Copy variable across URLs

Sitehelp

If anyone can help with this I would be SOOO appreciative!

I am creating an online Help System using Dreamweaver MX, and I am creating it using PHP. Up until now all was going fine. The user can log in and it verifies their password in the database and then copies the clientID into the URL so it can be retrieved on the next page, however, once you have logged in I want it to be able to recognise the user on all the pages thus needing the ClientID to pass through all the URLs, or at least I presume this is the best and easiest way. I can get it through to one, when copying from the log in to the next page, as it's done through a submit button, but cannot copy it to the other pages at all. I have imported buttons from Fireworks and created a navigation bar with them, which is in JavaScript I believe. Any ideas how I could get these buttons to copy the ClientID from the URL into the next URL when I click a link? I am using Dreamweaver MX by the way, if that makes any difference. Any help will be MUCH appreciated, hope this all made sense!!!!
 
Sessions is the way to go.
Your method would allow easy tinkering with passing random client IDs just per GET variable. You don't want people to be able to easily break into your system.
Sessions hide vars much better. Only the session ID is usually transferred in a cookie.
 
Actually just one more question, I have looked into sessions and cheers, that will hopefully sort it! However, my code to validate a user log in is:

session_start();
$sql = "SELECT ClientID, cpassword FROM clientinfo
WHERE ClientID='$ClientID'
AND cpassword='$fpassword'";
$result = mysql_query($sql)
or die("Couldn't execute query.");
$num = mysql_num_rows($result);
if ($num == 1)
header("location: Logged In/WelcomeUserPage.php?ClientID=".$HTTP_POST_VARS['ClientID']."");

This selects the relevant data out of the database and cross matches it with the data the user enters. If I was to do sessions what would be the best way to include it into this code? I am using MySQL as the DB. Thanks again!
 
First a note:
Your code looks like it's expecting register_globals to be on. Since PHP 4.2.0 its default setting is OFF. That means you have to refer to vars differently, either $_POST['ClientID'], $_GET[...] etc. These superglobal arrays are better than a) expecting register_globals to be on and b) having to deal with the security risks of register_globals ON.
Read:
Now for the solution:
Write a function checkUser() that looks if $_SESSION['ClientID'] exists. If that is so, return true.
If the session var is not there the user hasn't logged in yet. Redirect to the login script.

The login.php is basically a form that takes ClientID and password. When the form posts check it against the table information. If it passes initialize the session variable with the clientID.

This is the basic setup.
 
Cheers DRJ478, I am a newbie on all this so just getting my head around it all! ok I think I am getting there, so I create a Session like:

<?php
session_start();
$_SESSION ['$ClientID']

but according to it says that you create the next bit as (for their example):

echo '<br /><a href="page2.php?' . SID . '">page 2</a>';

I know this is passing the word SID through the URL, do I create it like this replacing the SID with the $ClientID (the name of the client ID box) and it matches it to ClientID in the DB in MySQL?
If not how do I lay out $_SESSION['ClientID']? Sorry to ask so many questions but I am new at php and so just learning as I go along. Cheers!
 
When you use session_start() you make PHP aware of the session context. If it is the first time, an internal session ID is created. In successive calls, if the ID is sent with the request, the session information is loaded.

If your sessions are cookie based - print the phpinfo() - you need not do anything else but call session_start() at the top of each of the PHP scripts being accessed.

To assign a variable into the session data use:
Code:
$_SESSION['ClientID'] = $_POST['ClientID'];
That's how you would set the clientID after successful check against the table.

To make it clearer:
The login script should initialize the session after the visitor provides the credentials and they check out ok.

I'd stay away from passing any session related info through the URL because that's just what you wanted to get away from. Cookie based is best.
 
ok nearly there! right so I have put:

session_start();
$sql = "SELECT ClientID, cpassword FROM clientinfo
WHERE ClientID='$ClientID'
AND cpassword='$fpassword'";
$result = mysql_query($sql)
or die("Couldn't execute query.");
$num = mysql_num_rows($result);
header("location: Logged In/WelcomeUserPage.php?");
$_SESSION['ClientID'] = $_POST['ClientID'];

which I presume is correct. I am now only unsure about phpinfo() and using cookies. I have checked on phpinfo and it says that my sessions are enabled as well as session use cookies is enabled so I presume that is what you mean. I presume that the above checks the users details they just entered, their username and password, and then submits the clientID using the POST section. I have tested the above and it's not working, obviously due to something I have done but I am unsure, cheers again!
 
One problem.

This line:
$_SESSION['ClientID'] = $_POST['ClientID'];

Will never run. A "Location" header redirects the browser immediately. Which means script execution stops at that point. Move the line above to before your heaer() invocation.

Want the best answers? Ask the best questions: TANSTAAFL!!
 
Yeah that's what was happening, it was logging me in straight away. You say stick it above heaer(), you mean the header.... section??? I tried this but it still does the same, i.e.

<?php require_once('../Connections/MARTIN.php'); ?>
<?php
if ((isset($HTTP_POST_VARS["MM_insert"])) && ($HTTP_POST_VARS["MM_insert"] == "form3")) {
$insertSQL = sprintf("INSERT INTO loggedindetails (ClientID) VALUES (%s)",
GetSQLValueString($HTTP_POST_VARS['ClientID'], "text"));

mysql_select_db($database_MARTIN, $MARTIN);
$Result1 = mysql_query($insertSQL, $MARTIN) or die(mysql_error());


if (isset($HTTP_SERVER_VARS['QUERY_STRING'])) {
$insertGoTo .= (strpos($insertGoTo, '?')) ? "&" : "?";
$insertGoTo .= $HTTP_SERVER_VARS['QUERY_STRING'];
}
header(sprintf("Location: %s", $insertGoTo));
}

$colname_Recordset1 = "1";
if (isset($HTTP_GET_VARS['ClientID'])) {
$colname_Recordset1 = (get_magic_quotes_gpc()) ? $HTTP_GET_VARS['ClientID'] : addslashes($HTTP_GET_VARS['ClientID']);
}
mysql_select_db($database_MARTIN, $MARTIN);
$query_Recordset1 = sprintf("SELECT ClientID FROM clientinfo WHERE ClientID = '%s'", $colname_Recordset1);
$Recordset1 = mysql_query($query_Recordset1, $MARTIN) or die(mysql_error());
$row_Recordset1 = mysql_fetch_assoc($Recordset1);
$totalRows_Recordset1 = mysql_num_rows($Recordset1);


I decided to include all previous code as well as it may make things easier! cheers guys!
 
1. Be careful with the header. It redirects immediately, that means the code after it will never run.

2. You still use $ClientID without referring to $_POST['ClientID'].

3. I'd make it conditional:
Code:
<?php
session_start();

# check if not logged in
if (!isset($_SESSION['ClientID'])){
  # ... database code here ...
  # if user ok
  $_SESSION['ClientID'] = $_POST['ClientID'];

  # now redirect
  header("Location: ....");
}

Ok?
 
sorry then it says:

session_start();
$sql = "SELECT ClientID, cpassword FROM clientinfo
WHERE ClientID='$ClientID'
AND cpassword='$fpassword'";
$result = mysql_query($sql)
or die("Couldn't execute query.");
$num = mysql_num_rows($result);
$_SESSION['ClientID'] = $_POST['ClientID'];
header("location: Logged In/WelcomeUserPage.php?");

I missed that bit! cheers
 
excellent nearly there I think! ok I have:

session_start();
# check if not logged in
if (!isset($_SESSION['ClientID'])){

$sql = "SELECT ClientID, cpassword FROM clientinfo
WHERE ClientID='$ClientID'
AND cpassword='$fpassword'";
$result = mysql_query($sql)
or die("Couldn't execute query.");
$num = mysql_num_rows($result);
// $_SESSION['ClientID'] = $_POST['ClientID'];

// ... database code here ...
# if user ok
$_SESSION['ClientID'] = $_POST['ClientID'];

# now redirect
header("location: Logged In/WelcomeUserPage.php?");
}

This is close, isn't it, still not working though but it is doing more than before, that's for sure! Any ideas on the last bit to get this going? Thanks!
 
Please explain "still not working".
What do you want or expect it to do?
 
sorry about that! it's still skipping to the next page without looking at the code! it goes like this:

<?php require_once('../Connections/MARTIN.php'); ?>
<?php
if ((isset($HTTP_POST_VARS["MM_insert"])) && ($HTTP_POST_VARS["MM_insert"] == "form3")) {
$insertSQL = sprintf("INSERT INTO loggedindetails (ClientID) VALUES (%s)",
GetSQLValueString($HTTP_POST_VARS['ClientID'], "text"));

mysql_select_db($database_MARTIN, $MARTIN);
$Result1 = mysql_query($insertSQL, $MARTIN) or die(mysql_error());


if (isset($HTTP_SERVER_VARS['QUERY_STRING'])) {
$insertGoTo .= (strpos($insertGoTo, '?')) ? "&" : "?";
$insertGoTo .= $HTTP_SERVER_VARS['QUERY_STRING'];
}
header(sprintf("Location: %s", $insertGoTo));
}

$colname_Recordset1 = "1";
if (isset($HTTP_GET_VARS['ClientID'])) {
$colname_Recordset1 = (get_magic_quotes_gpc()) ? $HTTP_GET_VARS['ClientID'] : addslashes($HTTP_GET_VARS['ClientID']);
}
mysql_select_db($database_MARTIN, $MARTIN);
$query_Recordset1 = sprintf("SELECT ClientID FROM clientinfo WHERE ClientID = '%s'", $colname_Recordset1);
$Recordset1 = mysql_query($query_Recordset1, $MARTIN) or die(mysql_error());
$row_Recordset1 = mysql_fetch_assoc($Recordset1);
$totalRows_Recordset1 = mysql_num_rows($Recordset1);
session_start();
# check if not logged in
if (!isset($_SESSION['ClientID'])){

$sql = "SELECT ClientID, cpassword FROM clientinfo
WHERE ClientID='$ClientID'
AND cpassword='$fpassword'";
$result = mysql_query($sql)
or die("Couldn't execute query.");
$num = mysql_num_rows($result);
// $_SESSION['ClientID'] = $_POST['ClientID'];

// ... database code here ...
# if user ok
$_SESSION['ClientID'] = $_POST['ClientID'];

# now redirect
header("location: Logged In/WelcomeUserPage.php");
}


Thanks!
 
Don't call the script directly. You should have a login form that POSTs to it. Here's some rudimentary code:
Code:
# check if not logged in
if (!isset($_SESSION['ClientID']) && isset($_POST['ClientID'])){

     $sql = "SELECT ClientID, cpassword FROM clientinfo
             WHERE ClientID='".$_POST['ClientID']."'
             AND cpassword='".$_POST['fpassword']."'";
     $result = mysql_query($sql)
               or die("Couldn't execute query.");
     $num = mysql_num_rows($result);
     // $_SESSION['ClientID'] = $_POST['ClientID'];

     // ... database code here ...
     # if user ok
     $_SESSION['ClientID'] = $_POST['ClientID'];

     # now redirect
     header("location: http://localhost/project/User Logged In/WelcomeUserPage.php");
}
# form was not posted -> draw it
print "<html><body>\n";
print '<form name="login" action="'.$_SERVER['PHP_SELF'].'" method="post">';
print 'Username : <input type="text" name="ClientID"><br>';
print 'Password : <input type="password" name="fpassword"><br>';
print '<input type="submit" value="Submit"></form></body></html>';

Alternatively redirect to an HTML page login.html that has a form like the above.

It will work, however, the most important thing is to learn to get the basic concepts and lay out the application.

Cheers.
 
ok excellent I think it's nearly there! it is coming up with the correct page now, however, I enter the username and password I have stored in the DB and it comes up with:

Couldn't execute query.

It is the correct details I am entering! I have entered the code as follows:

# check if not logged in
if (!isset($_SESSION['ClientID'])&& isset($_POST['ClientID'])){

$sql = "SELECT ClientID, cpassword FROM clientinfo
WHERE ClientID='".$_POST['$ClientID']."'
AND fpassword='".$_POST['$Cpassword']."'";
$result = mysql_query($sql)
or die("Couldn't execute query.");
$num = mysql_num_rows($result);
// $_SESSION['ClientID'] = $_POST['ClientID'];

// ... database code here ...
# if user ok
$_SESSION['ClientID'] = $_POST['ClientID'];

# now redirect
header("location: Logged In/WelcomeUserPage.php");
}

I haven't a start_session() in it! I removed the forms you mentioned as this is being put inside an editable region as I created borders in Frameworks and imported them into Dreamweaver MX and I have created a form already with the username and password text fields in (called ClientID and fpassword). The only thing now is matching the password and username to the DB and bringing the correct page up! thanks for this!
 
A slightly optimized SQL statement:
Code:
# table column is cpassword; the form field is fpassword
$SQL = "SELECT count(ClientID) AS num FROM clientinfo
        WHERE ClientID ='".$_POST['ClientID']."'
        AND cpassword = '".$_POST['fpassword']."'";

$result = mysql_query($SQL) OR die("Error: MySQL said ".mysql_error());
$row = mysql_fetch_assoc($result);

# if num is 1 -> go ahead, 0 -> wrong pw/user
if ($row['num'] == 1){
  // ... redirect to destination ...
} else {
  // ... error message, try again ...
}

This is just a chunk of code. You will need to initialize the session.
 
ok it's loading up the correct page and letting me log in. However it's letting any username and password log in regardless of whether it's in the DB or not! Any ideas? The code is:

# check if not logged in
if (!isset($_SESSION['ClientID'])&& isset($_POST['ClientID'])){

$SQL = "SELECT count(ClientID) AS num FROM clientinfo
WHERE ClientID ='".$_POST['$ClientID']."'
AND Cpassword = '".$_POST['$fPassword']."'";

$result = mysql_query($SQL) OR die("Error: MySQL said ".mysql_error());
$row = mysql_fetch_assoc($result);

# if num is 1 -> go ahead, 0 -> wrong pw/user
if ($row['num'] == 1){
// ... redirect to destination ...
} else {
// ... error message, try again ...
} // $_SESSION['ClientID'] = $_POST['ClientID'];

// ... database code here ...
# if user ok
$_SESSION['ClientID'] = $_POST['ClientID'];

# now redirect
header("location: Logged In/WelcomeUserPage.php");
}



Cheers again!
 
You need to get away from cut-n-paste and put your mind to it. This forum will help you with general issues but not write your code. You are intelligent enough not to be spoonfed.
Replace the commented statements with your code that a) redirects when 1 result is found or b) gives an error message.
Code:
if ($row['num'] == 1){
  // ... redirect to destination ...
} else {
  // ... error message, try again ...
}
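
The login flow this thread works toward, as an added example that is not code from any of the posters: the session gets a ClientID only after the credential check passes, and every protected page asks checkUser(). It assumes PHP 7.1+ with PDO/SQLite standing in for the thread's mysql_* calls, a cpassword column holding a password_hash() value, and the hypothetical helper names demoDb(), authenticate() and handleLogin().

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.1+, pdo_sqlite, and
// that cpassword holds a password_hash() value (the thread compares plaintext).
function demoDb(): PDO {   // constructed sample data shaped like clientinfo
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE clientinfo (ClientID TEXT PRIMARY KEY, cpassword TEXT)');
    $db->prepare('INSERT INTO clientinfo VALUES (?, ?)')
       ->execute(['client42', password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $db;
}

// True only if the row exists and the password matches the stored hash.
// Bound parameter: the posted ClientID never becomes part of the SQL text.
function authenticate(PDO $db, string $clientId, string $password): bool {
    $stmt = $db->prepare('SELECT cpassword FROM clientinfo WHERE ClientID = ?');
    $stmt->execute([$clientId]);
    $hash = $stmt->fetchColumn();
    return is_string($hash) && password_verify($password, $hash);
}

// checkUser() as the thread describes it: logged in means ClientID is in the session.
function checkUser(array $session): bool {
    return isset($session['ClientID']);
}

// Returns the redirect target; writes to the session only after the check passes.
function handleLogin(PDO $db, array $post, array &$session): string {
    $id = $post['ClientID'] ?? '';
    $pw = $post['fpassword'] ?? '';
    if (!is_string($id) || !is_string($pw) || !authenticate($db, $id, $pw)) {
        return 'login.php';                 // failed login: session untouched
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);        // fresh session ID once authenticated
    }
    $session['ClientID'] = $id;
    return 'Logged In/WelcomeUserPage.php';
}

// In login.php, after session_start():
//   header('Location: ' . handleLogin($db, $_POST, $_SESSION));
//   exit;  // stop here so nothing below the redirect runs
$db = demoDb();
$session = [];   // stands in for $_SESSION so the demo runs from the CLI
foreach ([['client42', 'wrong'], ['nobody', 'x'], ['client42', 'correct horse']] as [$id, $pw]) {
    $target = handleLogin($db, ['ClientID' => $id, 'fpassword' => $pw], $session);
    printf("%-9s -> %-30s logged in: %s\n", $id, $target, checkUser($session) ? 'yes' : 'no');
}
```

Run from the command line, the demo loop tries a wrong password, an unknown ClientID and the correct pair in turn, and prints the redirect target and checkUser() result for each.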
 