A Member System in PHP with some extras

Post by kees » Sun Nov 04, 2007 3:18 pm

This article describes a login/member system using PHP. Some characteristics are:
- No database needed;
- Each member can be redirected to a specified page;
- Members can be assigned to hierarchical levels;
- Editable guiding messages.
At least two pages are needed: the login page and a protected page. Usually there will be more protected pages, depending on your website structure.

I - The login page
The page name should be: login (using the Site Manager)
The file extension should be: php (using the Page Properties dialog)

First we make a login form.
1. Draw a Form Area and change the Form Properties to:
- Action: empty (remove all text)
- Method: POST
- Encoding type: empty (remove all text)
2. Put an Editbox onto the Form Area. Bring up its Editbox Properties dialog and change it to:
- Name: username
3. Put another Editbox into the Form Area. Bring up its Editbox Properties dialog and change it to:
- Name: password
- Password Field: Yes
4. Put a Push Button onto the Form Area. Bring up the Button Properties dialog and change it to:
- Button type: Submit

Second we create a Text object for the messages, preferably just above the form.
5. Draw a Text Object and insert:

Code:

'.$message[$status].'
6. Bring up the Text Object HTML dialog.
- Select Before Tag and insert:

Code:

<?php echo '
- Select After Tag and insert:

Code:

'; ?>
Third we insert the main php script.
7. Bring up the Page HTML dialog, select Start of Page and insert:

Code:

<?php
# One line per member: password, level, and the page opened after login.
$member['John'] = array('pw'=>'1234' , 'level'=>2 , 'pp'=>'./red_page.php');
$member['Tim']  = array('pw'=>'pw33' , 'level'=>2 , 'pp'=>'./blue_page.php');
$member['Lisa'] = array('pw'=>'OhNo' , 'level'=>1 , 'pp'=>'./green_page.php');
$message[0] = 'Please log in.';
$message[1] = 'Bad login. Please try again.';
$message[2] = 'You have been logged out.';

# No edits beyond this line
session_start();
$status = 0;
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
  # Accept plain strings only; a crafted form can post arrays instead.
  $username = (isset($_POST['username']) && is_string($_POST['username'])) ? $_POST['username'] : '';
  $password = (isset($_POST['password']) && is_string($_POST['password'])) ? $_POST['password'] : '';
  # === compares the exact strings; == would also accept '1234.0' for '1234'.
  if (isset($member[$username]) && (string)$member[$username]['pw'] === $password) {
    # New session id on login, so an id set before login cannot be reused.
    session_regenerate_id(true);
    $_SESSION['logged_in'] = true;
    $_SESSION['ip'] = $_SERVER['REMOTE_ADDR'];
    $_SESSION['level'] = $member[$username]['level'];
    header('Location: ' . $member[$username]['pp']);
    exit;
  }
  $status = 1;
}
# Any non-POST visit by a logged-in member (e.g. a logout link) ends the login.
elseif (isset($_SESSION['logged_in'])) {
  unset($_SESSION['logged_in']);
  unset($_SESSION['ip']);
  unset($_SESSION['level']);
  $status = 2;
}
?>
Notes:
- Please study the first lines of the script and discover its structure.
- Each member has one line of data. If you create more member lines, be sure that each member has a unique name (case sensitive!).
- After 'pw'=> the member's password comes.
- After 'level'=> the member's level comes.
- After 'pp'=> the member's protected page comes.
- What is the use of the 'level' option? Imagine you have two pages: staff and management. Then give all staff members level 1, and give all management members level 2. This way staff members can only visit their pages. But management members can visit both pages, because they have a higher level.
- If you don't want to use levels, set the level to 1.
- The lines holding $message[x] can be edited.

II - A protected page
Now we create one protected page. Before a page is sent, some checks are done to be sure that the visitor is allowed to see the page.
- The page names must correspond with the protected pages (as defined in the main script).
- The file extension should be: php

1. Bring up the Page HTML dialog, select Start of Page and insert:

Code:

<?php
$required_level = 1;

# No edits beyond this line
session_start();
# Refuse the page unless the visitor is logged in, still has the IP address
# recorded at login, and has at least the required level.
if (!isset($_SESSION['logged_in'],$_SESSION['ip'],$_SESSION['level'])
  || $_SESSION['ip'] != $_SERVER['REMOTE_ADDR']
  || $_SESSION['level'] < $required_level ) {
  # Show the refusal, then send the visitor to the login page after 5 seconds.
  header('Refresh: 5; url=./login.php');
  echo '<b>You are not allowed for this page.</b><br>';
  echo '<a href="javascript:history.back()">Go Back</a> or <a href="./login.php">Login</a>';
  exit;
}
?>
2. If you want to add a logout option, just redirect your visitors to the login page. You can use a menu, a hyperlink, an image, etc.

Notes:
- For each page that you want to protect, these steps should be followed.
- The variable $required_level holds the required level for this page.
- The sentences can be edited or translated, but take care of the right syntax!

Download the example here

Updated
14-04-08 Simplified code for protected page (step II-1).
23-05-08 Added example download.
Last edited by kees on Fri May 23, 2008 8:34 pm, edited 5 times in total.


Single Login

Post by star57 » Mon Jan 14, 2008 3:40 am

Kees
I tried out using the steps and they work wonderfully. Thanks for the post.

Question? I am building a "Coupon Discount" page for Distributors. Each Distributor will have a special discount price list page for a range of sales, the more sales the better discount. I have 5 pages of discounts. So here is the question, can this be modified to only have one login for a coupon code? I tried no password then no username, no luck.

Thanks

Update
Found a workaround: use "password" for every password. Set the initial value to password. Make the font color the same as the background. Use a custom border and select the value to 0. Set the edit box to transparency. Then move the submit button over the password field to hide it even more, and you're done, works perfect.
Last edited by star57 on Sun Jan 20, 2008 1:11 am, edited 1 time in total.

Post by kees » Tue Jan 15, 2008 8:15 pm

The member system in this topic was based on http://www.wysiwygwebbuilder.com/password_protect.html

Several times on this forum there was this question: how can I redirect each member to his own page?
That's what my script does.

I know that there are very many login systems available around the internet. Each has its pros and cons. Maybe my script is useful for someone.

Post by kees » Thu Feb 07, 2008 9:19 pm

There are a lot of possibilities if you want to password protect (parts of) your site. If you are confident about your method, please be happy :D

If you want to try one of the other ways, just try it and decide what's the best for you.

Post by madjamonline » Sun Apr 06, 2008 12:40 pm

support wrote: No, they can't see the data, because it's PHP; all script will be executed on the server, it will not be sent to the browser.
I agree, however nothing is safe in this world anymore... there will always be a way.

I always make sure that my pwds in php are MD5'd.
To MD5 a password in php, do this function:

Code:

<?php
// MD5 example:
// echo md5('mypwd'); will md5 the password "mypwd"

echo md5('mypwd');

// It will output: 318BCB4BE908D0DA6448A0DB76908D78
?>
I hope this helps :D

Post by kees » Mon Apr 07, 2008 6:12 pm

madjamonline wrote: ...nothing is safe in this world anymore... there will always be a way.

I always make sure that my pwds in php are MD5'd.
madjamonline,

I agree that hashing passwords (md5, sha1) is more secure. I didn't use these techniques in order to keep it clear for WebBuilder users.

Of course I and you will understand that NASA will not use my script :wink:
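
The hashing point raised in the two posts above, as an added example that is not part of the original thread or of kees's script: PHP's built-in password_hash() and password_verify() (PHP 5.5 and later) store a salted, deliberately slow hash, where a bare md5() is unsalted and fast to guess against. The member names and pages reuse the tutorial's sample data; the `hash` key, `$dummy_hash` and `check_login()` are names assumed here, and the hashes are generated at run time only so the block is self-contained.

```php
<?php
// Added example, not kees's script. On a real login page you would run
// password_hash() once per member and paste the resulting string here;
// the hashes are built at run time only to keep this demo self-contained.
$member = array(
  'John' => array('hash' => password_hash('1234', PASSWORD_DEFAULT), 'level' => 2, 'pp' => './red_page.php'),
  'Lisa' => array('hash' => password_hash('OhNo', PASSWORD_DEFAULT), 'level' => 1, 'pp' => './green_page.php'),
);

// Hash that is verified for unknown usernames, so a wrong name costs the
// same time as a wrong password and does not reveal which names exist.
$dummy_hash = password_hash('constructed-dummy-value', PASSWORD_DEFAULT);

// Hypothetical helper: returns the member record on success, null otherwise.
function check_login(array $member, $dummy_hash, $username, $password) {
  // A crafted form can post arrays (username[]=x); accept strings only.
  if (!is_string($username) || !is_string($password)) {
    return null;
  }
  $known = isset($member[$username]);
  $hash  = $known ? $member[$username]['hash'] : $dummy_hash;
  // password_verify() re-hashes with the salt and cost stored inside $hash
  // and compares the result in constant time.
  $ok = password_verify($password, $hash);
  return ($known && $ok) ? $member[$username] : null;
}

// Constructed sample submissions: (username, password).
$attempts = array(
  array('John', '1234'),    // correct
  array('John', '1234.0'),  // numerically equal to '1234', but a different string
  array('Lisa', 'ohno'),    // wrong case
  array('Eve',  'OhNo'),    // unknown member
);
foreach ($attempts as $a) {
  $rec = check_login($member, $dummy_hash, $a[0], $a[1]);
  echo $a[0], ' / ', $a[1], ' => ', ($rec ? 'ok, go to ' . $rec['pp'] : 'bad login'), "\n";
}

// Hashing the same password again gives a different string, because each
// hash carries its own random salt; password_verify() still accepts both.
$again = password_hash('1234', PASSWORD_DEFAULT);
var_dump($again === $member['John']['hash'], password_verify('1234', $again));
?>
```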

Post by bjlolmaugh » Tue Apr 29, 2008 8:09 pm

Hi Kees,

When setting up the 2 different pages (login.php) and the password protected page (.php), do I have to name the login page "login.php", or can I give it a different name, like "video1login.php"?

Then next question, based on this first question, if I gave it a different name, then I would obviously need to make some alterations to the PHP code to change all reference to "video1login.php". Yet your PHP script says to not make any edits after a certain point. I would need to change the script, wouldn't I?

P.S. I plan on having more than 1 password protected page on a particular website.
Sincerely,

Barbara Lolmaugh
http://www.websitesbybarbara.com

Post by kees » Tue Apr 29, 2008 8:44 pm

You can name the login page as you like.

Note that 'login.php' also exists (twice) in the protected page script. So if you name your login page 'video1login.php', this name should also be entered in the protected page script.

Post by Nanno » Mon Jun 09, 2008 9:29 pm

As far as I know, you can only protect a pdf file with a .htaccess security in the root of the folder.

Greetings,


Nanno

Post by Nanno » Wed Jun 11, 2008 8:43 pm

If you put a php security script in the start of the page, then every link on that page is secure from being found. Also for search engines.
But a file like a pdf on the server will be found with Google. There is no link needed for that.

It's up to you.

Maybe you have to search the internet for a better solution.

Greetings,

Nanno

Post by me.prosenjeet » Mon Oct 20, 2008 12:37 am

If a member of level 2 logs in, how does he or she get access to pages of Level 1? I mean, after logging in he will be redirected to his level 2 page only. Do we put links to the Level 1 pages on his page so he may have direct access to them?

Post by kees » Mon Oct 27, 2008 7:11 am

Wait!

There is a way. You can add a 'target' attribute to the login form.

How?
1. Bring up the Form's Object HTML dialog.
2. Select 'Inside Tag' and insert:

Code:

target="InlineFrame1"

MD5 security

Post by kevinp » Fri Dec 26, 2008 1:05 pm

Once the password has been stored in the text file as a general string of characters for security, can it be converted back to the original password, say for instance if the user forgot the password and submitted a reminder request? Hope this makes sense. :)

Re: MD5 security

Post by Navaldesign » Fri Dec 26, 2008 8:02 pm

kevinp wrote: Once the password has been stored in the text file as a general string of characters for security, can it be converted back to the original password, say for instance if the user forgot the password and submitted a reminder request? Hope this makes sense. :)
Password encryption is made for security reasons, so if someone, in some way, hacks your database (or database file) the password he finds is NOT the one that will allow him to enter a user's area.

With this said, since the most common encryption algorithms use the sha1 or the md5 algorithms, there is no (practical) way to convert the encrypted passwords back to the non encrypted format.

For this reason, usually, in authentication scripts, there is an automatic RESET PASSWORD feature: the user requests his password, and the script automatically creates a new one. It stores it in the same or some different table (in its encrypted form) and sends the user an email to his registered email address, with the new password. If the user clicks on the verification link, the script automatically replaces the old password with the new one (always ENCRYPTED). The user can then log in to his personal area to change the automatically generated password with one he likes.
www.dbtechnosystems.com
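
The reset procedure described in the post above, as an added example that is not part of the original thread: the new password is stored only as a hash in a pending record, and the old hash is replaced only when the single-use verification link is confirmed. `request_reset()`, `confirm_reset()`, the array layout, the one-hour expiry and the example.com addresses are assumptions; the arrays stand in for whatever table or file holds the members, and random_bytes() needs PHP 7 or later.

```php
<?php
// Added example: in-memory stand-ins for the member and pending-reset stores.
$members = array('Lisa' => array('hash' => password_hash('OhNo', PASSWORD_DEFAULT),
                                 'email' => 'lisa@example.com'));
$pending = array();

// Step 1: the member asks for a reset. Nothing in $members changes yet.
function request_reset(array $members, array &$pending, $username) {
  if (!is_string($username) || !isset($members[$username])) {
    return null;                       // caller shows the same message either way
  }
  $new_pw = bin2hex(random_bytes(8));  // temporary password, 16 hex characters
  $token  = bin2hex(random_bytes(16)); // secret carried by the verification link
  $pending[$username] = array(
    'pw_hash'    => password_hash($new_pw, PASSWORD_DEFAULT), // hashed, never plain
    'token_hash' => hash('sha256', $token),
    'expires'    => time() + 3600,     // assumption: link is valid for one hour
  );
  // Returned instead of mailed so the example runs without a mail server.
  return array('to' => $members[$username]['email'], 'new_pw' => $new_pw, 'token' => $token,
    'link' => 'https://example.com/reset.php?u=' . rawurlencode($username) . '&t=' . $token);
}

// Step 2: the member clicks the link. Only now is the old hash replaced.
function confirm_reset(array &$members, array &$pending, $username, $token) {
  if (!is_string($username) || !is_string($token) || !isset($pending[$username])) {
    return false;
  }
  $p = $pending[$username];
  $valid = time() <= $p['expires']
        && hash_equals($p['token_hash'], hash('sha256', $token));
  if ($valid) {
    $members[$username]['hash'] = $p['pw_hash'];
    unset($pending[$username]);        // single use: the link cannot be replayed
  }
  return $valid;
}

$mail = request_reset($members, $pending, 'Lisa');
// A wrong token is refused and the old password keeps working.
var_dump(confirm_reset($members, $pending, 'Lisa', 'wrong-token'));
var_dump(password_verify('OhNo', $members['Lisa']['hash']));
// The mailed token activates the new password; a second click is refused.
var_dump(confirm_reset($members, $pending, 'Lisa', $mail['token']));
var_dump(password_verify($mail['new_pw'], $members['Lisa']['hash']));
var_dump(confirm_reset($members, $pending, 'Lisa', $mail['token']));
?>
```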

MD5

Post by kevinp » Sat Dec 27, 2008 9:40 am

Of course, that would make sense. Thanks for the insight.
