Reputation: 667
I'm new to PHP. I have an HTML page that requires a username and password from the user to enter the chat page.
HTML page:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type" />
<link rel="stylesheet" type="text/css" href="Registerstyle.css">
<title>اسجل دخولك الى الشات</title>
</head>
<body>
<div id = "page">
<div id = "header">
</div>
<div id = "container" dir = rtl>
<div id = "menu">
<ul>
<li><a href="#">تسجيل الدخول</a></li>
<li><a href="#">استرجاع كلمة المرور</a></li>
<li><a href="#">######</a></li>
<li><a href="#">######</a></li>
</ul>
</div>
<div id = "midofcontainer">
<div id = "text">
اسم المستخدم <br><br>
كلمة المرور
</div>
<div id = "form">
<form name="log" method="GET" action="login.php">
<input type="text" name="usr" id="usr" style="width: 242px"></input><br><br>
<input type="password" name="pwd" style="width: 242px"></input><br><br>
<input type="submit" style="width: 78px" value="تسجيل الدخول">
<input type="reset" style="width: 78px" value="مسح">
</form>
</div>
</div>
</div>
<div id = "footer">
</div>
</div>
</body>
</html>
And this is my PHP file that will check the values coming from the HTML:
<?php
require 'connect.inc.php';
$usr = $_GET['usr'];
$pwd = $_GET['pwd'];
$table_name = 'user';
$query = "SELECT * FROM $table_name" ;
$query_run = mysql_query($query);
while($rows = mysql_fetch_array($query_run))
{
if ($rows['username'] == $usr and $rows['password'] == $pwd)
{
include ('chatArea.php');
exit();
}
else
include_once ('log.html');
}
?>
Now what I want is that when the if ($rows['username'] == $usr and $rows['password'] == $pwd) returns true, it opens a new PHP page and passes the username to that page.
I hope that makes my problem clear, sorry for my bad English.
Upvotes: 1
Views: 292
Reputation: 2240
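You can verify the username and password like this:
<?php
require 'connect.inc.php';
// Escape the input before it is placed inside the SQL string
$usr = mysql_real_escape_string($_GET['usr']);
$pwd = mysql_real_escape_string($_GET['pwd']);
$table_name = 'user';
// Let the database find the matching row instead of fetching every user
$query = "SELECT * FROM $table_name where username = '$usr' and password = '$pwd'" ;
$query_run = mysql_query($query);
// mysql_fetch_array() returns false when no row matched
$rows = mysql_fetch_array($query_run);
if (!empty($rows)) {
include ('chatArea.php');
exit();
} else {
include_once ('log.html');
}
?>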
Upvotes: 0
Reputation: 5136
PDO instead of mysql_* functions.
mysql_real_escape_string() to prevent SQL injection.
POST method instead of GET for the login action.
Learn about SESSIONS. Google for a good tutorial or you can follow this link: Creating a simple login-logout session using PHP
But in your case use mysql_num_rows and change the SQL query like this:
require 'connect.inc.php';
$usr = mysql_real_escape_string($_GET['usr']);
$pwd = mysql_real_escape_string($_GET['pwd']);
$table_name = 'user';
$query = "SELECT * FROM $table_name where username='$usr' and password='$pwd'" ;
$query_run = mysql_query($query);
if(mysql_num_rows($query_run) == 1){
include ('chatArea.php');
exit();
}
else {
include_once ('log.html');
}
Upvotes: 2
Reputation: 91734
To answer your question, you would need to use sessions so that you have to authenticate only once and can check in subsequent pages that a user is logged in and you have the username stored so that you can use it whenever you need it. Then you would use a header redirect instead of an include:
login.php
<?php
session_start();
...
if (user_found_condition)
{
$_SESSION['username'] = $usr;
header('Location: /url/to/chatArea.php');
exit();
}
And then in every page that requires a login, you start with:
<?php
session_start();
if (!isset($_SESSION['username']))
{
// redirect to login
}
// use $_SESSION['username'] wherever you want to display the username
Apart from that you should not get all rows from your database to match one user, just add a WHERE condition in your query.
You should also switch to PDO or mysqli and prepared statements as the mysql_* functions are deprecated.
Upvotes: 1
Reputation: 539
You need to use POST instead of GET on the form, as having the user and password in the URL is a big security risk.
$usr = $_GET['usr'];
$pwd = $_GET['pwd'];
$table_name = 'user';
$query = "SELECT username,password FROM $table_name WHERE username = '".mysql_real_escape_string($usr)."' limit 1";
$query_run = mysql_query($query);
while($rows = mysql_fetch_array($query_run))
{
if ($rows['username'] == $usr and $rows['password'] == $pwd)
{
include ('chatArea.php');
exit();
}
else
include_once ('log.html');
}
Upvotes: 1
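The advice in the answers above (a WHERE lookup through a prepared statement, POST instead of GET, a session that carries the username) put together as an added example; it is not code from any of the posters. It assumes the password column holds password_hash() output, which the original posts do not say, and it uses an in-memory SQLite table with one constructed user in place of the MySQL connection from connect.inc.php; find_user() and handle_login() are hypothetical names.

```php
<?php
// Added example. Assumptions: the password column stores password_hash() output;
// an in-memory SQLite table with one constructed user stands in for MySQL.

function find_user(PDO $pdo, string $usr, string $pwd): ?string
{
    // Bound parameter: $usr is sent as data and never becomes part of the SQL text.
    $stmt = $pdo->prepare('SELECT username, password FROM user WHERE username = ? LIMIT 1');
    $stmt->execute([$usr]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() checks the submitted password against the stored hash.
    if ($row !== false && password_verify($pwd, $row['password'])) {
        return $row['username'];
    }
    return null;
}

function handle_login(PDO $pdo, array $post): string
{
    // Credentials come from the POST body, so they stay out of the URL.
    $usr = is_string($post['usr'] ?? null) ? $post['usr'] : '';
    $pwd = is_string($post['pwd'] ?? null) ? $post['pwd'] : '';
    $username = find_user($pdo, $usr, $pwd);
    if ($username === null) {
        return 'log.html';                 // back to the login form
    }
    session_start();
    session_regenerate_id(true);           // fresh session id once authenticated
    $_SESSION['username'] = $username;     // chatArea.php reads it from here
    return '/url/to/chatArea.php';
}

// Constructed sample data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE user (username TEXT PRIMARY KEY, password TEXT)');
$pdo->prepare('INSERT INTO user VALUES (?, ?)')
    ->execute(['alice', password_hash('s3cret-pass', PASSWORD_DEFAULT)]);

var_dump(find_user($pdo, 'alice', 's3cret-pass'));   // registered user, right password
var_dump(find_user($pdo, 'alice', 'wrong'));         // registered user, wrong password
var_dump(find_user($pdo, "o'neil", 's3cret-pass'));  // a quote in the name is just data

// In login.php behind the form (method="POST"):
// header('Location: ' . handle_login($pdo, $_POST)); exit();
```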