Wrox Programmer Forums

You are currently viewing the PHP How-To section of the Wrox Programmer to Programmer discussions. This is a community of software programmers and website developers including Wrox book authors and readers. New member registration was closed in 2019. New posts were shut off and the site was archived into this static format as of October 1, 2020. If you require technical support for a Wrox book please contact http://hub.wiley.com
 
Old January 18th, 2004, 03:20 AM
Authorized User
 
Join Date: Oct 2003
Location: KL, wilayah persekutuan, Malaysia.
Posts: 91
Thanks: 0
Thanked 0 Times in 0 Posts
Default login script problem

I have a login.php that will check the authentication of the user.
However, when I type a wrong userid and password or a real userid and password,
it just refreshes the page.
Please tell me what's wrong with it. I followed the example from the Wrox Beginning PHP book.

<?php
session_start();
include "common_db.inc";


function auth_user($userid, $userpassword)
{
    $query = "SELECT emp_id FROM user WHERE userid = '$userid' AND userpassword = password('$userpassword')";
    $result = mysql_query($query);
    if(!mysql_num_rows($result))
        return 0;
    else
    {
        $query_data = mysql_fetch_row($result);
        return $query_data[0];
    }
}

function login_form()
{
    global $PHP_SELF;
?>
<HTML>
    <HEAD>
        <TITLE>Login</TITLE>
    </HEAD>
<BODY>
<FORM METHOD="POST" ACTION="<? echo $PHP_SELF ?>">
    <DIV ALIGN="CENTER"><CENTER>
        <H3>Please log in to access the page you requested.</H3>
    <TABLE BORDER="1" WIDTH="200" CELLPADDING="2">
          <TR>
        <TH WIDTH="18%" ALIGN="RIGHT" NOWRAP>ID</TH>
        <TD WIDTH="82%" NOWRAP>
        <INPUT TYPE="TEXT" NAME="userid" SIZE="8">
         </TD>
         </TR>
         <TR>
        <TH WIDTH="18%" ALIGN="RIGHT" NOWRAP>Password</TH>
                  <TD WIDTH="82%" NOWRAP>

                    <INPUT TYPE="PASSWORD" NAME="userpassword" SIZE="8">
         </TD>
          </TR>
          <TR>
          <TD WIDTH="100%" COLSPAN="2" ALIGN="CENTER" NOWRAP>
                   <INPUT TYPE="SUBMIT" VALUE="LOGIN" NAME="Submit">
                    </TD>
          </TR>
      </TABLE>
       </CENTER></DIV>
</FORM>
</BODY>
</HTML>
<?
}

if(!isset($userid))
{
    login_form();
    exit;
}
else
{
    session_register("userid", "userpassword");
    $username = auth_user($userid, $userpassword);
    if(!$username)
    {
        session_unregister("userid");

         session_unregister("userpassword");
         echo "Authorization failed. " .
                "You must enter a valid userid and password combo. " .
                "Click on the following link to try again.<BR>\n";
                 echo "<A HREF=\"$PHP_SELF\">Login</A><BR>";
                 echo "If you're not a member yet, click " .
               "on the following link to register.<BR>\n";
                 echo "<A HREF=\"$register_script\">Membership</A>";
        exit;
      }
     else echo "Welcome, $username!";
}
?>

 
Old January 19th, 2004, 03:15 PM
Friend of Wrox
 
Join Date: Jun 2003
Location: San Diego, CA, USA
Posts: 836
Thanks: 0
Thanked 0 Times in 0 Posts
Default

Don't don't don't don't (please please please please) use session_register() or global variables! Especially if your session variables and form variables have the same names.

What is your register_globals set to in php.ini?


Here's a functionally equivalent replacement for your script that does NOT rely on register_globals = on:


<?php
session_start();
include "common_db.inc";


function auth_user($userid, $userpassword)
{
    $query = "SELECT emp_id FROM user WHERE userid = '$userid' AND userpassword = password('$userpassword')";
    $result = mysql_query($query);
    if ((FALSE === $result) || !mysql_num_rows($result))
    {
        return FALSE;
    }
    else
    {
        $query_data = mysql_fetch_row($result);
        return $query_data[0];
    }
}

function login_form()
{
?>
<HTML>
    <HEAD>
        <TITLE>Login</TITLE>
    </HEAD>
<BODY>
<FORM METHOD="POST" ACTION="<? echo $_SERVER['PHP_SELF']; ?>">
    <DIV ALIGN="CENTER"><CENTER>
        <H3>Please log in to access the page you requested.</H3>
    <TABLE BORDER="1" WIDTH="200" CELLPADDING="2">
          <TR>
        <TH WIDTH="18%" ALIGN="RIGHT" NOWRAP>ID</TH>
        <TD WIDTH="82%" NOWRAP>
        <INPUT TYPE="TEXT" NAME="userid" SIZE="8">
         </TD>
         </TR>
         <TR>
        <TH WIDTH="18%" ALIGN="RIGHT" NOWRAP>Password</TH>
                  <TD WIDTH="82%" NOWRAP>

                    <INPUT TYPE="PASSWORD" NAME="userpassword" SIZE="8">
         </TD>
          </TR>
          <TR>
          <TD WIDTH="100%" COLSPAN="2" ALIGN="CENTER" NOWRAP>
                   <INPUT TYPE="SUBMIT" VALUE="LOGIN" NAME="Submit">
                    </TD>
          </TR>
      </TABLE>
       </CENTER></DIV>
</FORM>
</BODY>
</HTML>
<?
}

if(!isset($_POST['userid']))
{
    login_form();
    exit;
}
else
{
    $_SESSION['userid'] = $_POST['userid'];
    $_SESSION['userpassword'] = $_POST['userpassword'];

    $username = auth_user($userid, $userpassword);

    if(FALSE === $username)
    {
        unset($_SESSION['userid']);
        unset($_SESSION['userpassword']);

        echo "Authorization failed. " .
             "You must enter a valid userid and password combo. " .
             "Click on the following link to try again.<BR>\n";
        echo "<A HREF=\"$PHP_SELF\">Login</A><BR>";
        echo "If you're not a member yet, click " .
             "on the following link to register.<BR>\n";
        echo "<A HREF=\"$register_script\">Membership</A>";
        exit;
    }
    else
    {
        echo "Welcome, $username!";
    }
}
?>


Try that, let me know if it works.


Take care,

Nik
http://www.bigaction.org/
 
Old January 20th, 2004, 06:58 AM
Authorized User
 
Join Date: Oct 2003
Location: KL, wilayah persekutuan, Malaysia.
Posts: 91
Thanks: 0
Thanked 0 Times in 0 Posts
Default

Thanks nikolai!
I will try it, but I can only reply to you on 26 Jan because I'm now in my hometown celebrating Chinese New Year.

 
Old January 26th, 2004, 10:13 AM
Authorized User
 
Join Date: Oct 2003
Location: KL, wilayah persekutuan, Malaysia.
Posts: 91
Thanks: 0
Thanked 0 Times in 0 Posts
Default

Thanks nikolai! The login form works now. However, I encountered two more problems.
1. When I entered a wrong userid and password, the following is displayed.
    Authorization failed. You must enter a valid userid and password combo. Click on the following link to try again.Login

But when I clicked the Login hyperlink, the following is displayed instead of the login form. Please tell me why and how to solve it.
    Forbidden
    You don't have permission to access / on this server.
    Apache/1.3.28 Server at localhost Port 80

2. The login form keeps displaying authorization failed even though I entered an existing userid and password. I tried to query it from MySQL and it works fine. Below are my table and the values entered.
CREATE TABLE USER
(
    USERID VARCHAR(8) NOT NULL,
    USERPASSWORD VARCHAR(30) NOT NULL,
    EMP_ID VARCHAR(6) NOT NULL,
    PRIMARY KEY(USERID),
    FOREIGN KEY (EMP_ID) REFERENCES EMPLOYEE
);

INSERT INTO USER VALUES ('HUAN', password('100388'), 'EMP001');
INSERT INTO USER VALUES ('JOE', password('101055'), 'EMP002');

-- these queries work fine in mysql
SELECT emp_id FROM user WHERE userid = 'joe' AND userpassword = password('101055');
SELECT emp_id FROM user WHERE userid = 'huan' AND userpassword = password('100388');

When I entered joe in the userid textbox and 101055 in the password textbox, and
huan in the userid textbox and 100388 in the password textbox, it displayed authorization failed instead of displaying Welcome, $username!


 
Old January 29th, 2004, 08:46 PM
Authorized User
 
Join Date: Oct 2003
Location: KL, wilayah persekutuan, Malaysia.
Posts: 91
Thanks: 0
Thanked 0 Times in 0 Posts
Default

I think that my problem is with the code $_SERVER['PHP_SELF']. Is there any configuration that I need to do to use it?
Please help!

 
Old January 29th, 2004, 09:37 PM
Friend of Wrox
 
Join Date: Jun 2003
Location: San Diego, CA, USA
Posts: 836
Thanks: 0
Thanked 0 Times in 0 Posts
Default

No. $_SERVER['PHP_SELF'] should exist always, that's why you should use it. $PHP_SELF only exists when the contents of the $_SERVER array are extracted into global scope. Typically, this means that register_globals is on. We've talked about this before.

I just went through the code I posted and realized that I forgot to convert one of the $PHP_SELFs into $_SERVER['PHP_SELF']. It's in the if block where the username/password combo was bad.


I also noticed that your original code (and, due to bad judgement on my part, mine) use the shorthand <? tags to open a PHP block. This is also something that can be disabled in the PHP configuration, so you should ALWAYS use "<?php" to open a PHP block.

It's a bad idea to use <? or the ASP-style <% delimiters.


Here's a version of the script that works for me:


<?php
session_start();

require_once("common_db.inc");

function auth_user($userid, $userpassword)
{
    $query = "SELECT emp_id FROM user WHERE userid = '$userid' AND userpassword = password('$userpassword')";
    $result = mysql_query($query);
    if ((FALSE === $result) || !mysql_num_rows($result))
    {
        return FALSE;
    }
    else
    {
        return mysql_result($result, 0);
    }
}

function login_form()
{
?>
<HTML>
    <HEAD>
        <TITLE>Login</TITLE>
    </HEAD>
<BODY>
<FORM METHOD="POST" ACTION="<?php echo $_SERVER['PHP_SELF']; ?>">
    <DIV ALIGN="CENTER"><CENTER>
        <H3>Please log in to access the page you requested.</H3>
    <TABLE BORDER="1" WIDTH="200" CELLPADDING="2">
          <TR>
        <TH WIDTH="18%" ALIGN="RIGHT" NOWRAP>ID</TH>
        <TD WIDTH="82%" NOWRAP>
        <INPUT TYPE="TEXT" NAME="userid" SIZE="8">
         </TD>
         </TR>
         <TR>
        <TH WIDTH="18%" ALIGN="RIGHT" NOWRAP>Password</TH>
                  <TD WIDTH="82%" NOWRAP>

                    <INPUT TYPE="PASSWORD" NAME="userpassword" SIZE="8">
         </TD>
          </TR>
          <TR>
          <TD WIDTH="100%" COLSPAN="2" ALIGN="CENTER" NOWRAP>
                   <INPUT TYPE="SUBMIT" VALUE="LOGIN" NAME="Submit">
                    </TD>
          </TR>
      </TABLE>
       </CENTER></DIV>
</FORM>
</BODY>
</HTML>
<?php
}

if(!isset($_POST['userid']))
{
    login_form();
    exit;
}
else
{
    $_SESSION['userid'] = $_POST['userid'];
    $_SESSION['userpassword'] = $_POST['userpassword'];

    $username = auth_user($_SESSION['userid'], $_SESSION['userpassword']);

    if(FALSE === $username)
    {
        unset($_SESSION['userid']);
        unset($_SESSION['userpassword']);

        echo "Authorization failed. " .
             "You must enter a valid userid and password combo. " .
             "Click on the following link to try again.<BR>\n";
        echo "<A HREF=\"{$_SERVER['PHP_SELF']}\">Login</A><BR>";
        echo "If you're not a member yet, click " .
             "on the following link to register.<BR>\n";
        echo "<A HREF=\"$register_script\">Membership</A>";
        exit;
    }
    else
    {
        echo "Welcome, $username!";
    }
}
?>


Take care,

Nik
http://www.bigaction.org/
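
An added example, not part of the thread or of the Wrox book's code: the auth_user() check from the scripts above, rewritten so that the submitted userid is bound as a query parameter instead of being interpolated into the SQL string, and so that the password is checked with password_hash()/password_verify() rather than MySQL's password(). It assumes PHP 7 or later with the pdo_sqlite extension; the in-memory database, the pw_hash column and the handle_login() helper are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample data standing in for the thread's `user` table.
function make_demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE user (userid TEXT PRIMARY KEY, pw_hash TEXT NOT NULL, emp_id TEXT NOT NULL)');
    $ins = $db->prepare('INSERT INTO user (userid, pw_hash, emp_id) VALUES (?, ?, ?)');
    // A bcrypt hash from password_hash() is 60 characters, so it would not
    // fit the VARCHAR(30) column in the thread's schema.
    $ins->execute(['joe', password_hash('101055', PASSWORD_DEFAULT), 'EMP002']);
    return $db;
}

// Returns the emp_id string on success, false on any failure.
function auth_user(PDO $db, string $userid, string $password)
{
    // The placeholder keeps $userid as data; it never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT emp_id, pw_hash FROM user WHERE userid = ?');
    $stmt->execute([$userid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['pw_hash'])) {
        return false;
    }
    return $row['emp_id'];
}

// $post and $session stand in for $_POST and $_SESSION so this runs from the CLI.
function handle_login(PDO $db, array $post, array &$session): bool
{
    $userid = $post['userid'] ?? '';
    $password = $post['userpassword'] ?? '';
    if (!is_string($userid) || !is_string($password)) {
        return false;               // e.g. userid[]=x arrives as an array
    }
    $empId = auth_user($db, $userid, $password);
    if ($empId === false) {
        return false;
    }
    // In a web request, call session_regenerate_id(true) at this point.
    $session['empid'] = $empId;     // the password is never stored in the session
    return true;
}

$db = make_demo_db();
$session = [];
var_dump(handle_login($db, ['userid' => 'joe', 'userpassword' => '101055'], $session));
var_dump($session);
var_dump(handle_login($db, ['userid' => "jo'e", 'userpassword' => 'x'], $session));
var_dump(handle_login($db, ['userid' => 'joe', 'userpassword' => 'wrong'], $session));
```

A userid containing a quote character is simply a non-matching value here, and a failed login leaves the session array unchanged.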
 
Old January 31st, 2004, 04:10 AM
Authorized User
 
Join Date: Oct 2003
Location: KL, wilayah persekutuan, Malaysia.
Posts: 91
Thanks: 0
Thanked 0 Times in 0 Posts
Default

I made a few changes and now it works well. Thanks for your help, but I still have some questions.
1. I would like to know how to make the $EMP_ID into a session variable.
     I tried typing $_SESSION['empid'] = $_POST['$EMP_ID']; and then displaying it, but it only displays 0.
2. As you can see in my last few lines, I include employeemenu.php and employermenu.php. For example, in employeemenu.php
     I have a link to sales.php. When I clicked the back button in sales.php hoping to get back to employeemenu.php, it displayed the warning below. So how can I solve it?
Warning: Page has Expired The page you requested was created using information you submitted in a form. This page is no longer available. As a security precaution, Internet Explorer does not automatically resubmit your information for you.
To resubmit your information and view this Web page, click the Refresh button.

<?php
session_start();
require_once("common_db.inc");

$link_id = db_connect();
if(!$link_id) die (sql_error());
mysql_select_db("project", $link_id) or die (sql_error());

function auth_user($userid, $userpassword)
{
   $query = "select emp_id from user where userid='$userid' and userpassword=password('$userpassword')";
   $result = mysql_query($query);
   if(!$result) error_message (sql_error());
   if(!mysql_num_rows($result))
    return 0;
   else
   {
    $data= mysql_fetch_row($result);
    return $data[0];
   }
}

function login_form()
{
?>
<HTML>
    <HEAD>
        <TITLE>Login</TITLE>
    </HEAD>
<BODY>
<FORM METHOD="POST" ACTION="<?php echo $_SERVER['PHP_SELF']; ?>">
    <DIV ALIGN="CENTER"><CENTER>
        <H3>Please log in to access the page you requested.</H3>
    <TABLE BORDER="1" WIDTH="200" CELLPADDING="2">
          <TR>
        <TH WIDTH="18%" ALIGN="RIGHT" NOWRAP>ID</TH>
        <TD WIDTH="82%" NOWRAP>
        <INPUT TYPE="TEXT" NAME="userid" SIZE="8">
         </TD>
         </TR>
         <TR>
        <TH WIDTH="18%" ALIGN="RIGHT" NOWRAP>Password</TH>
                  <TD WIDTH="82%" NOWRAP>

                    <INPUT TYPE="PASSWORD" NAME="userpassword" SIZE="8">
         </TD>
          </TR>
          <TR>
          <TD WIDTH="100%" COLSPAN="2" ALIGN="CENTER" NOWRAP>
                   <INPUT TYPE="SUBMIT" VALUE="LOGIN" NAME="Submit">
                    </TD>
          </TR>
      </TABLE>
       </CENTER></DIV>
</FORM>
</BODY>
</HTML>
<?php
}

if(!isset($_POST['userid']))
{
    login_form();
    exit;
}
else
{
    $_SESSION['userid'] = $_POST['userid'];
    $_SESSION['userpassword'] = $_POST['userpassword'];

    $EMP_ID = auth_user($_SESSION['userid'], $_SESSION['userpassword']);

      if(! $EMP_ID)
    {
        unset($_SESSION['userid']);
        unset($_SESSION['userpassword']);

        echo "Authorization failed. " .
             "You must enter a valid userid and password combo. " .
             "Click on the following link to try again.<BR>\n";
        echo "<A HREF=\"{$_SERVER['PHP_SELF']}\">Login</A><BR>";
        echo "If you're not a member yet, click " .
             "on the following link to register.<BR>\n";
        echo "<A HREF=\"$register_script\">Membership</A>";
        exit;
    }
    else
    {
    if($EMP_ID=='manager')
        include "employermenu.php";
    else
        include "employeemenu.php";
    }
}
?>


 
Old February 2nd, 2004, 04:19 PM
Friend of Wrox
 
Join Date: Jun 2003
Location: San Diego, CA, USA
Posts: 836
Thanks: 0
Thanked 0 Times in 0 Posts
Default

Quote:
Originally posted by hosefo81
 I made a few changes and now it works well. Thanks for your help, but I still have some questions.
1. I would like to know how to make the $EMP_ID into a session variable.
     I tried typing $_SESSION['empid'] = $_POST['$EMP_ID']; and then displaying it, but it only displays 0.

Okay, think about what you're doing. $EMP_ID is a variable returned by auth_user. It's a numeric value. You're taking this numeric value and using it as an index into the $_POST array.

The $_POST array contains values submitted by the user in a POST form, so it doesn't really make sense to look for that index there. I mean, do you really have an input in the form whose name is "1" (or whatever EMP_ID you get back from auth_user())?

What you really want to do is this:

$EMP_ID = auth_user(...);

$_SESSION['empid'] = $EMP_ID;

get it?


Quote:
Originally posted by hosefo81
2. As you can see in my last few lines, I include employeemenu.php and employermenu.php. For example, in employeemenu.php
     I have a link to sales.php. When I clicked the back button in sales.php hoping to get back to employeemenu.php, it displayed the warning below. So how can I solve it?
Warning: Page has Expired The page you requested was created using information you submitted in a form. This page is no longer available. As a security precaution, Internet Explorer does not automatically resubmit your information for you.
To resubmit your information and view this Web page, click the Refresh button.

You can't make that error go away unless you use GET to submit form data instead of POST.

Doing this is a bad idea for things like usernames and passwords, since these values will travel as plain text as part of the URL.


Take care,

Nik
http://www.bigaction.org/
 
Old August 20th, 2004, 10:54 AM
Registered User
 
Join Date: Aug 2004
Location: Southampton, , United Kingdom.
Posts: 3
Thanks: 0
Thanked 0 Times in 0 Posts
Default

Quote:
Originally posted by nikolai
 Don't don't don't don't (please please please please) use session_register() or global variables! Especially if your session variables and form variables have the same names.

Just wondered why you say NOT to use session_register -


 
Old August 20th, 2004, 11:28 AM
Friend of Wrox
 
Join Date: Nov 2003
Location: , , .
Posts: 1,285
Thanks: 0
Thanked 2 Times in 2 Posts
Default

Why session_register() is bad.

;)

Snib

<><



