login redirect code

nite4000
Forum Contributor
Posts: 209
Joined: Sun Apr 12, 2009 11:31 am

login redirect code

Post by nite4000 »

I am trying to make a login form not work when the boxes are empty. Right now if I just go and press login it goes to the members area, but the session is empty of course, but I can't allow that. I tried this here:

if (strlen($_POST['button'])) {

if(strlen($_POST['user'])==0) {
header("Location: ../index.php");
}

if(strlen($_POST['pwd'])==0) {
header("Location: ../index.php");
}

}


but with no luck. Does anyone know anything else or another way to solve this issue?

Thanks
kcormier
Forum Newbie
Posts: 11
Joined: Sun May 31, 2009 1:36 am

Re: login redirect code

Post by kcormier »

There are a few things to notice there. The first: when you perform a header redirect in PHP, it's just like adding any other header. It doesn't automatically exit your PHP script afterwards. If those header redirects are to deny access to a protected part of your site, you need to call exit() to prevent the rest of the script from running. That should solve the redirect problem.

That being said, why must you check for empty usernames/passwords? Clearly they shouldn't authenticate against your list of valid accounts. If you're forced to check for empty usernames/passwords separately, that makes me think there's a bug somewhere in your authentication procedure. You may want to post that code as well.
-Kevin

/edit - Sorry, I didn't see the date. I just clicked unanswered posts and this was the first one. I never thought to look at the date considering it was at the top of the list! I guess you guys really do stay on top of the new posts! Sorry to be a grave digger.

/edit2 - Wow, I'm dumb. I looked at the user's registration date and not the post date. Glad I'm not a grave digger. Sorry I'm so dumb sometimes. That being said, hope the information helps!
nite4000
Forum Contributor
Posts: 209
Joined: Sun Apr 12, 2009 11:31 am

Re: login redirect code

Post by nite4000 »

here is all the code

$lcheck = mysql_query("SELECT * FROM `Users` WHERE Username ='".$_POST['user']."' && Pass = '".$_POST['pwd']."'");
$lrow = mysql_num_rows($lcheck);
if ($lrow == 1){
$_SESSION['user'] = $_POST['user'];
$_SESSION['pwd'] = $_POST['pwd'];
header("Location: index.php");
}else{
}
$uinfo = mysql_query("SELECT * FROM Users, Accounts, Users AS u_Users, Accounts as a_Accounts WHERE u_Users.Username='".$_SESSION['user']."' and a_Accounts.userId = u_Users.id");
$einfo = mysql_fetch_assoc($uinfo);
$id = $einfo['id'];
$_SESSION['id'] = $id ;
$ref1 = mysql_query("SELECT * FROM referals WHERE refid = $id ");
$refnum = mysql_num_rows($ref1);
$date =date(j);


if (strlen($_POST['button'])) {

if(strlen($_POST['user'])==0) {
header("Location: ../index.php");
}
exit();
if(strlen($_POST['pwd'])==0) {
header("Location: ../index.php");
}
exit();
}

This is code from the script. I am updating a script for someone, so I am trying to fix bugs in the script, and letting someone just hit login was one of them. I write better code than this, but it would be difficult to get the code to work if I was to rewrite it. If you have any suggestions of a different way to do the code, let me know.


Thanks
kcormier
Forum Newbie
Posts: 11
Joined: Sun May 31, 2009 1:36 am

Re: login redirect code

Post by kcormier »

How secure do you want this script to be? If this is going on a live web server it's got a LOT of security holes in it. Don't let that discourage you as I've written many scripts that look similar. Just wondering how in depth you want me to get with security.

And can you explain what you're trying to do in that else block? Cus you lost me there. I admit I'm not a mysql or php expert by any means but I do have some experience and I'm just not following!

May I take this time to stress the importance of commenting your code? ;) Any time you write code that isn't completely obvious what it's doing you should document its purpose. I should be able to follow your code either through really simple code (like you don't have to comment an echo) or through comments, without having to stop, struggle, and reread things.

Trust me when you go back to old code you'll thank yourself for the comments!

-Kevin
nite4000
Forum Contributor
Posts: 209
Joined: Sun Apr 12, 2009 11:31 am

Re: login redirect code

Post by nite4000 »

Well, here is the thing. The code that does the login is on the members index page. I tried to write it over so it's on the other page with the login form but could not get it to work.

If you can write all that where it works the same but fixes the problems then please do so.

If you want, we can chat on a msgr; up to you.


thanks
Don
mikemike
Forum Contributor
Posts: 355
Joined: Sun May 24, 2009 5:37 pm
Location: Chester, UK

Re: login redirect code

Post by mikemike »

Hi,

Like Kevin said, there are some security holes in this, one MAJOR one. Escaping data input is VERY important - anyone who has been programming on the web using databases for any length of time will have heard of SQL injections. An SQL injection is when a malicious user inserts some SQL into a field on a form that isn't secured properly; this SQL is then immediately put into a query and this query is run, obviously dangerous.

PHP has in-built functions to prevent this such as mysql_real_escape_string. You should always protect your user inputs, even if you trust the user (if it's an admin panel only you would use, for example).

In order to stop your users from entering a blank message you should have your error checking above the login processing. I notice that in your revised code you have added 'exit()' a couple of times, these are also breaking the script as you have put them in the wrong place.

Kevin was also right in saying you should comment your code. It may seem an unneeded annoyance but it really does help for many reasons. You'd have probably had help a lot sooner if you'd have commented and formatted your code correctly.

See the revised code below and note my comments:


 
if (strlen($_POST['button'])) {
  
  if(strlen($_POST['user'])==0) {
    header("Location: ../index.php");
    exit(); // Exit the script, note we do this inside the conditional statement so that users who do enter a value aren't stopped too
  }
  
 
  if(strlen($_POST['pwd'])==0) {
    header("Location: ../index.php");
    exit(); // Exit the script, note we do this inside the conditional statement so that users who do enter a value aren't stopped too
  }
 
}
 
// Ensure we escape inputs
$lcheck = mysql_query("SELECT * FROM `Users` WHERE Username ='".mysql_real_escape_string($_POST['user'])."' AND Pass = '".mysql_real_escape_string($_POST['pwd'])."'");
$lrow = mysql_num_rows($lcheck);
if ($lrow == 1){
  // These two values below aren't escaped so if you use them in any queries at a later date they may be dangerous
  $_SESSION['user'] = $_POST['user']; 
  $_SESSION['pwd'] = $_POST['pwd'];
  header("Location: index.php");
  exit();
}else{
} // <-- I'm unsure where this brace is from, code you have pasted I assume
 
$uinfo = mysql_query("SELECT * FROM Users, Accounts, Users AS u_Users, Accounts as a_Accounts WHERE u_Users.Username='".mysql_real_escape_string($_SESSION['user'])."' and a_Accounts.userId = u_Users.id"); // Prime example of where your unescaped values may be dangerous
$einfo = mysql_fetch_assoc($uinfo);
$id = $einfo['id'];
$_SESSION['id'] = $id ;
$ref1 = mysql_query("SELECT * FROM referals WHERE refid = $id "); // You don't need to escape this
$refnum = mysql_num_rows($ref1);
$date = date('j'); // format character must be a quoted string
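
One way to combine the points from the posts above (check for empty fields before querying, exit after each redirect, keep user input out of the SQL text), as an added example that is not code from the thread. It swaps the thread's mysql_* calls, which were removed in PHP 7, for PDO prepared statements, and assumes a hashed `PassHash` column and an in-memory SQLite database with constructed data; `find_user_id` and `handle_login` are hypothetical names.

```php
<?php
// Added example, not code from the thread. PDO, the PassHash column and
// both function names are assumptions; all data below is constructed.

function find_user_id(PDO $db, array $post): ?int
{
    $user = $post['user'] ?? '';
    $pwd  = $post['pwd'] ?? '';
    // Reject missing or empty fields before touching the database.
    if (!is_string($user) || !is_string($pwd) || $user === '' || $pwd === '') {
        return null;
    }
    // The placeholder keeps input out of the SQL text, so a quote in the
    // username is compared as data and cannot change the query.
    $stmt = $db->prepare('SELECT id, PassHash FROM Users WHERE Username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($pwd, $row['PassHash'])) {
        return null;
    }
    return (int) $row['id'];
}

// Web entry point; assumes session_start() has already been called.
function handle_login(PDO $db, array $post): void
{
    $id = find_user_id($db, $post);
    if ($id === null) {
        header('Location: ../index.php');
        exit; // header() only queues the redirect; without exit the page keeps running
    }
    session_regenerate_id(true); // new session id after a successful login
    $_SESSION['id'] = $id;       // keep the id only, never the password
    header('Location: index.php');
    exit;
}

// CLI demo against an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE Users (id INTEGER PRIMARY KEY, Username TEXT UNIQUE, PassHash TEXT)');
$db->prepare('INSERT INTO Users (Username, PassHash) VALUES (?, ?)')
   ->execute(["o'brien", password_hash('constructed-demo-pw', PASSWORD_DEFAULT)]);

var_dump(find_user_id($db, ['user' => '', 'pwd' => '']));                          // empty form
var_dump(find_user_id($db, ['user' => "o'brien", 'pwd' => 'wrong']));              // bad password
var_dump(find_user_id($db, ['user' => "o'brien", 'pwd' => 'constructed-demo-pw'])); // valid login
```

In the page that receives the form, `handle_login($db, $_POST)` has to run before any output is sent, because header() cannot add a redirect once the body has started.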
 
schwarzwolf
Forum Newbie
Posts: 7
Joined: Sat May 30, 2009 10:17 am

Re: login redirect code

Post by schwarzwolf »


if(empty($_POST['username']) || empty($_POST['password'])) {
        echo "<font color=\"white\">Sorry, you have to fill in all forms</font>";
}

That may give you an idea.