Hello, I have a login form, which is supposed to be recording the time when someone logs in (it’s not) and also it is supposed to authenticate against MySQL DB and send a denial not ice if username and password is incorrectly entered. If login is successful s/b printing a message welcome ‘$name’. Not of this is working at the moment. I have a field in the MySQL table called login_timestamp.
<?php
ini_set("display_errors","1");
ERROR_REPORTING(E_ALL);
session_start();
$con = mysql_connect("localhost","username","password") or die('Could not connect: ' . mysql_error());
mysql_select_db("DBName") or die(mysql_error());
//Escape user input
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
//Update record with current time IF the account has never logged in before
$query = "UPDATE `Editor_Candidates`
SET `login_timestamp` = NOW()
WHERE `username` = '$username'
AND `password` = '$password'
AND login_timestamp = ''";
$result = mysql_query($query);
//Check if query ran succesfully
if(!$result)
{
//Query failed, add error handling
$response = "Query failed";
}
else
{
//Set flag
$error = false;
if(mysql_affected_rows()!=1)
{
//Record doesn't exist OR credentials have been previously used
//Run query to see when the initial login was
$query = "SELECT `login_timestamp`
FROM `Editor_Candidates`
WHERE `username` = '$username'
AND `password` = '$password'";
$result = mysql_query($query);
if (mysql_num_rows($result)!=1)
{
//username/password doesn't exist
$error = "That username/password is not valid.";
}
else
{
//Get record and check first login time
$record = mysql_fetch_assoc($result);
if ($record['login_timestamp']<strtotime("-60 minutes"))
{
//username/password was used more than 60 minutes ago
$error = "That username/password has expired";
}
}
}
//Check if error occured
if ($error == false)
{
// Same checking stuff all over again.
if(isset($_POST['submit'])) {
if(empty($_POST['username']) || empty($_POST['pwid']) ) {
echo "<h2 style='color:#039;font-size:14px;font-family:arial, helvetica,sans-serif'>Please fill in both your username and password to access the editor exam. You will be redirected back to the login screen in 5 seconds</h2>";
echo "<meta http-equiv='refresh' content='5; url=EditorLogin.php'>";
exit;
}
// Create the variables again.
$username = mysql_real_escape_string($_POST['username']);
$pwid = $_POST['pwid'];
// Encrypt the password again with the md5 hash.
// This way the password is now the same as the password inside the database.
//$pwid = md5($pwid);
// Store the SQL query inside a variable.
// ONLY the username you have filled in is retrieved from the database.
$query = "SELECT username,pwid,name
FROM Editor_Candidates
WHERE
pwid = '$pwid'
AND
username='$username'";
$result = mysql_query($query) or die(mysql_error());
if(mysql_num_rows($result) == 0) {
// Gives an error if the username/pw given does not exist.
// or if something else is wrong.
echo "<h2 style='color:#039;font-size:14px;font-family:arial, helvetica,sans-serif'>You have entered a username or password that does not match our database records. please try again. You will be directed back to the login screen in 5 seconds. </h2> " . mysql_error();
echo "<meta http-equiv='refresh' content='5; url=EditorLogin.php'>";
exit();
/*
this would benefit from a redirect to a page giving better information to
the user and maybe logging some errors.
*/
} else {
// Now create an object from the data you've retrieved.
$row = mysql_fetch_object($result);
// You've now created an object containing the data.
// You can call data by using -> after $row.
// For example now the password is checked if they're equal.
// By storing data inside the $_SESSION superglobal,
// you stay logged in until you close your browser.
$_SESSION['name'] = $row->name;
$_SESSION['username'] = $username;
$_SESSION['sid'] = session_id();
// Make it more secure by storing the user's IP address.
$_SESSION['ip'] = $_SERVER['REMOTE_ADDR'];
// Now give the success message.
// $_SESSION['username'] should print out your username.
//move this to after your redirect further below..
}
}
// Start a session. If not logged in will be redirected back to login screen.
if(!isset($_SESSION['username'])){
exit;
}
echo "<div id='welcome'><h3>Welcome! You are now logged in " . $_SESSION['name'] . "</h3>";
echo "<a class='logout' href='logout.php'>Logout</a></div>";
}
}
?>
