Problem with userid and password verification and redirection

[titanite]

Hello,

This script just doesn't work. Can someone advise me on what went wrong?

Titanite

_____________________________________

--------- login.php ------------

<form method="POST" action="login_verification.php">

<?

$pagetitle = "Login";

if ($message == "invalid") {
print ("The user name and password you have entered do not match what is on file.\n");
}
print ("<form method=POST action=\"login_verification.php\">\n");
print ("<p>Username: <input type=text name=userid size=50><br>\n");
print ("Password: <input type=password name=pwd size=50></p>\n");
print ("<p><input type=submit value=Submit><input type=reset></p>\n");

?>

</form>


--------- login_verification.php ------------

<?

if (!empty($HTTP_GET_VARS)) while(list($name, $value) = each($HTTP_GET_VARS))
$$name = $value;
if (!empty($HTTP_POST_VARS)) while(list($name, $value) = each($HTTP_POST_VARS))
$$name = $value;

$userid=$_POST['userid'];s
include "../fukitol.php";
$link = mysql_connect("localhost",$username,$password);
if (! $link)
die("Couldn't connect to MySQL");
mysql_select_db($db , $link)
or die("Couldn't open $db: ".mysql_error());

$query="SELECT * FROM congress5 WHERE userid='$userid'";
$result=mysql_query($query);
?>

<?
if ((userid == '$userid') && (pwd == '$pwd')) {
header ("Location: http://(full url )/formindex.php?userid=$userid");
exit;
} else {
header ("Location: http://(full url )/login.php?message=invalid");
exit;
}
?>

[Twey]

Can someone advise me on what went wrong?

Many, many things. That is some hideous code.

Code:

if ($message == "invalid") {

$message is never defined.

Code:

if (!empty($HTTP_GET_VARS)) while(list($name, $value) = each($HTTP_GET_VARS))
$$name = $value;
if (!empty($HTTP_POST_VARS)) while(list($name, $value) = each($HTTP_POST_VARS))
$$name = $value;

$HTTP_GET_VARS and $HTTP_POST_VARS are deprecated in favour of $_GET and $_POST. Variable variables are almost never necessary, since arrays can be associative. This will make the program from here on much harder to debug, but I shall try anyway.

Code:

$userid=$_POST['userid'];s

What's that "s" all about?

Code:

$link = mysql_connect("localhost",$username,$password);

$username and $password are never defined.

Code:

mysql_select_db($db , $link)

$db is never defined.

Code:

if ((userid == '$userid') && (pwd == '$pwd')) {

The constants "userid" and "pwd" are never defined, and the fact that $userid and $pwd are in single quotes will cause them to not be parsed, meaning that you're checking against the literal strings '$userid' and '$pwd', dollar signs and all.

Code:

header ("Location: http://(full url )/formindex.php?userid=$userid");

There, you're allowing any user to switch to another user's profile simply by changing a number in the address bar.

[djr33]

Heh. Ouch.

Seems it might just be better to start over with a new script...

[titanite]

:S
I copied a lot from a book.. and tried to incorporate it with something else for my use. Oh dear, I should have explained better.

Here goes...

2 php files: login.php, login_verification.php

On login.php, there is this message which will appear if you do not enter the right userid and password. Hence, when that happens, $message=invalid and you get redirected back to the login.php with that message.

The userid and password gets sent to login_verification.php

No worries about the db login information on login_verification.php, because the db, dbusername, dbpassword all get saved in this file included "../fukitol.php". I have tested the connection and all, and everything is correct there.

So when the userid and pwd get verified with the record stored in the right table in the db, called congress5 in this case, it will be redirected to another page called formindex.php.

Hence you see the if/else with the header() code.

The full code was from the book but the part where I verify with the db is mine.

There is no error code, it just doesn't work because the information doesn't get verified with that stored in the db, so the if-else does not work, or the header () does not work at all.

Am I making sense? (

[Twey]

Code:

There is no error code, it just doesn't work because the information doesn't get verified with that stored in the db, so the if-else does not work, or the header () does not work at all.

It's probably the if-else I mentioned above. However, fix the other errors I pointed out as well. It will almost certainly work afterwards.

[djr33]

If you are using another page, it might not hurt to post that as well, with sensative data (passwords, etc) removed, of course.

Haha, Twey, getting tired? I think you've started using code tags so much, they're taking over.

[Twey]

Haha, Twey, getting tired? I think you've started using code tags so much, they're taking over.

Oops! I always do that, actually; usually I catch myself and change them back to quotes.

[djr33]

Hehe.

[titanite]

Hi guys,

Thanks for the help.

I conclude that header () does not work for me!!

I have entered the wrong userid and password on login.php: nothing happens when it is supposed to redirect to Google.
I entered the right one: the information gets printed out.

So, the if-else works, so does the authentification. Which leads me to conclude that the header () does not work. I have tried entered the full server path and the full URL, but nothing works.





________________________________

login_verification.php

This is what I have modified for login_verification.php:


<html>
<head>
<link rel="stylesheet" type="text/css" href="../../css/style.css">
<title>Login Verification</title>
</head>
<body>

<h3>Login Verification</h3>

<?

$userid=$_POST['userid'];
include "../fukitol.php";
$link = mysql_connect("localhost",$username,$password);
if (! $link)
die("Couldn't connect to MySQL");
mysql_select_db($db , $link)
or die("Couldn't open $db: ".mysql_error());

$query = "SELECT 1 AS AUTH FROM congress5 WHERE userid='$userid' AND pwd='$pwd'";
$result = mysql_query($query, $link);
$row = mysql_fetch_array($result, MYSQL_ASSOC);

$query="SELECT * FROM congress5 WHERE userid='$userid'";
$result=mysql_query($query);
$num = mysql_num_rows($result);
$i=0;
while ($i < $num) {
$organisationname = mysql_result($result,$i,"organisationname");
++$i;
}


if($row['AUTH']) {
print ("Your userid is $userid. Your organisation is $organisationname.");
exit;
}
else {
header ("Location: http://www.google.com");
exit;
}

?>


</body>
</html>


________________________________

login.php

This is my login.php.


<html>
<head>
<link rel="stylesheet" type="text/css" href="style.css">
</head>
<body>
<h3>Login</h3>
<p>Enter your username and password.</p>

<form method="POST" action="login_verification.php">

<?

$pagetitle = "Login";

if ($message == "invalid") {
print ("The user name and password you have entered do not match what is on file.\n");
}
print ("<form method=POST action=\"login_verification.php\">\n");
print ("<p>Username: <input type=text name=userid size=50><br>\n");
print ("Password: <input type=password name=pwd size=50></p>\n");
print ("<p><input type=submit value=Submit><input type=reset></p>\n");

?>

</form>

</body>
</html>

[titanite]

hi guys,

I have also stripped all html tags before and after <? ?> on both pages. Still no redirection... why?.................