Protecting pages, need to be logged in to view.
empty() has room for a false positive, because it is checking for multiple criteria, whereas isset() checks if the variable exists, and nothing else.
I agree it works in this situation, but it is poor practice to use empty when all you are checking for is if the variable exists, which is exactly what isset() is there for.
- raghavan20
- DevNet Resident
- Posts: 1451
- Joined: Sat Jun 11, 2005 6:57 am
- Location: London, UK
- Contact:
Jenk wrote: empty() has room for a false positive, because it is checking for multiple criteria, whereas isset() checks if the variable exists, and nothing else. I agree it works in this situation, but it is poor practice to use empty when all you are checking for is if the variable exists, which is exactly what isset() is there for.

I know empty() gives notice; other than that I think it perfectly solves the problem, even though it is not advisable to use it alone, and I agree with you. But using isset() avoids notices but it can lead up to serious errors when you use the variable for building SQL statements. If anyone is not lazy at coding then they should nest empty() within isset().
- nickman013
- Forum Regular
- Posts: 764
- Joined: Sun Aug 14, 2005 12:02 am
- Location: Long Island, New York
ok, i am starting to see this a little bit better.
correct me if i am wrong please.
On the pages that I want to be protected (have to be logged in to view), I have to add this to the script:
Code:
    <?php
    session_start();
    if(empty($_SESSION['loggedin'])){
        include("http://www.muot.net/pages/login.php");
        die();
    }
    ?>
And if they are not logged in, it will include login.php which will ask for a user name and password.
My login.php script is
Code:
    if (isset($_POST['user']) && isset($_POST['pass'])){
        if (($_POST['user']=='nick' && $_POST['pass']=='nickpass') || ($_POST['user']=='bob' && $_POST['pass']=='bobpass')){
            //This code would go in the if block checking whether the login was successful
            $_SESSION['loggedin'] = TRUE;
            header("Location:/pages/admin.php"); echo "<html><font color=green size=4>SUCCESS!</font></html>";
        } else {
            $error = "<div align=center><font size=-1 color=red>WRONG USERNAME OR PASSWORD</FONT></div>";
            echo "$error";
        }
    }
    $form = "
    <html>
    <body><div align=center><form action=login.php method=post><font size=2><b>Username:
    <input type=text size=10 maxlength=10 name=user><br>
    <font size=2><b>Password:
    <input type=password size=10 maxlength=10 name=pass><br><input type=submit value=Login.>
    </form>
    </div></body></html>";
I don't think it works though, but it might because when I try to go to admin.php, it does include the login script, and I login, then it will redirect me back to admin.php, viewing the protected page.
If i close the browser and go to admin.php, it asks for password (which is good).
I just need to know how to make a logout button, I can't figure it out because it kills the sessions for I do anything.
I also need to know how to protect other pages. Because when I'm not logged in and I go to a page I wanted protected, it views the page, and doesn't include the login.php.
Thank You Guys So Much For Helping Me!
- nickman013
- Forum Regular
- Posts: 764
- Joined: Sun Aug 14, 2005 12:02 am
- Location: Long Island, New York
Where is the asset that you want me to replace?
This?
Code:
    if (isset($_POST['user']) && isset($_POST['pass'])){
Also what do you mean by "before any output is sent to the user agent"? Would that mean the very first line of my pages?
- Christopher
- Site Administrator
- Posts: 13596
- Joined: Wed Aug 25, 2004 7:54 pm
- Location: New York, NY, US
Jenk wrote: And again, I'd like to point out using empty() instead of isset() when checking for the existence of a variable is bad practice.

I agree. It really should be the isset() check and then the specific check for condition you are looking for. That makes the code more self-documenting. Something like:
Code:
    if(isset($_SESSION['loggedin']) && $_SESSION['loggedin'] == true){
(#10850)
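
To compare the checks argued over in this thread, the following added example (not code from any poster) runs isset() alone, !empty(), isset() with == true as in the post above, and isset() with === true over constructed session values. The function names and the sample states are assumptions made for the illustration.

```php
<?php
// Added example, not code from the thread. The session states are constructed.

// The guard styles discussed in the thread, taking the session as a parameter.
function guard_isset(array $s): bool     { return isset($s['loggedin']); }
function guard_not_empty(array $s): bool { return !empty($s['loggedin']); }
function guard_loose(array $s): bool     { return isset($s['loggedin']) && $s['loggedin'] == true; }
function guard_strict(array $s): bool    { return isset($s['loggedin']) && $s['loggedin'] === true; }

// Constructed session contents, labelled by what is stored under 'loggedin'.
$states = [
    'key missing'    => [],
    'null'           => ['loggedin' => null],
    'false'          => ['loggedin' => false],
    'int 0'          => ['loggedin' => 0],
    'string "0"'     => ['loggedin' => '0'],
    'empty string'   => ['loggedin' => ''],
    'string "false"' => ['loggedin' => 'false'],
    'int 1'          => ['loggedin' => 1],
    'true'           => ['loggedin' => true],
];

// Returns the labels of every state that a guard lets through.
function admitted(callable $guard, array $states): array {
    return array_keys(array_filter($states, $guard));
}

foreach (['guard_isset', 'guard_not_empty', 'guard_loose', 'guard_strict'] as $g) {
    printf("%-16s admits: %s\n", $g, implode(', ', admitted($g, $states)));
}
```

isset() alone lets through any stored value except null, including false and 0, so it cannot serve as the whole login check; only the strict comparison admits the boolean true and nothing else.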
- d3ad1ysp0rk
- Forum Donator
- Posts: 1661
- Joined: Mon Oct 20, 2003 8:31 pm
- Location: Maine, USA
- nickman013
- Forum Regular
- Posts: 764
- Joined: Sun Aug 14, 2005 12:02 am
- Location: Long Island, New York
- shiznatix
- DevNet Master
- Posts: 2745
- Joined: Tue Dec 28, 2004 5:57 pm
- Location: Tallinn, Estonia
- Contact:
here. do this
here is login.php
Code:
    <form action="dolog.php" method="post">
    user: <input type="text" name="user"><br>
    pass: <input type="password" name="pass"><br>
    <input type="submit" value="submit">
    </form>
here is dolog.php
Code:
    session_start();
    if (empty($_POST['user']) || empty($_POST['pass']))
        die('GO AWAY');
    if ($_POST['user'] == 'test_user' && $_POST['pass'] == 'test_pass')
    {
        $_SESSION['log'] = true;
        echo '<meta http-equiv="refresh" content="0;url=secure_page.php">';
    }
    else
        die('GO AWAY');
here is head.php
Code:
    session_start();
    if (empty($_SESSION['log']))
        die('GO AWAY');
here is secure_page.php
Code:
    require 'head.php';
    echo 'you are now logged in, go to any of the pages below<br>';
    echo '<a href="secure1.php">secure1</a><br>';
    echo '<a href="secure2.php">secure2</a>';
here is secure1.php
Code:
    require 'head.php';
    echo 'top secrect cia info';
here is secure2.php
Code:
    require 'head.php';
    echo 'nude photos of the president with a hooker';
get the idea?
ps. i use empty because it does not give errors while isset does. tell me how empty can give you false results? empty is right and isset is wrong. your opinion is bad and you should feel bad.
just kiddin kids.
- nickman013
- Forum Regular
- Posts: 764
- Joined: Sun Aug 14, 2005 12:02 am
- Location: Long Island, New York
- raghavan20
- DevNet Resident
- Posts: 1451
- Joined: Sat Jun 11, 2005 6:57 am
- Location: London, UK
- Contact:
shiznatix wrote:
Code:
    session_start();
    if (empty($_POST['user']) || empty($_POST['pass']))
        die('GO AWAY');
    if ($_POST['user'] == 'test_user' && $_POST['pass'] == 'test_pass')
    {
        $_SESSION['log'] = true;
        echo '<meta http-equiv="refresh" content="0;url=secure_page.php">';
    }
    else
        die('GO AWAY');

Now turn on notices at the top of this page...and just type in the URL of the page.
for nickman013, you can turn on notices by
Code:
    error_reporting(E_ALL);
- Chris Corbyn
- Breakbeat Nuttzer
- Posts: 13098
- Joined: Wed Mar 24, 2004 7:57 am
- Location: Melbourne, Australia
- nickman013
- Forum Regular
- Posts: 764
- Joined: Sun Aug 14, 2005 12:02 am
- Location: Long Island, New York
thank you SOOOOOOO MUCH!!!!
it works just how i wanted it to, i got some questions though.
1. How would i add users to this?
Code:
    session_start();
    if (empty($_POST['user']) || empty($_POST['pass']))
        die('GO AWAY');
    if ($_POST['user'] == 'test_user' && $_POST['pass'] == 'test_pass')
    {
        $_SESSION['log'] = true;
        echo '<meta http-equiv="refresh" content="0;url=secure_page.php">';
    }
    else
        die('GO AWAY');
would it be elseif?
2. to logout, can i just add
Code:
    session_destroy();
to login.php and the logout link would be,
<a href=login.php>logout</a>?
3. how can i keep them logged in if they go to an unprotected page?
thank you
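
One way to handle the three questions above (several users, logout, protecting every page), as an added example that is not part of any post in this thread. The function names are hypothetical, the sample users are constructed from the names used earlier in the thread, and it uses a redirect to /pages/login.php and hashed passwords, which differ from the posted scripts.

```php
<?php
// Added example, not from the thread; function names are hypothetical.
// Callers run session_start() before login(), require_login() or logout().

// Constructed sample users; a real site stores password_hash() output only.
function sample_users(): array {
    return [
        'nick' => password_hash('nickpass', PASSWORD_DEFAULT),
        'bob'  => password_hash('bobpass', PASSWORD_DEFAULT),
    ];
}

// Adding a user means adding an array entry, not another elseif branch.
function verify_credentials(array $users, $user, $pass): bool {
    if (!is_string($user) || !is_string($pass)) {
        return false;                  // missing field or user[]=x array input
    }
    $hash = $users[$user] ?? null;
    return $hash !== null && password_verify($pass, $hash);
}

function login(array $users, $user, $pass): bool {
    if (!verify_credentials($users, $user, $pass)) { return false; }
    session_regenerate_id(true);       // fresh session id once authenticated
    $_SESSION['loggedin'] = true;
    return true;
}

// First statement of every protected page, before any output is sent.
function require_login(): void {
    if (($_SESSION['loggedin'] ?? false) !== true) {
        header('Location: /pages/login.php');
        exit;                          // never fall through to the page body
    }
}

function logout(): void {
    $_SESSION = [];                    // drop the login flag for this request
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();                 // remove the server-side session data
}

if (PHP_SAPI === 'cli') {              // offline self-check on the sample users
    $users = sample_users();
    var_dump(verify_credentials($users, 'bob', 'bobpass'), verify_credentials($users, 'bob', 'nickpass'));
}
```

Calling session_start() on every page, protected or not, keeps the session alive across unprotected pages. logout() belongs in its own script linked from the logout button, because placing session_destroy() in login.php would end the session on every visit to that page.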
- d3ad1ysp0rk
- Forum Donator
- Posts: 1661
- Joined: Mon Oct 20, 2003 8:31 pm
- Location: Maine, USA
raghavan20 wrote: Now turn on notices at the top of this page...and just type in the URL of the page.

From my experience, calling empty on an uninitialized variable will NOT throw a notice. I may be wrong, but I'm 90% sure about this.

raghavan20 wrote: To shiznatix and Jenk, empty() and isset() are not a solution by themselves and I am telling this to further emphasize the importance of using them both together.

Actually, they very well can be:
isset by itself:
Code:
    <?php
    if(isset($_SESSION['rank']) && $_SESSION['rank'] < 2){
        //Show X
    }
    ?>
empty by itself:
Code:
    <?php
    if(empty($_POST['zipcode'])){
        $errors[] = "Zipcode is required.";
    }
    ?>
Code:
    <?php
    if(isset($_POST['zipcode'])){
        if($_POST['zipcode'] != '' && $_POST['zipcode'] != 0){ //etc etc
        }
    }
    ?>
- nickman013
- Forum Regular
- Posts: 764
- Joined: Sun Aug 14, 2005 12:02 am
- Location: Long Island, New York