Login & Sessions

[meesh2175]

Hello, I am new at creating sessions and I have come to a road block with my website. I have created a login page which checks the username and password to see if the user exists. If they do, it stores their userrecord.

Once the user has logged in, they can navigate through the website. Each page within the website starts with:

Code: Select all

<?php
require_once("logincheck.php");
session_start();
?>


The logincheck.php checks to make sure a user is logged with a valid username and password:

Logincheck.php

Code: Select all

<?php
session_start();
require_once('config.php');

mysql_connect(DB_HOST, DB_USER, DB_PASSWORD) or die("Can't connect to database");
mysql_select_db(DB_DATABASE) or die(mysql_error());

$myusername = $_SESSION['username'];
$mypassword = $_SESSION['password'];

$sql = "SELECT * FROM users WHERE username ='$myusername' AND password ='$mypassword'";

$result = mysql_query($sql);
$count = mysql_num_rows($result);

if($count == 0) {header("location:index.php");}
else{$_SESSION["userrecord"] = mysql_fetch_assoc($result);}

?>


The part I am having problems with is the "Update Password" page. Once the user updates their password, it makes them log back in again. Is there a way to avoid the user from having to log back in? Below is my code for updating my database with the new password.

Code: Select all

<?php
session_start();
require_once('config.php');

$errmsg_arr = array(); //Array to store validation errors
$errflag = false; //Validation error flag

$myusername = $_SESSION['username'];
   
$link = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD);
if(!$link) {die('Failed to connect to server: ' . mysql_error());}
   
$db = mysql_select_db(DB_DATABASE); if(!$db) {die("Unable to select database");}

//Function to sanitize values received from the form. Prevents SQL injection
function clean($str) {
$str = @trim($str);
if(get_magic_quotes_gpc()) {
   $str = stripslashes($str);   }
   return mysql_real_escape_string($str);   }
   
//Sanitize the POST values
$password1 = clean($_POST['password1']);
$password2 = clean($_POST['password2']);
$secret_password = md5($password2);

//Create INSERT query
if($password1 == $password2){
$qry = "UPDATE users
      SET password = '$secret_password'
      WHERE username = '$myusername'";
   
$result = @mysql_query($qry);
}
   
//Check whether the query was successful or not
if($result)
{header("location: password_updated.php");
exit();   }
else {header("location: password_wrong.php");}
?>


Any suggestions? Thanks!!

[egami]

show me password_updated.php

[meesh2175]

Here is password_updated.php:

Code: Select all

<?php session_start(); ?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>My Login Website</title>
</head>

<body>
<table width="750" border="0" align="center" cellpadding="8" cellspacing="0" class="table">
<tr>
<td width="209" height="30" bgcolor="#000000" style="font-weight: bold; color: #999;"><span style="font-weight: bold; font-size: 20px; color: #FFF;">UPDATE PASSWORD</span></td>
<td width="359" height="30" align="right" bgcolor="#000000" style="font-weight: bold">&nbsp;</td>
</tr>
<tr>
<td colspan="2" bgcolor="#CCCCCC" style="font-weight: bold"><span style="color: #000; text-align: left;">Password Updated</span>
</td></tr>
<tr>
<td height="75" colspan="2" align="left"><p>Your password was successfully updated. </p></td></tr>
</table>
</body>
</html>


[egami]

each page should begin with

<?php
session_start();
....


and then, include logincheck.php


I do it a bit differently..


<?php
session_start();
if (!isset($_SESSION['loggedin']))
{
header("Location: login.php");
}

//db..
include ('/path/to/sql/include/file');

...stuff here....