Hello

Before I show you my code I would just like to put forward to whoever is willing to help me, and I have spent the last 2 days looking at hundreds of different login scripts and my head is hurting as the more I look at them the more I get confused.

I have a basic login script which checks the password against my database my database has a table called 'clergyid' and has the fields 'id' 'username' 'password' & 'userlevel'

What i am requesting help with is:
1) I need help encrypting the username and password, has anyone got any suggestings on the best way to do this?

2) I need two user levels 'admin' and 'normaluser' and I need them to be redirected to different pages on login depending on their user level.

Here is my code for Login.php:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Liberal Catholic Apostolic Church</title>
<LINK href="login.css" rel="stylesheet" type="text/css">

</head>
<body>
<div id="container">

	<div id="header">
	<table width="980px">
	<tr>
	<td align="left"><img src="images/logo.jpg" width="100px" height="100px"></td>
	<td><h1>LCAC Web Portal</h1></td>
	</tr>
	</table>
	</div>

	<div id="content">

	<center>
	<img src="images/lcaclogo.gif" with="150px" height="150px">
	<b><h2>Login</h2></p>
	<form action="logincheck.php" method="get">
	<label class="label" for="username">Username</label><br>
	<input class="input" name="username" type="text"><br>
	<label class="label" for="password">Password</label><br>
	<input class="input" name="password" type="password"><br>
	<input class="submit" name="submit" type="submit" value="LOGIN"><br>
	</form>

	</center>


	</div>
	<div id="footer">Copyright &copy LCAC, 2011</div>
</div>
</body>
</html>

Here is my logincheck.php:

<?php
	session_start();
	require "connect.php";
	$username = $_GET['username'];
	$password = $_GET['password'];
	$query = "select * from clergyid where Username ='".$username."' and Password ='".$password."'";
	$result = mysql_query($query, $connection)
	or die ("Unable to perform query<br>$query");
	$row = mysql_fetch_array($result);

	if ($row != null) {
	$_SESSION['username'] = $row['username'];
	$_SESSION['password']= $row['password'];
	header ("Location: index.php");
	exit();

	}

	else{
	$message = "Invalid username or password please try again!";
	header ("Location: login.php? message=$message");
	exit();
}
?>

Here is my connect.php:

<?php
	$db_host = "";
	$db_name = "";
	$db_username = "";
	$db_password = "";

	$connection = mysql_connect ($db_host, $db_username, $db_password)
	or die ("MySQL Error: ".mysql_error());
	mysql_select_db($db_name, $connection)
	or die ("MySQL Error: ".mysql_error());
?>

And Finally here is my first restricted page:

<?php
	session_start();
	if(isset($_SESSION['username']) ==  false){
	header("Location: login.php");
	exit();
	}
?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Liberal Catholic Apostolic Church</title>
<LINK href="style.css" rel="stylesheet" type="text/css">

</head>
<body>
<div id="container">
	<div id="header">
	<table width="980px">
	<tr>
	<td align="left"><img src="images/logo.gif" width="100px" height="100px"></td>
	<td><h1>Liberal Catholic Apostolic Church</h1></td>
	</tr>
	</table>
	</div>
	<div id="navigation"><ul><li>Home</li></ul></div>
	<div id="content-container">
	<div id="section-navigation">
	<ul>
		<li><a href="index.html">LCAC Restricted Section - Login </a></li>
	</ul>
	</div>
	<div id="content">
<h1>Clergy Only Restricted Access - Page 1</h1>


</div>
	<div id="footer">Copyright &copy LCAC, 2011</div>
</div>
</body>
</html>

I really hope someone can help me as I am pulling my hair out!
Any questions then please reply to this thread

Thanks from a man in desperate need

I know 2 function to do encryption

md5();
sha1();

They have one way algorithm meaning that once you encrypt the parameter u pass it to it , you can not decrypt it again

* For determining the user value

I suggest that you store the userlevel in your session so , you have access to it in the whole project

in the login page , you should have code like this

<?php
    session_start();
    require "connect.php";
    $username = $_GET['username'];
    $password = $_GET['password'];
    $query = "select * from clergyid where Username ='".$username."' and Password ='".$password."'";
    $result = mysql_query($query, $connection)
    or die ("Unable to perform query<br>$query");
    $row = mysql_fetch_array($result);
     
    if ($row != null) {
    $_SESSION['username'] = $row['username'];
    $_SESSION['password']= $row['password'];
    $_SESSION['level'] = $row ['userlevel']; // store the value of user level
if ($_SESSION['level'] == 'admin') {header ("Location: admin.php");} //redirect to admin.php if the user is admin
else {header ("Location: index.php");} // redirect to  main page if the user is registered user
    
    exit();
     
    }
     
    else{
    $message = "Invalid username or password please try again!";
    header ("Location: login.php? message=$message");
    exit();
    }
    ?>

For example you could create a 128 length password field for a sha512 hash, which is much more secure than a sha1 hash.

You would compare the form result with the database result, and if it matches, the user will be logged in. Something like:

$password = hash('sha512', $_POST['password']); // Encrypts the $_POST['password'] to a 128 character hash.
$query = 'SELECT ..... FROM .... WHERE password = "'.$password.'"';

The password in your database must be stored encrypted to make this work.

etc.

Then:

if(retrieved user rank == 1)
{
  header('location: admin.php'); // Redirect to admin.php
}
elseif(retrieved user rank == 2)
{
  header('location: user.php'); // Redirect to user.php
}

Hi

I have altered my logincheck.php to the following:

<?php
	session_start();
	require "connect.php";
	$username = $_GET['username'];
	$password = $_GET['password'];
	$query = "select * from clergyid where Username ='".$username."' and Password ='".$password."'";
	$result = mysql_query($query, $connection)
	or die ("Unable to perform query<br>$query");
	$row = mysql_fetch_array($result);

	if ($row != null) {
	$_SESSION['username'] = $row['Username'];
	$_SESSION['password']= $row['Password'];
	$_SESSION['userlevel'] = $row ['Userlevel']; // store the value of user level
	if ($_SESSION['userlevel'] == 'admin') {header ("Location: admin.php");}                     //redirect to admin.php if the user is admin
	else {header ("Location: index.php");} // redirect to  main page if the user is registered user
	exit();
	}

	else{
	$message = "Invalid username or password please try again!";
	header ("Location: login.php? message=$message");
	exit();
	}
?>

But when I login with an admin user it still takes me to index.php where it should take me to admin.php I am really frustrated! Is there something I am doing wrong?

All sorted now thanks for you help guys

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.