form for logged user

anoopd · 06-24-2008, 09:04 AM

Hi Friends,

Im a newbie here . Just wanted to clear some of my doubts ... i am working with a site where the logged user can
edit something ... ie; a form should be shown only for logged users.. should i use iframes or just show the php file checking session ...Expecting valuable advice and thanks in advance

Anoop

Jim · 06-24-2008, 12:25 PM

Just create a function (like isLoggedIn()) returning true or false. In that function check the session and maybe some more proof to be 100% sertain the user is logged in.

Something like this will be the result:

PHP Code:


			
<?php



if(isLoggedIn()) {



   // Parse form



} else {



   echo 'Not logged in';



}



?>

How this helps a bit :)

Wildhoney · 06-24-2008, 03:30 PM

Perhaps having a peruse over this script that I did may be of some use to you?

maZtah · 06-25-2008, 09:50 AM

Yesterday I've written this function to check whether a user is logged in or not:

Users have options to save their login in a cookie, so that they don't have to fill the login form back in again.

A cookie is stored like: 'username;sha1hashedpasswordwithoutsalt'.

PHP Code:


			
// You have to define a SALT first
define('SALT', 'foo');

function is_logged_in()
{
    if (isset($_COOKIE['user']))
    {
        list($szName, $szPassword) = explode(';', $_COOKIE['user']);
        
        $szQuery = sprintf(
            "SELECT id
                FROM users
                WHERE name = '%s' AND password = SHA1(CONCAT('%s', '%s'))
                LIMIT 1", $szName, SALT, $szPassword);
        
        $pUser = mysql_query($szQuery) or die(mysql_error());
        
        if (mysql_numrows($pUser) > 0)
        {
            return TRUE;
        }
    }
    elseif ($_SESSION['loggedin'] === 1)
    {
        return TRUE;
    }
    else
    {
        return FALSE;
    }
}

Then, you can check (just like Jim did) if a user is logged in like so:

PHP Code:


			
if (is_logged_in() === TRUE)
{
    echo 'Logged in.';
}

// Or

if (is_logged_in() !== TRUE)
{
    echo 'Not logged in.';
}

Good luck!

Jim · 06-25-2008, 09:53 AM

Even if it's hashed with a salt, never save a password in a Cookie.

maZtah · 06-25-2008, 09:58 AM

I think you are true on that. What's a better way to store a cookie (and to check if it's from a real logged in user)?

Jim · 06-25-2008, 10:05 AM

What i always do is make an SQL table:

id - ipadres - userid - uniquestring
1 - 127.0.0.1 - 1 - bvt54345bw45herw45vw45wgef

And save a cookie named "login" or something containing the uniquestring. Then check the table for a record containing the uniquestring and ipadres. And then if its found login the user since you have it's userid.

Although i use this for autologin, you can also check it for login validation.

maZtah · 06-25-2008, 10:10 AM

Yep that's definitely a better route to go. Well, I think anoopd should be able modify my script to make it work like that. If not, I will post an update later.

Thanks for keeping me sharp, Jim!