A simple script - login isn't working

Posted: Mon Oct 22, 2007 4:54 pm
by toasty2
I whipped up this little script and I've looked over it many times, but I can't figure out why it's not working as intended.

It's a script to be used for logging in and editing a text file which is to be included by another page. But after logging in, it's taking me back to the login form part even though it should have authenticated me and let me edit the file.

Code:

<?php session_start();

if ($_SESSION['auth'] != true)
{
	exit('<form action="?a=login" method="post">
	Username: <input type="text" name="username" /><br />
	Password: <input type="password" name="password" /><br />
	<input type="submit" value="Login" />
	</form>');
}

if($_GET['a']=='login')
{
	if($_POST['username']=='username' and $_POST['password']=='password')
	{
		$_SESSION['auth'] = true; header('Location: edit.php'); exit;
	}
	else
	{
		$_SESSION['auth'] = false; header('Location: edit.php'); exit;
	}
}
elseif($_GET['a']=='logout')
{
	session_destroy();
	exit('You are now logged out.');
}
elseif($_GET['a']=='edit' and !empty($_POST['text']))
{
	file_put_contents('file.txt',$_POST['text']); exit;
}
?>

<form action="?a=edit" method="post">
<textarea name="text" cols="6" rows="12" />
<input type="submit" value="Edit" />
</form>

Order of Conditions

Posted: Tue Oct 23, 2007 11:16 am
by churt
It appears to be the order of the if conditions. Try the following. I also added "</textarea>" in the text form as it can cause issues without it. Hope this helps.

Code:

<?php session_start();

if($_GET['a']=='login')
{
        if($_POST['username']=='username' and $_POST['password']=='password')
        {
                $_SESSION['auth'] = true; header('Location: edit.php'); exit;
        }
        else
        {
                $_SESSION['auth'] = false; header('Location: edit.php'); exit;
        }
}
elseif($_GET['a']=='logout')
{
        session_destroy();
        exit('You are now logged out.');
}
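elseif($_GET['a']=='edit' and !empty($_POST['text']) and !empty($_SESSION['auth']))
{
        // Check the session here too: this branch runs before the login check
        // further down, so without it any request could write file.txt.
        file_put_contents('file.txt',$_POST['text']); exit;
}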

if ($_SESSION['auth'] != true)
{
        exit('<form action="?a=login" method="post">
        Username: <input type="text" name="username" /><br />
        Password: <input type="password" name="password" /><br />
        <input type="submit" value="Login" />
        </form>');
}

?>

<form action="?a=edit" method="post">
<textarea name="text" cols="6" rows="12" /></textarea>
<input type="submit" value="Edit" />
</form>

Posted: Tue Oct 23, 2007 11:45 am
by Christopher
You are a little exit() happy and could use some work in the structured programming dept. After a redirect is one of the few places where exit() is used.

I would recommend not having the login/logout and the editing on the same page. You semi-agree with that because you redirect to edit.php even though you have editing code here. Keep the login/logout code on this page and code edit.php separately.

Something like this:

Code:

<?php
session_start();

if(isset($_POST['a'])) {
	if ($_POST['a']=='logout') {
		$_SESSION['auth'] = false; 
		echo 'You are now logged out.';
	} else {
		if(($_POST['username']=='username') && ($_POST['password']=='password')) {
			$_SESSION['auth'] = true; 
			session_write_close();
			header('Location: edit.php');
			exit;
		}
	}
}

if (isset($_SESSION['auth']) && ($_SESSION['auth'] == true))
{
	echo '<form action="" method="post">
	<input type="hidden" name="a" value="logout"/>
	<input type="submit" value="Logout" />
	</form>';
} else {
	echo '<form action="" method="post">
	<input type="hidden" name="a" value="login"/>
	Username: <input type="text" name="username" /><br />
	Password: <input type="password" name="password" /><br />
	<input type="submit" value="Login" />
	</form>';
}
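
Added example (not part of the original thread, and not Christopher's code): one way the separate edit.php recommended above could look, with the session check placed ahead of the file write. The login page name login.php and the csrf session key are assumptions; file.txt and the auth session flag come from the scripts in the thread. It assumes PHP 7 or later for random_bytes().

```php
<?php
// edit.php - added example, not code from the thread.
session_start();

// Gate first: nothing below runs for an unauthenticated request.
if (empty($_SESSION['auth'])) {
    header('Location: login.php'); // assumed name of the login/logout page
    exit;
}

// Per-session token so another site cannot submit this form for a logged-in user.
if (empty($_SESSION['csrf'])) {
    $_SESSION['csrf'] = bin2hex(random_bytes(32));
}

$file = __DIR__ . '/file.txt'; // fixed path, never taken from the request
$message = '';

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $token = isset($_POST['csrf']) && is_string($_POST['csrf']) ? $_POST['csrf'] : '';
    $text  = isset($_POST['text']) && is_string($_POST['text']) ? $_POST['text'] : '';
    if (!hash_equals($_SESSION['csrf'], $token)) {
        http_response_code(403);
        exit('Invalid form token.');
    }
    // LOCK_EX keeps two simultaneous saves from interleaving.
    $ok = file_put_contents($file, $text, LOCK_EX);
    $message = ($ok === false) ? 'Save failed.' : 'Saved.';
}

$current = is_readable($file) ? file_get_contents($file) : '';
// Escape everything echoed into HTML, including the file's own contents.
$esc = function ($s) { return htmlspecialchars($s, ENT_QUOTES, 'UTF-8'); };
?>
<p><?php echo $esc($message); ?></p>
<form action="edit.php" method="post">
<input type="hidden" name="csrf" value="<?php echo $esc($_SESSION['csrf']); ?>" />
<textarea name="text" cols="60" rows="12"><?php echo $esc($current); ?></textarea>
<input type="submit" value="Edit" />
</form>
```

The page that displays file.txt should output it with readfile() or an escaped echo rather than include(), because include() executes any PHP the file contains.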