Protecting pages, need to be logged in to view.

Jenk
DevNet Master
Posts: 3587
Joined: Mon Sep 19, 2005 6:24 am
Location: London

Post by Jenk »

empty() has room for a false positive, because it is checking for multiple criteria, whereas isset() checks if the variable exists, and nothing else.

I agree it works in this situation, but it is poor practice to use empty when all you are checking for is if the variable exists, which is exactly what isset() is there for.
raghavan20
DevNet Resident
Posts: 1451
Joined: Sat Jun 11, 2005 6:57 am
Location: London, UK

Post by raghavan20 »

Jenk wrote: empty() has room for a false positive, because it is checking for multiple criteria, whereas isset() checks if the variable exists, and nothing else.

I agree it works in this situation, but it is poor practice to use empty when all you are checking for is if the variable exists, which is exactly what isset() is there for.
I know empty() gives a notice; other than that, I think it perfectly solves the problem, even though it is not advisable to use it alone, and I agree with you. Using isset() avoids notices, but it can lead to serious errors when you use the variable for building SQL statements. If anyone is not lazy at coding, they should nest empty() within isset().
nickman013
Forum Regular
Posts: 764
Joined: Sun Aug 14, 2005 12:02 am
Location: Long Island, New York

Post by nickman013 »

OK, I am starting to see this a little bit better.

Correct me if I am wrong, please.

On the pages that I want to be protected (have to be logged in to view), I have to add this to the script:

Code:

<?php
session_start();
// Include the login form from the local file system. Including it by URL would
// fetch it as a separate HTTP request, outside this visitor's session.
if (empty($_SESSION['loggedin'])) {
    include 'login.php';
    die();
}
?>
And if they are not logged in, it will include login.php, which will ask for a user name and password.

My login.php script is

Code:

<?php
if (isset($_POST['user']) && isset($_POST['pass'])) {
    if (($_POST['user'] == 'nick' && $_POST['pass'] == 'nickpass') || ($_POST['user'] == 'bob' && $_POST['pass'] == 'bobpass')) {
        // This code would go in the if block checking whether the login was successful
        $_SESSION['loggedin'] = TRUE;
        header("Location: /pages/admin.php");
        echo "<html><font color=green size=4>SUCCESS!</font></html>";
    } else {
        $error = "<div align=center><font size=-1 color=red>WRONG USERNAME OR PASSWORD</font></div>";
        echo $error;
    }
}
$form = "
<html>
<body><div align=center><form action=login.php method=post><font size=2><b>Username:</b></font>
<input type=text size=10 maxlength=10 name=user><br>
<font size=2><b>Password:</b></font>
<input type=password size=10 maxlength=10 name=pass><br><input type=submit value=Login.>
</form>
</div></body></html>";
echo $form;   // the form was built but never output
?>
I don't think it works though, but it might, because when I try to go to admin.php, it does include the login script, and I log in, then it redirects me back to admin.php, viewing the protected page.

If I close the browser and go to admin.php, it asks for a password (which is good).

I just need to know how to make a logout button. I can't figure it out because it kills the session before I do anything.

I also need to know how to protect other pages, because when I'm not logged in and I go to a page I wanted protected, it views the page and doesn't include the login.php.

Thank You Guys So Much For Helping Me!
Jenk
DevNet Master
Posts: 3587
Joined: Mon Sep 19, 2005 6:24 am
Location: London

Post by Jenk »

To maintain a session you must have session_start() at the top of every page, before any output is sent to the user agent.

And again, I'd like to point out that using empty() instead of isset() when checking for the existence of a variable is bad practice.
nickman013
Forum Regular
Posts: 764
Joined: Sun Aug 14, 2005 12:02 am
Location: Long Island, New York

Post by nickman013 »

Where is the isset that you want me to replace?

This?

Code:

if (isset($_POST['user']) && isset($_POST['pass'])){

Also, what do you mean by "before any output is sent to the user agent"? Would that mean the very first line of my pages?
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Post by Christopher »

Jenk wrote: And again, I'd like to point out that using empty() instead of isset() when checking for the existence of a variable is bad practice.
I agree. It really should be the isset() check and then the specific check for the condition you are looking for. That makes the code more self-documenting. Something like:

Code:

if(isset($_SESSION['loggedin']) && $_SESSION['loggedin'] == true){
d3ad1ysp0rk
Forum Donator
Posts: 1661
Joined: Mon Oct 20, 2003 8:31 pm
Location: Maine, USA

Post by d3ad1ysp0rk »

Haha, I love the war I started. I would personally use isset as well in this situation; it was a mistype.

Anyways, why are you including the login.php page? Why not just send them to it?
nickman013
Forum Regular
Posts: 764
Joined: Sun Aug 14, 2005 12:02 am
Location: Long Island, New York

Post by nickman013 »

I am including login.php because I can't send them to it: the header doesn't work, because it says it is already sent out.
shiznatix
DevNet Master
Posts: 2745
Joined: Tue Dec 28, 2004 5:57 pm
Location: Tallinn, Estonia

Post by shiznatix »

Here, do this.

Here is login.php

Code:

<form action="dolog.php" method="post">
user: <input type="text" name="user"><br>
pass: <input type="password" name="pass"><br>
<input type="submit" value="submit">
</form>
Here is dolog.php

Code:

<?php
session_start();
// Refuse the request outright if either field is missing or blank.
if (empty($_POST['user']) || empty($_POST['pass']))
    die('GO AWAY');

if ($_POST['user'] == 'test_user' && $_POST['pass'] == 'test_pass')
{
    // Mark this session as logged in and send the browser to the protected page.
    $_SESSION['log'] = true;
    echo '<meta http-equiv="refresh" content="0;url=secure_page.php">';
}
else
    die('GO AWAY');
Here is head.php

Code:

<?php
session_start();

// Every protected page requires this file first; anyone without the flag is stopped here.
if (empty($_SESSION['log']))
    die('GO AWAY');
Here is secure_page.php

Code:

<?php
require 'head.php';
echo 'you are now logged in, go to any of the pages below<br>';
echo '<a href="secure1.php">secure1</a><br>';
echo '<a href="secure2.php">secure2</a>';
Here is secure1.php

Code:

<?php
require 'head.php';
echo 'top secret cia info';
Here is secure2.php

Code:

<?php
require 'head.php';
echo 'nude photos of the president with a hooker';
Get the idea?

PS: I use empty because it does not give errors while isset does. Tell me how empty can give you false results? empty is right and isset is wrong. Your opinion is bad and you should feel bad. :wink: Just kidding, kids.
nickman013
Forum Regular
Posts: 764
Joined: Sun Aug 14, 2005 12:02 am
Location: Long Island, New York

Post by nickman013 »

Thank you so much, I will try this code now!
raghavan20
DevNet Resident
Posts: 1451
Joined: Sat Jun 11, 2005 6:57 am
Location: London, UK

Post by raghavan20 »

shiznatix wrote:

Code:

<?php
session_start();
if (empty($_POST['user']) || empty($_POST['pass']))
    die('GO AWAY');

if ($_POST['user'] == 'test_user' && $_POST['pass'] == 'test_pass')
{
    $_SESSION['log'] = true;
    echo '<meta http-equiv="refresh" content="0;url=secure_page.php">';
}
else
    die('GO AWAY');
Now turn on notices at the top of this page... and just type in the URL of the page.
For nickman013, you can turn on notices by

Code:

error_reporting(E_ALL);
To shiznatix and Jenk, empty() and isset() are not a solution by themselves, and I am telling this to further emphasize the importance of using them both together.
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Post by Chris Corbyn »

LMAO. Nice example pages Shiz :P
nickman013
Forum Regular
Posts: 764
Joined: Sun Aug 14, 2005 12:02 am
Location: Long Island, New York

Post by nickman013 »

Thank you SOOOOOOO MUCH!!!!

It works just how I wanted it to. I've got some questions though.

1. How would I add users to this?

Code:

<?php
session_start();
if (empty($_POST['user']) || empty($_POST['pass']))
    die('GO AWAY');

if ($_POST['user'] == 'test_user' && $_POST['pass'] == 'test_pass')
{
    $_SESSION['log'] = true;
    echo '<meta http-equiv="refresh" content="0;url=secure_page.php">';
}
else
    die('GO AWAY');
Would it be elseif?


2. To log out, can I just add

Code:

session_destroy();
to login.php, and the logout link would be
<a href=login.php>logout</a>?

3. How can I keep them logged in if they go to an unprotected page?


Thank you
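The setup asked about in the three questions above (several users, a logout, and staying logged in on unprotected pages), as an added example that is not code from this thread or any poster; the `auth.php` file name, the user names and the login URL are assumptions:

```php
<?php
// Added example, not code from the thread: one auth.php that every page requires.
// User names, the login URL and the auth.php file name are assumptions.

// Start (or resume) the session once, before any output is sent.
function startSession(): void
{
    if (session_status() === PHP_SESSION_NONE) {
        ini_set('session.cookie_httponly', '1');   // cookie not readable by scripts
        session_start();
    }
}
// Logged-in user name, or null. isset() alone would accept "", so check type and value.
function currentUser(): ?string
{
    $u = $_SESSION['user'] ?? null;
    return (is_string($u) && $u !== '') ? $u : null;
}
// Guard for protected pages: redirect (not include) and exit so nothing below is sent.
function requireLogin(string $loginUrl): void
{
    if (currentUser() === null) {
        header('Location: ' . $loginUrl);
        exit;
    }
}
// $users maps name => password_hash() output; adding a user is one more array entry.
function attemptLogin(array $post, array $users): bool
{
    $name = $post['user'] ?? null;
    $pass = $post['pass'] ?? null;
    if (!is_string($name) || !is_string($pass) || $name === '' || $pass === '') {
        return false;
    }
    $hash = $users[$name] ?? null;
    if ($hash === null || !password_verify($pass, $hash)) {
        return false;
    }
    session_regenerate_id(true);  // fresh id at login defeats session fixation
    $_SESSION['user'] = $name;
    return true;
}
// Logout: wipe the data, expire the cookie, then destroy the server-side record.
function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}
```

admin.php then starts with `require 'auth.php'; startSession(); requireLogin('/pages/login.php');`, the form handler calls `attemptLogin($_POST, $users)` with `password_hash()` values in `$users`, and the logout link points at a page that calls `startSession(); logout();`. Unprotected pages keep the visitor logged in simply by calling `startSession()` as well.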
d3ad1ysp0rk
Forum Donator
Posts: 1661
Joined: Mon Oct 20, 2003 8:31 pm
Location: Maine, USA

Post by d3ad1ysp0rk »

raghavan20 wrote: Now turn on notices at the top of this page... and just type in the URL of the page.
From my experience, calling empty on an uninitialized variable will NOT throw a notice. I may be wrong, but I'm 90% sure about this.
raghavan20 wrote: To shiznatix and Jenk, empty() and isset() are not a solution by themselves, and I am telling this to further emphasize the importance of using them both together.
Actually, they very well can be:

isset by itself:

Code:

<?php
if(isset($_SESSION['rank']) && $_SESSION['rank'] < 2){
  //Show X
}
?>
There is no need to call empty on that, because you don't care. All you care about is if it's there, and whether it's less than 2 or not. If it's initialized but empty, it won't be less than two, so you're fine.

empty by itself:

Code:

<?php
if(empty($_POST['zipcode'])){
  $errors[] = "Zipcode is required.";
}
?>
This is like saying:

Code:

<?php
if(isset($_POST['zipcode'])){
  if($_POST['zipcode'] != '' && $_POST['zipcode'] != 0){ //etc etc
  }
}
?>
So you don't need isset. It would be redundant.
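To make the isset()/empty() argument concrete, here is an added example (not from any poster) that runs the two checks, plus the combined check the thread keeps circling around, over constructed form inputs; the `user` field, the function names and the sample values are illustrative:

```php
<?php
// Added example, not code from the thread: the presence checks argued about
// above, run over the same constructed form inputs. The field name, function
// names and sample values are illustrative.

// The check the thread converges on: the key exists, the value is a string,
// and it is not the empty string. "0" passes; "" and arrays do not.
function requiredString(array $input, string $field): ?string
{
    $v = $input[$field] ?? null;   // no notice when the key is missing
    return (is_string($v) && $v !== '') ? $v : null;
}

// Evaluate isset(), empty() and requiredString() on one input array.
function compareChecks(array $input, string $field): array
{
    return [
        'isset'    => isset($input[$field]),
        'empty'    => empty($input[$field]),
        'accepted' => requiredString($input, $field) !== null,
    ];
}

// Constructed inputs, i.e. what $_POST would hold for each request.
$cases = [
    'missing'      => [],                   // isset() and empty() agree here
    'empty string' => ['user' => ''],       // isset() alone lets "" reach an SQL string
    'zero string'  => ['user' => '0'],      // empty() rejects a legitimate value
    'array'        => ['user' => ['x']],    // user[]=x: set and non-empty, but not a string
    'normal'       => ['user' => 'nick'],
];
foreach ($cases as $label => $post) {
    $r = compareChecks($post, 'user');
    printf("%-13s isset=%d empty=%d accepted=%d\n",
        $label, $r['isset'], $r['empty'], $r['accepted']);
}
```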
nickman013
Forum Regular
Posts: 764
Joined: Sun Aug 14, 2005 12:02 am
Location: Long Island, New York

Post by nickman013 »

lol, three quarters of this thread is arguing over isset and empty, lol