
If the user has not logged in but clicks through to the order page, they should be redirected to the login page. Yet it does not function as expected: it just stays on the login page, and the user cannot log in or proceed to the order page. What is the problem?

Order form:

    <?php
    // Connects to your Database
    $connect = mysql_connect("127.0.0.1", "root", "") or die("not connecting");
    mysql_select_db("shop") or die("no db :'(");

    // is the one accessing this page logged in or not?
    if (!isset($_SESSION['logged-in']) || $_SESSION['logged-in'] !== true) {
        // not logged in, move to login page
        header('Location: member_login.php');
        exit();
    } else {
        // count the number of food items
        $food_num = mysql_query("select count(*) as sum from food");
        $ttl_num  = mysql_fetch_array($food_num);

        // select the price and name of each food item (assumes foodid runs 1..count)
        for ($i = 1; $i <= $ttl_num['sum']; $i++) {
            $price_query    = mysql_query("SELECT price FROM food where foodid = '$i'");
            $price_array    = mysql_fetch_array($price_query);
            $price_food[$i] = $price_array['price'];

            $name_query    = mysql_query("SELECT name FROM food where foodid = '$i'");
            $name_array    = mysql_fetch_array($name_query);
            $name_food[$i] = $name_array['name'];
        }

        // close the connection once all rows have been read, not inside the loop
        mysql_close($connect);
    }
    ?>

Login check:

    <?php
    // Connects to your Database
    $connect = mysql_connect("127.0.0.1", "root", "") or die("not connecting");
    mysql_select_db("shop") or die("no db :'(");

    // read the form fields without triggering undefined-index notices
    $form     = isset($_POST['submit']) ? $_POST['submit'] : null;
    $email    = isset($_POST['loginID_member']) ? $_POST['loginID_member'] : null;
    $password = isset($_POST['password_member']) ? $_POST['password_member'] : null;

    if (isset($form)) {
        if (isset($email) && isset($password) && $email !== '' && $password !== '') {
            // look up the member by email and plain-text password
            $sql = mysql_query("SELECT * FROM member WHERE memberemail='$email' and memberpw='$password';");

            if (mysql_num_rows($sql) != 0) { // success
                $_SESSION['logged-in'] = true;
                header('Location: order_form.php');
                exit;
            } else {
                echo "<script>alert('Incorrect email or password!');window.location.href='member_login.php';</script>";
            }
        } else {
            die('<script type="text/javascript">alert("Please enter a username and password!");location.replace("member_login.php")</script>');
        }
    }

    mysql_close($connect);
    ?>
  • Oh dear, there's some SQL injection vulnerabilities here. Don't put this live until all user data entering a query is untainted. – halfer May 23 '13 at 10:04
  • You are using [an **obsolete** database API](http://stackoverflow.com/q/12859942/19068) and should use a [modern replacement](http://php.net/manual/en/mysqlinfo.api.choosing.php). You are also **vulnerable to [SQL injection attacks](http://bobby-tables.com/)** that a modern API would make it easier to [defend](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) yourself from. – Quentin May 23 '13 at 10:05
  • Ah, every time you use `header('Location: x')` you should follow it with `exit()`. The header function just sends a header to the client, but your PHP script will happily carry on executing the code after this, which is not what you want. – halfer May 23 '13 at 10:07
  • So how can I change it? If I put the code before the SQL, it does not work either. – user2413017 May 23 '13 at 10:08
  • After I added the `exit()` at the end of both pieces of code and tested, it returns a wrong combination. What is the problem? – user2413017 May 23 '13 at 10:12
  • Update your code in the question with what you have now, please? (When you address someone here, call their name e.g. @halfer, otherwise they may not see you've replied. See the help under the comment box!) – halfer May 23 '13 at 10:33
  • @halfer I have updated the code above. The problem now is: when users go to the order page without logging in, it redirects to the login page. Yet, after entering the login info, it cannot log in; it goes to a blank page. – user2413017 May 23 '13 at 10:54
  • You don't seem to be aware of the fact that cookies are client-side. It's trivial to create and send a `logged` cookie. You don't even need to install anything: all modern browsers bundle the required tools to do it. Use server-side sessions as everybody else. – Álvaro González May 23 '13 at 10:56
  • I have used cookies to store the ID and password. If I use sessions to do this, do I need to redo the cookies part? @ÁlvaroG.Vicario – user2413017 May 23 '13 at 10:59

1 Answer

There are a few things I'd advise here:

  • Just use sessions on their own to start with, so you don't need $_COOKIE at all (you can add this later if you want your sessions to persist between browser sessions)
  • Before you access $_SESSION you need to call session_start(), to let PHP know you want session functionality
  • So, your first check should be:

    session_start();

    if (isset($_SESSION['logged'])) {
        header('Location: order_form.php');
        exit();
    }
    
  • You have two errors in your existing if clause: you've misspelled the file you're redirecting to, and you haven't used braces, so the exit will always be executed. For control blocks (loops and conditionals) you should always use braces (some style guides encourage one-line braceless if blocks, which I think is bad practice)

I'd suggest you fix those things, and sort out your SQL injection security problems, and go from there. The next step will be debugging i.e. setting something in a session, and making sure that it is available in the session array on the next request.

It will make things much easier if you can set up a version control system (such as Git) so you can periodically snapshot your work. Then, if something goes wrong, you can roll back to the last good known point.

halfer
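The points raised in the comments and the answer (call `session_start()` before touching `$_SESSION`, keep the logged-in flag server-side rather than in a client cookie, follow every `header('Location: ...')` with `exit`, and keep user input out of the SQL string) can be put together in one place. The following is an added example, not code from the question or from halfer's answer. It assumes a `member` table with columns `memberid`, `memberemail` and `memberpw`, where `memberpw` holds a `password_hash()` digest instead of the plain-text password the question stores, and a non-root database user `shop_web` whose name and password are placeholders.

```php
<?php
// Added example: session-gated order page and a login handler that uses PDO
// prepared statements and password_verify(). Table/column names follow the
// question; the DB user, password and the hashed-password column are assumptions.
declare(strict_types=1);

// Shared bootstrap: cookie-only, HttpOnly session started before any $_SESSION access.
function start_secure_session(): void
{
    ini_set('session.use_only_cookies', '1');
    session_set_cookie_params([            // array form needs PHP 7.3+
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,                // requires HTTPS; only relax on a local dev box
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

function db(): PDO
{
    // Assumed DSN and credentials; do not connect as root from the web tier.
    return new PDO('mysql:host=127.0.0.1;dbname=shop;charset=utf8mb4', 'shop_web', 'change-me', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false,   // real server-side prepares
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// member_login.php POST handler: email and password never enter the SQL text.
function handle_login(PDO $pdo, array $post): void
{
    $email    = trim((string)($post['loginID_member'] ?? ''));
    $password = (string)($post['password_member'] ?? '');
    if ($email === '' || $password === '') {
        header('Location: member_login.php?err=missing');
        exit;
    }

    $stmt = $pdo->prepare('SELECT memberid, memberpw FROM member WHERE memberemail = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch();

    // Same response whether the email is unknown or the password is wrong.
    if ($row === false || !password_verify($password, $row['memberpw'])) {
        header('Location: member_login.php?err=bad');
        exit;
    }

    // New session id on privilege change blocks session fixation.
    session_regenerate_id(true);
    $_SESSION['member_id'] = (int)$row['memberid'];
    $_SESSION['logged-in'] = true;
    header('Location: order_form.php');
    exit;
}

// order_form.php gate: the client only holds the session cookie; the flag is server-side.
function require_login(): int
{
    if (empty($_SESSION['logged-in']) || !isset($_SESSION['member_id'])) {
        header('Location: member_login.php');
        exit;
    }
    return (int)$_SESSION['member_id'];
}

// One query for the menu instead of two per food row; gaps in foodid no longer matter.
function load_menu(PDO $pdo): array
{
    return $pdo->query('SELECT foodid, name, price FROM food ORDER BY foodid')->fetchAll();
}

// Registration/password-change side: store a hash, never the password itself.
function store_password(PDO $pdo, int $memberId, string $password): void
{
    $stmt = $pdo->prepare('UPDATE member SET memberpw = :hash WHERE memberid = :id');
    $stmt->execute([':hash' => password_hash($password, PASSWORD_DEFAULT), ':id' => $memberId]);
}

// Entry point for member_login.php; order_form.php would instead call
// start_secure_session(); $memberId = require_login(); $menu = load_menu(db());
start_secure_session();
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['submit'])) {
    handle_login(db(), $_POST);
}
```

Both pages must call `start_secure_session()` before anything else is sent to the browser, since `session_start()` and `header()` fail once output has begun. The `exit` after each redirect is what stops the rest of the script from running for an unauthenticated request, which is the behaviour the question was missing.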