Posted: Mon Jan 23, 2006 5:54 am
by Jenk
empty() has room for a false positive, because it is checking for multiple criteria, whereas isset() checks if the variable exists, and nothing else.
I agree it works in this situation, but it is poor practice to use empty when all you are checking for is if the variable exists, which is exactly what isset() is there for.
Posted: Mon Jan 23, 2006 6:45 am
by raghavan20
Jenk wrote:empty() has room for a false positive, because it is checking for multiple criteria, whereas isset() checks if the variable exists, and nothing else.
I agree it works in this situation, but it is poor practice to use empty when all you are checking for is if the variable exists, which is exactly what isset() is there for.
I know empty() gives a notice; other than that, I think it perfectly solves the problem, even though it is not advisable to use it alone, and I agree with you. But using isset() avoids notices but it can lead up to serious errors when you use the variable for building SQL statements. If anyone is not lazy at coding then they should nest empty() within isset().
Posted: Mon Jan 23, 2006 9:12 am
by nickman013
OK, I am starting to see this a little bit better.
Correct me if I am wrong, please.
On the pages that I want to be protected (have to be logged in to view), I have to add this to the script:
Code: Select all
<?php
session_start();
if(empty($_SESSION['loggedin'])){
    include("http://www.muot.net/pages/login.php");
    die();
}
?>
And if they are not logged in, it will include login.php which will ask for a user name and password.
My login.php script is
Code: Select all
if (isset($_POST['user']) && isset($_POST['pass'])){
    if (($_POST['user']=='nick' && $_POST['pass']=='nickpass') || ($_POST['user']=='bob' && $_POST['pass']=='bobpass')){
        //This code would go in the if block checking whether the login was successful
        $_SESSION['loggedin'] = TRUE;
        header("Location:/pages/admin.php"); echo "<html><font color=green size=4>SUCCESS!</font></html>";
    } else {
        $error = "<div align=center><font size=-1 color=red>WRONG USERNAME OR PASSWORD</FONT></div>";
        echo "$error";
    }
}
$form = "
<html>
<body><div align=center><form action=login.php method=post><font size=2><b>Username:
<input type=text size=10 maxlength=10 name=user><br>
<font size=2><b>Password:
<input type=password size=10 maxlength=10 name=pass><br><input type=submit value=Login.>
</form>
</div></body></html>";
I don't think it works though, but it might because when I try to go to admin.php, it does include the login script, and I login, then it will redirect me back to admin.php, viewing the protected page.
If I close the browser and go to admin.php, it asks for password (which is good).
I just need to know how to make a logout button, I can't figure it out because it kills the sessions for I do anything.
I also need to know how to protect other pages. Because when I'm not logged in and I go to a page I wanted protected, it views the page, and doesn't include the login.php.
Thank You Guys So Much For Helping Me!
Posted: Mon Jan 23, 2006 11:10 am
by Jenk
To maintain a session you must have session_start() at the top of every page, before any output is sent to the user agent.
And again, I'd like to point out using empty() instead of isset() when checking for the existence of a variable is bad practice.
Posted: Mon Jan 23, 2006 11:27 am
by nickman013
Where is the asset that you want me to replace?
This ?
Code: Select all
if (isset($_POST['user']) && isset($_POST['pass'])){
Also, what do you mean by "before any output is sent to the user agent"? Would that mean the very first line of my pages?
Posted: Mon Jan 23, 2006 11:43 am
by Christopher
Jenk wrote:And again, I'd like to point out using empty() instead of isset() when checking for the existence of a variable is bad practice.
I agree. It really should be the isset() check and then the specific check for the condition you are looking for. That makes the code more self-documenting. Something like:
Code: Select all
if(isset($_SESSION['loggedin']) && $_SESSION['loggedin'] == true){
Posted: Mon Jan 23, 2006 12:06 pm
by d3ad1ysp0rk
Haha, I love the war I started. I would personally use isset as well in this situation, it was a mistype.
Anyways, why are you including the login.php page? Why not just send them to it?
Posted: Mon Jan 23, 2006 12:20 pm
by nickman013
I am including login.php because I can't send them to it, because the header doesn't work, because it says it is already sent out.
Posted: Mon Jan 23, 2006 3:26 pm
by shiznatix
here. do this
here is login.php
Code: Select all
<form action="dolog.php" method="post">
user: <input type="text" name="user"><br>
pass: <input type="password" name="pass"><br>
<input type="submit" value="submit">
</form>
here is dolog.php
Code: Select all
session_start();
if (empty($_POST['user']) || empty($_POST['pass']))
    die('GO AWAY');
if ($_POST['user'] == 'test_user' && $_POST['pass'] == 'test_pass')
{
    $_SESSION['log'] = true;
    echo '<meta http-equiv="refresh" content="0;url=secure_page.php">';
}
else
    die('GO AWAY');
here is head.php
Code: Select all
session_start();
if (empty($_SESSION['log']))
    die('GO AWAY');
here is secure_page.php
Code: Select all
require 'head.php';
echo 'you are now logged in, go to any of the pages below<br>';
echo '<a href="secure1.php">secure1</a><br>';
echo '<a href="secure2.php">secure2</a>';
here is secure1.php
Code: Select all
require 'head.php';
echo 'top secrect cia info';
here is secure2.php
Code: Select all
require 'head.php';
echo 'nude photos of the president with a hooker';
get the idea?
ps. i use empty because it does not give errors while isset does. tell me how empty can give you false results? empty is right and isset is wrong. your opinion is bad and you should feel bad.

just kiddin kids.
Posted: Mon Jan 23, 2006 3:43 pm
by nickman013
thank you so much, i will try this code now!
Posted: Mon Jan 23, 2006 4:30 pm
by raghavan20
shiznatix wrote:
Code: Select all
session_start();
if (empty($_POST['user']) || empty($_POST['pass']))
    die('GO AWAY');
if ($_POST['user'] == 'test_user' && $_POST['pass'] == 'test_pass')
{
    $_SESSION['log'] = true;
    echo '<meta http-equiv="refresh" content="0;url=secure_page.php">';
}
else
    die('GO AWAY');
Now turn on notices at the top of this page...and just type in the URL of the page.
for nickman013, you can turn on notices by
To shiznatix and Jenk, empty() and isset() are not a solution by themselves and I am telling this to further emphasize the importance of using them both together.
Posted: Mon Jan 23, 2006 5:19 pm
by Chris Corbyn
LMAO. Nice example pages Shiz

Posted: Mon Jan 23, 2006 9:31 pm
by nickman013
thank you SOOOOOOO MUCH!!!!
it works just how i wanted it to, i got some questions though.
1. How would i add users to this?
Code: Select all
session_start();
if (empty($_POST['user']) || empty($_POST['pass']))
    die('GO AWAY');
if ($_POST['user'] == 'test_user' && $_POST['pass'] == 'test_pass')
{
    $_SESSION['log'] = true;
    echo '<meta http-equiv="refresh" content="0;url=secure_page.php">';
}
else
    die('GO AWAY');
would it be elseif?
2. to logout, can i just add
to login.php and the logout link would be,
<a href=login.php>logout</a>?
3. how can I keep them logged in if they go to an unprotected page?
thank you
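Added example (not part of any post in this thread): one way a dolog.php could handle several users and a logout, assuming PHP 7.1 or later. The names check_login() and logout() and the two accounts are hypothetical and constructed for illustration; password_verify() and session_regenerate_id() are hardening steps that go beyond what the thread's code does.

```php
<?php
// Added example, not from the thread. check_login()/logout() are hypothetical names.
session_start();                     // before any output is sent

// Constructed accounts. Hashes are built at runtime only to keep the example
// self-contained; store precomputed password_hash() output instead.
$users = [
    'nick' => password_hash('constructed-pass-1', PASSWORD_DEFAULT),
    'bob'  => password_hash('constructed-pass-2', PASSWORD_DEFAULT),
];

function check_login(array $users, $user, $pass): bool
{
    // $_POST values can be arrays (user[]=x); accept strings only.
    if (!is_string($user) || !is_string($pass) || !isset($users[$user])) {
        return false;
    }
    return password_verify($pass, $users[$user]);
}

function logout(): void
{
    $_SESSION = [];                  // drop the server-side session data
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

if (isset($_POST['logout'])) {       // logout sent by a small POST form
    logout();
    header('Location: login.php');
    exit;
}

if (isset($_POST['user'], $_POST['pass'])
    && check_login($users, $_POST['user'], $_POST['pass'])) {
    session_regenerate_id(true);     // fresh session id once the user is logged in
    $_SESSION['log'] = true;
    header('Location: secure_page.php');
    exit;                            // nothing else is sent after the redirect
}
http_response_code(401);
exit('GO AWAY');
```

Adding a user means adding one entry to the table rather than another elseif branch, and because nothing is echoed before header(), the redirect does not hit the "headers already sent" error.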
Posted: Mon Jan 23, 2006 10:54 pm
by d3ad1ysp0rk
raghavan20 wrote:Now turn on notices at the top of this page...and just type in the URL of the page.
From my experience, calling empty on an uninitialized variable will NOT throw a notice. I may be wrong, but I'm 90% sure about this.
raghavan20 wrote:To shiznatix and Jenk, empty() and isset() are not a solution by themselves and I am telling this to further emphasize the importance of using them both together.
Actually, they very well can be:
isset by itself:
Code: Select all
<?php
if(isset($_SESSION['rank']) && $_SESSION['rank'] < 2){
    //Show X
}
?>
There is no need to call empty on that, because you don't care. All you care is if it's there, and whether it's less than 2 or not. If it's initialized, but empty, it won't be less than two; so you're fine.
empty by itself:
Code: Select all
<?php
if(empty($_POST['zipcode'])){
    $errors[] = "Zipcode is required.";
}
?>
This is like saying:
Code: Select all
<?php
if(isset($_POST['zipcode'])){
    if($_POST['zipcode'] != '' && $_POST['zipcode'] != 0){ //etc etc
    }
}
?>
So you don't need isset. It would be redundant.
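Added example (not part of any post in this thread): a small script that runs the three styles of session gate argued over above against the same constructed values, so the differences can be seen side by side. The function names gate_empty(), gate_isset() and gate_strict() are hypothetical; the sample session arrays are constructed.

```php
<?php
// Added example, not from the thread. Sample values are constructed.
error_reporting(E_ALL);              // notices on, to show none of these raise one

// Three ways of writing the "is the user logged in?" check.
function gate_empty(array $s): bool  { return !empty($s['loggedin']); }
function gate_isset(array $s): bool  { return isset($s['loggedin']); }
function gate_strict(array $s): bool
{
    // isset() for existence, then the specific condition, compared strictly.
    return isset($s['loggedin']) && $s['loggedin'] === true;
}

// Constructed stand-ins for $_SESSION in different states.
$cases = [
    'key missing' => [],
    'null'        => ['loggedin' => null],
    'false'       => ['loggedin' => false],
    'int 0'       => ['loggedin' => 0],
    "string '0'"  => ['loggedin' => '0'],
    "string ''"   => ['loggedin' => ''],
    "string 'no'" => ['loggedin' => 'no'],
    'true'        => ['loggedin' => true],
];

printf("%-14s %-8s %-8s %-8s\n", 'value', '!empty', 'isset', 'strict');
foreach ($cases as $label => $session) {
    printf("%-14s %-8s %-8s %-8s\n", $label,
        var_export(gate_empty($session), true),
        var_export(gate_isset($session), true),
        var_export(gate_strict($session), true));
}
```

isset() alone lets through false, 0, '0' and '', !empty() lets through any non-empty string such as 'no', and only the isset() plus strict comparison form accepts boolean true and nothing else.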
Posted: Mon Jan 23, 2006 11:26 pm
by nickman013
lol 3 quarters of this thread is arguing over isset and empty lol