
View Full Version : include usr login - echo "hello world"; or echo "wrong paswd"


gavimobile
06-28-2008, 02:55 PM
hey folks,
I'm trying to make a script which will be included in each page of my website.

the script should do something like this.

on submit from <my form>, or if a session is found, echo "hello world";

if a session isn't found echo "invalid user or pass"; echo "<my login form>"


here is the code I already completed, however when I click on a link after I'm logged in, the form is displayed as if it lost the session.


<?php
if ($usr_usr && $usr_pass){

$query = sprintf("SELECT * FROM usr WHERE usr_usr='$usr_usr' and usr_pass = '$usr_pass'");
$result = @mysql_query($query);
$row = @mysql_fetch_array($result);
}

if ($row){
// logged in
$id = $_SESSION['id'];

include('includes/login_query.php');
echo "welcome back " . $row['usr_usr'];
exit;

}elseif($submitted){

echo "error: wrong username or password";
exit;

}
?>
<h1>User Login</h1>
<form name="form1" method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
<p>
<label>Username</label>
<input name="usr_usr" type="text" size="30" />
<label>Password</label>
<input name="usr_pass" type="password" size="30" />
<br />
<input class='checkbox' type='checkbox' name='cbox' /> Remember Me
<input class="gobutton" type="submit" value="Go" />
</p>
<p><a href='forgot_password.php'>Forgot Your Password?</a></p>
<input type="hidden" name="submitted" id="submitted" value="1" />
</form>


session_start(); is in the page which includes the above code. if I add it in the above code I get a header error.
tia

davidj
06-28-2008, 05:49 PM
what you have posted and what you have described is completely different

if you want to test if a session has been set then you need the following

if($_SESSION['test']){

//do stuff here

}else{

//do some other stuff

}


or


if(isset($_SESSION['test'])){

//do stuff here

}else{

//do some other stuff

}


or


if($_SESSION['test']== "value"){

//do stuff here

}else{

//do some other stuff

}

davidj
06-28-2008, 05:54 PM
remember: always assign error messages to a var and then echo the var in the html

don't echo above the html

2bz2p
06-29-2008, 02:26 PM
remember: always assign error messages to a var and then echo the var in the html

don't echo above the html

Why not echo above the html?

davidj
06-29-2008, 04:01 PM
you have less control over where the message is output, and also you are outputting above the <html>, therefore the page is invalid.

2bz2p
06-29-2008, 04:59 PM
Oh I see, I echo stuff outside the html for testing but not in the finished code (which never seems finished).

once again thank you.
2b

gavimobile
07-04-2008, 10:17 PM
finally!!!
here is my code


<?php

session_start();

if ($adm_usr && $adm_pass){

$query = sprintf("SELECT * FROM adm WHERE adm_usr='$adm_usr' and adm_pass = '$adm_pass'");
$result = @mysql_query($query);
$row = @mysql_fetch_array($result);
}

if ($row){

$_SESSION['id'] = $row['adm_id'];

echo "welcome";
exit; // <---this exit stops my footer and other things from being displayed

}elseif($submitted){

//displayed if there is an error logging in
echo "<p id='mod_error'>" . $error_login . "</p>";
include("includes/login_form.php");
exit;
}

//displayed before logging in
include("includes/login_form.php"); //<--displays always except if i exit script
?>


I'm not sure what to do now.. once it logs in successfully it's ok if it exits the script, but I don't want it to stop my footer and other things from showing..

or the other option is to do something with the form at the bottom.
that's the form that displays before the user logs in or before the user gets an error.

tia
gavimobile

davidj
07-05-2008, 09:28 AM
remove the exit

gavimobile
07-05-2008, 10:01 AM
but if I remove exit; then the form will display when I am logged in

davidj
07-05-2008, 11:28 AM
if you login successfully then you should redirect the user to the site

gavimobile
07-05-2008, 12:01 PM
SOLVED
if you login successfully then you should redirect the user to the site
dj you replied too quick! thanks for not answering though.. I applied my first IF ELSE statement and I got it to work.
this was all me!!!
here is my code.. please look it over and tell me if it makes sense.. and it works perfectly!
btw.. I don't want to redirect... that was the entire point!! this is a module I made!


<?php
$id = $_SESSION['id'];
include('adm/includes/login_query.php');

if ($adm_usr && $adm_pass){

$query = sprintf("SELECT * FROM adm WHERE adm_usr='$adm_usr' and adm_pass = '$adm_pass'");
$result = @mysql_query($query);
$row = @mysql_fetch_array($result);
}

if ($row){
$id = $row['adm_id'];

//user is logged in

//end of logged in

}elseif($submitted){

//displayed if there is an error logging in
?>
<h1>Member Login</h1>
<form name="form1" method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
<?php echo "<p id='mod_error'>" . $error_login . "</p>"; ?>
<p><label>Username</label>
<input class="longtext" name="adm_usr" id="adm_usr" type="text" size="30" />
<label>Password</label>
<input class="longtext" name="adm_pass" id="adm_pass" type="password" size="30" />
<br />
<input class="checkbox" type='checkbox' name='cbox' /> Remember Me
<input class="gobutton" type="submit" value="Go" />

</p>
<p><a href='#'>Forgot Your Password?</a></p>

<input type="hidden" name="submitted" id="submitted" value="1" />
</form>
<?php
exit;
//end of error
}


if ($id) {
//user is logged in
echo "<h1>Logged In</h1>
<p>Welcome back <strong>" . $row1['adm_usr'] . "</strong>!</p>";
//end of logged in
} else {
//displayed before logging in
include("includes/login_form.php");
}
?>

davidj
07-05-2008, 12:14 PM
gavi

you're pushing your skills and wanting more

you're a PHP junkie

I suggest you start looking into OOP methods

gavimobile
07-05-2008, 12:27 PM
gavi

you're pushing your skills and wanting more

you're a PHP junkie

I suggest you start looking into OOP methods


was that a compliment???
and what did you think of my code?

$id = $row['adm_id'];
//should really be
$_SESSION['id'] = $row['adm_id'];

gavimobile
07-05-2008, 12:57 PM
yeah something is not right.. for some reason I need to log in 2 times in order for the script to echo the info!

the session is set because when I hit refresh it tells me the session is stored.

but I still see the form.. if I hit refresh and ok OR I enter my details in the form again it logs right in and prints out everything

here are my latest changes


<?php
$id = $_SESSION['id'];

// this is the login query
$query1 = sprintf("SELECT * FROM adm WHERE adm_id='$id'");
$results1 = @mysql_query($query1);
$row1 = @mysql_fetch_array($results1);
//end of login query

if ($adm_usr && $adm_pass){

$query2 = sprintf("SELECT * FROM adm WHERE adm_usr='$adm_usr' and adm_pass = '$adm_pass'");
$results2 = @mysql_query($query2);
$row = @mysql_fetch_array($results2);
}

if ($row){
$_SESSION['id'] = $row['adm_id'];

//user is logged in

//end of logged in

}elseif($submitted){

//displayed if there is an error logging in
?>
<h1>Member Login</h1>
<form name="form1" method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
<?php echo "<p id='mod_error'>" . $error_login . "</p>"; ?>
<p><label>Username</label>
<input class="longtext" name="adm_usr" id="adm_usr" type="text" size="30" />
<label>Password</label>
<input class="longtext" name="adm_pass" id="adm_pass" type="password" size="30" />
<br />
<input class="checkbox" type='checkbox' name='cbox' /> Remember Me
<input class="gobutton" type="submit" value="Go" />

</p>
<p><a href='#'>Forgot Your Password?</a></p>

<input type="hidden" name="submitted" id="submitted" value="1" />
</form>
<?php
exit;
//end of error
}


if ($id) {
echo "<h1>Logged In</h1>
<form>
<p>Welcome back <strong>" . $row1['adm_usr'] . "</strong>!
<br /><a href='includes/logoff.php'>Log Off</a></p>
</form>";
} else {
//displayed before logging in
include("includes/login_form.php");
}
?>

gavimobile
07-06-2008, 12:36 PM
I'm being told that my script is a piece of crap... if so, why, and what changes can I make?

gavimobile
07-06-2008, 01:13 PM
ok I totally rebuilt this script from scratch!

is this a piece of crap?... am I open to injection, or any other sorts of danger?

<?php
require_once('../adm/includes/config.php');

$query = sprintf("SELECT * FROM adm WHERE adm_usr='$adm_usr' and adm_pass = '$adm_pass'");
$results = @mysql_query($query);
$row = @mysql_fetch_array($results);

if ($submitted && $adm_usr == $row['adm_usr'] && $adm_pass == $row['adm_pass']) {
echo "welcome back " . $adm_usr . "!";

} elseif($submitted) {
echo " The username and/or password you entered was not found, please try again! ";
include("../includes/login_form.php");

} else {
include("../includes/login_form.php");
}
?>

davidj
07-06-2008, 03:28 PM
who is saying your script is crap

davidj
07-06-2008, 03:35 PM
validate all form input and escape all quotes sent

also if you're passing any vars through the address bar make sure it's secure and that the values can't be changed to send evil code through to your app or database

gavimobile
07-06-2008, 03:35 PM
who is saying your script is crap

freenode #php on irc...

someone also recommended I use a different type of query so username and password won't get sent out to the world. or something like that!

is my new script looking good?

gavimobile
07-06-2008, 03:37 PM
validate all form input and escape all quotes sent

also if you're passing any vars through the address bar make sure it's secure and that the values can't be changed to send evil code through to your app or database

I'm not sure I follow dj... sounds like me and google have some researching to do now!
thanks

nanny
07-08-2008, 01:42 AM
Hi, the php manual suggests this type of usage to prevent sql injection, and I am not sure why you use @ in your query:

<?php
// This could be supplied by a user, for example
$firstname = 'fred';
$lastname = 'fox';

// Formulate Query
// This is the best way to perform a SQL query
// For more examples, see mysql_real_escape_string()
$query = sprintf("SELECT firstname, lastname, address, age FROM friends WHERE firstname='%s' AND lastname='%s'",
mysql_real_escape_string($firstname),
mysql_real_escape_string($lastname));

// Perform Query
$result = mysql_query($query);

// Check result
// This shows the actual query sent to MySQL, and the error. Useful for debugging.
if (!$result) {
$message = 'Invalid query: ' . mysql_error() . "\n";
$message .= 'Whole query: ' . $query;
die($message);
}

// Use result
// Attempting to print $result won't allow access to information in the resource
// One of the mysql result functions must be used
// See also mysql_result(), mysql_fetch_array(), mysql_fetch_row(), etc.
while ($row = mysql_fetch_assoc($result)) {
echo $row['firstname'];
echo $row['lastname'];
echo $row['address'];
echo $row['age'];
}

// Free the resources associated with the result set
// This is done automatically at the end of the script
mysql_free_result($result);
?>

gavimobile
07-08-2008, 06:46 AM
Hi, the php manual suggests this type of usage to prevent sql injection, and I am not sure why you use @ in your query:


thanks for your reply nanny, im gona take a look at this a little later today!
ill keep you posted!

gavimobile
07-11-2008, 02:30 PM
ok I applied the code but I'm still missing a few things...

are these variables?


$message = 'Invalid query: ' . mysql_error() . "\n";
$message .= 'Whole query: ' . $query;

when typing a correct username and password it works fine and prints my welcome message.

however when typing an incorrect username and password I'm not getting anything.

I tried echoing $message but nothing prints out. maybe I added it in the wrong place?

here is my current code...

<?php

require_once('../adm/includes/config.php');

$query = sprintf("SELECT * FROM adm WHERE adm_usr='%s' and adm_pass = '%s' ",
mysql_real_escape_string($adm_usr),
mysql_real_escape_string($adm_pass));

$results = mysql_query($query);

if (!$results) {
$message = "Invalid query: " . mysql_error() . "\n";
$message .= "Whole query: " . $query; // append, otherwise the first line is overwritten
die($message);
}

while ($row = mysql_fetch_array($results)) {
echo "<h1>Logged In</h1>
<form>
<p>Welcome back <strong>" . $row['adm_usr'] . "</strong>!
<br /><a href='../includes/logoff.php'>Log Off</a></p>
</form>";
}

@mysql_free_result($results);

?>


also where do I put the original login form (before if or/and else)?
" include("../includes/login_form.php"); "
Note: it should not display once logged in.

davidj
07-11-2008, 04:09 PM
message will only be defined if this is true

if(!$results)

so if $result is empty your message will be set with a message

davidj
07-11-2008, 04:13 PM
also you don't need


@mysql_free_results($results);


as PHP frees the result once it's finished with it

gavimobile
07-11-2008, 04:45 PM
message will only be defined if this is true

if(!$results)

so if $result is empty your message will be set with a message

thanks for the reply dj..

if(!$results)

I read over nanny's post and he noted that it was helpful for debugging.
this is NOT what I need.
I was trying to add an error message if the username and password were wrong.

this is what I did, tell me if it's good?

i first removed

if (!$results) {
$message = "Invalid query: " . mysql_error() . "\n";
$message .= "Whole query: " . $query;
die($message);
}

then I started my if statement like this

if ($row = mysql_fetch_array($results)) {
echo "<h1>Logged In</h1>
<form>
<p>Welcome back <strong>" . $row['adm_usr'] . "</strong>!
<br /><a href='../includes/logoff.php'>Log Off</a></p>
</form>";
}elseif($submitted){

and it works like gold!

1. my login form displays before I try to log in
2. if I log in successfully it shows my welcome message without a duplicated login form
3. if I enter a wrong username and/or password I see my error with my new login form so the user can try to log in again.

here is my full code, please tell me if I am still open to injection!


<?php
require_once('../adm/includes/config.php');

session_start();

$query = sprintf("SELECT * FROM adm WHERE adm_usr='%s' and adm_pass = '%s' ",
mysql_real_escape_string($adm_usr),
mysql_real_escape_string($adm_pass));

$results = mysql_query($query);

if ($row = mysql_fetch_array($results)) {
echo "<h1>Logged In</h1>
<form>
<p>Welcome back <strong>" . $row['adm_usr'] . "</strong>!
<br /><a href='../includes/logoff.php'>Log Off</a></p>
</form>";
}elseif($submitted){

//displayed if there is an error logging in
?>
<h1>Member Login</h1>
<form name="form1" method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
<?php echo "<p id='mod_error'>" . $error_login . "</p>"; ?>
<p><label>Username</label>
<input class="longtext" name="adm_usr" id="adm_usr" type="text" size="30" />
<label>Password</label>
<input class="longtext" name="adm_pass" id="adm_pass" type="password" size="30" />
<br />
<input class="checkbox" type='checkbox' name='cbox' /> Remember Me
<input class="gobutton" type="submit" value="Go" />
</p>
<p><a href='#'>Forgot Your Password?</a></p>
<input type="hidden" name="submitted" id="submitted" value="1" />
</form>
<?php
//end of error
}else{
//displayed before logging in
include("../includes/login_form.php");
}

?>

davidj
07-11-2008, 05:28 PM
you're escaping quotes in string data for db insertion so you're fine

try setting up a debug output which shows you the form field contents and try submitting some text like he'llo and t'es't

you should see he\'llo and t\'es\'t

gavimobile
07-11-2008, 05:54 PM
you're escaping quotes in string data for db insertion so you're fine

try setting up a debug output which shows you the form field contents and try submitting some text like he'llo and t'es't

you should see he\'llo and t\'es\'t

thanks for the reply dj.. I'm not exactly sure how to do what you said, however if you say that my script is fine then I'm not going to worry!

btw, what do I need to add to my script in order to pass the session to each page?
adding this

$_SESSION['adm_usr'] = $adm_usr;

and echoing this

echo $_SESSION['adm_usr'];

or this

echo $adm_usr;

doesn't help

davidj
07-12-2008, 08:50 AM
you need to call session_start() on each page you're using sessions on

you could drop it into a connection include, then you won't have to add it to every page

gavimobile
07-12-2008, 10:44 AM
I already have session_start(); on each page. I'm pretty sure that I need to add something to my code so that if it finds the session then it does not display the form. I am a bit confused because I already have my if statement. what and where would I add it, so if the session was found it just displays the form?


<?php
require_once('../adm/includes/config.php');

$query = sprintf("SELECT * FROM adm WHERE adm_usr='%s' and adm_pass = '%s' ",
mysql_real_escape_string($adm_usr),
mysql_real_escape_string($adm_pass));

$results = mysql_query($query);

// IF SESSION FOUND SHOULD GO STRAIT TO DISPLAYING BELOW "WELCOME BACK $_SESSION['adm_usr'];"
if ($row = mysql_fetch_array($results)) {
echo "<h1>Logged In</h1>
<form>
<p>Welcome back <strong>" . $_SESSION['adm_usr'] . "</strong>!
<br /><a href='../includes/logoff.php'>Log Off</a>&nbsp;<a href='index3.php'>next page</a></p>
</form>";
}elseif($submitted){

//displayed if there is an error logging in
?>
<h1>Member Login</h1>
<form name="form1" method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
<?php echo "<p id='mod_error'>" . $error_login . "</p>"; ?>
<p><label>Username</label>
<input class="longtext" name="adm_usr" id="adm_usr" type="text" size="30" />
<label>Password</label>
<input class="longtext" name="adm_pass" id="adm_pass" type="password" size="30" />
<br />
<input class="checkbox" type='checkbox' name='cbox' /> Remember Me
<input class="gobutton" type="submit" value="Go" />
</p>
<p><a href='#'>Forgot Your Password?</a></p>
<input type="hidden" name="submitted" id="submitted" value="1" />
</form>
<?php
//end of error

}else{

//displayed before logging in
include("../includes/login_form.php");
}
?>
please note the comment I made above in CAPS LOCK (line 10)

my guess would be something like this????

if ($row = mysql_fetch_array($results) && $_SESSION['adm_usr'] == $row['adm_usr']) {
echo "<h1>Logged In</h1>
<form>
<p>Welcome back <strong>" . $_SESSION['adm_usr'] . "</strong>!
<br /><a href='../includes/logoff.php'>Log Off</a>&nbsp;<a href='index3.php'>next page</a></p>
</form>";
}
I know it's wrong
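The behaviour this post asks for (skip the form when a session already exists, otherwise handle the submit, and never print the form once logged in), together with the isset() session check davidj gave earlier in the thread and the escaping advice in nanny's post, as one added example. This is not gavimobile's, davidj's or nanny's code: it uses PDO prepared statements in place of the mysql_* functions and sprintf escaping, reads the form from $_POST instead of relying on register_globals, and compares with password_verify() against a hashed column rather than a plaintext adm_pass. The PDO connection $db, the column adm_pass_hash, and the function names login_attempt, current_user, logoff and h are assumptions made for the example; the include paths are the ones used in the thread.

```php
<?php
// Added example, not code from the thread. A module meant to be included on every
// page: trusts an existing session first, queries the database only on a submit,
// and shows the login form only while nobody is logged in.
// Assumptions (hypothetical, not from the thread): config.php provides a PDO
// connection in $db, and table adm has columns adm_id, adm_usr and adm_pass_hash,
// where adm_pass_hash holds the output of password_hash($plain, PASSWORD_DEFAULT).
require_once '../adm/includes/config.php';

if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();                  // harmless here even if config.php already started it
}

// HTML-escape anything echoed from the form or the database.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Returns the account on success, null otherwise. The username is bound as a
// parameter, so input such as  ' OR 1=1 --  is compared as literal text, never run as SQL.
function login_attempt(PDO $db, string $user, string $pass): ?array
{
    $stmt = $db->prepare('SELECT adm_id, adm_usr, adm_pass_hash FROM adm WHERE adm_usr = :u');
    $stmt->execute([':u' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Only a hash is stored and fetched; the query never returns a usable password.
    if ($row !== false && password_verify($pass, $row['adm_pass_hash'])) {
        return ['adm_id' => (int) $row['adm_id'], 'adm_usr' => $row['adm_usr']];
    }
    return null;
}

// davidj's isset() check, wrapped so every page can ask "who is logged in?".
function current_user(): ?array
{
    if (!isset($_SESSION['adm_id'], $_SESSION['adm_usr'])) {
        return null;
    }
    return ['adm_id' => $_SESSION['adm_id'], 'adm_usr' => $_SESSION['adm_usr']];
}

// What includes/logoff.php should do: empty and destroy the session.
function logoff(): void
{
    $_SESSION = [];
    session_destroy();
}

$error_login = '';
$user = current_user();

// Credentials come from $_POST; the thread's bare $adm_usr depended on register_globals.
if ($user === null && isset($_POST['submitted'])) {
    $account = login_attempt($db, (string) ($_POST['adm_usr'] ?? ''), (string) ($_POST['adm_pass'] ?? ''));
    if ($account !== null) {
        session_regenerate_id(true);  // fresh session id once the user is authenticated
        $_SESSION['adm_id']  = $account['adm_id'];
        $_SESSION['adm_usr'] = $account['adm_usr'];
        $user = $account;
    } else {
        $error_login = 'The username and/or password you entered was not found, please try again!';
    }
}

// All output happens after the logic, as davidj recommends, and no exit is needed,
// so whatever includes this module can still print its footer.
if ($user !== null) {
    echo '<h1>Logged In</h1>'
       . '<p>Welcome back <strong>' . h($user['adm_usr']) . '</strong>! '
       . "<a href='../includes/logoff.php'>Log Off</a></p>";
} else {
    if ($error_login !== '') {
        echo "<p id='mod_error'>" . h($error_login) . '</p>';
    }
    include '../includes/login_form.php';   // shown only while nobody is logged in
}
```

Two details are worth keeping from this. session_regenerate_id(true) after a successful login gives the browser a new session id, so an id that existed before authentication is never promoted to a logged-in one. And because every value echoed here passes through h(), the form's action in login_form.php should be a fixed filename rather than an unescaped $_SERVER['PHP_SELF'], which reflects whatever path the request carried. The guess posted above, if ($row = mysql_fetch_array($results) && $_SESSION['adm_usr'] == $row['adm_usr']), does not do what it looks like: in PHP && binds tighter than =, so $row receives the boolean result of the whole condition instead of the fetched row.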

davidj
07-12-2008, 06:53 PM
how are you setting your sessions?

gavimobile
07-12-2008, 07:50 PM
how are you setting your sessions?

I have session_start(); inside my config file! is that what you mean by setting my session?

gavimobile
07-15-2008, 08:27 PM
I have session_start(); inside my config file! is that what you mean by setting my session?

is there any other information you would like me to provide?

gavimobile
07-20-2008, 01:06 PM
anybody????