Redirect Issue

bfdexp
Forum Newbie
Posts: 7
Joined: Wed Jul 05, 2006 2:14 pm

Redirect Issue

Post by bfdexp »

I am having trouble with the redirect in my code. I am using this password script for my password page. I need each user to have his own page. This is a pretty standard, widely used PHP script for password protection. All I really did is add a "page" category in the SQL query and change the successful login variable to get that "page" category. However, when I successfully log in, it just redirects me to the same page, the login screen. Any ideas?

Code:

<?php require($_SERVER['DOCUMENT_ROOT'].'/Connections/pwdbase.php'); ?>
<?php
// *** Validate request to login to this site.
// If session has not been started, start session.
if (!isset($_SESSION)) {
    session_start();
}
//
$loginFormAction = $_SERVER['PHP_SELF'];
if (isset($_GET['accesscheck'])) {
    $_SESSION['PrevUrl'] = $_GET['accesscheck'];
}

if (isset($_POST['username'])) {
    $loginUsername=$_POST['username'];
    $password=$_POST['password'];
    $MM_fldUserAuthorization = "";
    $MM_redirectLoginSuccess = $_GET['page'];
    $MM_redirectLoginFailed= "test.html";
    $MM_redirecttoReferrer = true;
    mysql_select_db($database_pwdbase, $pwdbase);

    $LoginRS__query=sprintf("SELECT user, pass, page FROM main WHERE user='%s' AND pass='%s'",get_magic_quotes_gpc() ? $loginUsername : addslashes($loginUsername), get_magic_quotes_gpc() ? $password : addslashes($password));

    $LoginRS = mysql_query($LoginRS__query, $pwdbase) or die(mysql_error());
    $loginFoundUser = mysql_num_rows($LoginRS);
    if ($loginFoundUser) {
        $loginStrGroup = "";

        //declare two session variables and assign them
        $_SESSION['MM_Username'] = $loginUsername;
        $_SESSION['MM_UserGroup'] = $loginStrGroup;

        if (isset($_SESSION['PrevUrl']) && true) {
            $MM_redirectLoginSuccess = $_SESSION['PrevUrl'];
        }
        header("Location: ". $MM_redirectLoginSuccess );
    }
    else {
        header("Location: ". $MM_redirectLoginFailed );
    }
}
?>
Yossarian
Forum Contributor
Posts: 101
Joined: Fri Jun 30, 2006 4:43 am

Post by Yossarian »

if (isset($_SESSION['PrevUrl']) && true) {

What is true? What is being tested here?

I think this will always fail, hence you always fall through the if into the redirect.

Why don't you echo all your variables onto the page and have a good look at what is going on?
printf
Forum Contributor
Posts: 173
Joined: Wed Jan 12, 2005 5:24 pm

Post by printf »

This is a pretty standard, widely used PHP script for password protection.
I hope not...

It's really difficult to even begin to understand your problem if one doesn't know how the script is called when you're requesting a login. What I mean is that the script seems to work off basic if() type questions, so knowing what question was asked will help diagnose what problem you are having with the redirect. Other than that, this script can be very dangerous and is filled with shady logic; the login check can be bypassed, I hope you know that!
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

I would also venture to say that you are going to have problems checking for isset($_SESSION) when you haven't initialized the session yet. You can't start a session on an if (you can, but in my opinion that is bad practice). Start the session, then do what you will, regardless of whether there is a set $_SESSION array.

Code:

<?php 
require($_SERVER['DOCUMENT_ROOT'].'/Connections/pwdbase.php'); 
session_start();

$loginFormAction = $_SERVER['PHP_SELF'];
if ( isset($_GET['accesscheck']) ) {
    $_SESSION['PrevUrl'] = $_GET['accesscheck'];
}

if ( isset($_POST['username']) ) {
    $loginUsername=$_POST['username'];
    $password=$_POST['password'];
    $MM_fldUserAuthorization = "";
    $MM_redirectLoginSuccess = $_GET['page'];
    $MM_redirectLoginFailed= "test.html";
    $MM_redirecttoReferrer = true;
    mysql_select_db($database_pwdbase, $pwdbase) or die ('Could not get the database: ' . mysql_error());

    $LoginRS__query=sprintf("SELECT user, pass, page FROM main WHERE user='%s' AND pass='%s'",get_magic_quotes_gpc() ? $loginUsername : addslashes($loginUsername), get_magic_quotes_gpc() ? $password : addslashes($password));

    $LoginRS = mysql_query($LoginRS__query, $pwdbase) or die(mysql_error());
    $loginFoundUser = mysql_num_rows($LoginRS);
    if ($loginFoundUser) {
        $loginStrGroup = "";

        //declare two session variables and assign them
        $_SESSION['MM_Username'] = $loginUsername;
        $_SESSION['MM_UserGroup'] = $loginStrGroup;

        if (isset($_SESSION['PrevUrl']) && true) {
            $MM_redirectLoginSuccess = $_SESSION['PrevUrl'];
        }

/*
 * Word of warning... use FULL urls for redirecting
 * and try to stay away from taking raw querystring 
 * data and using that as a redirect location
 */
        header("Location: ". $MM_redirectLoginSuccess );
    } else {
        header("Location: ". $MM_redirectLoginFailed );
    }
}
?>
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

Yossarian wrote: I think this will always fail
It will fail unless isset($_SESSION['PrevUrl'])
bfdexp
Forum Newbie
Posts: 7
Joined: Wed Jul 05, 2006 2:14 pm

Issue

Post by bfdexp »

Thank you so much for the replies. I said the code is a pretty common PHP password script, because it is Dreamweaver's built-in User Login Script. This is the PHP application that is generated when you set up a PHP login in Dreamweaver. The downfall with it is that you can only define a success and fail page, you cannot generate individual pages for each user.

This is a common thread in a few PHP forums and no one has figured it out. If you define a URL and not a variable in $MM_redirectLoginSuccess, it will work. So logically I thought, and many other users tried, to just add a field to the MySQL database called "page". Then call that as a variable in $MM_redirectLoginSuccess and it should work, right?

From studying the code for hours, I feel the problem lies in the following if statement:
if (isset($_SESSION['PrevUrl']) && true) {$MM_redirectLoginSuccess = $_SESSION['PrevUrl'];
Because this statement says if the session has not been set on a successful login, then go to the previous URL, hence it redirecting to the login screen on a successful login. When it is an unsuccessful login, it does go to the defined URL. When I change the successful URL from the variable back to a URL, it works.

So how does this make any sense? When a URL is defined in the successful login variable, $MM_redirectLoginSuccess, it works. However, when I change it to a variable it does not work. Any suggestions, did I define the variable wrong maybe? The code actually does work before I make any changes and the only changes I made were:

1. $LoginRS__query=sprintf("SELECT user, pass, page.... <- Added the page column to the SQL call

2. $MM_redirectLoginSuccess = $_GET['page']; <- Changed the URL to a variable that I believe is linked to the page column in the MySQL table, correct?

THANKS SO MUCH FOR YOUR TIME!!!!!!!!

Jason
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

A couple of things are going on that could manipulate the page that a user is redirected to. Also keep in mind that the landing page on success is being set early on in the script with this line if there is a querystring var named accesscheck...

Code:

<?php
if ( isset($_GET['accesscheck']) ) {
    $_SESSION['PrevUrl'] = $_GET['accesscheck'];
} 
?>
So at this point, if there was a querystring var named accesscheck, then the session var 'PrevUrl' is going to be set to whatever value was passed inside of accesscheck. NOTE: If there was no accesscheck querystring var, this session var will not be set.

Next thing that is happening is, if the form was posted, is to set some vars by way of the post vars. Note here also that there is absolutely no validation being done. Also at this point the variable $MM_redirectLoginSuccess is being set to a querystring var named page. NOTE: If there was no page querystring var, the $MM_redirectLoginSuccess variable will be set to an empty string.

After the query is run, if there are any number of rows found over zero, then the script assumes that the user is found. At this point, the script sets some session vars and then checks to see if the session var 'PrevUrl' is set and if true (still not sure what the heck this is all about), and if both evaluate to true, then the $MM_redirectLoginSuccess variable is set to the 'PrevUrl' session var. If for some reason the if check evaluates to false, this setting of the $MM_redirectLoginSuccess variable does not take place. If this is the case, the last value of $MM_redirectLoginSuccess is used, which will either be the querystring var 'page' or an empty string.

Now the script redirects to the success page IF the user was found in the database. If there were zero users found in the database, the script will header redirect to 'test.html' as per the variable in the following code...

Code:

<?php
$MM_redirectLoginFailed= "test.html";
?>
I hope this clears up the process this script follows. It is a really bad example of how to process logins, but it may be a good lesson in what not to do when developing a login system.
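
The walk-through above shows `accesscheck` going from the query string into `$_SESSION['PrevUrl']` and then into the `Location` header with no validation. As an added example (not code from any poster in the thread), one way to constrain that value to a path on the site's own fixed origin before it is stored or used; `SITE_ORIGIN`, `FALLBACK_PATH` and `safe_redirect_target()` are hypothetical names.

```php
<?php
// Added example, not from the thread. SITE_ORIGIN, FALLBACK_PATH and
// safe_redirect_target() are hypothetical names.
const SITE_ORIGIN   = 'https://www.example.com';
const FALLBACK_PATH = '/members/index.php';

// Returns a full URL on our own origin, or the fallback if $candidate is not
// a plain site-local path.
function safe_redirect_target($candidate): string
{
    $fallback = SITE_ORIGIN . FALLBACK_PATH;
    if (!is_string($candidate) || $candidate === '') {
        return $fallback;
    }
    // Control characters (CR/LF included) never belong in a Location header.
    if (preg_match('/[\x00-\x1F\x7F]/', $candidate)) {
        return $fallback;
    }
    // Browsers treat "\" like "/", so "/\host" behaves like "//host".
    if (strpos($candidate, '\\') !== false) {
        return $fallback;
    }
    // Require exactly one leading slash: "//host/..." is another site.
    if ($candidate[0] !== '/' || strncmp($candidate, '//', 2) === 0) {
        return $fallback;
    }
    // parse_url() must see a path (plus optional query) and nothing else.
    $parts = parse_url($candidate);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $fallback;
    }
    return SITE_ORIGIN . $candidate;
}

// Constructed sample values, as they might arrive in ?accesscheck=...
$samples = [
    '/members/reports.php?id=7',       // accepted
    'http://example.net/login.php',    // absolute URL to another host
    '//example.net/login.php',         // protocol-relative URL
    '/\\example.net',                  // backslash variant
    "/members/\r\nX-Injected: 1",      // header-splitting attempt
    'members.php',                     // no leading slash
];
foreach ($samples as $s) {
    printf("%-34s => %s\n", json_encode($s), safe_redirect_target($s));
}
```

Only the first sample keeps its path; every other value comes back as the fallback URL. In the login script this would wrap the assignment, e.g. `$_SESSION['PrevUrl'] = safe_redirect_target($_GET['accesscheck']);`.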
bfdexp
Forum Newbie
Posts: 7
Joined: Wed Jul 05, 2006 2:14 pm

Issue

Post by bfdexp »

Thanks again for your time and the reply. From reading your post, I think I have an idea of why it redirects to the same page, the login page, when there is a successful login. Let me know if I am on the right track.

When the form is posted, it calls the variable $MM_redirectLoginSuccess. This variable, like $MM_redirectLoginFailed, usually defines a URL. In my case I want this variable to be pointed to a column in the MySQL table. Since I did not link this variable properly to the MySQL query string, it is not picking up a URL from the table. Hence it redirecting to the same page or basically nothing.

So how can I point $MM_redirectLoginSuccess to the page column in the MySQL table?

Jason
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Re: Issue

Post by RobertGonzalez »

bfdexp wrote: So how can I point $MM_redirectLoginSuccess to the page column in the mySQL table?
If you can, clarify this idea for me? What do you mean by 'pointing' to a column in a MySQL table?
bfdexp
Forum Newbie
Posts: 7
Joined: Wed Jul 05, 2006 2:14 pm

Post by bfdexp »

Hi,

What I mean by pointing is the following. I set up an additional column or category in the MySQL database. In addition to the user and pass, I added a page category or column. So when there is a successful login, instead of redirecting by a URL defined in $MM_redirectLoginSuccess, it will redirect by a URL defined in the SQL table.

So the original process was:

if success, redirect to $MM_redirectLoginSuccess
$MM_redirectLoginSuccess = "sucess.html"

I changed it to :

if success, redirect to $MM_redirectLoginSuccess
$MM_redirectLoginSuccess = $_GET['page']

** 'page' is in the SQL query $LoginRS__query=sprintf("SELECT user, pass, page

So, what I am asking is if I did this link or pointing correctly. Am I properly linking the variable $MM_redirectLoginSuccess to the SQL table category of 'page'? If not, how do I link the variable $MM_redirectLoginSuccess to the element 'page' in the SQL table so that when a user logs in properly the URL defined in his row of the page column will be used as the URL? So more or less, each member has their own page defined in the SQL table.
bfdexp
Forum Newbie
Posts: 7
Joined: Wed Jul 05, 2006 2:14 pm

More Info

Post by bfdexp »

IT WORKS!!!

From looking at other posts regarding this topic, I found this one that was the answer to the big problem: http://www.thescripts.com/forum/thread492485.html

One poster in this group suggested that the "dynamic redirect" does not work because there is no query fetch in the code; they suggested adding a query fetch so that the "page" column can be fetched from the SQL table and used in the redirect. Here is their suggested code, what do you guys think? In addition, he stated that the infamous $MM_redirectLoginSuccess has to be located after the query and fetch in order to work. Here is the modified code:

Code:

$LoginRS__query=sprintf("SELECT user, pass, page FROM main WHERE user='%s' AND pass='%s'",
get_magic_quotes_gpc() ? $loginUsername : addslashes($loginUsername), get_magic_quotes_gpc() ? $password : addslashes($password)); 

$LoginRS = mysql_query($LoginRS__query, $lp_database) or die(mysql_error());
$loginFoundUser = mysql_num_rows($LoginRS);
$newArray = mysql_fetch_array($LoginRS); // The fetch for the "page" column in the SQL table once it has been found
$MM_redirectLoginSuccess = "../" . $newArray['page']; // The redirect linked to the fetch
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

My take on this...

You should have two pages: 1) On success, the landing page that all people see when a successful login occurs, and 2) a failing page that the user sees when there is no successful login.

The way I do this is pretty simple. I set a var called $login_good to false early in the script load. I check for a form submission, then taking that passed data, I check for appropriate credentials. If everything passes, I set the $login_good var to true. Then after all the checking of post data and everything else, I do an if check for the value of $login_good. If it is true, then I redirect to a known successful login page. If it is bad, then I show the same form again with any errors returned in the form processing section.
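
One way to combine the `$login_good` flag described above with the per-user `page` column fetched earlier in the thread, as an added example (not code from any poster). It uses PDO placeholders and `password_verify()` in place of the script's `addslashes()` and plain-text comparison; the table and column names follow the posts, while the origin, the `/members/` path, `find_user_page()` and the sample row are assumptions.

```php
<?php
// Added example, not from the thread. Table and column names (main, user,
// pass, page) follow the posts; the origin, paths and sample row are assumed.
session_start();

// Constructed in-memory database so the example runs offline (needs pdo_sqlite).
// Assumption: pass holds password_hash() output rather than the plain password.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE main (user TEXT PRIMARY KEY, pass TEXT, page TEXT)');
$db->prepare('INSERT INTO main VALUES (?, ?, ?)')
   ->execute(['jason', password_hash('constructed-password', PASSWORD_DEFAULT), 'jason.php']);

// Returns the user's page on valid credentials, null otherwise.
function find_user_page(PDO $db, string $user, string $password): ?string
{
    // The placeholder binds the value; no addslashes() or magic quotes.
    $stmt = $db->prepare('SELECT pass, page FROM main WHERE user = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC); // fetch the row, not just count it
    if ($row === false || !password_verify($password, $row['pass'])) {
        return null;
    }
    // The page column is data too: accept a bare file name only.
    return preg_match('/\A[A-Za-z0-9_-]+\.php\z/', $row['page']) ? $row['page'] : null;
}

$login_good = false;
$errors = [];
$user = $_POST['username'] ?? null;
$pass = $_POST['password'] ?? null;

if (is_string($user) && is_string($pass)) {
    $page = find_user_page($db, $user, $pass);
    if ($page !== null) {
        $login_good = true;
    } else {
        $errors[] = 'Invalid username or password.';
    }
}

if ($login_good) {
    session_regenerate_id(true); // new session ID once authenticated
    $_SESSION['MM_Username'] = $user;
    header('Location: https://www.example.com/members/' . $page);
    exit; // stop here so nothing after the redirect runs
}
// Otherwise fall through and render the login form again with $errors.
```

The redirect target here is built only from a fixed origin and a value read from the matched row, so nothing from the query string reaches the `Location` header.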