-2

I'm new to web development. Trying to create a login page which processes user information and throws errors on the same page instead of redirecting to error.php. Page refreshes but doesn't show any messages on submit. Here is the code.

<?php
//check if form has been submitted
if(isset($_POST['submit'])) {

//check if the variables are null
if (empty($user) || empty($password) || empty($domain)) {
    $msg = "<p>Username, Password and Domain cannot be blank</p>";
} else {
    //sanitize the data
    $user = htmlspecialchars (stripslashes (trim ($_POST['user'])));
    $password = htmlspecialchars (stripslashes (trim ($_POST['password'])));
    $domain = htmlspecialchars (stripslashes (trim ($_POST['domain'])));

    //access group variables
    $sausers = "user accounts not member of below groups which need admin access";
    $sagroup = "user group which needs admin access";
    $agroup = "user group which needs user access";
    //$accesslevel = 0;

    //assign LDAP variables based on user domain
    if ($domain == "domain"){
        $ldap_host = "childdomain.domain.com";
        $ldap_user = $user."@childdomain.domain.com";
        $ldap_dn = "DC=childdomain,DC=domain,DC=com";
    }

    //Connect to LDAP Directory
    $ldap = ldap_connect($ldap_host);
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION,3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS,0);
    If ($bind = @ldap_bind($ldap,$ldap_user,$password)) {

        //authentication against AD successful
        $filter = "(sAMAccountName=".$user.")";
        $attr = array("memberof");
        if ($result = ldap_search($ldap, $ldap_dn, $filter, $attr)) {
            $groups = ldap_get_entries($ldap, $result);
            ldap_unbind($ldap);

            //check if user is listed in $sausers
            If(strops($sausers, $user) != false) {
                //access granted - ideally redirect to admin page
                $msg = "<p>Welcome Super Admin</p>";
            }
            //check if user is member of admin team
            foreach($groups[0]['memberof'] as $group) {

                // check if user is a member of admin team
                if(strpos($group, $sagroup) != false) {
                    //access granted - ideally redirect to admin page
                    $msg = "<p>Welcome Super Admin</p>";
                } elseif (strpos($group, $agroup) != false) {
                   //access granted - ideally redirect to admin page
                    $msg = "<p>Welcome user</p>";
                }
            }
        } else {
            //Unable to search LDAP server
            ldap_unbind($ldap);
            $msg = "<p>We are facing issues with LDAP search at this time. Please report this issue to us by emailing emailaddress</p>";
        }
    } else {
        //AD authentication failed
        $msg = "<p>Domain Authentication Failed!!! Please try again.</p>";
    }
}
   }
?>
<!DOCTYPE html>
<html lang="en"> 
<head>
  <meta charset="utf-8">
  <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
  <title>Admin Login</title>
  <link rel="stylesheet" href="css/login.css">
</head>
<body>
 <div class="logincontainer">
<div class="login">
    <h1>RCP Ops Admin Console Login</h1>
        <form action="<?php htmlentities(urldecode($_SERVER['PHP_SELF']));?>" method="post">
        <p><b></b><input type="text" name="user" value="" placeholder="user" required autocomplete="off"></p>
        <p><b> </b><input type="password" name="password" value="" placeholder="Password" required autocomplete="off"></p>
        <p><select name="domain" placeholder="Domain">
            <option value="Select DOMAIN">DOMAIN</option>
            <option value="NANET">childdomain1</option>
            <option value="EUNET">childdomain2</option>
            <option value="APNET">childdomain3</option>
            <option value="JPNET">childdomain4</option>
        </select>
        </p>
        <p class="submit"><input type="submit" name="submit" value="Login"></p>
    </form>
</div>
</div>
<div class="error">
    <?print "<p>.$msg.</p>";?>
</div>

The page will refresh and reset the form, but will not show any message.

Lelio Faieta
Ravi

1 Answer

0

You forgot to reopen the php tag here:

<div class="error">
    <?print "<p>.$msg.</p>";?>
</div>

It should be:

<div class="error">
    <?php print "<p>.$msg.</p>";?>
</div>
  • I assumed that is the same as – Ravi Apr 05 '17 at 15:55
  • I'm trying to deliberately enter wrong credentials and it still doesn't show any messages. Same with correct credentials as well. I'm wondering if the php code is being processed at all at this point. – Ravi Apr 05 '17 at 16:02
  • @Ravi Have you tried `print_r($_POST)` or `var_dump()`? Are your pages running on an actual web server or are you just opening them locally? – j08691 Apr 05 '17 at 16:13
  • pages are on an actual webserver (webserver IIS 8.5 on 2012R2) and I'm accessing them from a different machine. print_r() or var_dump() doesn't change the result either. – Ravi Apr 05 '17 at 16:42
  • Can you give us the link to the hosted page? – Mohammed Bakr Sikal Apr 05 '17 at 16:43
  • it is not a public web server. it is hosted for user by internals (intranet site) – Ravi Apr 05 '17 at 16:52
  • `print_r($_POST)` and `var_dump()` won't change the results but they should be showing you the data being passed from the form to your script. Are you seeing that? – j08691 Apr 05 '17 at 17:06
  • I added Array ( [user] => asdf [password] => asdf [domain] => NANET [submit] => Login ) array(4) { ["user"]=> string(4) "asdf" ["password"]=> string(4) "asdf" ["domain"]=> string(5) "NANET" ["submit"]=> string(5) "Login" } Username, Password and Domain cannot be blank – Ravi Apr 05 '17 at 17:27
  • I added and this is what I got. Out of the blue $msg is now displayed in the page. I swear I didn't make any changes whatsoever!!! - Array ( [user] => asdf [password] => asdf [domain] => NANET [submit] => Login ) - array(4) { ["user"]=> string(4) "asdf" ["password"]=> string(4) "asdf" ["domain"]=> string(5) "NANET" ["submit"]=> string(5) "Login" } - Username, Password and Domain cannot be blank Now the issue is that the same $msg is displayed always. Looks like script won't process the rest of the php code. – Ravi Apr 05 '17 at 17:34
  • I don't know why the script wouldn't go past checking null variables. But I went around it and just removed that part of the script since I have added "required" in the forms and user cannot submit a null input. Now I'm getting the desired output behaviour. Still confused though as to how it started working out of nowhere!!! Thanks for the help j08691 and Mohammed!!! – Ravi Apr 05 '17 at 17:52
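
The thread ends with the server-side blank check removed in favour of the form's `required` attribute, which only the browser enforces. As an added example (not the asker's or the answerer's code), the block below reads the fields from `$_POST` before testing them, rejects an empty password before any bind, escapes the search filter with `ldap_escape()`, and HTML-escapes the message only at output. The function names and the sample request are constructed for illustration.

```php
<?php
// Added example, not the asker's code. Function names and the sample
// request below are constructed. Requires PHP's ldap extension.

// Read the posted fields first, then test them. Returns [fields, error].
function read_login_fields(array $post): array
{
    $fields = [];
    foreach (['user', 'password', 'domain'] as $name) {
        $value = $post[$name] ?? '';
        if (!is_string($value)) {
            return [null, 'Invalid form data'];
        }
        // Trim user and domain; the password is sent to the bind unchanged,
        // because htmlspecialchars() or trim() would alter it.
        $fields[$name] = ($name === 'password') ? $value : trim($value);
        // Server-side check: an empty password must never reach ldap_bind(),
        // since a simple bind with an empty password is an unauthenticated
        // bind that a directory server may accept.
        if ($fields[$name] === '') {
            return [null, 'Username, Password and Domain cannot be blank'];
        }
    }
    return [$fields, null];
}

// Build the search filter with LDAP filter escaping instead of HTML escaping.
function build_user_filter(string $user): string
{
    return '(sAMAccountName=' . ldap_escape($user, '', LDAP_ESCAPE_FILTER) . ')';
}

// Substring test as in the question, but with !== so a match at offset 0 counts.
function is_member(array $memberOf, string $group): bool
{
    unset($memberOf['count']); // ldap_get_entries() adds a "count" element
    foreach ($memberOf as $dn) {
        if (strpos($dn, $group) !== false) {
            return true;
        }
    }
    return false;
}

// Constructed sample request, matching the form's field names.
$post = ['user' => ' j*doe ', 'password' => 'p<ss&word', 'domain' => 'NANET'];
[$fields, $error] = read_login_fields($post);
$msg = $error ?? 'Filter: ' . build_user_filter($fields['user']);
// HTML-escape once, at output time.
echo '<p>' . htmlspecialchars($msg, ENT_QUOTES, 'UTF-8') . "</p>\n";
```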