
I have a login form that does the following:

  • It accepts users that are registered, with a redirecting logon message.
  • It tells you that you need to register if your username/password is not in the system.

When nothing is entered into the username/password form, it redirects to a page that has sensitive MySQL data... how do I add a PHP message that yells at the user to put in information?

if ($numrows != 0)
{
    $user = mysql_fetch_assoc($query);
    echo "Welcome, " . $username . ", you are being directed to the <a href=\"page.php\">.</a>";
    $_SESSION['username'] = $user['username'];
}
else
{
    echo "Please re-enter your username and password. If you don't have those, please <a href=\".php\">register</a>.";
}
  • I think the problem is in the query that is above the code you have listed here. – Sabeen Malik Aug 05 '11 at 01:23
  • I'd put a check on the destination page if I were you. Have a check in PHP that says something like `if( $user == null ){ header("location: notallowed.php"); }`. Also, it sounds like MySQL is throwing an error message. See if you can fix your query. Afterwards have a look at this topic: http://stackoverflow.com/questions/2471471/how-to-hide-an-error-message – James P. Aug 05 '11 at 01:28
  • The _real_ fault here is that you make your "sensitive mysql data" available to anyone who just happens to casually browse to "page.php". What's that about? – Lightness Races in Orbit Aug 05 '11 at 01:28

5 Answers

2

how do I add a php message that yells at the user to put in information?

Something like this:

if( !isset( $_POST['username'] ) || !isset( $_POST['password'] ) ){
    // Reject the request if EITHER field is missing (with && a request
    // carrying only a username would slip through)
    // This won't show if you use a header redirect
    echo "YOU MUST ENTER A LOGIN";

    exit; // Halt execution if necessary
}

Add some checks for empty() if needed.

Alternatively, do this if you're using a session/cookies and some sort of User object:

if( $user == null || !$user->isConnected() ){
    // This won't show if you use a header redirect
    echo "YOU MUST ENTER A LOGIN";

    exit; // Halt execution if necessary
}

P.S: echo and exit can be combined as:

die("YOU MUST ENTER A LOGIN");
James P.
  • Considering he's already using sessions, he could utilize that to hold the error and redirect; using exit in this way would ruin continuity. – Lawrence Cherone Aug 05 '11 at 01:46
  • @Lawrence Cherone: You're right. I tend to have this reflex of putting an exit anywhere that's sensitive. Obviously, this isn't always the good solution. – James P. Aug 05 '11 at 01:51
  • I tried this as a test and no luck: if( $username == null ) { header('location: http://www.ask.com/'); exit; } – Matthew24 Aug 05 '11 at 01:51
  • @Matthew24: The $_POST checks need to be placed in the destination page. Check the action attribute on your form. The action can be pointing on the login page so the check simply reloads it. Do make sure the page with protected content has a check on it to prevent unauthorized access though. – James P. Aug 05 '11 at 01:52
  • the method is POST on the html form and I have what I think are called "globals" set with my POSTs. Is this right? It does work. – Matthew24 Aug 05 '11 at 01:56
  • I do like the setup of the code using the code I posted a few comments up... is it possible to do it like that? It's very neat – Matthew24 Aug 05 '11 at 01:58
  • i meant the comment in this answer block – Matthew24 Aug 05 '11 at 02:10
  • To check if the form variables are being passed properly to your destination page you can add this: `var_dump( $_POST );`. This will show you the contents of $_POST and should help you to better understand what's happening. As for adapting the code above that depends on how $username is set. I need to get some sleep so if you're really stuck go to my profile and send me an email :) . – James P. Aug 05 '11 at 02:14
  • Okay, I'll be sure to do so if I can't figure it out. Thanks so much! I can offer you Linux help in exchange for your help with this! – Matthew24 Aug 05 '11 at 02:23
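The comments above keep coming back to the same point: the input check belongs on the page the form posts to, and the page holding the sensitive data needs its own check, otherwise anyone can open `page.php` directly. The following is an added example of that second check, not code from the answer; it assumes the file names `page.php` and `login.php` from the question and that the login handler sets `$_SESSION['username']` only after a successful credential check.

```php
<?php
// page.php - the page that renders the "sensitive mysql data".
// Added example (assumes login.php populates $_SESSION['username']
// only after credentials were verified).
declare(strict_types=1);

session_start();

/**
 * Abort the request unless the session carries an authenticated user.
 *
 * Two details matter here: the check runs before any output or query,
 * and the redirect is followed by exit. A header() call alone does not
 * stop the script, so without exit the protected HTML and query results
 * below would still be sent to an anonymous client.
 */
function require_login(string $login_url = 'login.php'): string
{
    if (empty($_SESSION['username']) || !is_string($_SESSION['username'])) {
        $_SESSION['error']['nologin'] = 'Please log in first';
        header('Location: ' . $login_url, true, 303);
        exit;
    }
    return $_SESSION['username'];
}

$username = require_login();

// Only reached for an authenticated session; query and render from here on.
// Escape anything that came from the user or the database before echoing it.
echo 'Welcome, ' . htmlspecialchars($username, ENT_QUOTES, 'UTF-8');
```

Putting `require_login()` in a shared include and calling it as the first statement of every protected page keeps the check from being forgotten on the next page that gets added.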
1

Use the php header function to redirect the user to whatever page you want. You could send them back to the login page or on to a new page.

http://www.w3schools.com/php/func_http_header.asp

http://php.net/manual/en/function.header.php

header('Location: http://www.example.com/');

You need to check that the entered form values are acceptable. So check whether they are present in your code and then send them to wherever is appropriate based on that.

Lawrence Cherone
mrtsherman
  • @Tomalak =) I think w3schools is a decent starting place for really new people. Especially with their Try It Now pages. Although you may just be talking tongue in cheek. – mrtsherman Aug 05 '11 at 01:37
  • Don't forget to add exit; after the header line. Otherwise the next lines will be executed anyway. – Dreaded semicolon Aug 05 '11 at 01:38
  • Thanks for the header advice, that is great!!! I sent it to Google for now. W3 is a wonderful reference site. I also added the exit; - now onto the actual form problem... – Matthew24 Aug 05 '11 at 01:45
  • @mrtsherman: [w3schools is an utterly _horrendous_ resource](http://w3fools.com), _especially_ for "really new people" who won't recognise the mistakes, errors and poor advice. This has been covered hundreds of times on SO. – Lightness Races in Orbit Aug 05 '11 at 02:49
  • I learned CSS on w3 and tizag, that is why I spoke well of w3. I guess it's better for some things. – Matthew24 Aug 05 '11 at 03:41
1

Make use of the existing session to hold your errors in.

<?php
session_start();
$continue = true;
// Note: isset($_POST) is always true (superglobals always exist), so test
// the request method instead.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (empty($_POST['username']) || strlen($_POST['username']) < 3) {
        $_SESSION['error']['username'] = 'You must fill in your username';
        $continue = false;
    }
    /* or if you use email as username
    if (empty($_POST['username']) || filter_var($_POST['username'], FILTER_VALIDATE_EMAIL) === false) {
        $_SESSION['error']['username'] = 'You must fill in your username';
        $continue = false;
    } */

    if (empty($_POST['password'])) {
        $_SESSION['error']['password'] = 'You must fill in your password';
        $continue = false;
    }
} else {
    $_SESSION['error']['nopost'] = 'You must fill out the form';
    $continue = false;
}

if ($continue === false) {
    header('Location: ./login.php');
    die();
}
// do all the connect stuff...
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
$sql = "SELECT * FROM members WHERE username='$username' AND password='$password' LIMIT 1";

// The == 1 must compare the row count, not be passed into mysql_query()
if (mysql_num_rows(mysql_query($sql)) == 1) {
    // log them in
    $_SESSION['loggedin'] = true;
    header('Location: ./members.php');
    // or whatever
    /*
    members.php would have a check for `$_SESSION['loggedin']==true` at the top
    else redirect them to login.php with another header()
    */
} else {
    $_SESSION['error']['username'] = 'Wrong username or password';
    $_SESSION['loggedin'] = false;
    header('Location: ./index.php');
}
die();

?>
Lawrence Cherone
0

You could do something like this:

if(isset($_POST['button_name'])) {
    if(isset($_POST['username']) && $_POST['username'] != "") {
        if(isset($_POST['password']) && $_POST['password'] != "") {
            //Your code here
        } else {
            echo "You need to enter your password.";
        }
    } else {
        echo "You need to enter your username.";
    }
}

You need to add the name of the button that submits the form and the names of the username and password fields. The echo is just a suggestion; you can always do something else as well.

Manuel
0

Check if the visitor has pressed the submit button prior to any database query:

login.php

<?php

// The name must match the submit button in the form below ("submit", lower case)
if (!isset($_POST['submit'])) {
  // No input, redirect to index.php with error code 1
  header("Location: index.php?error=1");
  exit;
}
else {
  // There is input; escape it before it goes into the query
  $username = mysql_real_escape_string($_POST['username']);
  $password = mysql_real_escape_string($_POST['password']);
  // Account for type casting here if necessary
  $sql = "SELECT * FROM members WHERE username = '$username' AND password = '$password'";

  if (mysql_num_rows(mysql_query($sql))) {
    // User is authenticated, redirect to private page
    header("Location: private.php");
    exit;
  }
  else {
    // Wrong input, redirect to index.php with error code 2
    header("Location: index.php?error=2");
    exit;
  }
}
?>

index.php

<?php
$errors[1] = 'Please type your username and password';
$errors[2] = 'Please verify your username and password';
?>

<form method="post" action="login.php">
  <p>
  <?php
    // Only a code that exists in $errors is ever echoed, so the query string
    // cannot be used to put arbitrary text on the page
    if(isset($_GET['error']) && isset($errors[$_GET['error']]))
      echo $errors[$_GET['error']], '<br />';
  ?>
  Username: <input type="text" name="username" /><br />
  Password: <input type="password" name="password" /><br />
  <input type="submit" name="submit" value="Let me in"/>
  </p>
</form>
James P.
Nabil Kadimi