Problem with script



mburt
09-02-2006, 02:17 AM
Hi.

I've made a log-in page, which really isn't a log-in page, it's just a verification page for people who know the password and username. Very simple really. But I keep getting a problem.

Here is the script:


$pass = $_POST('pass');
$user = $_POST('user');
if ($pass != "f45ls" && $user != "gxydef_user") {
echo "<script>onload=function() {document.body.style.display=\"none\"}</script>";
};

jscheuer1
09-02-2006, 05:10 AM
I'm not familiar with how echo works in PHP but, if it doesn't require quotes, the outer pair should be removed:


$pass = $_POST('pass');
$user = $_POST('user');
if ($pass != "f45ls" && $user != "gxydef_user") {
echo <script>onload=function() {document.body.style.display="none"}</script>;
};

If it does require them, the inner pair should be escaped using whatever the PHP escape character is (if any) or replaced by single quotes:


$pass = $_POST('pass');
$user = $_POST('user');
if ($pass != "f45ls" && $user != "gxydef_user") {
echo "<script>onload=function() {document.body.style.display='none'}</script>";
};

On the other hand, if this is just a javascript which is accepting input from the server, something like:


var pass = <? $_POST('pass') ?>;
var user = <? $_POST('user') ?>;
if (pass != "f45ls" && user != "gxydef_user") {
document.write('<script>onload=function() {document.body.style.display="none"}<\/script>');
};

The && (logical and) might really be intended to be || (logical or).

mburt
09-02-2006, 02:12 PM
I don't think you can use PHP inside JavaScript variables though.... Thanks for your help though.

Twey
09-02-2006, 02:39 PM
There are far too many errors in this for it to run :-\


$pass = $_POST('pass');
// Square brackets ("[" and "]") are used to access an array element.
$user = $_POST('user');
// Ditto.

if ($pass != "f45ls" && $user != "gxydef_user") {
// As John said, you really want || here, or
// it would let the user through if s/he got
// only one right. Also, braces are not necessary
// when only one statement is conditional.
echo "<script>onload=function() {document.body.style.display=\"none\"}</script>";
// Relying on Javascript to do something like this
// is pointless, overly verbose, and insecure. Use
// die() to prevent output from the rest of the page.
};
// This semicolon is unnecessary and possibly illegal.

In short:

if ($_POST['pass'] != 'f45ls' || $_POST['user'] != 'gxydef_user')
die();

mwinter
09-02-2006, 07:45 PM
Also, braces are not necessary when only one statement is conditional.

No, they aren't required, but they are a good idea.



Use die() to prevent output from the rest of the page.

The exit function, preferably. The die function is an alias and should be avoided. See Appendix J List of Function Aliases in the PHP manual.



};
// This semicolon is unnecessary and possibly illegal.

Probably not. I should imagine that it would be considered an empty statement.

It would be nice if the PHP developers published a formal grammar. Perhaps because the language isn't designed with enough forethought, the grammar isn't stable enough to be included in the manual.

Mike

Twey
09-02-2006, 08:56 PM
There's no official one, but the PEAR coding standards (http://pear.php.net/manual/en/standards.php) provide guidelines.

I must say, though, I've never liked braces on ifs. I've just hit a possible reason to use them, though: code where they're optional has a different scope just as if braces had been used, which is theoretically confusing.

mburt
09-02-2006, 10:58 PM
Well... Thanks Twey and mwinter. About the square-brackets in the form element, that was a huge typo, sorry about that :).

Is there a way to redirect the user to another page if the values aren't correct with PHP?

blm126
09-02-2006, 11:08 PM
<?php
if ($_POST['pass'] != 'f45ls' || $_POST['user'] != 'gxydef_user') {
    // MUST BE AN ABSOLUTE URI, e.g. http://www.somesite.com/page.html, NOT page.html
    $url = 'http://somepage.com/page.html';
    header('Location: ' . $url, true, 303);
    // exit() stops the script; the body is a fallback for clients that do not follow the redirect.
    exit('<html><head><title>Sorry</title></head><body><p>Sorry, you could not be automatically redirected. Please <a href="' . $url . '">click here</a>.</p></body></html>');
}
?>
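
A server-side version of the check the thread converges on, as an added example that is not part of the original thread: it rejects missing or non-string fields, verifies the password against a hash instead of a literal in the script, and stops output with exit after the redirect. The function names, the example.com URL and the sample requests are assumptions made for the demonstration.

```php
<?php
// Added example, not code from the thread. Function names and the
// redirect target are hypothetical.

// Constructed for the demo: in a real deployment the hash is generated once
// with password_hash() and stored, so the plaintext never sits in the script.
const EXPECTED_USER = 'gxydef_user';
define('STORED_HASH', password_hash('f45ls', PASSWORD_DEFAULT));

/** Returns true only when both fields are present, are strings, and match. */
function credentials_ok(array $post): bool
{
    $user = $post['user'] ?? null;
    $pass = $post['pass'] ?? null;

    // A request with user[]=x arrives as an array; reject non-strings.
    if (!is_string($user) || !is_string($pass)) {
        return false;
    }

    // Evaluate both checks before combining them, so the work done does
    // not depend on which field was wrong.
    $userOk = hash_equals(EXPECTED_USER, $user);
    $passOk = password_verify($pass, STORED_HASH);
    return $userOk && $passOk;
}

/** Redirect and stop; nothing after this call is sent to the client. */
function deny(string $absoluteUrl): void
{
    header('Location: ' . $absoluteUrl, true, 303);
    exit;
}

if (PHP_SAPI === 'cli') {
    // Constructed sample requests, run from the command line.
    $samples = [
        ['user' => 'gxydef_user', 'pass' => 'f45ls'],  // both fields right
        ['user' => 'gxydef_user', 'pass' => 'wrong'],  // only one right
        ['user' => ['x'], 'pass' => 'f45ls'],          // array instead of string
        [],                                            // fields missing
    ];
    foreach ($samples as $s) {
        echo json_encode($s), ' => ', credentials_ok($s) ? 'allow' : 'deny', "\n";
    }
} elseif (!credentials_ok($_POST)) {
    deny('http://example.com/denied.html'); // hypothetical absolute URL
}
```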

mburt
09-02-2006, 11:11 PM
Thanks!