MySQL Member system

Posted by Firebird on Jan. 23, 2006, 10:22 p.m.

Hey guys… haven been here in a while but yeah.

Can anyone give me a few tips on how to use MySQL for a members system, I was thinking of giving members of my site (When I get better webhosting) extra privilages, like maybe, like 64D a blog or a personal page or something I dunno but I would like there to be something. So… should I use md5 or something on the passwords… gee idk can someone who is experienced with PHP/MySQL give me a few (lots lol) tips to making one of these?

And check out my new banner!

Comments

firestormx 18 years, 10 months ago

Do you know how to use mysql in general? If so, it's pretty simple. (The 64digits member system is anyway…I don't know about all that new-fangled high-security member system stuff =P)

Basicaly, all you really need is the id, username, password, and if you want, the user type. (0 would be member, 1 would be admin, 2 would be mod, or something)

Your query to make the table, would look something like

CREATE TABLE users (id INT NOT NULL AUTO_INCREMENT,

PRIMARY KEY(id),

username VARCHAR(20),

password VARCHAR(32), #32, because md5 hashes are 32 chars long)

type TINYINT(1)); #1, because you're probably not going to have more than 9 types

Then, if you want to have preferences and stuff, you'd probably want to make them in a seperate table, like user_prefs or something. (You know about <a href="http://dev.mysql.com/tech-resources/articles/intro-to-normalization.html" target="_blank">datbase normalizing</a>, right?)

Then, you'd have your form

[<]form method="post" action="login.php"[>]

[<]input type="text" name="username" /[>]

[<]input type="password" name="password" /[>]

[<]/form[>]

I assume that if you already know how to work with mysql, the big thing you don't understand about user systems is how does it know which row to keep reading off of? (That's what I didn't understand anyway…But aparently I'm stupid)

<pre>[<]?php

session_start();

if ($_POST['username'] && $_POST['password'] && !session_exists('logged_in'))

{

$query = mysql_query("SELECT * FROM users WHERE username='".mysql_real_escape_string($_POST['username'])."'");

if (mysql_num_rows($query))

{

$user = mysql_fetch_array($query);

if (md5($_POST['password']) == $user['password'])

{

session_register('logged_in');

$_SESSION['session_user'] = $user['id'];

if ($user['type'] == 1)

{session_register('admin');}

if ($user['type'] == 2)

{session_register('mod');}

session_regenerate_id();

print "You are now logged on";

}

else

{print "Your password is incorrect";}

}

else

{print "There is no user with the name {$_POST['username']}";}

}

?[>]</pre>

The way to do it is with sessions.

You have to have session_start() at the begining of every page you want sessions to apply to. (Which for most sites, it's every page. Usualy it's simply put in the header file)

session_start() is like header(), in that it has to go at the very begining of the file.

When you register a session, using session_register(), it's like making a boolean variable, and setting it to 1. Then, when you use session_exists('session_variable') in an if statement, it's like going if (session_variable == 1). You don't actualy need to put session_register('logged_in'), as $_SESSION['session_user'] (I'll get to that in a sec) is usualy good enough. However, I've gotten into the habbit of simply using

if (session_exists('logged_in')), rather than if ($_SESSION['session_user'])…It just feels more complete, ya' know?

Now, the $_SESSION[] array is a global array, containing your session variables. In this example, I set session_user to the id of the row of the logged in user.

Then, in the next line down, I checked if the type column is equal to 1 (admin), and if it is, I registered the 'admin' session. Below that, I did the same for if the type is 2 (mod).

Then, I regenerated the session id, just to be safe.

Now, when you go around the site, you'll be able to tell the server which row to read from if you need to, as well as know if a user is logged in.

So, for example, if you need to be logged in to leave a comment, you would go

if (session_is_registered('logged_in'))

{print "leave a comment";}

And if you want admins to be able to delete comments, you could go

display_comment();

if (session_is_registered('admin'))

{print "delete this comment";}

If you want to show who you're currently logged in as, you could go

$cur_user = mysql_fetch_array(mysql_query("SELECT username FROM users WHERE id='{$_SESSION['session_user']}'"));

print "Hello {$cur_user['username']}!";

It's all pretty simple stuff, and once you get comfertable with it, you'll begin to develop your own functions to return the value of a column, and stuff.

So for example, you could have something like

function col ($table, $cond, $cond_value, $column)

{

$query = mysql_fetch_array(mysql_query("SELECT ".mysql_real_escape_string($column)." FROM ".mysql_real_escape_string($table)." WHERE ".mysql_real_escape_string($cond)."='".mysql_real_escape_string($cond_value)."');

return $query[$column];

}

print "Welcome ".col('users', 'id', $_SESSION['session_user'], 'username');

Writing mysql_real_escape_string is long and annoying, so what I did was just make a function called mres($value) and had it go through all my security functions (including mysql_real_escape_string).

Not only is it faster to type, but if you need to add an extra security thing, like say you want to encrypt everything you put into your databse, then decrypt it when you pull it again (for example, replacing all F's with 123456789) then you could easily add that to mres() easily.

mres ($value)

{

$value = string_replace('F', '123456789', $value);

return mysql_real_escape_string($value);

}

Then, I sugest making a parse() function for displaying anything from the database.

parse ($text)

{

$text = string_replaec('123456789', 'F', $text);

$text = nl2br($text);

$text = stripslashes($text); //when you user mysql_real_escape_string, it adds slashes

return $text;

}

Umm, I think that pretty much covers it.

If you know mysql, all you really need to learn is sessions.

Oh, and maybe cookies too if you want. I don't really feel like going into those at the moment…

Alpha Man 18 years, 10 months ago

LOL You have a avatar about fish!

… Mr.Storm, your hands must really hurt now…

Firebird 18 years, 10 months ago

Hey thanks FirestormX

Yeah its not worth putting it in now because im moving to a new host.

I might intergrate it into some kind a MySQL powered news CMS.

Wow fish.

firestormx 18 years, 10 months ago

=)