checking my code
Posted: Thu Feb 04, 2010 1:12 pm
i have built a custom cms using code that i learned/copy and pasted from "php and mysql for dynamic websites". i have been using this code for the past 2 years or so and wanted to make sure that everything is still up to par. it all functions fine still on my client's websites, but i just would feel more confident if others could look at it and make sure it looks allright.
Here is the first pageof the cms, which is a login screen:
Here is the first pageof the cms, which is a login screen:
Code: Select all
<?php # Script 9.15 - login.php (7th version after Scripts 9.1, 9.3, 9.6, 9.10. 9.13 & 9.14)
// Send NOTHING to the Web browser prior to the session_start() line!
// Check if the form has been submitted.
if (isset($_POST['submitted'])) {
require_once ('../../mysql_connect.php'); // Connect to the db.
$errors = array(); // Initialize error array.
// Check for a user name.
if (empty($_POST['username'])) {
$errors[] = 'You forgot to enter your username.';
} else {
$un = escape_data($_POST['username']);
}
// Check for a password.
if (empty($_POST['password'])) {
$errors[] = 'You forgot to enter your password.';
} else {
$p = escape_data($_POST['password']);
}
if (empty($errors)) { // If everything's OK.
/* Retrieve the user_id and first_name for
that email/password combination. */
$query = "SELECT user_id , username FROM users WHERE username='$un' AND password=SHA('$p')";
$result = @mysql_query ($query); // Run the query.
$row = mysql_fetch_array ($result, MYSQL_NUM); // Return a record, if applicable.
if ($row) { // A record was pulled from the database.
// Set the session data & redirect.
session_name ('YourVisitID');
session_start();
$_SESSION['user_id'] = $row[0];
$_SESSION['username'] = $row[1];
$_SESSION['agent'] = md5($_SERVER['HTTP_USER_AGENT']);
// Redirect the user to the loggedin.php page.
// Start defining the URL.
$url = 'http://' . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']);
// Check for a trailing slash.
if ((substr($url, -1) == '/') OR (substr($url, -1) == '\\') ) {
$url = substr ($url, 0, -1); // Chop off the slash.
}
// Add the page.
$url .= '/loggedin.php';
header("Location: $url");
exit(); // Quit the script.
} else { // No record matched the query.
$errors[] = 'The username and password entered do not match those on file.'; // Public message.
}
} // End of if (empty($errors)) IF.
mysql_close(); // Close the database connection.
} else { // Form has not been submitted.
$errors = NULL;
} // End of the main Submit conditional.
// Begin the page now.
$page_title = 'Login';
echo '<style type="text/css" media="all">@import "./includes/layout.css";</style>' ;
if (!empty($errors)) { // Print any error messages.
echo '<h1 id="mainhead">Error!</h1>
<p class="error">The following error(s) occurred:<br />';
foreach ($errors as $msg) { // Print each error.
echo " - $msg<br />\n";
}
echo '</p><p>Please try again.</p>';
}
// Create the form.
?>
<div align="center">
<br>
<br>
<br>
<table width="400" border="0" cellspacing="0" cellpadding="0">
<tr>
<td>
<div align="center">
<img src="includes/salted_logo.gif" alt="" height="85" width="200" border="0"></div>
</td>
</tr>
<tr height="25">
<td height="25">
<div align="center">
</div>
</td>
</tr>
<tr>
<td>
<div align="center">
<p align="left"></p>
<h2>Login</h2>
<form action="login.php" method="post">
<p>Username: <input type="text" name="username" size="20" maxlength="40" /></p>
<p>Password: <input type="password" name="password" size="20" maxlength="20" /></p>
<p><input type="submit" name="submit" value="Login" /></p>
<input type="hidden" name="submitted" value="TRUE" />
</form>
<p>**Don't forget to logout when you are done!**</p>
<?php
?></td>
</tr>
<tr>
<td></td>
</tr>
</table>
<p align="left"></p>
</div>