0

Question about a form validation message. My form validation message (via PHP) is appearing in the header after the user submits the form.

How do I get the message to appear in the body (beneath the form)? Code below. Screenshot attached for clarification.

```php
<?php
/* Check User Script */
session_start();  // Start Session

include 'db.php';
// Convert to simple variables
$username = $_POST['username'];
$password = $_POST['password'];

if((!$username) || (!$password)){
    echo "Please enter ALL of the information! <br />";
    include 'login_form.html';
    exit();
}

// Convert password to md5 hash
$password = md5($password);

// check if the user info validates the db
$sql = mysql_query("SELECT
* 
FROM users u
WHERE 
username='$username' 
AND password='$password' 
AND activated='1'
AND u.email_address IN (SELECT email from authorized_doctors)
  ");
$login_check = mysql_num_rows($sql);

if($login_check > 0){
    while($row = mysql_fetch_array($sql)){
        foreach( $row AS $key => $val ){
            $$key = stripslashes( $val );
        }
        // Register some session variables!
        session_start('first_name');
        $_SESSION['first_name'] = $first_name;
        session_start('last_name');
        $_SESSION['last_name'] = $last_name;
        session_start('email_address');
        $_SESSION['email_address'] = $email_address;
        session_start('special_user');
        $_SESSION['user_level'] = $user_level;

        mysql_query("UPDATE users SET last_login=now() WHERE
    userid='$userid'");

        header("Location: login_success.php");
    }
} else {
    echo "<br>You could not be logged in! Either the username and
password do not match or you have not validated your membership!
Please try again!<br />";
    include 'login_form.html';
}
?>
```
J Castle
  • ***Please [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php).*** [These extensions](http://php.net/manual/en/migration70.removed-exts-sapis.php) have been removed in PHP 7. Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [PDO](http://php.net/manual/en/pdo.prepared-statements.php) and [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and consider using PDO, [it's really pretty easy](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Jan 25 '17 at 16:40
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)***. Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Jan 25 '17 at 16:40
  • ***You really shouldn't use [MD5 password hashes](http://security.stackexchange.com/questions/19906/is-md5-considered-insecure)*** and you really should use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. Make sure you [don't escape passwords](http://stackoverflow.com/q/36628418/1011527) or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Jan 25 '17 at 16:40
  • Store the message in a variable and then echo the variable in the location you wish it to appear. – Jay Blanchard Jan 25 '17 at 16:41
  • @JayBlanchard do you use some bot or something to parse the post data and output these comments? – Felippe Duarte Jan 25 '17 at 16:43
  • I have some...let's call them macros @FelippeDuarte ¯\\_(ツ)_/¯ – Jay Blanchard Jan 25 '17 at 16:44

2 Answers

1

Just output the data you want AFTER your include:

```php
...
} else {
    include 'login_form.html';
    echo "<br>You could not be logged in! Either the 
              username and password do not match or you have not validated your membership!
             Please try again!<br />";
}
?>
```
Felippe Duarte
1

You could assign the message to a variable and output this variable in the position you want. For example:

```php
$message = '<br>You could not be logged in! Either the username and
password do not match or you have not validated your membership!
Please try again!<br />';

include 'login_form.php';
```

And in the login_form.php something like:

```php
...
<a href="">Forgot password?</a>
<?php echo $message; ?>
...
```
antesoles
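
Added example, not part of the original question or answers: the login check from the question combined with the comments' suggestions (a PDO prepared statement and `password_hash()`/`password_verify()`) and the answers' approach of holding the message in a variable and printing it beneath the form. The table and column names come from the question; the in-memory SQLite database, its sample rows, and the assumption that the `password` column stores `password_hash()` output are constructed for illustration.

```php
<?php
// Added example: constructed in-memory SQLite data stands in for the real MySQL db.
function check_login(PDO $pdo, string $username, string $password): ?array
{
    // Placeholders keep user input out of the SQL text.
    $stmt = $pdo->prepare(
        "SELECT u.userid, u.first_name, u.password
           FROM users u
          WHERE u.username = :username
            AND u.activated = '1'
            AND u.email_address IN (SELECT email FROM authorized_doctors)"
    );
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Assumption: the password column holds password_hash() output, not MD5.
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    $pdo->prepare('UPDATE users SET last_login = CURRENT_TIMESTAMP WHERE userid = ?')
        ->execute([$row['userid']]);
    return $row;
}

function render_login_page(string $message = ''): string
{
    // The message is a variable printed beneath the form, escaped for HTML.
    $safe = htmlspecialchars($message, ENT_QUOTES, 'UTF-8');
    return '<form method="post">'
         . '<input name="username"> <input type="password" name="password">'
         . '<button>Log in</button></form>'
         . ($safe !== '' ? "<p class=\"error\">$safe</p>" : '');
}

// Constructed sample data so the example runs offline.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE users (userid INTEGER PRIMARY KEY, username TEXT, password TEXT,
            first_name TEXT, email_address TEXT, activated TEXT, last_login TEXT)');
$pdo->exec('CREATE TABLE authorized_doctors (email TEXT)');
$pdo->exec("INSERT INTO authorized_doctors VALUES ('doc@example.test')");
$pdo->prepare("INSERT INTO users VALUES (1, 'doc', ?, 'Dana', 'doc@example.test', '1', NULL)")
    ->execute([password_hash('correct horse', PASSWORD_DEFAULT)]);

// One valid login, one unknown username containing a quote, one empty password.
foreach ([['doc', 'correct horse'], ["o'neil", 'x'], ['doc', '']] as [$u, $p]) {
    $user = ($u !== '' && $p !== '') ? check_login($pdo, $u, $p) : null;
    echo $user ? "Welcome, {$user['first_name']}\n"
               : render_login_page('You could not be logged in! Please try again!') . "\n";
}
```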