PHP Simple Login Form

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

anfion
Forum Newbie
Posts: 4
Joined: Tue Jun 07, 2005 8:47 am

PHP Simple Login Form

Post by anfion »

Hi guys, I have a very big problem. I have a database and an upload form from which you can insert new rows into the database, but I want only my friends to be able to do that, so I thought about a general password and creating a simple login form that only has one text field for the password. That login page echoes to itself when you click the submit button, and through a hidden field I assign a value that is checked at the beginning; if that value is already set, then the page sends the password via POST to the row-insertion page, and through a

Code:

header("Location: register.php");
I redirected to the row-insertion page. At the beginning of the body of that page I check the POST variable, and if it's the same password I coded there, then it continues displaying the page, but if the password is different then it redirects to the login form again. The code I used:

Code:

function check() {
    // Compare the posted password with the hard-coded one (the key must be quoted)
    if (isset($_POST['contrasena']) && $_POST['contrasena'] == 'apollonia') {
        return; // correct password: keep rendering the page
    }
    // Wrong password: redirect and stop, so nothing else of the page is sent
    header("Location: loginform.php");
    exit;
}
It worked excellently on my machine using Apache. Then I uploaded those files to the internet and the headers at the row-insertion page don't work. It shows a message like "header info cannot be changed once sent" or something like it. The headers at the login form do work and redirect me to register.php when I click the button; if the password is correct then the register page opens perfectly, but if it is not, then the strange message above appears and it still displays the page.
I am kind of new to PHP, so if you could please help me; I don't know much about PHP.
shiznatix
DevNet Master
Posts: 2745
Joined: Tue Dec 28, 2004 5:57 pm
Location: Tallinn, Estonia

Post by shiznatix »

Well, this is definitely not the correct forum to post this, but take a look at ob_start() if you want a quick fix and look at this post if you want a real solution:

viewtopic.php?t=1157
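An added example (not code from this thread or any poster) of the "real solution" for anfion's case: the check runs before any output, the redirect is an absolute Location header followed by exit, and the login result is stored in the session instead of resending the password via a hidden field. SITE_HOST, PASSWORD_HASH and the field name "contrasena" are assumptions.

```php
<?php
// Added example, not the thread's own code. Put this at the very top of
// register.php, before any HTML, so header() never hits "headers already sent".
session_start();                       // must run before any output

// Assumed configuration: your own host and a hash made once with password_hash().
const SITE_HOST     = 'example.org';   // fixed value, not taken from the request
const PASSWORD_HASH = '$2y$10$PLACEHOLDER_REPLACE_WITH_password_hash_OUTPUT';

function redirectTo(string $path): void
{
    // Absolute URI, capital L and a space after the colon (RFC 2616 section 14.30)
    $scheme = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') ? 'https' : 'http';
    header('Location: ' . $scheme . '://' . SITE_HOST . $path);
    exit;                              // never keep rendering after a redirect
}

function isLoggedIn(): bool
{
    return !empty($_SESSION['authenticated']);
}

// 1. A login submission: verify the shared password, remember the result, redirect.
if (isset($_POST['contrasena'])) {
    if (password_verify($_POST['contrasena'], PASSWORD_HASH)) {
        session_regenerate_id(true);   // fresh session id after a privilege change
        $_SESSION['authenticated'] = true;
        redirectTo('/register.php');
    }
    redirectTo('/loginform.php');      // wrong password: back to the form
}

// 2. Any other request: only an authenticated session may see this page.
if (!isLoggedIn()) {
    redirectTo('/loginform.php');
}
// From here on it is safe to emit the HTML of the row-insertion page.
```

Because the check happens before the first byte of output, there is nothing to buffer with ob_start(), and exit guarantees the page body is not sent after the redirect header.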
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Re: PHP Simple Login Form

Post by josh »

Also, I'm off topic but I'm real picky about code.
anfion wrote: header("Location: loginform.php");
Should be

Code:

header("location:http://domain.com/loginform.php");
You could run into some problems if you don't put the full URL
anfion wrote: $_POST[contrasena]
Should be

Code:

$_POST['contrasena']
hawleyjr
BeerMod
Posts: 2170
Joined: Tue Jan 13, 2004 4:58 pm
Location: Jax FL & Spokane WA USA

Re: PHP Simple Login Form

Post by hawleyjr »

jshpro2 wrote:Also, I'm off topic but I'm real picky about code.
anfion wrote: header("Location: loginform.php");
Should be

Code:

header("location:http://domain.com/loginform.php");
You could run into some problems if you don't put the full URL
Why? There is nothing wrong with using relative paths if you are on the same domain.
nielsene
DevNet Resident
Posts: 1834
Joined: Fri Aug 16, 2002 8:57 am
Location: Watertown, MA

Post by nielsene »

One thing to be careful of when using header() is that you can break sessions with it. PHP's technique of auto-propagating the session id via GET/hidden POST variables when cookies are rejected will not add the SID to the URL in a header.

I use a function like this:

Code:

function localRedirect($url)
{
    // If the session cookie came back, the session id need not go in the URL
    if (isset($_COOKIE[session_name()])) {
        header("Location: $url");
    } else {
        // Cookies rejected: append the session id (SID is "name=id", or empty)
        $sep = (strpos($url, '?') === false) ? '?' : '&';
        header("Location: $url" . $sep . SID);
    }
    exit; // stop output once the redirect has been sent
}
to avoid this problem; plus it also makes it clear that it's a local redirection and not an offsite one, and it saves me from having to type "Location:" every time.
Roja
Tutorials Group
Posts: 2692
Joined: Sun Jan 04, 2004 10:30 pm

Re: PHP Simple Login Form

Post by Roja »

hawleyjr wrote:
jshpro2 wrote:Also, I'm off topic but I'm real picky about code.
anfion wrote: header("Location: loginform.php");
Should be

Code:

header("location:http://domain.com/loginform.php");
You could run into some problems if you don't put the full URL
Why? There is nothing wrong with using relative paths if you are on the same domain.
Yes there is: http://us2.php.net/header .

Note: HTTP/1.1 requires an absolute URI as argument to Location: including the scheme, hostname and absolute path, but some clients accept relative URIs.
hawleyjr
BeerMod
Posts: 2170
Joined: Tue Jan 13, 2004 4:58 pm
Location: Jax FL & Spokane WA USA

Re: PHP Simple Login Form

Post by hawleyjr »

Roja wrote:
hawleyjr wrote:
jshpro2 wrote:Also, I'm off topic but I'm real picky about code. Should be

Code:

header("location:http://domain.com/loginform.php");
You could run into some problems if you don't put the full URL
Why? There is nothing wrong with using relative paths if you are on the same domain.
Yes there is: http://us2.php.net/header .

Note: HTTP/1.1 requires an absolute URI as argument to Location: including the scheme, hostname and absolute path, but some clients accept relative URIs.
Learn something new every day. Thanks Roja...
Roja
Tutorials Group
Posts: 2692
Joined: Sun Jan 04, 2004 10:30 pm

Re: PHP Simple Login Form

Post by Roja »

hawleyjr wrote: Learn something new every day. Thanks Roja...
The sad part is that it took me probably an hour to find where that was documented.

I get so many truly oddball errors from people running my code in the WEIRDEST combinations imaginable that I trip over a huge number of weirdo corner cases like this. Then I change my code, and promptly forget why I "always do it this way".

Which sounds cool to my friends, but on a forum, it just sounds snobbish/arrogant. :P
hawleyjr
BeerMod
Posts: 2170
Joined: Tue Jan 13, 2004 4:58 pm
Location: Jax FL & Spokane WA USA

Post by hawleyjr »

Actually I totally understand. Experience is invaluable. When we hire new developers straight from college it’s always fun to watch them come across odd ball rules and errors and then try and explain why...

The funny thing is I just did a "Find All" I have 150 header() changes/verifications...Yeah, thanks again :twisted:
shiflett
Forum Contributor
Posts: 124
Joined: Sun Feb 06, 2005 11:22 am

Re: PHP Simple Login Form

Post by shiflett »

jshpro2 wrote:header("location:http://domain.com/loginform.php");
I'm glad to see someone else pointing this out. :-)

Be careful, however - the L should be uppercase, and there's a space after the colon:

header('Location: http://example.org/');
Roja wrote:The sad part is that it took me probably an hour to find where that was documented.
If you're interested in where this is really documented, it's in section 14.30 of RFC 2616, the HTTP/1.1 specification:

http://ietf.org/rfc/rfc2616.txt
Roja
Tutorials Group
Posts: 2692
Joined: Sun Jan 04, 2004 10:30 pm

Re: PHP Simple Login Form

Post by Roja »

shiflett wrote:
Roja wrote:The sad part is that it took me probably an hour to find where that was documented.
If you're interested in where this is really documented, it's in section 14.30 of RFC 2616, the HTTP/1.1 specification:

http://ietf.org/rfc/rfc2616.txt
You mean the RFC that's linked from the header page in PHP's manual, which I included the link for, which also explains how to implement it properly in PHP?

Dept. of redundancy dept.