-6

I am creating a login page for my website. I spent a day learning PHP and wrote something which works. However, I cannot style the output. How can I do this (probably a really noobish question)?

Basically here is my code for the login page:

<?php
    session_start();
    // dBase file
    include "dbConfig.php";

    if ($_GET["op"] == "login")
    {
       if (!$_POST["username"] || !$_POST["password"])
       {
         die("You need to provide a username and password.");
       }

       // Create query
       $q = "SELECT * FROM `dbusers` "
       ."WHERE `username`='".$_POST["username"]."' "
       ."AND `password`=PASSWORD('".$_POST["password"]."') "
       ."LIMIT 1";
       // Run query
       $r = mysql_query($q);

      if ( $obj = @mysql_fetch_object($r) )
      {
        // Login good, create session variables
        $_SESSION["valid_id"] = $obj->id;
        $_SESSION["valid_user"] = $_POST["username"];
        $_SESSION["valid_time"] = time();

        // Redirect to member page
        Header("Location: members.php");
      }
      else
      {
        // Login not successful
        die("Sorry, could not log you in. Wrong login information.");
      }
   }
   else
   {
    //If all went right the Web form appears and users can log in
    echo "<form action=\"?op=login\" method=\"POST\">";
    echo "Username: <input name=\"username\" size=\"15\"><br />";
    echo "Password: <input type=\"password\" name=\"password\" size=\"8\"><br />";
    echo "<input type=\"submit\" value=\"Login\">";
    echo "</form>";
   }
 ?>

Now, this all works fine. I just need to make it look a little nicer. I am wondering how to do it? I have a CSS file which is styling the header, menus, background, etc. This styling works fine. Thanks for the help

zsaat14
Marriott81

2 Answers

1

You also have to improve this script. I'm sorry, but it is real rubbish. You aren't escaping strings so you're vulnerable to SQL injection, you are using the deprecated 'mysql_query' instead of 'PDO', you suppress errors ('@') and so on. I know that you learned it in 1 day, but it's better to learn it well from the start than to mess around, even if it 'works for you'.

GuyT
  • and this is why it's on a localhost on my enclosed server rather than live. – Marriott81 Jan 10 '14 at 12:50
  • 1
    It's not that I want to offend you. I'm just giving some advice. I understand it's on your localhost, but if you really want to learn PHP you better do it right from the start.. Good luck anyway. ps. To answer your question: use CSS and give your elements a class or id. – GuyT Jan 10 '14 at 12:55
  • hmm maybe a better choice of wording eh? s'all good.. however having someone come in when you have just learnt something and tell you it's rubbish does sting a bit.. maybe you could help me out and post how I would fix this? have read about SQL injection but still struggling with it.. – Marriott81 Jan 10 '14 at 12:58
  • @Marriott81 You've come on here to improve your understanding and you've received some great feedback. Try not to take it so personally. And remember that there is a difference between attacking an individual's personality and their behaviours. That script *is* rubbish. Doesn't mean you are :-) – 8bitjunkie Jan 10 '14 at 13:10
  • haha fair, as stated learnt it in a small space of time for my company.. if someone could help me correct it to stop the injection would be very handy.. still can't get my head around it.. – Marriott81 Jan 10 '14 at 13:56
  • Just get rid of 'mysql_*'. You have to dive into PDO (http://nl1.php.net/pdo) and use prepared statements. Maybe it's better to teach you a bit about SQL injection (basic): at this moment you are inserting data directly into your database fields. If you put malicious characters into an input field you can execute your own SQL statements (take a look at http://en.wikipedia.org/wiki/SQL_injection and you'll understand it). If you want to leave your code intact you have to use `mysql_real_escape_string()` (http://nl3.php.net/mysql_real_escape_string) – GuyT Jan 10 '14 at 14:14
1

Use CSS and add classes/IDs to your code, e.g:

echo "<form class=\"red\" action=\"?op=login\" method=\"POST\">";
echo "Username: <input name=\"username\" size=\"15\"><br />";
echo "Password: <input type=\"password\" name=\"password\" size=\"8\"><br />";
echo "<input type=\"submit\" value=\"Login\">";
echo "</form>";

and have in your CSS file, for example:

.red{
    background-color:red;
}

See here for some ideas. As mentioned by @GuyT, you need to change the way you are using your POST variables; your code is at risk of SQL injection, which could allow a user to access/delete/alter your database pretty easily. See here for help.

Community
tomsullivan1989
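
The prepared-statement approach that both answers point to, as an added example that is not code from the question or from either answerer. It assumes PDO with an in-memory SQLite database standing in for MySQL, swaps MySQL's PASSWORD() for PHP's password_hash()/password_verify(), and uses the hypothetical helpers addUser() and checkLogin() with constructed accounts.

```php
<?php
// Added example with constructed data. In-memory SQLite keeps it runnable
// offline; on the question's setup the DSN would point at MySQL (assumption).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$pdo->exec('CREATE TABLE dbusers (
    id INTEGER PRIMARY KEY,
    username TEXT UNIQUE NOT NULL,
    password TEXT NOT NULL)');

// Hypothetical helper: store a salted hash from password_hash(),
// not the output of MySQL's PASSWORD().
function addUser(PDO $pdo, string $username, string $password): void
{
    $stmt = $pdo->prepare('INSERT INTO dbusers (username, password) VALUES (:u, :p)');
    $stmt->execute([':u' => $username, ':p' => password_hash($password, PASSWORD_DEFAULT)]);
}

// Hypothetical helper: returns the user id on success, null on any failure.
function checkLogin(PDO $pdo, string $username, string $password): ?int
{
    // The SQL text is fixed; user input travels separately as a bound value,
    // so quotes in it can never change the structure of the query.
    $stmt = $pdo->prepare('SELECT id, password FROM dbusers WHERE username = :u LIMIT 1');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    return (int) $row['id'];
}

// Constructed sample accounts; the second name contains a quote character.
addUser($pdo, 'alice', 'correct horse');
addUser($pdo, "o'brien", 'battery staple');

var_dump(checkLogin($pdo, 'alice', 'correct horse'));    // matching credentials
var_dump(checkLogin($pdo, 'alice', 'wrong'));            // wrong password
var_dump(checkLogin($pdo, "o'brien", 'battery staple')); // quote handled as data
var_dump(checkLogin($pdo, "o'brian", 'battery staple')); // unknown name with a quote
```

On a successful result the session variables from the question can be set as before, using the returned id.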