Admin Login (Updated 07/20/2007)
Below are 6 pages that work together to demonstrate how a typical PHP/MySQL login can function. We use the "administrators" paradigm first, since we need to be able to log in and edit our data. First the admin navigates to "adminLogin.php", which is a form. This form targets the page "adminVal.php", which queries the database and verifies the identity of the user by the email and password fields. If the login is unsuccessful, the user is directed back to the original page, with feedback passed via the query string. If the login is successful, the user's identity data is stored in a Session variable and the user is forwarded to "admin.php", which is a sample "password protected" page.
admin.php references an include file, "adminOnlyINC.php", which redirects any user that does not meet the Session criteria. admin.php also includes a link to the page "adminLogout.php", which destroys the Session and redirects the user back to the login page with an appropriate message.
The last page is called "configINC1.php", which is where you can store configuration info about your server and developers, such as an email to contact for support. We'll use this file to store the addresses of the admin pages involved.
IF YOU ARE USING ZEPHIR: Three pages need the sessionINC.php page included: adminVal.php, adminOnlyINC.php and adminLogout.php. These includes are present but commented out in the code.
When you incorporate this code into your pages, remember to remove the duplicate ob_start() and ob_flush() calls, as these are already built into the template for your site pages.
NOTE: This demo assumes you have working copies of “connINC.php” and “utilINC1.php” found on other documents.
These files require the following example table to be in your MySQL database. Below is the test table we are working with:
create table horsey01.Admin(
AdminID int unsigned not null auto_increment primary key,
LastName varchar(50),
FirstName varchar(50),
Email varchar(80),
AdminPW varchar(20)
);
insert into horsey01.Admin values
(NULL,"Smith","Bob","","mypass"),
(NULL,"Jones","Bill","","mypass"),
(NULL,"Doe","John","","mypass"),
(NULL,"Rules","Ann","","mypass");
Remember to replace any references to user "horsey" with your username. Below are the files:
****************************************************************************
<?php
//adminLogin.php
//uses adminVal.php to verify auth of user
//forwards user to admin.php, upon successful login
include("include/configINC1.php"); //required for addresses of admin pages ($aVal)
//the msg code arrives on the query string; it is cast to an integer so only one of the
//fixed strings below can ever be printed into the page
if(isset($_GET['msg'])){$myMsg = (int)trim($_GET['msg']);}else{$myMsg = 0;}
switch($myMsg)
{
case 1:
$myMsg = "You have successfully logged out!";
break;
case 2:
$myMsg = "Your login or password are incorrect. Please try again or email support.";
break;
case 3:
$myMsg = "You failed to enter your email or password. Please try again.";
break;
case 4:
$myMsg = "An error has occurred during login. Please advise support you received error adlog" . __LINE__;
break;
case 5:
$myMsg = "Your login information has timed out. Please login again.";
break;
default:
$myMsg = "";
}
?>
<html>
<head><title>adminLogin.php</title></head>
<body>
<div align="center"><h1>Admin Login</h1></div>
<div align="center"><font color="red"><h4><?php print $myMsg; ?></h4></font></div>
<form action="<?php print $aVal; ?>" method="post">
<table align="center">
<tr>
<td>
Email:<input type="text" size="25" maxlength="60" name="em" /><br />
Password:<input type="password" size="25" maxlength="25" name="pw" /><br />
<div align="center"><input type="submit" value="login" /></div>
</td>
</tr>
</table>
</form>
</body>
</html>
***************************************************************************
<?php
//adminVal.php
//receives form data from adminLogin.php to verify auth of user
//forwards user to admin.php, upon successful login
//If no data entered into email/pass redirect back to login form
//WARNING: This demo does NOT defend against SQL INJECTION (To be covered later in class!)
ob_start();
$myDebug = 1; //myDebug=1 shows developer/user errors!
$myTable = "horsey01.Admin"; //change to match your db/table
include("include/utilINC1.php"); //required for myRedirect()/myerror()
include("include/configINC1.php"); //required for addresses of admin pages
//include("include/sessionINC.php"); //ZEPHIR SPECIFIC SESSION PAGE
//------
//the form always posts both fields, so an EMPTY field (not just a missing one) must send the user back with msg=3
if(isset($_POST['em']) && trim($_POST['em']) != ""){$Email = strip_tags(trim($_POST['em']));}else{myRedirect($aLogin . "?msg=3");}
if(isset($_POST['pw']) && trim($_POST['pw']) != ""){$MyPass = strip_tags(trim($_POST['pw']));}else{myRedirect($aLogin . "?msg=3");}
include("include/connINC.php"); //creates connection variable: myConn (legacy mysql_* extension)
//user input is concatenated straight into the SQL text here (see WARNING above)
$passSQL = "select AdminID, FirstName from " . $myTable . " where Email='" . $Email . "' and AdminPW='" . $MyPass . "'";
$myData = @mysql_query($passSQL,$myConn) or die(myerror($myDebug,__FILE__,__LINE__,mysql_error()));
if(mysql_num_rows($myData) > 0) //at least one row matched both email and password
{//valid user, create session vars, redirect!
$row = mysql_fetch_array($myData);
@session_start();
$_SESSION["sAdminID"] = trim($row["AdminID"]);
$_SESSION["sFirstName"] = trim($row["FirstName"]);
myRedirect($aSuccess);
}else{//failed login, redirect
myRedirect($aLogin . "?msg=2");
}
ob_flush();
?>
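The WARNING in adminVal.php is the whole point of the next class; for readers who want to see the fixed form now, here is an added example (not part of the handout) of the same validation step written so that neither form field can change the SQL. It assumes a connINC.php that creates $myConn as a mysqli object instead of a legacy mysql link, an AdminPW column widened to varchar(255) so it can hold password_hash() output, and that the handout's myRedirect() issues a Location header and exits. The sLastSeen session key is hypothetical and only matters if a protected page checks it.

```php
<?php
//adminValSafe.php (added example, not the handout's adminVal.php)
//Same flow as adminVal.php, but the lookup is a prepared statement and the
//password is checked with password_verify() against a password_hash() digest.
//ASSUMPTIONS: $myConn is a mysqli connection; Admin.AdminPW is varchar(255)
//and holds password_hash() output; myRedirect() sends a Location header and exits.
ob_start();
$myDebug = 1;
$myTable = "horsey01.Admin"; //a constant from this script, never from the request
include("include/utilINC1.php");   //myRedirect(), myerror()
include("include/configINC1.php"); //$aLogin, $aSuccess

$Email  = isset($_POST['em']) ? trim($_POST['em']) : '';
$MyPass = isset($_POST['pw']) ? $_POST['pw'] : '';   //a password is compared, never trimmed or stripped
if ($Email === '' || $MyPass === '') { myRedirect($aLogin . "?msg=3"); }

include("include/connINC.php"); //assumed: $myConn = new mysqli(...)

//The "?" placeholder keeps the email out of the SQL text entirely; the driver
//sends it as a separate value, so quotes or comment markers in it are just data.
$stmt = $myConn->prepare("select AdminID, FirstName, AdminPW from " . $myTable . " where Email = ? limit 1");
if ($stmt === false) { die(myerror($myDebug, __FILE__, __LINE__, $myConn->error)); }
$stmt->bind_param("s", $Email);
$stmt->execute();
$stmt->bind_result($adminID, $firstName, $storedHash);
$found = ($stmt->fetch() === true);
$stmt->close();

//Always run password_verify(), even for an unknown email, so the response time
//does not differ between "no such account" and "wrong password".
$dummyHash   = password_hash("placeholder-not-a-real-password", PASSWORD_DEFAULT);
$hashToCheck = $found ? $storedHash : $dummyHash;
if (password_verify($MyPass, $hashToCheck) && $found) {
    session_start();
    session_regenerate_id(true);           //fresh session id once the user is authenticated
    $_SESSION["sAdminID"]   = (int)$adminID;
    $_SESSION["sFirstName"] = $firstName;
    $_SESSION["sLastSeen"]  = time();      //hypothetical: used by an idle-timeout check
    myRedirect($aSuccess);
} else {
    myRedirect($aLogin . "?msg=2");
}
ob_flush();
?>
```

With this version the rows in the Admin table must be created with the digest rather than the clear text, for example by inserting the value of password_hash("mypass", PASSWORD_DEFAULT) into AdminPW; the plaintext "mypass" rows from the create/insert script above will never verify. Note that strip_tags() is dropped on purpose: it changes the password the user typed, and once the value only ever reaches password_verify() there is nothing for it to protect.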
***************************************************************************
<?php
//adminOnlyINC.php
//inc in any password protected page, will allow administrators only on this page!
include("include/utilINC1.php"); //required for myRedirect()
include("include/configINC1.php"); //required for addresses of admin pages
//include("include/sessionINC.php"); //ZEPHIR SPECIFIC SESSION PAGE
@session_start();
if(!isset($_SESSION['sAdminID']))
{ //no session var: the user never logged in, or the session has expired
myRedirect($aLogin . "?msg=5");
}else{
//the var exists but does not look like an AdminID: treat it the same as no session
if(!is_numeric($_SESSION['sAdminID'])){myRedirect($aLogin . "?msg=5");}
}
?>
**************************************************************
<?php //admin.php
//a sample administrative page, locked down by including adminOnlyINC.php
ob_start(); //buffer output so the include can still send a redirect header
include("include/adminOnlyINC.php");
?>
<html>
<head>
<title>admin.php</title>
</head>
<body>
<div align="center"><h1>Congratulations! You have successfully logged in!</h1></div>
<div align="center"><h2>Perhaps you will want to put a link to your edit table page here?</h2></div>
<div align="center"><h2>And maybe session protect that page, as this page is protected?</h2></div>
<div align="center">Or perhaps you just want to <a href="adminLogout.php">Logout</a>?</div>
</body>
</html>
<?php ob_flush(); ?>
*************************************************************
<?php
//adminLogout.php
ob_start();
include("include/utilINC1.php"); //required for myRedirect()
include("include/configINC1.php"); //required for addresses of admin pages
//include("include/sessionINC.php"); //ZEPHIR SPECIFIC SESSION PAGE
//Clears session data, forwards user to adminLogin.php upon successful logout
@session_start();
$sFirstName= "";
$sAdminID= "";
$_SESSION["sFirstName"] = $sFirstName; //blank the values adminOnlyINC.php checks...
$_SESSION["sAdminID"] = $sAdminID;
session_destroy(); //...then drop the server-side session entirely
myRedirect($aLogin . "?msg=1"); //redirect for successful logout
ob_flush();
?>
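Two things a practitioner will notice in adminOnlyINC.php and adminLogout.php above: message 5 says the login "has timed out" but nothing on the page ever measures idle time, and the logout blanks two keys and destroys the server-side record while the browser keeps its session cookie. The following added example (my code, not the handout's) folds both files into one include with an idle limit and a logout that also expires the cookie. It assumes the login step stores the hypothetical sLastSeen timestamp in the session, and that the handout's myRedirect() sends a Location header and exits; ADMIN_IDLE_LIMIT and the function names are my own.

```php
<?php
//adminGuardINC.php (added example; replaces the logic of adminOnlyINC.php and adminLogout.php)
//ASSUMPTIONS: $_SESSION['sLastSeen'] is set to time() at login (hypothetical key);
//myRedirect() from utilINC1.php issues a Location header and exits.
include("include/utilINC1.php");
include("include/configINC1.php"); //$aLogin

define("ADMIN_IDLE_LIMIT", 15 * 60); //seconds without a protected-page hit before re-login is required

//Call at the top of every protected page (before any output) in place of the adminOnlyINC.php include.
function requireAdmin() {
    session_start();
    $loginPage = $GLOBALS['aLogin'];
    //ctype_digit is stricter than is_numeric: "1e3" or " 7" are not AdminIDs
    if (!isset($_SESSION['sAdminID']) || !ctype_digit((string)$_SESSION['sAdminID'])) {
        adminLogout();                          //never leave a half-valid session behind
        myRedirect($loginPage . "?msg=5");
    }
    $lastSeen = isset($_SESSION['sLastSeen']) ? (int)$_SESSION['sLastSeen'] : 0;
    if (time() - $lastSeen > ADMIN_IDLE_LIMIT) { //this is the check msg=5 describes
        adminLogout();
        myRedirect($loginPage . "?msg=5");
    }
    $_SESSION['sLastSeen'] = time();            //sliding window: each protected hit restarts the clock
}

//Call from the logout page, then myRedirect($aLogin . "?msg=1") as the handout does.
function adminLogout() {
    if (session_status() !== PHP_SESSION_ACTIVE) { session_start(); }
    $_SESSION = array();                         //clear every key, not only the two we know about
    if (ini_get("session.use_cookies")) {        //expire the browser's copy of the session id as well
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();                           //remove the server-side session record
}
?>
```

In admin.php the guard becomes include("include/adminGuardINC.php"); requireAdmin(); immediately after ob_start(), and adminLogout.php reduces to the same include, adminLogout(), and the existing myRedirect($aLogin . "?msg=1"). The cookie expiry matters because session_destroy() alone leaves the id in the browser; a later session_start() on any page would happily reuse it, and on a shared machine the next person at the keyboard would then be sitting in a session the previous admin believed was closed.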
*************************************************************************
<?php
//configINC1.php
//stores variables and data relevant to site management
//below are vars storing admin pages:
$aLogin = "adminLogin.php";
$aVal = "adminVal.php";
$aSuccess = "admin.php";
?>
