Skip to main content
Harm_Millaard
Harm_Millaard
Inspiring
November 19, 2011
Question

Building a registration/login system and errors

  • November 19, 2011
  • 1 reply
  • 901 views

I'm trying to build a registration and login system, so that I can password protect certain pages.

There will be different levels of users. If you are not registered, you can only access generic pages, if you are registered and logged in, you can see some pages, and if you have a subscription, you can access all pages. At least that is the intention.

I'm currently at step one and try to follow the tutorial of http://www.easykiss123.com/easy-setup-of-login-registration-and-password-protected-areas-on-your-website/

While the tutorial is quite nice, it contains a number of errors of things that just do not work as described. One is the use of 'mysqli_...' commands which need to be replaced by 'mysql_..' commands. Notice without the letter i.

Another problem in the tutorial is that one of the files contains a php function:

date_default_timezone_set ('Europe/London') call that can only be commented out.

Now with these adjustments things are getting underway, but using this code:

<?php # Script 16.8 - login.php

// This is the login page for the site.

require_once ('includes/config.inc.php');

$page_title = 'Login';

include ('includes/header.php');

if (isset($_POST['submitted'])) {

    require_once (MYSQL);

   

    // Validate the email address:

    if (!empty($_POST['email'])) {

       $e = mysql_real_escape_string ($dbc, $_POST['email']);

    } else {

        $e = FALSE;

        echo '<p class="error">You forgot to enter your email address!</p>';

    }

   

    // Validate the password:

    if (!empty($_POST['pass'])) {

       $p = mysql_real_escape_string ($dbc, $_POST['pass']);

    } else {

        $p = FALSE;

        echo '<p class="error">You forgot to enter your password!</p>';

    }

   

    if ($e && $p) { // If everything's OK.

   

        // Query the database:

        $q = "SELECT user_id, first_name, user_level FROM users WHERE (email='$e' AND pass=SHA1('$p')) AND active IS NULL";       

        $r = mysql_query ($dbc, $q) or trigger_error("Query: $q\n<br />MySQL Error: " . mysql_error($dbc));

       

        if (@mysql_num_rows($r) == 1) { // A match was made.

            // Register the values & redirect:

            $_SESSION = mysql_fetch_array ($r, MYSQL_ASSOC);

            mysql_free_result($r);

            mysql_close($dbc);

                           

            $url = BASE_URL . 'index.php'; // Define the URL:

            ob_end_clean(); // Delete the buffer.

            header("Location: $url");

            exit(); // Quit the script.

               

        } else { // No match was made.

            echo '<p class="error">Either the email address and password entered do not match those on file or you have not yet activated your account.</p>';

        }

       

    } else { // If everything wasn't OK.

        echo '<p class="error">Please try again.</p>';

    }

   

    mysql_close($dbc);

} // End of SUBMIT conditional.

?>

the two bold lines give the following error messages:

<p>An error occurred in script '/homepages/3/d173460647/

htdocs/ppbm6/Login/login.php' on line 13: mysql_real_escape_string() expects parameter 1 to be string, resource given
<br />Date/Time: 11-19-2011 05:40:32

<p>An error occurred in script '/homepages/3/d173460647/

htdocs/ppbm6/Login/login.php' on line 21: mysql_real_escape_string() expects parameter 1 to be string, resource given
<br />Date/Time: 11-19-2011 05:40:34

What did I do wrong here and how can I correct it?

This topic has been closed for replies.

1 reply

B
Community Expert
Ben MCommunity Expert
Community Expert
November 19, 2011

Harm, from what I can see the 2 - mysql_real_escape_string's and the mysql_query ($r=) are both backwards.  The $dbc is your link identifier and that should be the second part of the statement not the first.  So just reverse the order of $dbc and the other variables and it should correct the issue.

Harm_Millaard
Harm_MillaardAuthor
Inspiring
December 1, 2011

That helped me on the way, but I have a distinct feeling I still have some noob mistake in my code.

I have this code at the top of a protected page:

<?php

if (!isset($_SESSION)) {

  session_start();

}

$MM_authorizedUsers = "";

$MM_donotCheckaccess = "true";

// *** Restrict Access To Page: Grant or deny access to this page

function isAuthorized($strUsers, $strGroups, $UserName, $UserGroup) {

  // For security, start by assuming the visitor is NOT authorized.

  $isValid = False;

  // When a visitor has logged into this site, the Session variable MM_Username set equal to their username.

  // Therefore, we know that a user is NOT logged in if that Session variable is blank.

  if (!empty($UserName)) {

    // Besides being logged in, you may restrict access to only certain users based on an ID established when they login.

    // Parse the strings into arrays.

    $arrUsers = Explode(",", $strUsers);

    $arrGroups = Explode(",", $strGroups);

    if (in_array($UserName, $arrUsers)) {

      $isValid = true;

    }

    // Or, you may restrict access to only certain users based on their username.

    if (in_array($UserGroup, $arrGroups)) {

      $isValid = true;

    }

    if (($strUsers == "") && true) {

      $isValid = true;

    }

  }

  return $isValid;

}

$MM_restrictGoTo = "Login/login.php";

if (!((isset($_SESSION['MM_Username'])) && (isAuthorized("",$MM_authorizedUsers, $_SESSION['MM_Username'], $_SESSION['MM_UserGroup'])))) {  

  $MM_qsChar = "?";

  $MM_referrer = $_SERVER['PHP_SELF'];

  if (strpos($MM_restrictGoTo, "?")) $MM_qsChar = "&";

  if (isset($_SERVER['QUERY_STRING']) && strlen($_SERVER['QUERY_STRING']) > 0)

  $MM_referrer .= "?" . $_SERVER['QUERY_STRING'];

  $MM_restrictGoTo = $MM_restrictGoTo. $MM_qsChar . "accesscheck=" . urlencode($MM_referrer);

  header("Location: ". $MM_restrictGoTo);

  exit;

}

?>

OK, when I click on the menu choice on the originating page, http://ppbm6.com/index.html and click on the menu "Benchmark Results", I get to the login page as designed. So far, so good, I can fill in the email address and password, login and then it should open the protected page. However, all it accomplishes to do is empty the fields again, so there is no redirection at all. If I fill in a non-registered email address it correctly directs me to the registration page, but it does nothing with registered users.

The server behavior includes Restrict Access To Page ().

The code in the login script is:

<?php

if (!function_exists("GetSQLValueString")) {

function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")

{

  if (PHP_VERSION < 6) {

    $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;

  }

  $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);

  switch ($theType) {

    case "text":

      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";

      break;   

    case "long":

    case "int":

      $theValue = ($theValue != "") ? intval($theValue) : "NULL";

      break;

    case "double":

      $theValue = ($theValue != "") ? doubleval($theValue) : "NULL";

      break;

    case "date":

      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";

      break;

    case "defined":

      $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;

      break;

  }

  return $theValue;

}

}

if (!function_exists("GetSQLValueString")) {

function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")

{

  if (PHP_VERSION < 6) {

    $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;

  }

//  $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);

  switch ($theType) {

    case "text":

      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";

      break;   

    case "long":

    case "int":

      $theValue = ($theValue != "") ? intval($theValue) : "NULL";

      break;

    case "double":

      $theValue = ($theValue != "") ? doubleval($theValue) : "NULL";

      break;

    case "date":

      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";

      break;

    case "defined":

      $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;

      break;

  }

  return $theValue;

}

}

mysql_select_db($database_MYSQL, $MYSQL);

$query_Recordset1 = "SELECT * FROM users";

$Recordset1 = mysql_query($query_Recordset1, $MYSQL) or die(mysql_error());

$row_Recordset1 = mysql_fetch_assoc($Recordset1);

$totalRows_Recordset1 = mysql_num_rows($Recordset1);

# Script 16.8 - login.php

// This is the login page for the site.

require_once ('includes/config.inc.php');

$page_title = 'Login';

//include ('includes/header.php');

// Start output buffering:

ob_start();

// Initialize a session:

session_start();

// Check for a $page_title value:

if (!isset($page_title)) {

    $page_title = 'User Registration';

}

if (isset($_POST['submitted'])) {

    require_once (MYSQL);

    // Validate the email address:

    if (!empty($_POST['email'])) {

        $e = mysql_real_escape_string ($_POST['email'], $dbc);

    } else {

        $e = FALSE;

        echo '<p class="error">You forgot to enter your email address!</p>';

    }

   

    // Validate the password:

    if (!empty($_POST['pass'])) {

        $p = mysql_real_escape_string ($_POST['pass'], $dbc);

    } else {

        $p = FALSE;

        echo '<p class="error">You forgot to enter your password!</p>';

    }

    if ($e && $p) { // If everything's OK.

   

        // Query the database:

        $q = "SELECT user_id, first_name, last_name, email, user_level, pass FROM users WHERE (email='$e' AND pass='$p')";       

        $r = mysql_query ($q, $dbc) or trigger_error("Query: $q\n<br />MySQL Error: " . mysql_error($dbc));

        if (@mysql_num_rows($r) == 1) { // A match was made.

            // Register the values & redirect:

            $_SESSION = mysql_fetch_array ($r);

            mysql_free_result($r);

            mysql_close($dbc);

            $url = 'http://ppbm6.com/PPBM6.php'; // Define the URL:

            ob_end_clean(); // Delete the buffer.

            header("Location: $url");

            exit(); // Quit the script.

               

        } else { // No match was made.

            echo '<p class="error">Either the email address and password entered do not match those on file or you have not yet activated your account.</p>';

        }

       

    } else { // If everything wasn't OK.

        echo '<p class="error">Please try again.</p>';

    }

   

    mysql_close($dbc);

} // End of SUBMIT conditional.

?>

<?php

// *** Validate request to login to this site.

if (!isset($_SESSION)) {

  session_start();

}

$loginFormAction = $_SERVER['PHP_SELF'];

if (isset($_GET['accesscheck'])) {

  $_SESSION['PrevUrl'] = $_GET['accesscheck'];

}

if (isset($_POST['email'])) {

  $loginUsername=$_POST['email'];

  $password=$_POST['pass'];

  $MM_fldUserAuthorization = "";

  $MM_redirectLoginSuccess = "http://ppbm6.com/PPBM6.php";

  $MM_redirectLoginFailed = "http://ppbm6.com/Login/Registration.php";

  $MM_redirecttoReferrer = false;

  mysql_select_db($database_MYSQL, $MYSQL);

 

  $LoginRS__query=sprintf("SELECT email, pass FROM users WHERE email=%s AND pass=%s",

    GetSQLValueString($loginUsername, "text"), GetSQLValueString($password, "text"));

  

  $LoginRS = mysql_query($LoginRS__query, $MYSQL) or die(mysql_error());

  $loginFoundUser = mysql_num_rows($LoginRS);

  if ($loginFoundUser) {

     $loginStrGroup = "";

   

    if (PHP_VERSION >= 5.1) {session_regenerate_id(true);} else {session_regenerate_id();}

    //declare two session variables and assign them

    $_SESSION['MM_Username'] = $loginUsername;

    $_SESSION['MM_UserGroup'] = $loginStrGroup;         

    if (isset($_SESSION['PrevUrl']) && false) {

      $MM_redirectLoginSuccess = $_SESSION['PrevUrl'];   

    }

    header("Location: " . $MM_redirectLoginSuccess );

  }

  else {

    header("Location: ". $MM_redirectLoginFailed );

  }

}

?>

and the form code is:

<form action="<?php echo $loginFormAction; ?>" method="POST" name="login_form">

<h3>Please login first. If you haven't registered and activated your account, click on the Register button above.</h3><fieldset>

<blockquote>

Your browser must allow cookies in order to login.

    <p><b>Email Address : </b> <input type="text" name="email" value="<?php if (isset($_POST['email'])) echo $_POST['email']; ?>" size="35" maxlength="40" /></p>

    <p><b>Password :         </b>

      <input type="password" name="pass" value="<?php if (isset($_POST['pass'])) echo $_POST['pass']; ?>" size="20" maxlength="20" /></p>

    <input type="hidden" name="submitted" />

    <input name="user_level" type="hidden" value="0" />

    <input name="active" type="hidden" />

    <input type="submit" name="Submit" value="Login" />

    </blockquote></fieldset>

</form></div>

The login script includes the Sever Behavior Log In User and shows like this:

I would expect it to revert to http://ppbm6.com/PPBM6.php after successful login but that does not happen.

I am pretty sure I have overlooked something very simple here, but if you have any suggestions, I would appreciate it.

Terms & ConditionsAccessibility statement
Using the community Terms of use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices