View Single Post
  #1 (permalink)  
Old 23/05/2007, 08:20
andrewp
 
Join Date: August 2003
Location: Barcelona
Posts: 1,160
Member for: 20 years, 8 months
Points: 5
Help with authentication...

Greetings!

The code I show below tries to log users in through a MySQL database and PHP. In fact I do manage to log in and see the user once I enter the main page that the script sends me to. But I have seen that if I access it directly it lets me gain access as a kind of "anonymous" user. Is it possible to prevent this, so that if I go straight in, the script sends me to the login page?

Thanks for your help.

Code in the "Login.php" form:

Quote:
<?php
// Connects to your Database
mysql_connect("localhost", "userDB", "passwordDB") or die(mysql_error());
mysql_select_db("DB_Name") or die(mysql_error());

// Checks if there is a login cookie
if (isset($_COOKIE['user_accessname'])) {
    // if there is, it logs you in and directs you to the members page
    $user_accessname = $_COOKIE['user_accessname'];
    $user_password   = $_COOKIE['user_password'];
    $check = mysql_query("SELECT * FROM users WHERE user_accessname = '$user_accessname'") or die(mysql_error());
    while ($info = mysql_fetch_array($check)) {
        if ($user_password == $info['user_password']) {
            header("Location: index.php");
        }
    }
}

// if the login form is submitted
if (isset($_POST['submit'])) {
    // makes sure they filled it in
    if (!$_POST['user_accessname'] || !$_POST['user_password']) {
        die('You did not fill in a required field.');
    }
    // checks it against the database (escape the field that is actually used in the query)
    if (!get_magic_quotes_gpc()) {
        $_POST['user_accessname'] = addslashes($_POST['user_accessname']);
    }
    $check = mysql_query("SELECT * FROM users WHERE user_accessname = '" . $_POST['user_accessname'] . "'") or die(mysql_error());
    // Gives error if user doesn't exist
    $check2 = mysql_num_rows($check);
    if ($check2 == 0) {
        die('That user does not exist in our database. <a href=http://www.domaine.com/register.html>Click Here to Register</a>');
    }
    while ($info = mysql_fetch_array($check)) {
        $_POST['user_password'] = stripslashes($_POST['user_password']);
        $info['user_password']  = stripslashes($info['user_password']);

        // gives error if the password is wrong
        if ($_POST['user_password'] != $info['user_password']) {
            die('Incorrect password, please try again.');
        } else {
            // if login is ok then we add a cookie
            $_POST['user_accessname'] = stripslashes($_POST['user_accessname']);
            $hour = time() + 3600;
            setcookie('user_accessname', $_POST['user_accessname'], $hour);
            setcookie('user_password', $_POST['user_password'], $hour);
            setcookie('user_name', $_POST['user_name'], $hour);
            // then redirect them to the members area
            header("Location: index.php");
        }
    }
} else {
    // if they are not logged in
?>
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
<table border="0">
<tr><td colspan="2"><h1>Login</h1></td></tr>
<tr><td>Username:</td><td>
<input type="text" name="user_accessname" maxlength="40">
</td></tr>
<tr><td>Password:</td><td>
<input type="password" name="user_password" maxlength="50">
</td></tr>
<tr><td colspan="2" align="right">
<input type="submit" name="submit" value="Login">
</td></tr>
</table>
</form>
<?php
}
?>
Code in my index.php:

Quote:
<?php
// Connects to your Database
mysql_connect("localhost", "userDB", "passwordDB") or die(mysql_error());
mysql_select_db("DB_Name") or die(mysql_error());

// checks cookies to make sure they are logged in
if (isset($_COOKIE['user_accessname'])) {
    $user_accessname = $_COOKIE['user_accessname'];
    $user_password   = $_COOKIE['user_password'];
    $check = mysql_query("SELECT * FROM users WHERE user_accessname = '$user_accessname'") or die(mysql_error());
    while ($info = mysql_fetch_array($check)) {
        // if the cookie has the wrong password, they are taken to the login page
        if ($user_password != $info['user_password']) {
            header("Location: main.html");
        } else {
            // otherwise they are shown the admin area
            echo 'Welcome, you are ' . $user_accessname;
        }
    }
}
?>
Thanks for your help.
__________________
Andrew :P
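The gap the post describes (index.php does nothing when no cookie arrives, so the page renders for anyone) is closed by a gate that every protected page must call and that always ends in either a redirect or a verified user. The following is an added example, not code from the post: a hypothetical `auth.php` that keeps the login state in a server-side session instead of in cookies holding the password, uses a prepared statement and `password_verify`, and assumes the `users` table has a `password_hash` column produced by `password_hash()`.

```php
<?php
// auth.php (hypothetical file name): include at the top of every protected page.
// Assumes a `users` table with columns user_accessname and password_hash, where
// password_hash was stored with password_hash($pw, PASSWORD_DEFAULT).
session_start();

function db(): mysqli {
    static $db = null;
    if ($db === null) {
        $db = new mysqli('localhost', 'userDB', 'passwordDB', 'DB_Name');
        if ($db->connect_error) {
            die('Database connection failed');
        }
    }
    return $db;
}

// Checks a submitted name/password pair. The name only ever reaches the query as a
// bound parameter, so quoting tricks in the input cannot change the SQL.
function login(string $name, string $password): bool {
    $stmt = db()->prepare('SELECT password_hash FROM users WHERE user_accessname = ?');
    $stmt->bind_param('s', $name);
    $stmt->execute();
    $stmt->bind_result($hash);
    $found = $stmt->fetch();
    $stmt->close();
    if (!$found || !password_verify($password, $hash)) {
        return false;                 // same answer for unknown user and wrong password
    }
    session_regenerate_id(true);      // fresh session id once the privilege level changes
    $_SESSION['user_accessname'] = $name;
    return true;
}

// The gate: with no authenticated session there is no "anonymous" path through,
// only a redirect. exit is required because header() alone does not stop the script.
function require_login(): string {
    if (empty($_SESSION['user_accessname'])) {
        header('Location: Login.php');
        exit;
    }
    return $_SESSION['user_accessname'];
}

// index.php would then start with:
//   require 'auth.php';
//   $user = require_login();
//   echo 'Welcome, you are ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
```

The login form handler calls `login()` with the posted fields and redirects to index.php only when it returns true; the browser then holds a session id, never the password itself.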