
    $numrows = mysql_num_rows($loginres);
    
			if($numrows == 1)
			{
			  $loginrow = mysql_fetch_assoc($loginres);
			  
			   	  session_register("SESS_LOGGEDIN");
			  session_register("SESS_USERNAME");
			  session_register("SESS_USERID");
			  session_register("SESS_FNAME");
			  session_register("SESS_LNAME");
			  
			  $_SESSION['SESS_LOGGEDIN'] = 1;
			  $_SESSION['SESS_USERNAME'] = $loginrow['username'];
			  $_SESSION['SESS_USERID'] = $loginrow['id'];
			  $_SESSION['SESS_FNAME'] = $loginrow['fname'];
			  $_SESSION['SESS_LNAME'] = $loginrow['lname'];
			  
			  mysql_query("INSERT INTO table (column_1, column_2) VALUES ('1', '".$loginrow['id']."')");
			  
			  header("Location:http://www.website.org/home.php"); 
			 }
		else
			{
			  header("Location:http://www.website.org/login.php?error=1");
			}
	}
?>

They keep receiving a partial sign in... On the home.php (the place where the user goes once logged) it is showing them a message like "Warning: Mysql_num_rows....." - Then when they refresh or relogin they are taken to their site just fine...

Can someone help me with this matter please?

Also, I'm receiving an error message on my browser saying "Out of Memory on line 12", not sure which script is making it read that. =/

OK, I read up on the out of memory on line 12. It has something to do with the person's computer, I believe? Do you think if I give you the website link it would be better for y'all to help me out?

diafol

You don't really need a session_register every time. You can just use $_SESSION.

$loginfetch = mysql_fetch_assoc($logincheck);
$loginnumrows = mysql_num_rows($logincheck);

It's usually best to have these the other way around.

Things like this will give you a nosebleed:

mysql_query("INSERT INTO table (column_1, column_2) VALUES ('1', '".$loginrow['id']."')");

You should name your DB, table and fields appropriately. If you don't and make slight changes to your DB, you could find that you nudge the 'house of cards'.

You also use $_POST as a direct input into your SQL. You should clean this with something like mysql_real_escape_string().

All in all, don't take offence, but I'm surprised that this works at all.

Perhaps if you rework it slightly:

1. get post var
2. clean post var
3. check for user exists with SQL user/pass
a) NO - punch back to login screen with message
b) YES Go to 4
4. get data into session and check for logged in username (SQL)
a) NO - add new log data with INSERT
b) YES - overwrite log data with UPDATE*

*I assume you don't want loads of old logins.

Plenty of ways to skin a cat though. Unfortunately, this model could give you false data if you're trying to assess whether a user is still logged in, as they may just close the browser as opposed to logging out properly. Old story.

Oh, NATURAL JOIN - haven't seen that old chestnut for a while :)
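The four steps listed above, as an added example that is not part of the original thread: it uses PDO bound parameters in place of mysql_real_escape_string() (the mysql_* functions were removed in PHP 7) and assumes passwords are stored as password_hash() hashes. All table and column names are hypothetical, and an in-memory SQLite database stands in for MySQL so the script runs offline.

```php
<?php
// Added example: table/column names (users, online_log, pass_hash, ...) are hypothetical.
// An in-memory SQLite database stands in for the MySQL server so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, pass_hash TEXT, fname TEXT)');
$db->exec('CREATE TABLE online_log (user_id INTEGER PRIMARY KEY, last_login INTEGER)');
$ins = $db->prepare('INSERT INTO users (username, pass_hash, fname) VALUES (?, ?, ?)');
$ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT), 'Alice']); // constructed sample user

function login(PDO $db, array $post): ?array
{
    // Steps 1-2: read the POST values; binding them as parameters replaces manual escaping.
    $username = isset($post['username']) ? (string) $post['username'] : '';
    $password = isset($post['password']) ? (string) $post['password'] : '';

    // Step 3: look the user up by name, then verify the password against the stored hash.
    $stmt = $db->prepare('SELECT id, username, pass_hash, fname FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($user === false || !password_verify($password, $user['pass_hash'])) {
        return null; // 3a: caller sends the browser back to the login screen
    }

    // Step 4: one log row per user: UPDATE if it exists, INSERT otherwise.
    $chk = $db->prepare('SELECT 1 FROM online_log WHERE user_id = ?');
    $chk->execute([$user['id']]);
    $sql = $chk->fetchColumn() !== false
        ? 'UPDATE online_log SET last_login = ? WHERE user_id = ?'
        : 'INSERT INTO online_log (last_login, user_id) VALUES (?, ?)';
    $db->prepare($sql)->execute([time(), $user['id']]);

    unset($user['pass_hash']);
    return $user; // caller copies these fields into $_SESSION
}

// Constructed inputs: a valid login (twice), a wrong password, a username containing a quote.
$cases = [
    ['username' => 'alice', 'password' => 'correct horse'],
    ['username' => 'alice', 'password' => 'correct horse'],
    ['username' => 'alice', 'password' => 'wrong'],
    ['username' => "o'brien", 'password' => 'x'],
];
foreach ($cases as $post) {
    $user = login($db, $post);
    echo $post['username'], ' => ', $user ? 'logged in as id ' . $user['id'] : 'rejected', "\n";
}
echo 'log rows: ', $db->query('SELECT COUNT(*) FROM online_log')->fetchColumn(), "\n";
```

In a real login page, call session_regenerate_id(true) before filling $_SESSION from the returned row, and call exit after each header("Location: ...") so the rest of the script does not keep running.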

Okay, thanks for the help. I will try to revise the script to make it work properly.

Okay, so the only place I need to call for session is just on the login page? Because as of now I have session_start at the beginning of every page. Was that wrong?!?

Thanks for the help! ^_^

diafol

No, have a session_start() on every page - that's how the $_SESSION variable is 'kept alive'.
