Re: Multiple field login and a related question

dylanhughes@xxxxxxxxx wrote:
I'm looking for an example of a login system that has multiple fields
(2 to be exact) + password. e.g username, company name and password,
the user, company and password are checked against a mysql database. I
have it working with just the username field but I'm confused on how
to go about adding another field. I'm pretty new to PHP so don't beat
me up too much for this example code, I borrowed and hacked it
together in a very short period of time.

Code:

<?php
include 'db.php';
//Checks if there is a login cookie

if(isset($_COOKIE['ID_user']))


//if there is, it logs you in and directs you to the members page
//shopname is used to select the correct database
{
$shopname = $_COOKIE['ID_fitsheetshop'];
$username = $_COOKIE['ID_fitsheetuser'];
$pass = $_COOKIE['Key_fit***'];

$checkuser = mysql_query("SELECT * FROM users WHERE username =
'$username'")or die(mysql_error());
$checkshop = mysql_query("SELECT * FROM users WHERE shopname =
'$shopname'")or die(mysql_error());
while($info = mysql_fetch_array($checkuser))
{

if ($pass != $info['password'])
{
die('something is wrong');
}

else
{
header("Location: members.php");
}

}

while($info = mysql_fetch_array($checkshop))
{

if ($pass != $info['password'])
{
die('something is wrong');
}

else
{
header("Location: members.php");

}

}

}


//if the login form is submitted

if (isset($_POST['submit'])) { // if form has been submitted


// makes sure they filled it in

if(!$_POST['shopname'] | !$_POST['username'] | !$_POST['pass']) {
die('You did not fill in a required field.');
}

// checks it against the database

if (!get_magic_quotes_gpc()) {
$_POST['username'] = addslashes($_POST['username']);
$_POST['shopname'] = addslashes($_POST['shopname']);
}

$checkuser = mysql_query("SELECT * FROM users WHERE username = '".
$_POST['username']."'")or die(mysql_error());
$checkshop = mysql_query("SELECT * FROM users WHERE shopname = '".
$_POST['shopname']."'")or die(mysql_error());

//Gives error if user dosen't exist

$check2 = mysql_num_rows($checkuser);
if ($check2 == 0) {
die('Something is wrong');
}

$check3 = mysql_num_rows($checkshop);
if ($check3 == 0) {
die('Something is wrong');
}

while($info = mysql_fetch_array($checkuser))
while($info = mysql_fetch_array($checkshop))
{

$_POST['pass'] = stripslashes($_POST['pass']);
$info['password'] = stripslashes($info['password']);
$_POST['pass'] = md5($_POST['pass']);

//gives error if the password is wrong

if ($_POST['pass'] != $info['password']) {
die('Something is wrong');
}

else
{
// if login is ok then we add a cookie
$_POST['shopname'] = stripslashes($_POST['shopname']);
$_POST['username'] = stripslashes($_POST['username']);

$hour = time() + 3600;
setcookie(ID_shop, $_POST['shopname'], $hour);
setcookie(ID_user, $_POST['username'], $hour);
setcookie(Key_shop, $_POST['pass'], $hour);

//then redirect them to the members area
header("Location: members.php");

}

}

}

else {

// if they are not logged in
//code removed for privacy
<form action="<?php echo $_SERVER['PHP_SELF']?>" method="post">
<table border="0">
<tr><td colspan=2><h1>Login</h1></td></tr>
<tr><td>Shop Name:</td><td>
<input type="text" name="shopname" size="60" maxlength="60">
<tr><td>Username:</td><td>
<input type="text" name="username" size="2" maxlength="60">
</td></tr>
<tr><td>Password:</td><td>
<input type="password" name="pass" maxlength="50">
</td></tr>
<tr><td colspan="2" align="right">
<input type="submit" name="submit" value="Login">
</td></tr>
</table>
</form>
//code removed
<?php
}


?>




Each company will have its own database, once the user logs in I was
going to check their cookie for the company name and use that to
select the correct database. Does anyone have any better ideas?


Thanks for your time.


I don't know of any examples, but it's not too hard. But you need to put everything in one SQL query, i.e. (Not checked for syntax)

$result = mysql_query("SELECT * FROM users WHERE username = " .
"'$username' AND shopname='$shopname' AND `password` = '$pass'");

if (mysql_rows($result) !< 1)
echo "User not found";
elseif (mysql_rows($result) > 1)
echo "This should not occur!");
else
// valid login here

The way you have it, you could have user 'abc' at shop 'acme shop' and still be able to access shop 'widgets, inc.'.

Also, I wouldn't have a different table for every shop. It gets too hard to manage. Rather, in your table have a column for the shop id and filter on that.

For instance:

User table:
userid
pwd
shopid

Shop table:
shopid
shop Name

Data table:
shopid
(other information)

Of course, if you did it this way you'd have to adjust your SQL code slightly - but it's much better than separate tables for each shop.

For more info on the DB design, try comp.database.mysql (or whatever database you're using if not MySQL).


--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@xxxxxxxxxxxxx
==================
.