Hi.

I've made a log-in page, which really isn't a log-in page, it's just a verification page for people who know the password and username. Very simple really. But I keep getting a problem.

Here is the script:


$pass = $_POST('pass');
$user = $_POST('user');
if ($pass != "f45ls" && $user != "gxydef_user") {
echo "<script>onload=function() {document.body.style.display=\"none\"}</script>";
};

I'm not familiar with how echo works in PHP but, if it doesn't require quotes, the outer pair should be removed:


$pass = $_POST('pass');
$user = $_POST('user');
if ($pass != "f45ls" && $user != "gxydef_user") {
echo <script>onload=function() {document.body.style.display="none"}</script>;
};

If it does require them, the inner pair should be escaped using whatever the PHP escape character is (if any) or replaced by single quotes:


$pass = $_POST('pass');
$user = $_POST('user');
if ($pass != "f45ls" && $user != "gxydef_user") {
echo "<script>onload=function() {document.body.style.display='none'}</script>";
};

On the other hand, if this is just a javascript which is accepting input from the server, something like:


var pass = <? $_POST('pass') ?>;
var user = <? $_POST('user') ?>;
if (pass != "f45ls" && user != "gxydef_user") {
document.write('<script>onload=function() {document.body.style.display="none"}<\/script>');
};

The && (logical and) might really be intended to be || (logical or).

I don't think you can use PHP inside JavaScript variables though.... Thanks for your help though.

There are far too many errors in this for it to run :-\


$pass = $_POST('pass');
// Square brackets ("[" and "]") are used to access an array element.
$user = $_POST('user');
// Ditto.

if ($pass != "f45ls" && $user != "gxydef_user") {
// As John said, you really want || here, or
// it would let the user through if s/he got
// only one right. Also, braces are not necessary
// when only one statement is conditional.
echo "<script>onload=function() {document.body.style.display=\"none\"}</script>";
// Relying on Javascript to do something like this
// is pointless, overly verbose, and insecure. Use
// die() to prevent output from the rest of the page.
};
// This semicolon is unnecessary and possibly illegal.In short:
if ($_POST['pass'] != 'f45ls' || $_POST['user'] != 'gxydef_user')
die();

Also, braces are not necessary when only one statement is conditional.

No, they aren't required, but they are a good idea.



Use die() to prevent output from the rest of the page.

The exit function, preferably. The die function is an alias and should be avoided. See Appendix J List of Function Aliases in the PHP manual.



};
// This semicolon is unnecessary and possibly illegal.

Probably not. I should imagine that it would be considered an empty statement.

It would be nice if the PHP developers published a formal grammar. Perhaps because the language isn't designed with enough forethought, the grammar isn't stable enough to be included in the manual.

Mike

There's no official one, but the PEAR coding standards (http://pear.php.net/manual/en/standards.php) provide guidelines.

I must say, though, I've never liked braces on ifs. I've just hit a possible reason to use them, though: code where they're optional has a different scope just as if braces had been used, which is theoretically confusing.

Well... Thanks Twey and mwinter. About the square-brackets in the form element, that was a huge typo, sorry about that :).

Is there a way to redirect the user to another page if the values aren't correct with PHP?

<?php
if ($_POST['pass'] != 'f45ls' || $_POST['user'] != 'gxydef_user'){
$url = 'http://somepage.com/page.html';//MUST BE AN ABSOLUTE URI eg. http://www.somesite.com/page.html NOT page.html
header('Location: '.$url,true,303);
exit('<html><head><title>Sorry</title><body><p>Sorry, you could not be automatically redirected. Please <a href="'.$url.'">click here</a>.</p></body></html>');
}
?>

Thanks!