i have a login.php that will check the authentication of the user.
however, when i type a wrong userid and password or a real userid and password,
it just refresh the page.
Please tell me what's wrong with it.i follow the example from the wrox beginning php book.

<?php
session_start();
include "common_db.inc";


function auth_user($userid, $userpassword)
{
    $query = "SELECT emp_id FROM user WHERE userid = '$userid' AND userpassword = password('$userpassword')";
    $result = mysql_query($query);
    if(!mysql_num_rows($result))
        return 0;
    else
    {
        $query_data = mysql_fetch_row($result);
        return $query_data[0];
    }
}

function login_form()
{
    global $PHP_SELF;
?>
<HTML>
    <HEAD>
        <TITLE>Login</TITLE>
    </HEAD>
<BODY>
<FORM METHOD="POST" ACTION="<? echo $PHP_SELF ?>">
    <DIV ALIGN="CENTER"><CENTER>
        <H3>Please log in to access the page you requested.</H3>
    <TABLE BORDER="1" WIDTH="200" CELLPADDING="2">
          <TR>
        <TH WIDTH="18%" ALIGN="RIGHT" NOWRAP>ID</TH>
        <TD WIDTH="82%" NOWRAP>
        <INPUT TYPE="TEXT" NAME="userid" SIZE="8">
         </TD>
         </TR>
         <TR>
        <TH WIDTH="18%" ALIGN="RIGHT" NOWRAP>Password</TH>
                  <TD WIDTH="82%" NOWRAP>

                    <INPUT TYPE="PASSWORD" NAME="userpassword" SIZE="8">
         </TD>
          </TR>
          <TR>
          <TD WIDTH="100%" COLSPAN="2" ALIGN="CENTER" NOWRAP>
                   <INPUT TYPE="SUBMIT" VALUE="LOGIN" NAME="Submit">
                    </TD>
          </TR>
      </TABLE>
       </CENTER></DIV>
</FORM>
</BODY>
</HTML>
<?
}

if(!isset($userid))
{
    login_form();
    exit;
}
else
{
    session_register("userid", "userpassword");
    $username = auth_user($userid, $userpassword);
    if(!$username)
    {
        session_unregister("userid");

         session_unregister("userpassword");
         echo "Authorization failed. " .
                "You must enter a valid userid and password combo. " .
                "Click on the following link to try again.<BR>\n";
                 echo "<A HREF=\"$PHP_SELF\">Login</A><BR>";
                 echo "If you're not a member yet, click " .
               "on the following link to register.<BR>\n";
                 echo "<A HREF=\"$register_script\">Membership</A>";
        exit;
      }
     else echo "Welcome, $username!";
}
?>

Don't don't don't don't (please please please please) use session_register() or global variables! Especially if your session variables and form variables have the same names.

What is your register_globals set to in php.ini?


Here's a functionally equivalent replacement for your script that does NOT rely on register_globals = on:


<?php
session_start();
include "common_db.inc";


function auth_user($userid, $userpassword)
{
    $query = "SELECT emp_id FROM user WHERE userid = '$userid' AND userpassword = password('$userpassword')";
    $result = mysql_query($query);
    if ((FALSE === $result) || !mysql_num_rows($result))
    {
        return FALSE;
    }
    else
    {
        $query_data = mysql_fetch_row($result);
        return $query_data[0];
    }
}

function login_form()
{
?>
<HTML>
    <HEAD>
        <TITLE>Login</TITLE>
    </HEAD>
<BODY>
<FORM METHOD="POST" ACTION="<? echo $_SERVER['PHP_SELF']; ?>">
    <DIV ALIGN="CENTER"><CENTER>
        <H3>Please log in to access the page you requested.</H3>
    <TABLE BORDER="1" WIDTH="200" CELLPADDING="2">
          <TR>
        <TH WIDTH="18%" ALIGN="RIGHT" NOWRAP>ID</TH>
        <TD WIDTH="82%" NOWRAP>
        <INPUT TYPE="TEXT" NAME="userid" SIZE="8">
         </TD>
         </TR>
         <TR>
        <TH WIDTH="18%" ALIGN="RIGHT" NOWRAP>Password</TH>
                  <TD WIDTH="82%" NOWRAP>

                    <INPUT TYPE="PASSWORD" NAME="userpassword" SIZE="8">
         </TD>
          </TR>
          <TR>
          <TD WIDTH="100%" COLSPAN="2" ALIGN="CENTER" NOWRAP>
                   <INPUT TYPE="SUBMIT" VALUE="LOGIN" NAME="Submit">
                    </TD>
          </TR>
      </TABLE>
       </CENTER></DIV>
</FORM>
</BODY>
</HTML>
<?
}

if(!isset($_POST['userid']))
{
    login_form();
    exit;
}
else
{
    $_SESSION['userid'] = $_POST['userid'];
    $_SESSION['userpassword'] = $_POST['userpassword'];

    $username = auth_user($userid, $userpassword);

    if(FALSE === $username)
    {
        unset($_SESSION['userid']);
        unset($_SESSION['userpassword']);

        echo "Authorization failed. " .
             "You must enter a valid userid and password combo. " .
             "Click on the following link to try again.<BR>\n";
        echo "<A HREF=\"$PHP_SELF\">Login</A><BR>";
        echo "If you're not a member yet, click " .
             "on the following link to register.<BR>\n";
        echo "<A HREF=\"$register_script\">Membership</A>";
        exit;
    }
    else
    {
        echo "Welcome, $username!";
    }
}
?>


Try that, let me know if it works.


Take care,

Nik
http://www.bigaction.org/

Thanks nikolai!
i will try it. but i can only reply you on the 26 jan because i'm now in hometown celebrating chinese new year.

thanks nikolai! The login form works now. However, i encounter two more problems.
1. when i entered a wrong userid and password. the following is displayed.
    Authorization failed. You must enter a valid userid and password combo. Click on the following link to try again.Login

but when i clicked the Login hyperlink, the following is displayed instead of displaying the login form. Please tell me why and how to solve it.
    Forbidden
    You don't have permission to access / on this server.
    Apache/1.3.28 Server at localhost Port 80

2. the login form will keep displayed authorization failed even though i entered a existing userid and password. i try to query it from mysql and it works fine. Below are my table and values entered.
CREATE TABLE USER
(
    USERID VARCHAR(8) NOT NULL,
    USERPASSWORD VARCHAR(30) NOT NULL,
    EMP_ID VARCHAR(6) NOT NULL,
    PRIMARY KEY(USERID),
    FOREIGN KEY (EMP_ID) REFERENCES EMPLOYEE,
);

INSERT INTO USER VALUES ('HUAN', password('100388'), 'EMP001');
INSERT INTO USER VALUES ('JOE', password('101055'), 'EMP002');

//these queries works fine in the mysql
SELECT emp_id FROM user WHERE userid = 'joe' AND userpassword = password('101055');
SELECT emp_id FROM user WHERE userid = 'huan' AND userpassword = password('100388');

when i entered joe in the userid textbox and 101055 in the password textbox and
huan in the userid textbox and 100388 in the password textbox, it displayed authorization failed instead of displaying Welcome, $username!

i think that my problem is with the code $_SERVER['PHP_SELF']. is there any configuration that i need to do to use it?
Please help!

No. $_SERVER['PHP_SELF'] should exist always, that's why you should use it. $PHP_SELF only exists when the contents of the $_SERVER array are extracted into global scope. Typically, this means that register_globals is on. We've talked about this before.

I just went through the code I posted and realized that I forgot to convert one of the $PHP_SELFs into $_SERVER['PHP_SELF']. It's in the if block where the username/password combo was bad.


I also noticed that your original code (and, due to bad judgement on my part, mine) use the shorthand <? tags to open a PHP block. This is also something that can be disabled in the PHP configuration, so you should ALWAYS use "<?php" to open a PHP block.

It's a bad idea to use <? or the ASP-style <% delimiters.


Here's a version of the script that works for me:


<?php
session_start();

require_once("common_db.inc");

function auth_user($userid, $userpassword)
{
    $query = "SELECT emp_id FROM user WHERE userid = '$userid' AND userpassword = password('$userpassword')";
    $result = mysql_query($query);
    if ((FALSE === $result) || !mysql_num_rows($result))
    {
        return FALSE;
    }
    else
    {
        return mysql_result($result, 0);
    }
}

function login_form()
{
?>
<HTML>
    <HEAD>
        <TITLE>Login</TITLE>
    </HEAD>
<BODY>
<FORM METHOD="POST" ACTION="<?php echo $_SERVER['PHP_SELF']; ?>">
    <DIV ALIGN="CENTER"><CENTER>
        <H3>Please log in to access the page you requested.</H3>
    <TABLE BORDER="1" WIDTH="200" CELLPADDING="2">
          <TR>
        <TH WIDTH="18%" ALIGN="RIGHT" NOWRAP>ID</TH>
        <TD WIDTH="82%" NOWRAP>
        <INPUT TYPE="TEXT" NAME="userid" SIZE="8">
         </TD>
         </TR>
         <TR>
        <TH WIDTH="18%" ALIGN="RIGHT" NOWRAP>Password</TH>
                  <TD WIDTH="82%" NOWRAP>

                    <INPUT TYPE="PASSWORD" NAME="userpassword" SIZE="8">
         </TD>
          </TR>
          <TR>
          <TD WIDTH="100%" COLSPAN="2" ALIGN="CENTER" NOWRAP>
                   <INPUT TYPE="SUBMIT" VALUE="LOGIN" NAME="Submit">
                    </TD>
          </TR>
      </TABLE>
       </CENTER></DIV>
</FORM>
</BODY>
</HTML>
<?php
}

if(!isset($_POST['userid']))
{
    login_form();
    exit;
}
else
{
    $_SESSION['userid'] = $_POST['userid'];
    $_SESSION['userpassword'] = $_POST['userpassword'];

    $username = auth_user($_SESSION['userid'], $_SESSION['userpassword']);

    if(FALSE === $username)
    {
        unset($_SESSION['userid']);
        unset($_SESSION['userpassword']);

        echo "Authorization failed. " .
             "You must enter a valid userid and password combo. " .
             "Click on the following link to try again.<BR>\n";
        echo "<A HREF=\"{$_SERVER['PHP_SELF']}\">Login</A><BR>";
        echo "If you're not a member yet, click " .
             "on the following link to register.<BR>\n";
        echo "<A HREF=\"$register_script\">Membership</A>";
        exit;
    }
    else
    {
        echo "Welcome, $username!";
    }
}
?>


Take care,

Nik
http://www.bigaction.org/

i made a few changes and now it works well. Thanks for your help but i still have some questions.
1. I would like to know how to make the $EMP_ID into session variables?
     I try by typing $_SESSION['empid'] = $_POST['$EMP_ID']; and then display it but it only display 0;
2. As you can see in my last few lines, i include the employeemenu.php and employermenu.php. For example, in employeemenu.php
     i have a link to sales.php.when i clicked the back button in sales.php hoping to get back to employeemenu.php, it displays the warning below.So how can i make the solved it?
Warning: Page has Expired The page you requested was created using information you submitted in a form. This page is no longer available. As a security precaution, Internet Explorer does not automatically resubmit your information for you.
To resubmit your information and view this Web page, click the Refresh button.

<?php
session_start();
require_once("common_db.inc");

$link_id = db_connect();
if(!$link_id) die (sql_error());
mysql_select_db("project", $link_id) or die (sql_error());

function auth_user($userid, $userpassword)
{
   $query = "select emp_id from user where userid='$userid' and userpassword=password('$userpassword')";
   $result = mysql_query($query);
   if(!$result) error_message (sql_error());
   if(!mysql_num_rows($result))
    return 0;
   else
   {
    $data= mysql_fetch_row($result);
    return $data[0];
   }
}

function login_form()
{
?>
<HTML>
    <HEAD>
        <TITLE>Login</TITLE>
    </HEAD>
<BODY>
<FORM METHOD="POST" ACTION="<?php echo $_SERVER['PHP_SELF']; ?>">
    <DIV ALIGN="CENTER"><CENTER>
        <H3>Please log in to access the page you requested.</H3>
    <TABLE BORDER="1" WIDTH="200" CELLPADDING="2">
          <TR>
        <TH WIDTH="18%" ALIGN="RIGHT" NOWRAP>ID</TH>
        <TD WIDTH="82%" NOWRAP>
        <INPUT TYPE="TEXT" NAME="userid" SIZE="8">
         </TD>
         </TR>
         <TR>
        <TH WIDTH="18%" ALIGN="RIGHT" NOWRAP>Password</TH>
                  <TD WIDTH="82%" NOWRAP>

                    <INPUT TYPE="PASSWORD" NAME="userpassword" SIZE="8">
         </TD>
          </TR>
          <TR>
          <TD WIDTH="100%" COLSPAN="2" ALIGN="CENTER" NOWRAP>
                   <INPUT TYPE="SUBMIT" VALUE="LOGIN" NAME="Submit">
                    </TD>
          </TR>
      </TABLE>
       </CENTER></DIV>
</FORM>
</BODY>
</HTML>
<?php
}

if(!isset($_POST['userid']))
{
    login_form();
    exit;
}
else
{
    $_SESSION['userid'] = $_POST['userid'];
    $_SESSION['userpassword'] = $_POST['userpassword'];

    $EMP_ID = auth_user($_SESSION['userid'], $_SESSION['userpassword']);

      if(! $EMP_ID)
    {
        unset($_SESSION['userid']);
        unset($_SESSION['userpassword']);

        echo "Authorization failed. " .
             "You must enter a valid userid and password combo. " .
             "Click on the following link to try again.<BR>\n";
        echo "<A HREF=\"{$_SERVER['PHP_SELF']}\">Login</A><BR>";
        echo "If you're not a member yet, click " .
             "on the following link to register.<BR>\n";
        echo "<A HREF=\"$register_script\">Membership</A>";
        exit;
    }
    else
    {
    if($EMP_ID=='manager')
        include "employermenu.php";
    else
        include "employeemenu.php";
    }
}
?>

Okay, think about what you're doing. $EMP_ID is a variable returned by auth_user. It's a numeric value. You're taking this numeric value and using it as an index in to the $_POST array.

The $_POST array contains values submitted by the user in a POST form, so it doesn't really make sense to look for that index there. I mean, do you really have an input in the form who's name is "1" (or whatever EMP_ID you get back from auth_user()?

What you really want to do is this:

$EMP_ID = auth_user(...);

$_SESSION['empid'] = $emp_id;

get it?


You can't make that error go away unless you use GET to submit form data instead of POST.

Doing this is a bad idea for things like usernames and passwords, since these values will travel as plain text as part of the URL.


Take care,

Nik
http://www.bigaction.org/

[quote]Originally posted by nikolai
 Don't don't don't don't (please please please please) use session_register() or global variables! Especially if your session variables and form variables have the same names.

Just wondered why you say NOT to use session_register -

Why session_register() is bad.

;)

Snib

<><