Separating Pages

Posted: Mon Aug 02, 2004 9:38 am
by dwfait
Hi, in my code I want to separate my code, so if one variable equals null, display the login part, or if it equals 'login', do the login script. However, when it goes to index.php?action=login, the variable action equals login, but it still just displays the login script. Here is the code:

Code:

<?php
echo "$action";
if ("$action"==0) {
?>
<form action="index.php?action=login" method="POST">
 Your Username: <input type="text" name="user" />
 Your Password: <input type="text" name="pass" />
 <input type="submit">
</form>

<?php
} else if ($action="login") {
$ssppluser = $_POST["user"];
$sspplpass = $_POST["pass"];
    $link = mysql_connect("localhost", "root", "")
        or die("Could not connect");

mysql_select_db("stormst_sspp")
        or exit("Could not select database");

$result = mysql_query("SELECT user AND pass FROM sspp WHERE user='$ssppluser' AND pass='$sspplpass'")
    or die ("Invalid query");
$num_rows = mysql_num_rows($result);
If ("$num_rows"==1) {
echo "Login Complete.";
} else {
echo "Bad username / password.";
}
    mysql_close($link);
}
?>

Posted: Mon Aug 02, 2004 9:55 am
by hawleyjr
I made a few changes to your code. Although it doesn't hurt, you shouldn't wrap your variables in a string. Also, on your second if you only had one = not two.

Hope this helps.

Code:

<?php
echo $action;
if ($action==0) {
?>
<form action="index.php?action=login" method="POST">
Your Username: <input type="text" name="user" />
Your Password: <input type="text" name="pass" />
<input type="submit">
</form>

<?php
} else if ($action=='login') {
$ssppluser = $_POST["user"];
$sspplpass = $_POST["pass"];
    $link = mysql_connect("localhost", "root", "")
        or die("Could not connect");

mysql_select_db("stormst_sspp")
        or exit("Could not select database");

$result = mysql_query("SELECT user AND pass FROM sspp WHERE user='$ssppluser' AND pass='$sspplpass'")
    or die ("Invalid query");
$num_rows = mysql_num_rows($result);
If ($num_rows==1) {
echo "Login Complete.";
} else {
echo "Bad username / password.";
}
    mysql_close($link);
}
?>

Posted: Mon Aug 02, 2004 10:11 am
by dwfait
I'm afraid it still happens, when I click submit query, it just comes up with the password box again :(

Posted: Mon Aug 02, 2004 10:13 am
by hawleyjr
Sorry, didn't read your post. I just fixed errors in your code. Try this:

Code:

<?php
if (is_null($action)) {
?>

Posted: Mon Aug 02, 2004 10:30 am
by dwfait
Thank you, it works :)

Posted: Mon Aug 02, 2004 10:42 am
by dwfait
Also, how would I carry on variables to the next page?

I have this code:

Code:

<?php
if (is_null($action)) {
?>
<form action="index.php?action=login" method="POST">
Your Username: <input type="text" name="user" />
Your Password: <input type="text" name="pass" />
<input type="submit">
</form>

<?php
} else if ($action=='login') {
$ssppluser = $_POST["user"];
$sspplpass = $_POST["pass"];
    $link = mysql_connect("localhost", "root", "")
        or die("Could not connect");

mysql_select_db("stormst_sspp")
        or exit("Could not select database");

$result = mysql_query("SELECT user AND pass FROM sspp WHERE user='$ssppluser' AND pass='$sspplpass'")
    or die ("Invalid query");
$num_rows = mysql_num_rows($result);
If ($num_rows==1) {
echo "Login Complete.";
?>
<br>
 <a href="index.php?action=loginc&user=$ssppluser">Click here to continue</a>
<?php
} else {
echo "Bad username / password.";
}
    mysql_close($link);

?>

<?php
} else if ($action=='loginc') {
echo "Welcome $user";
}
?>

but at echo "Welcome $user";, the output is "Welcome $ssppluser". How would I carry on the variable ssppluser to the loginc page?

Posted: Mon Aug 02, 2004 11:36 am
by d3ad1ysp0rk
Please post code in [php][/php ] tags.

Code:

<?php
$action = $_GET['action']; //make it non-register globals friendly
if(empty($action)) {
?>
<form action="index.php?action=login" method="POST">
Your Username: <input type="text" name="user" />
Your Password: <input type="text" name="pass" />
<input type="submit">
</form>

<?php
}
else if ($action=='login') {
  $ssppluser = $_POST["user"];
  $sspplpass = $_POST["pass"];
  $link = mysql_connect("localhost", "root", "") or die("Could not connect");

  mysql_select_db("stormst_sspp") or exit("Could not select database");

  $result = mysql_query("SELECT user AND pass FROM sspp WHERE user='$ssppluser' AND pass='$sspplpass'") or die ("Invalid query");
  $num_rows = mysql_num_rows($result);
  if($num_rows==1) {
    echo "Login Complete.<br />";
    // inner double quotes must be escaped inside a double-quoted string
    echo "<a href=\"index.php?action=loginc&user=$ssppluser\">Click here to continue</a>";
  }
  else {
    echo "Bad username / password.";
  }
  mysql_close($link);
}
else if ($action=='loginc') {
  echo "Welcome $user";
}
?>

However, this script is incredibly insecure.
- Are magic_quotes_gpc on or off? If they are off, I can login as whoever I want.
- If I wanted to, I could navigate to index.php?action=loginc&user=admin
etc
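
Added example, not part of the original post or thread: a hardened form of the same page that addresses the two problems named above, using a PDO prepared statement so the result does not depend on magic_quotes_gpc, and a server-side session in place of the `user` URL parameter. It assumes PHP 5.5+ with PDO MySQL, the thread's database and table names, a hypothetical `pass_hash` column filled with `password_hash()` output, and a placeholder low-privilege account `sspp_app`.

```php
<?php
// Added example (not from the thread). Assumptions: PHP 5.5+, PDO MySQL,
// the thread's database/table names, and a hypothetical pass_hash column
// filled with password_hash() output instead of plaintext passwords.
session_start();

$action = isset($_GET['action']) ? $_GET['action'] : '';

if ($action === 'login' && $_SERVER['REQUEST_METHOD'] === 'POST') {
    $user = isset($_POST['user']) ? (string) $_POST['user'] : '';
    $pass = isset($_POST['pass']) ? (string) $_POST['pass'] : '';

    // sspp_app / CHANGE_ME are placeholders for a low-privilege account (not root)
    $pdo = new PDO('mysql:host=localhost;dbname=stormst_sspp;charset=utf8mb4',
                   'sspp_app', 'CHANGE_ME',
                   array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
                         PDO::ATTR_EMULATE_PREPARES => false));

    // Bound parameter: the username travels as data, never as part of the SQL text
    $stmt = $pdo->prepare('SELECT pass_hash FROM sspp WHERE user = ?');
    $stmt->execute(array($user));
    $hash = $stmt->fetchColumn();          // false when no such user

    if ($hash !== false && password_verify($pass, $hash)) {
        session_regenerate_id(true);       // fresh session id after login
        $_SESSION['user'] = $user;         // identity is kept server-side
        header('Location: index.php?action=loginc');
        exit;
    }
    echo 'Bad username / password.';
} elseif ($action === 'loginc') {
    if (!isset($_SESSION['user'])) {       // ?action=loginc&user=admin changes nothing
        header('Location: index.php');
        exit;
    }
    // Escape on output so a stored username cannot inject markup
    echo 'Welcome ' . htmlspecialchars($_SESSION['user'], ENT_QUOTES, 'UTF-8');
} else {
?>
<form action="index.php?action=login" method="POST">
 Your Username: <input type="text" name="user" />
 Your Password: <input type="password" name="pass" />
 <input type="submit">
</form>
<?php
}
```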

Posted: Mon Aug 02, 2004 11:41 am
by dwfait
No, I'm not using this to login. I am going to use cookies for that, I will put a cookie on the user's comp containing their entered user/pass, and on every page load, it will load these up and check the database if they're right.

Posted: Mon Aug 02, 2004 11:43 am
by d3ad1ysp0rk
Just so you know.. I changed your script too.. it should work now.