PHP Log-In indirection new page with the ID

Question

Just want to make sure that my PHP login page submitted with a new page that comes with my Login ID, for example "Welcome, XX", XX for your login username. So what should I do for my codes below (I use reCapture here):

 <!DOCTYPE html>
 <head>
 <title>reCaptcha Log-in</title>
 <script src='https://www.google.com/recaptcha/api.js'></script>
 </head>
    <body> <!-- the body tag is required or the CAPTCHA may not show on some browsers -->
      <!-- your HTML content -->


<body>



<fieldset style="border:2px groove; border-color:blue; padding:15px 30px 15px;margin-right:5px;width:350px;height:400px">
      <form method="post" action="recaptcha.php">

      <p><b>User Name </b>  <input type="text" name="username1" size="20px" maxlength="15"></p>
<p><b>Password  </b> <input type="password" name="password1" size="20px" maxlength="15"></p>


        <?php
          require_once('recaptchalib.php');
          $publickey = "6LfxlgcTAAAAALNywpDCYeKbH8ACc9dw6xaCZT-0"; // you got this from the signup page
          echo recaptcha_get_html($publickey);
        ?>
        <br/>
        <div align="left"> <input type="submit" name="submit1" value=login></div>


      </form>

      <!-- more of your HTML content -->
    </body>
  </html>

    <?php

  session_start();

require_once("require_pro.php");

if($_SERVER["REQUEST_METHOD"]=="POST")
{
      if(isset($_POST['submit1'])){
require_once('recaptchalib.php');
  $privatekey = "6LfxlgcTAAAAACugkAYxfmc__38DtbI5MzDUHKx-";
  $resp = recaptcha_check_answer ($privatekey,
                                $_SERVER["REMOTE_ADDR"],
                                $_POST["recaptcha_challenge_field"],
                                $_POST["recaptcha_response_field"]);


  if ((!$resp->is_valid)&&(isset($_POST['username1']))) {
    // What happens when the CAPTCHA was entered incorrectly
    echo "<p>Sorry, Please enter the right reCaptcha code</p>";
    $error = $resp->error;
  } else {
    $myusername=addslashes($_POST['username1']);
    $mypassword=addslashes($_POST['password1']);

  $sql=" SELECT * FROM user 
            WHERE username='$myusername' and password='$mypassword'";

    $result=mysql_query($sql);
    $count=mysql_num_rows($result);



    if($count == 1) 
    {   $user1=$_POST['username1'];
        echo "Login Successfully";
        header("location:welcome.php?=$user1");

    } else if(!empty($_POST['username1'])){
        echo "<p><font color='black'>Login Information wrong, please try again</font></p>";
    }


}
  }




  }


  ?>

<welcome.php> :

 <!DOCTYPE html>
 <html>
 <head>


 </head>
    <body> <!-- the body tag is required or the CAPTCHA may not show on some browsers -->
      <!-- your HTML content -->


<body>



<fieldset style="border:2px groove; border-color:blue; padding:15px 30px 15px;margin-right:5px;width:350px;height:400px">
    <?php 

    echo" Welcome !".??????

    </body>
  </html>

score 1 · Accepted Answer · edited May 23 '17 at 12:21

1

First, addslashes isn't the right function for preventing SQL injection. See Examples of SQL Injections through addslashes()?.

Second, mysql_* functions are deprecated and should not be used in new code. See the big red box at http://php.net/mysql_query. Use something like PDO with parameterized queries (which will also help you with SQL injection).

Third, you need to store something in the session so you know that they're logged in and which user they're logged in as. When the user successfully logs in, something like:

$_SESSION['username'] = $_POST['username1'];

Which will allow you to use it in subsequent pages.

edited May 23 '17 at 12:21

Community

1
1

answered May 31 '15 at 14:26

ceejayoz

176,543
40
303
368

Thanks for your comments. I supposed "$_SESSION['username'] = $_POST['username1'];" is put in the first page, but what should I do for the second page? It did not work if the second welcome php with "echo "welcome".$_GET['username']." – Derrick Ruan Jun 01 '15 at 01:23
Oh, It is solved if i use @adelowo method; 0 – Derrick Ruan Jun 01 '15 at 01:27
@DerrickRuan You'd `echo $_SESSION['username']` (and make sure to have `session_start()` at the beginning of the page. adelowo's method lets the user change it in the URL which isn't ideal (especially if you plan to use this for other stuff on the page). Please do not ignore my first and second points, by the way - your code currently is **dangerous** to your site and the server it runs on. – ceejayoz Jun 01 '15 at 02:06
Thanks for that. Yes, It is quite risky because I am now using these just practicing, But I will definitely use your 1st and 2nd methods to make it safe if I really need to build a site. – Derrick Ruan Jun 01 '15 at 09:22
@DerrickRuan Practicing bad code is dangerous too. You learn from practice, and learning bad code means you *write* bad code. – ceejayoz Jun 01 '15 at 12:48
Yeah, I sometimes learnt some from a random Youtube PHPer, but mostly I follow some good channels so I will make some good choices ;) – Derrick Ruan Jun 02 '15 at 12:54

score 0 · Answer 2 · answered May 31 '15 at 14:32

0

since you are passing the username via the url,you use the $_GET[''] array but you code needs a little clean up ..you do this instead

  if($count == 1) 
{   $user1=$_POST['username1'];
    echo "Login Successfully";
    header("location:welcome.php?username=$user1");
 }

to get the username,you do this

echo "Welcome $_GET['username']"; //make sure you clean up the variable

answered May 31 '15 at 14:32

Thanks for that~~It works now ;)) – Derrick Ruan Jun 01 '15 at 01:27
BTW, the welcome page side should be "echo "Welcome!". $_GET['username'];", the double quotation marks changed a bit ;) – Derrick Ruan Jun 01 '15 at 01:28
@DerrickRuan nice to hear,do upvote my answer – Jun 02 '15 at 00:18
Yes,I wanted to, but It requires 15 reputation ;( – Derrick Ruan Jun 02 '15 at 12:52
@DerrickRuan sorry,i meant to say,best answer http://stackoverflow.com/help/someone-answers – Jun 02 '15 at 12:55

PHP Log-In indirection new page with the ID

2 Answers2