> Sorry for the simple question but I'm trying to learn a little more
> about PHP and just need a little help. I'm currently running PHP3 if
> that helps. I just need to reload the "main" frame on my site with a
> new page once the user has logged in. All the navigation and login are
> handled from a nav frame with PHP script that checks if the user is
> authenticated. I know I need to put the code in my if...else loop but
> I'm not sure what the code is.
The FRAMEs are probably making your life harder, rather than easier... Oh
well.
So, you have a FORM in one FRAME with a NAME=user and NAME=pass field, and
you want to let them log in with that?...
You'll need to have, in that navigation FRAME:
<FORM ACTION=login.php TARGET=main METHOD=POST>
(Assuming you've used NAME=main in your FRAMESET page to name your main
frame...)
Then, in login.php, you'll have, well, something to see if their
username/password are valid...
Probably the easiest, or at least the most common solution, would be a MySQL
database:
create table user (
  user_id int auto_increment unique not null,
  user text,
  pass text
);
insert into user(user, pass) values('MarcJ', password('secret'));
NOTE the use of MySQL's "password" function. This basically scrambles the
word "secret" into something that nobody on the planet can unscramble back
to secret. More on that later...
Then, in your login page, something not unlike:
<?php
  # Assumes a MySQL connection is already open (mysql_connect/mysql_select_db).
  # Escape the form input before it goes into the SQL string, so that a quote
  # typed into either field cannot change the query. If magic_quotes_gpc is
  # on, PHP has already added the slashes.
  if (!get_magic_quotes_gpc()) {
    $user = addslashes($user);
    $pass = addslashes($pass);
  }
  $query = "select user_id, password('$pass') = pass from user where user = '$user'";
  /*
    Okay, now what's going on here?
    We're asking MySQL to look in the "user" table (... from user...)
    for people whose username matches the input (...where user = '$user'...)
    and we are getting two things.
    The first is relatively straight-forward: their user_id (select user_id...)
    The second (...password('$pass') = pass...) is a little tricky:
    MySQL's password function is going to scramble their input, just like
    before, and check if the two scrambled things are equal.
    Because while nobody can unscramble an egg, and nobody can unscramble a
    password() encrypted value, you *CAN* compare two scrambled password()
    encrypted values and see if the original inputs matched! Even more on
    this, still later.
    So, MySQL will compare what they put in (scrambled) with the correct
    (scrambled) value and if they are equal, will return 1, but, if not,
    will return 0.
  */
  $userinfo = mysql_query($query);
  # That line just sent the query to MySQL, and got a "ticket" back
  # You can use that ticket (below) to get your actual data:
  list($user_id, $valid) = mysql_fetch_row($userinfo);
  /*
    mysql_fetch_row will return an array with something like (1, 1) in it
    The first number is your user_id, and the second is 1/0 for a
    valid/bad password
    The list() function "deconstructs" that array into two variables.
  */
  if (isset($user_id) && $user_id && $valid){
    // Do whatever you want here for a valid user.
  }
  elseif (isset($user_id) && $user_id){
    // This is a correct username, but they got the wrong password.
  }
  else{
    // This guy doesn't even have his username correct...
  }
  /*
    This design actually allows for three possibilities:
    The user is valid, or they got their password wrong, but are a real
    user, or they don't even know a valid username to log in with.
  */
?>
The whole point of the password() function and scrambling the passwords is
that if somebody manages to break into your MySQL database, they do *NOT*
suddenly gain access to everybody's passwords, which, knowing users, are
probably the same damn passwords they use on their home computers, their
other web-sites, and maybe even their ATM card! It's a question of limiting
the damage/risk in the event that your MySQL data is compromised.
So the "secret" password isn't left lying around for people to steal -- It
only "lives" for a few seconds between their browser and your web-server,
and then you store the scrambled version, and you can later compare the
scrambled version of what they type (again, the "secret" password only
"lives" for a few seconds between their browser and your web-server) with
your long-ago scrambled version of the correct password.
The down-side: You can't go emailing them their passwords when they forget
because even *YOU* can't look up their password. All you've got is a
scrambled egg. What you'll do instead, is reset their password to some
randomly-generated string, and email that new password to them.
This is not, of course, totally secure (nothing is). But it takes a *real*
pro to sniff out their password in transit from their browser to your server
instead of just breaking into your MySQL database. Not that you don't want
to make that hard also, but every bit counts.
--
WARNING [EMAIL PROTECTED] address is an endangered species -- Use
[EMAIL PROTECTED]
Wanna help me out? Like Music? Buy a CD: http://l-i-e.com/artists.htm
Volunteer a little time: http://chatmusic.com/volunteer.htm
--
PHP General Mailing List (http://www.php.net/)
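
Added example, not part of the original message: the same flow (store a one-way hash, compare it on login with the three outcomes, reset a forgotten password to a random string), written for PHP 7.1+ with pdo_sqlite assumed. It swaps in password_hash()/password_verify() for MySQL's password() and prepared statements for the interpolated query; the in-memory SQLite table and the function names add_user, check_login and reset_password are illustrative.

```php
<?php
// Added example (not from the original post). Assumes PHP 7.1+ with pdo_sqlite;
// an in-memory SQLite table stands in for the MySQL "user" table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (
    user_id INTEGER PRIMARY KEY AUTOINCREMENT,
    user TEXT UNIQUE NOT NULL,
    pass TEXT NOT NULL)');

// Store only the salted one-way hash, never the password itself.
function add_user(PDO $db, string $user, string $pass): void {
    $st = $db->prepare('INSERT INTO user (user, pass) VALUES (?, ?)');
    $st->execute([$user, password_hash($pass, PASSWORD_DEFAULT)]);
}

// Returns 'valid', 'bad_password' or 'no_such_user' (the post's three cases).
function check_login(PDO $db, string $user, string $pass): string {
    // Placeholders keep the form input out of the SQL text.
    $st = $db->prepare('SELECT user_id, pass FROM user WHERE user = ?');
    $st->execute([$user]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return 'no_such_user';
    }
    return password_verify($pass, $row['pass']) ? 'valid' : 'bad_password';
}

// Forgotten password: the old one cannot be recovered, so set a random one.
function reset_password(PDO $db, string $user): ?string {
    $new = bin2hex(random_bytes(8));   // 16 hex characters
    $st = $db->prepare('UPDATE user SET pass = ? WHERE user = ?');
    $st->execute([password_hash($new, PASSWORD_DEFAULT), $user]);
    return $st->rowCount() === 1 ? $new : null;
}

add_user($db, 'MarcJ', 'secret');                 // constructed sample account
var_dump(check_login($db, 'MarcJ', 'secret'));    // right password
var_dump(check_login($db, 'MarcJ', 'guess'));     // wrong password
var_dump(check_login($db, "O'Brien", 'secret'));  // quote is treated as data
$temp = reset_password($db, 'MarcJ');             // value to e-mail to the user
var_dump(check_login($db, 'MarcJ', 'secret'));    // old password after reset
var_dump(check_login($db, 'MarcJ', $temp));       // new random password
```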