Page 1 of 1

Strange problem with PHP

Posted: Tue May 31, 2005 3:22 pm
by fernando2005
Hi everyone, I'm having some trouble with a site I'm designing.
These are the pages I'm working with:
Index.php -> Control.php -> Main.php
Index.php: has a form to enter user and pwd.
Control.php: checks user, pwd and redirects the user to Main or Index depending on the correct values of these fields.
Main.php: has the code of the program.

Well, the thing is that if I open Index.php it calls Control.php, if there's any trouble in it (wrong pwd, wrong user, etc..) it calls an error function from error.php, but if everything's ok it doesn't let the user pass to Main.php unless you've previously made some mistake in entering the user or pwd.

My control.php file looks like these:

Code: Select all

<?php
session_start(); 
include "errores.php";
require ("db_config.inc.php");
   $sql = "SELECT * FROM usuariosceros WHERE usuario = '".$_POST["user"]."'";
   $result = mssql_query($sql, $conex);  
   $filas = mssql_num_rows($result);
   if ($filas <= 0)
  	{ error(13, $_POST["user"]); exit; }   
   $n1 = mssql_result($result,0, 1);  
   if (trim($n1) != trim($_POST["pwd"]))
  	{ error (1, "Usuario o ContraseƱa"); exit; }     	
   $permi = mssql_result($result, 0, 2);
   if ($permi == 0)
       { error (14, $_POST["user"]); exit; }	
   $user = $_POST["user"];
   $_SESSION["valid"]= "YES"; 
   header ("Location: Main.php?userID=".trim($user));  
?>
Any clues...Hope someone can help. I'm using IIS 5.0, PHP 5.0, MSSQL 2000. There's 0 possibility of changing IIS 5.0 cause there are other applications in other languages running OK there.

Thank you.

Posted: Tue May 31, 2005 5:51 pm
by timvw
I would rewrite that somewhat like the following:

Code: Select all

<?php
// debug
ini_set('error_reporting', E_ALL);
ini_set('display_errors', TRUE);

// start session
session_start();

// include libraries
require_once("errores.php");
require_once("db_config.inc.php");

// test if user and password have been posted
if (!isset($_POST['user']) || !isset($_POST['password']))
{
  // boe boe i dont like you
  exit();
}

// TODO: clean up the posted user and password
$user = $_POST['user'];
$password = $_POST['password'];

// See if there is a user with this password
$sql = "SELECT COUNT(*) AS count FROM usuariosceros WHERE usuario='$user' AND password='$password'";
$rs = mssql_query($sql, $conex);
$row = mssql_fetch_assoc($rs);

// Nobody found
if ($row['count'] <= 0)
{
  // invalid combination...
  exit();
}
else
{
  // valid user
  $_SESSION["valid"]= "YES";
  header("Location: Main.php?userID=$user");
}  
?>