Page 1 of 2
Login Redirect Question
Posted: Sat Mar 21, 2009 10:32 am
by gestedatha
I have a simple form with one field. When a user enters a four digit number in the field I need to have them redirected to a specific web page corresponding with the four digit number. Example: user enters 1234 and then is redirected to
http://www.website.com/1234.
There are two fields in table "users": username, webaddress
I have limited knowledge of PHP but have put this script together. However, when entering the four digit number I receive the following in the address bar:
http://www.website.com/Array
Can someone review this and help me figure out how to make it work?
Here is the script:
Code:
<?php
// Connects to your Database
mysql_connect("localhost", "db_username", "db_password") or die(mysql_error());
mysql_select_db("database") or die(mysql_error());
$result = mysql_query("SELECT * FROM users
WHERE username='$username'");
{
while($row = mysql_fetch_array($result))
$row['webaddress']
{
header("Location:$row")
}
?>
<html>
<head>
<title>PHP Test Page</title>
</head>
<body>
<center><b>
<form action="testing.php" method="post">
<table border="0">
<tr><td colspan=2><h1>Login</h1></td></tr>
<tr><td>Username:</td><td>
<input type="text" name="username" maxlength="40">
</td></tr>
<tr><td colspan="2" align="right">
<input type="submit" name="submit" value="Login">
</td></tr>
</table>
</form>
</b></center>
</body>
</html>
<?php
}
?>
Re: Login Redirect Question
Posted: Sat Mar 21, 2009 10:53 am
by php_east
Code:
header("Location:$row['webaddress']")
Re: Login Redirect Question
Posted: Sat Mar 21, 2009 1:09 pm
by gestedatha
I made the change you suggested:
Code:
<?php
// Connects to your Database
mysql_connect("localhost", "db_username", "db_password") or die(mysql_error());
mysql_select_db("database") or die(mysql_error());
$result = mysql_query("SELECT * FROM users
WHERE username='$username'");
{
while($row = mysql_fetch_array($result))
$row['webaddress']
{
header("Location:$row['webaddress']")
}
?>
It gives the following error:
Parse error: syntax error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_STRING in /home/flamer99/public_html/testing.php on line 13
Re: Login Redirect Question
Posted: Sat Mar 21, 2009 2:08 pm
by jayshields
Missing semi-colon after the newly inserted line. You should enclose the variable on that line with curly brackets too.
Re: Login Redirect Question
Posted: Sat Mar 21, 2009 2:38 pm
by gestedatha
Didn't need the ; but did need the curly brackets. Here is the working script: Thanks for all your help guys!
Code:
<?php
// Connects to your Database
mysql_connect("localhost", "db_username", "db_password") or die(mysql_error());
mysql_select_db("database") or die(mysql_error());
$result = mysql_query("SELECT * FROM users WHERE username='$username'");
{
while($row = mysql_fetch_array($result))
$row['webaddress']
{
header("Location:{$row['webaddress']}")
}
?>
<html>
<head>
<title>PHP Test Page</title>
</head>
<body>
<center><b>
<form action="testing.php" method="post">
<table border="0">
<tr><td colspan=2><h1>Login</h1></td></tr>
<tr><td>Username:</td><td>
<input type="text" name="username" maxlength="40">
</td></tr>
<tr><td colspan="2" align="right">
<input type="submit" name="submit" value="Login">
</td></tr>
</table>
</form>
</b></center>
</body>
</html>
<?php
}
?>
Re: Login Redirect Question
Posted: Sat Mar 21, 2009 3:01 pm
by jayshields
I'm surprised that works. You've actually got two missing semi-colons, and a completely unnecessary line (9).
You really need to sort it out. You've got register globals on, and you're passing a form field straight into MySQL - leaving you open to SQL injection attacks. Also, your login mechanism is very poor.
Re: Login Redirect Question
Posted: Sat Mar 21, 2009 3:18 pm
by crazycoders
To both of you, you don't need a ; (semi-colon) on all lines... as soon as you use a block delimiter (in the case of PHP, {}) you don't need the ; because the statement automatically ends. This is valid in most cases except where you use:
Code:
$value = 'hey '.${'priv'.$variablename};
In this case, the {} around $variablename is used to create a block relationship between the string and the $variablename variable but doesn't end the statement. But in the case of:
It would actually be valid to do because the different statements are split up by the {}...
Oh, and just so you know, lines of code don't exist; it's called a statement. Visual Basic-type languages have statements based on lines of code because the line feed character is the statement terminator. And since it's clearer to code line by line, we usually say to look at code line #something..

Cheers and good luck to you gestedatha
Re: Login Redirect Question
Posted: Sat Mar 21, 2009 3:31 pm
by gestedatha
jayshields wrote:I'm surprised that works. You've actually got two missing semi-colons, and a completely unnecessary line (9).
You really need to sort it out. You've got register globals on, and you're passing a form field straight into MySQL - leaving you open to SQL injection attacks. Also, your login mechanism is very poor.
I'll have to read up on what you mean by register globals being on and I'll have to read up on SQL injection attacks. I'm not sure if I need the login mechanism to be very sophisticated since I'm only using it as a way to redirect traffic based on the four-digit number entered into the field. Do you have any suggestions then on the code below that would strengthen the login mechanism and security?
I made changes as you suggested. Deleted previous line 9 and added a semi-colon to line 10:
Code:
<?php
mysql_connect("localhost", "db_username", "db_password") or die(mysql_error());
mysql_select_db("database") or die(mysql_error());
$result = mysql_query("SELECT * FROM users WHERE username='$username'");
{
while($row = mysql_fetch_array($result))
{
header("Location:{$row['webaddress']}");
}
?>
Re: Login Redirect Question
Posted: Sat Mar 21, 2009 4:41 pm
by jayshields
crazycoders wrote:you don't need a ; (semi-colon) all lines... as soon as you use a block delimiter (in the case of PHP {}) you don't need the ; because the statement automatically ends.
I would say it's very bad practice to ever leave out semi-colons. I didn't even know that you could get away with leaving them out if you're ending the {} block.
crazycoders wrote:Oh and just so you know, lines of code don't exist, it's called a statement.
What did you want me to say to him? Statement 5 is unnecessary? I think that would have been harder for him to find than line 9.
gestedatha wrote:Do you have any suggestions then on the code below that would strengthen the login mechanism and security?
Never ever pass a user-submitted value straight into an SQL query. Use mysql_real_escape_string() on the variable. Imagine what the executed query would look like if the user entered
Re: Login Redirect Question
Posted: Sat Mar 21, 2009 5:36 pm
by gestedatha
Thanks jayshields,
I'm going to take a look at your last suggestion and learn more about it. I really appreciate your help and definitely referring to line 9 made more sense to me.
The field is limited to 4 characters so that may help me for now. I'm reading up on your suggestion.
I'm just now getting into PHP and it's been a nice challenge. Thanks again.
Re: Login Redirect Question
Posted: Sat Mar 21, 2009 10:41 pm
by php_east
crazycoders wrote:To both of you, you don't need a ; (semi-colon) all lines... as soon as you use a block delimiter (in the case of PHP {}) you don't need the ; because the statement automatically ends. This is valid in most cases except where you use:
You might as well say <?php is not needed, we can use <? and it is valid.
What I am saying is that when you want to read 1000 lines of code quickly, not having a semicolon is like reading a book without punctuation.
@gestedatha
Sorry, I was just pointing out the error made; I did not give you proper syntax/code because I presumed you would take care of that. I really don't want to dive into your code, it makes me a bit dizzy

Re: Login Redirect Question
Posted: Sun Mar 22, 2009 5:24 am
by jayshields
How many characters the field is limited to doesn't matter. If you're using the HTML maxlength attribute it definitely doesn't enforce any strict validation. Besides, SQL injection can probably be done in less than 4 characters. It's very easy to just use mysql_real_escape_string() on every user-submitted variable that's used with SQL!
Re: Login Redirect Question
Posted: Mon Mar 23, 2009 3:58 pm
by gestedatha
php_east - no problem...I appreciate your help. I'm trying to learn this starting with the basics.
jayshields - A SQL injection is used by someone wanting to see private data within the table correct? I'm going to get the code sorted out as you suggest. In the meantime there are only two fields in the table:
4-digit code: which someone enters in the field
webaddress: the page (not secure or private) that is referenced by the code.
No private or secure data in table.
There isn't anything they could see or find that isn't already available via our site. It's just a way for me to direct visitor traffic.
Like this?
Code:
<?php
mysql_connect("localhost", "db_username", "db_password") or die(mysql_error());
mysql_select_db("database") or die(mysql_error());
$pcode = mysql_real_escape_string($pcode);
$result = mysql_query("SELECT * FROM users WHERE pcode='$pcode'");
{
while($row = mysql_fetch_array($result))
{
header("Location:{$row['webaddress']}");
}
?>
Re: Login Redirect Question
Posted: Mon Mar 23, 2009 4:29 pm
by jayshields
gestedatha wrote:jayshields - A SQL injection is used by someone wanting to see private data within the table correct?
Noooooo! SQL injection is an attack by which a malicious user can execute an unintended SQL query; it doesn't have to be to do with viewing data, it can be destroying it too.
Seeing private data is rare, because your code would also need a means to output the fetched data to the browser. My previous example input was stupid... I posted that without thinking too much... A better example malicious input for your query would be
which would redirect the user to the website which is in the first row in the table, often a row for an administrator.
Edit: Yeah your example is fine, but could do with adapting to some best practices to help with debugging/readability. Read the PHP manual examples and comments for ideas.
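A hardened version of the lookup, added here as an illustration and not code from anyone in this thread: the submitted code is checked to be exactly four digits before it is used, and the query is a PDO prepared statement, so the value is bound as data rather than spliced into the SQL text (the escaping step becomes unnecessary). It assumes PHP 7 or later, the PDO MySQL driver, a table "users" with columns pcode and webaddress, a form field named "pcode", and placeholder credentials.

```php
<?php
// Added example, not the thread's own code. Assumes PHP 7+, PDO with the
// MySQL driver, a "users" table with columns pcode and webaddress, a form
// input named "pcode", and placeholder connection details.
declare(strict_types=1);

// Exactly four ASCII digits. The HTML maxlength attribute is not relied on:
// a browser-side limit says nothing about what actually arrives in $_POST.
function isValidCode($code): bool
{
    return is_string($code) && strlen($code) === 4 && ctype_digit($code);
}

// Returns the page for a code, or null when no row matches. The "?" is a
// bound parameter: quotes or comment markers in $code are compared
// literally instead of changing the query.
function lookupWebaddress(PDO $db, string $code): ?string
{
    $stmt = $db->prepare('SELECT webaddress FROM users WHERE pcode = ? LIMIT 1');
    $stmt->execute([$code]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : (string) $row['webaddress'];
}

$code = $_POST['pcode'] ?? '';
$message = '';

if ($code !== '') {
    if (!isValidCode($code)) {
        http_response_code(400);
        exit('The code must be exactly four digits.');
    }
    $db = new PDO('mysql:host=localhost;dbname=database', 'db_username', 'db_password', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,  // real server-side prepares
    ]);
    $target = lookupWebaddress($db, $code);
    if ($target !== null) {
        // header() must precede any output, and exit stops the form HTML
        // below from being appended to the redirect response.
        header('Location: ' . $target);
        exit;
    }
    $message = 'Unknown code.';
}
?>
<!-- the thread's form goes here, with the input renamed to name="pcode"
     and $message echoed (HTML-escaped) above it -->
```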
Re: Login Redirect Question
Posted: Mon Mar 23, 2009 4:33 pm
by gestedatha
Thanks for your patience. Ok, I understand. I certainly wouldn't want the database taken down even with a good backup. Loss of time = loss of money. In your opinion, what is the best book for learning PHP? PHP Cookbook?