Username (e.g. epiz_XXX) or Website URL
(please specify the website or account you are asking about)
If someone could help me with the correct PHP coding to prevent access to a page unless I’m logged in, it would be greatly appreciated.
I have a number of forms on my site that I want to restrict access to unless user (Admin) is logged in.
From articles/tutorials I’ve read, I believe this can be achieved by using “session_start(); but cannot get the example PHP codes from the articles/tutorials to produce the results I’m after.
Example - Cue Well Snooker (epizy.com) should only be accessible after login, but it’s not. Anyone knowing the URL can load the page, and then fill and submit the form and data gets inserted into my db. Not good. I want to control who can access my forms.
Currently I have a “login” table in my db with username/password for 1 user. Me : )
This is a list of files I’ve been working on and I’ve provided code for most below to help you understand.
- config/auth.php
- config/config.php
- config/login.php
- config/session.php
- login-failed.php
- record-friday-results.php
config.php – This file has my database details, creates connection, and checks if connection is working or not.
I have tested the config.php file and can see “Success” or “Fail” message, so all works fine using config.php
login.php – If login credentials match database, user is redirected to record-friday-results.php -
Cue Well Snooker (epizy.com)
If login credentials DO NOT match database, user is redirected to login-failed.php - Cue Well Snooker (epizy.com) so all works fine.
The login form can be seen here - Cue Well Snooker (epizy.com) or form code seen below.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Cue Well Snooker</title>
<link rel="icon" type="image/x-icon" href="/images/favicon.ico">
<meta name="viewport" content="width=device-width, initial-scale=1">
<!-- Link css file -->
<link href="../css/style.css" rel="stylesheet" type="text/css">
</head>
<body>
<div class="header">
<!-- Logo -->
<a href="../index.php" class="logo"><img src="../images/cws.png" style="border: 0px"></a>
</div>
<?php require_once('../navbar.php'); ?>
<!-- Container -->
<div class="container">
<div class="formcontainer">
<h2>Login Required</h2>
<!-- <h3>to record Friday night results</h3> -->
<form name="f1" action = "auth.php" onsubmit = "return validation()" method = "POST">
<input type = "text" id ="user" required placeholder="User Id" name = "user" />
<input type = "password" id ="pass" required placeholder="*********" name = "pass" />
<input type="submit" value="LOGIN" name="insert">
</form>
</div>
</div>
<script>
function validation()
{
var id=document.f1.user.value;
var ps=document.f1.pass.value;
if(id.length=="" && ps.length=="") {
alert("User Name and Password fields are empty");
return false;
}
else
{
if(id.length=="") {
alert("User Name is empty");
return false;
}
if (ps.length=="") {
alert("Password field is empty");
return false;
}
}
}
</script>
</body>
</html>
auth.php – The PHP code appears to do what’s required here. I’m simply providing it in case you think it requires any changes.
<?php
require_once('config.php'); //database details, create connection and check if connection is working or not.
$username = $_POST['user'];
$password = $_POST['pass'];
//to prevent from mysqli injection
$username = stripcslashes($username);
$password = stripcslashes($password);
$username = mysqli_real_escape_string($con, $username);
$password = mysqli_real_escape_string($con, $password);
$sql = "select *from login where username = '$username' and password = '$password'";
$result = mysqli_query($con, $sql);
$row = mysqli_fetch_array($result, MYSQLI_ASSOC);
$count = mysqli_num_rows($result);
if($count == 1){
header('Location: ../record-friday-results.php');
}
else{
header('Location: ../login-failed.php');
}
?>
session.php – If I add require_once(‘…/config.php’); and require_once(‘…/session.php’); files to the top of record-friday-results.php, and I get HTTP ERROR 500
<?php
// Start the session
session_start();
// if the user is already logged in then redirect user to page
if (!isset($_SESSION['username']) ||(trim ($_SESSION['password']) == '')) {
header('Location: ../record-friday-results.php');
else{
header('Location: ../login.php');
exit();
}
?>
record-friday-results.php
. <?php
//require_once('../config.php'); *commented out so page content displays for you*
//require_once('../session.php'); *commented out so page content displays for you*
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Cue Well Snooker</title>
<link rel="icon" type="image/x-icon" href="/images/favicon.ico">
<meta name="viewport" content="width=device-width, initial-scale=1">
<!-- Link css file -->
<link href="css/style.css" rel="stylesheet" type="text/css">
</head>
<body>
<div class="header">
<!-- Logo -->
<a href="index.php" class="logo"><img src="images/cws.png" style="border: 0px"></a>
</div>
<?php require_once('navbar.php'); ?>
<!-- Container -->
<div class="container">
<div class="pageheading">
<h1>Record Friday Results</h1>
</div>
<div class="formcontainer">
<form method="post" form action="record-friday-results.php">
<input type="date" id="date" required placeholder="date" name="date"><br>
<input type="doubles" id="friwinner" required placeholder="Winners" name="friwinner">
<input type="doubles" id="frirunnerup" required placeholder="Runners Up" name="frirunnerup">
<input type="doubles" id="frifirstquarter" required placeholder="1st QTR Finalists" name="frifirstquarter">
<input type="doubles" id="frisecondquarter" required placeholder="2nd QTR Finalists" name="frisecondquarter">
<input type="submit" value="Submit" name="insert">
</form>
<h3><a href="comp-friday-results.php">View uploaded results</a></h3>
</div>
</div>
</body>
</html>