Redirect Issue
Posted: Wed Jul 05, 2006 2:19 pm
by bfdexp
I am having trouble with the redirect in my code. I am using this password script for my password page. I need each user to have his own page. This is a pretty standard, widely used PHP script for password protection. All I really did is add a "page" category in the SQL Query and changed the successful login variable to get that "page" category. However when I successfully login, it just redirects me to the same page, the login screen. Any ideas?
Code:
<?php require($_SERVER['DOCUMENT_ROOT'].'/Connections/pwdbase.php'); ?>
<?php
// *** Validate request to login to this site.
// If session has not been started, start session.
if (!isset($_SESSION)) {
    session_start();
}
//
$loginFormAction = $_SERVER['PHP_SELF'];
if (isset($_GET['accesscheck'])) {
    $_SESSION['PrevUrl'] = $_GET['accesscheck'];
}
if (isset($_POST['username'])) {
    $loginUsername=$_POST['username'];
    $password=$_POST['password'];
    $MM_fldUserAuthorization = "";
    $MM_redirectLoginSuccess = $_GET['page'];
    $MM_redirectLoginFailed= "test.html";
    $MM_redirecttoReferrer = true;
    mysql_select_db($database_pwdbase, $pwdbase);
    $LoginRS__query=sprintf("SELECT user, pass, page FROM main WHERE user='%s' AND pass='%s'",
        get_magic_quotes_gpc() ? $loginUsername : addslashes($loginUsername),
        get_magic_quotes_gpc() ? $password : addslashes($password));
    $LoginRS = mysql_query($LoginRS__query, $pwdbase) or die(mysql_error());
    $loginFoundUser = mysql_num_rows($LoginRS);
    if ($loginFoundUser) {
        $loginStrGroup = "";
        //declare two session variables and assign them
        $_SESSION['MM_Username'] = $loginUsername;
        $_SESSION['MM_UserGroup'] = $loginStrGroup;
        if (isset($_SESSION['PrevUrl']) && true) {
            $MM_redirectLoginSuccess = $_SESSION['PrevUrl'];
        }
        header("Location: ". $MM_redirectLoginSuccess );
    }
    else {
        header("Location: ". $MM_redirectLoginFailed );
    }
}
?>
Posted: Wed Jul 05, 2006 4:27 pm
by Yossarian
if (isset($_SESSION['PrevUrl']) && true) {
What is true? What is being tested here?
I think this will always fail hence you always fall through the if into the redirect.
Why don't you echo all your variables onto the page and have a good look at what is going on?
Posted: Wed Jul 05, 2006 4:40 pm
by printf
This is a pretty standard, widely used PHP script for password protection.
I hope not...
It's really difficult to even begin to understand your problem if one doesn't know how the script is called when you're requesting a login. What I mean is that the script seems to work off basic if() type questions, so knowing what question was asked will help diagnose what problem you are having with the redirect. Other than that, this script can be very dangerous and is filled with shady logic; the login check can be bypassed, I hope you know that!
Posted: Wed Jul 05, 2006 5:17 pm
by RobertGonzalez
I would also venture to say that you are going to have problems checking for isset($_SESSION) when you haven't initialized the session yet. You can't start a session on an if (you can, but in my opinion that is bad practise). Start the session, then do what you will, regardless of whether there is a set $_SESSION array.
Code:
<?php
require($_SERVER['DOCUMENT_ROOT'].'/Connections/pwdbase.php');
session_start();
$loginFormAction = $_SERVER['PHP_SELF'];
if ( isset($_GET['accesscheck']) ) {
    $_SESSION['PrevUrl'] = $_GET['accesscheck'];
}
if ( isset($_POST['username']) ) {
    $loginUsername=$_POST['username'];
    $password=$_POST['password'];
    $MM_fldUserAuthorization = "";
    $MM_redirectLoginSuccess = $_GET['page'];
    $MM_redirectLoginFailed= "test.html";
    $MM_redirecttoReferrer = true;
    mysql_select_db($database_pwdbase, $pwdbase) or die ('Could not get the database: ' . mysql_error());
    $LoginRS__query=sprintf("SELECT user, pass, page FROM main WHERE user='%s' AND pass='%s'",
        get_magic_quotes_gpc() ? $loginUsername : addslashes($loginUsername),
        get_magic_quotes_gpc() ? $password : addslashes($password));
    $LoginRS = mysql_query($LoginRS__query, $pwdbase) or die(mysql_error());
    $loginFoundUser = mysql_num_rows($LoginRS);
    if ($loginFoundUser) {
        $loginStrGroup = "";
        //declare two session variables and assign them
        $_SESSION['MM_Username'] = $loginUsername;
        $_SESSION['MM_UserGroup'] = $loginStrGroup;
        if (isset($_SESSION['PrevUrl']) && true) {
            $MM_redirectLoginSuccess = $_SESSION['PrevUrl'];
        }
        /*
         * Word of warning... use FULL urls for redirecting
         * and try to stay away from taking raw querystring
         * data and using that as a redirect location
         */
        header("Location: ". $MM_redirectLoginSuccess );
    } else {
        header("Location: ". $MM_redirectLoginFailed );
    }
}
?>
Posted: Wed Jul 05, 2006 7:02 pm
by Weirdan
Yossarian wrote: I think this will always fail
It will fail unless isset($_SESSION['PrevUrl'])
Issue
Posted: Wed Jul 05, 2006 8:46 pm
by bfdexp
Thank you so much for the replies. I said the code is a pretty common PHP password script, because it is Dreamweaver's built-in User Login Script. This is the PHP application that is generated when you set up a PHP login in Dreamweaver. The downfall with it is that you can only define a success and fail page, you cannot generate individual pages for each user.
This is a common thread in a few PHP forums and no one has figured it out. If you define an URL and not a variable in $MM_redirectLoginSuccess, it will work. So logically I thought and many other users tried to just add a field to the mySQL database called "page". Then call that as a variable in $MM_redirectLoginSuccess and it should work right?
From studying the code for hours, I feel the problem lies in the following if statement:
if (isset($_SESSION['PrevUrl']) && true) {$MM_redirectLoginSuccess = $_SESSION['PrevUrl'];
Because this statement says if the session has not been set on a successful login, then go to the previous URL, hence it redirecting to the login screen on a successful login. When it is an unsuccessful login, it does go to the defined URL. When I change the successful URL from the variable, back to an URL it works.
So how does this make any sense? When a URL is defined in the successful login variable, $MM_redirectLoginSuccess, it works. However, when I change it to a variable it does not work. Any suggestions, did I define the variable wrong maybe? The code actually does work before I make any changes and the only changes I made were:
1. $LoginRS__query=sprintf("SELECT user, pass, page.... < - Added the page column to the SQL call
2. $MM_redirectLoginSuccess = $_GET['page']; < - Changed the URL to a variable that I believe is linked to the page column in the mySQL table, correct?
THANKS SO MUCH FOR YOUR TIME!!!!!!!!
Jason
Posted: Wed Jul 05, 2006 10:15 pm
by RobertGonzalez
A couple of things are going on that could manipulate the page that a user is redirected to. Also keep in mind that the landing page on success is being set early on in the script with this line if there is a querystring var named accesscheck...
Code:
<?php
if ( isset($_GET['accesscheck']) ) {
$_SESSION['PrevUrl'] = $_GET['accesscheck'];
}
?>
So at this point, if there was a querystring var named accesscheck, then the session var 'PrevUrl' is going to be set to whatever value was passed inside of accesscheck.
NOTE: If there was no accesscheck querystring var, this session var will not be set.
Next thing that is happening is, if the form was posted, is to set some vars by way of the post vars. Note here also that there is absolutely no validation being done. Also at this point the variable $MM_redirectLoginSuccess is being set to a querystring var named page.
NOTE: If there was no page querystring var, the $MM_redirectLoginSuccess variable will be set to an empty string.
After the query is run, if there are any number of rows found over zero, then the script assumes that the user is found. At this point, the script sets some session vars and then checks to see if the session var 'PrevUrl' is set and if true (still not sure what the heck this is all about) and if both evaluate to true, then the $MM_redirectLoginSuccess variable is set to the 'PrevUrl' session var. If for some reason the if check evaluates to false, this setting of the $MM_redirectLoginSuccess variable does not take place. If this is the case, the last value of $MM_redirectLoginSuccess is used, which will either be the querystring var 'page' or an empty string.
Now the script redirects to the success page IF the user was found in the database. If there were zero users found in the database, the script will header redirect to 'text.html' as per the variable in the following code...
Code:
<?php
$MM_redirectLoginFailed= "test.html";
?>
I hope this clears up the process this script follows. It is a really bad example of how to process logins, but it may be a good teach of what not to do when developing a login system.
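Added example, not part of the original thread and not code from any poster: the target selection traced above (PrevUrl from accesscheck first, otherwise page), with the value checked before it reaches header("Location: ..."). The function names and the fallback path /members/index.php are hypothetical.

```php
<?php
// Added example, not code from the thread. Function names and the
// fallback path are hypothetical.

// Return $candidate only if it is a same-site absolute path, else $fallback.
function local_redirect_target($candidate, string $fallback): string
{
    // A missing ?page= or ?accesscheck= arrives as null or ''.
    if (!is_string($candidate) || $candidate === '') {
        return $fallback;
    }
    // Control characters (CR/LF included) do not belong in a Location header.
    if (preg_match('/[\x00-\x1F\x7F]/', $candidate)) {
        return $fallback;
    }
    // One leading "/" only: browsers read "//host" and "/\host" as another site.
    if ($candidate[0] !== '/' || preg_match('#^/[/\\\\]#', $candidate)) {
        return $fallback;
    }
    $parts = parse_url($candidate);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $fallback;
    }
    return $candidate;
}

// Same precedence as the script: PrevUrl (from accesscheck) wins over page.
function choose_login_target(array $session, array $get): string
{
    $raw = $session['PrevUrl'] ?? ($get['page'] ?? null);
    return local_redirect_target($raw, '/members/index.php');
}

// Constructed sample requests.
$cases = [
    [[], []],                                  // neither set: the empty Location
    [[], ['page' => '/members/jason.php']],
    [['PrevUrl' => '/reports.php'], ['page' => '/members/jason.php']],
    [['PrevUrl' => 'http://example.org/'], []],
    [['PrevUrl' => '//example.org/'], []],
    [[], ['page' => "/a.php\r\nX-Test: 1"]],
];
foreach ($cases as [$session, $get]) {
    echo json_encode([$session, $get]), ' => ', choose_login_target($session, $get), "\n";
}
```

Only the second and third cases keep their requested path; every other case, including the empty one that matches the symptom in this thread, ends up at the fallback.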
Issue
Posted: Thu Jul 06, 2006 10:07 am
by bfdexp
Thanks again for your time and the reply. From reading your post, I think I have an idea of why it redirects to the same page, the login page, when there is a successful login. Let me know if I am on the right track.
When the form is posted, it calls the variable $MM_redirectLoginSuccess. This variable, as in the $MM_redirectLoginFailed, are usually defining an URL. In my case I want this variable to be pointed to a column in the mySQL table. Since I did not link this variable properly to the mySQL query string it is not picking up an URL from the table. Hence it redirecting to the same page or basically nothing.
So how can I point $MM_redirectLoginSuccess to the page column in the mySQL table?
Jason
Re: Issue
Posted: Thu Jul 06, 2006 10:16 am
by RobertGonzalez
bfdexp wrote:So how can I point $MM_redirectLoginSuccess to the page column in the mySQL table?
If you can, clarify this idea for me? What do you mean by 'pointing' to a column in a MySQL table?
Posted: Thu Jul 06, 2006 12:03 pm
by bfdexp
Hi,
What I mean by pointing is the following. I set up an additional column or category in the mySQL database. In addition to the user and pass, I added a page category or column. So when there is a successful login, instead of redirecting by an url defined in $MM_redirectLoginSuccess, it will redirect by an URL defined in the SQL table.
So the original process was:
if success, redirect to $MM_redirectLoginSuccess
$MM_redirectLoginSuccess = "sucess.html"
I changed it to :
if success, redirect to $MM_redirectLoginSuccess
$MM_redirectLoginSuccess = $_GET['page']
** 'page' is in the SQL query $LoginRS__query=sprintf("SELECT user, pass, page
So, what I am asking is if I did this link or pointing correctly. Am I properly linking the variable $MM_redirectLoginSuccess to the SQL table category of 'page'? If not, how do I link the variable $MM_redirectLoginSuccess to the element 'page' in the SQL table so that when a user logs in properly the URL defined in his row of the page column will be used as the URL? So more or less, each member has their own page defined in the SQL table.
More Info
Posted: Thu Jul 06, 2006 1:28 pm
by bfdexp
IT WORKS!!!
From looking at other posts regarding this topic, I found this one that was the answer to the big problem:
http://www.thescripts.com/forum/thread492485.html
One poster in this group suggests that the "dynamic redirect" does not work because there is no query fetch in the code. They suggested adding a query fetch so that the "page" column can be fetched from the sql table and used in the redirect. Here is their suggested code, what do you guys think? In addition, he stated that the infamous $MM_redirectLoginSuccess has to be located after the query and fetch in order to work. Here is the modified code:
Code:
$LoginRS__query=sprintf("SELECT user, pass, page FROM main WHERE user='%s' AND pass='%s'",
get_magic_quotes_gpc() ? $loginUsername : addslashes($loginUsername), get_magic_quotes_gpc() ? $password : addslashes($password));
$LoginRS = mysql_query($LoginRS__query, $lp_database) or die(mysql_error());
$loginFoundUser = mysql_num_rows($LoginRS);
$newArray = mysql_fetch_array($LoginRS); // The fetch for the "page" column in the SQL table once it has been found
$MM_redirectLoginSuccess = "../" . $newArray['page']; // The redirect linked to the fetch
Posted: Thu Jul 06, 2006 1:40 pm
by RobertGonzalez
My take on this...
You should have two pages: 1) On success, the landing page that all people see when a successful login occurs, and 2) a failing page that the user sees when there is no successful login.
The way I do this is pretty simple. I set a var called $login_good to false early in the script load. I check for a form submission, then taking that passed data, I check for appropriate credentials. If everything passes, I set the $login_good var to true. Then after all the checking of post data and everything else, I do an if check for the value of $login_good. If it is true, then I redirect to a known successful login page. If it is bad, then I show the same form again with any errors returned in the form processing section.
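Added example, not part of the original thread and not code from any poster: the $login_good flow described above combined with the per-user "page" column, using a prepared statement and a fetch in place of the sprintf/addslashes query. The table and column names (main: user, pass, page) come from the posts; the hashed pass column, the in-memory SQLite database, the /members/ prefix and the function names are assumptions.

```php
<?php
// Added example, not code from the thread. Table and columns follow the posts;
// hashed "pass" values, the SQLite demo DB and all names are assumptions.

function find_login_page(PDO $db, string $user, string $password): ?string
{
    // Placeholders keep the input out of the SQL text (no sprintf/addslashes).
    $stmt = $db->prepare('SELECT pass, page FROM main WHERE user = :user');
    $stmt->execute([':user' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);   // the fetch the generated script lacked
    if ($row === false || !password_verify($password, $row['pass'])) {
        return null;
    }
    return (string) $row['page'];
}

function handle_login(PDO $db, array $post): array
{
    $login_good = false;                     // stays false until the checks pass
    $target = null;
    if (isset($post['username'], $post['password'])
        && is_string($post['username']) && is_string($post['password'])) {
        $page = find_login_page($db, $post['username'], $post['password']);
        if ($page !== null) {
            $login_good = true;
            // Accept only a bare file name from the table, else a default page.
            $ok = preg_match('/\A[A-Za-z0-9_-]+\.php\z/', $page) === 1;
            $target = '/members/' . ($ok ? $page : 'index.php');
        }
    }
    return [$login_good, $target];
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE main (user TEXT PRIMARY KEY, pass TEXT, page TEXT)');
$db->prepare('INSERT INTO main VALUES (?, ?, ?)')
   ->execute(['jason', password_hash('correct horse', PASSWORD_DEFAULT), 'jason.php']);

foreach ([['jason', 'correct horse'], ['jason', 'wrong'], ["o'hara", 'x']] as [$u, $p]) {
    [$ok, $target] = handle_login($db, ['username' => $u, 'password' => $p]);
    echo $u, ' => ', $ok ? "redirect to $target" : 'show the form again', "\n";
}
```

In a real handler the success branch would call session_regenerate_id(true), store the user in the session, send header('Location: ' . $target) and exit; the failure branch re-renders the form with its errors.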