Problem with script

[mburt]

Hi.

I've made a log-in page, which really isn't a log-in page, it's just a verification page for people who know the password and username. Very simple really. But I keep getting a problem.

Here is the script:

PHP Code:

$pass = $_POST('pass');
$user = $_POST('user');
if ($pass != "f45ls" && $user != "gxydef_user") {
echo "<script>onload=function() {document.body.style.display=\"none\"}</script>";
}; 


[jscheuer1]

I'm not familiar with how echo works in PHP but, if it doesn't require quotes, the outer pair should be removed:

PHP Code:

$pass = $_POST('pass');
$user = $_POST('user');
if ($pass != "f45ls" && $user != "gxydef_user") {
echo <script>onload=function() {document.body.style.display="none"}</script>;
}; 


If it does require them, the inner pair should be escaped using whatever the PHP escape character is (if any) or replaced by single quotes:

PHP Code:

$pass = $_POST('pass');
$user = $_POST('user');
if ($pass != "f45ls" && $user != "gxydef_user") {
echo "<script>onload=function() {document.body.style.display='none'}</script>";
}; 


On the other hand, if this is just a javascript which is accepting input from the server, something like:

Code:

var pass = <? $_POST('pass') ?>;
var user = <? $_POST('user') ?>;
if (pass != "f45ls" && user != "gxydef_user") {
document.write('<script>onload=function() {document.body.style.display="none"}<\/script>');
};

The && (logical and) might really be intended to be || (logical or).

[mburt]

I don't think you can use PHP inside JavaScript variables though.... Thanks for your help though.

[Twey]

There are far too many errors in this for it to run :-\

PHP Code:

$pass = $_POST('pass');
// Square brackets ("[" and "]") are used to access an array element.
$user = $_POST('user');
// Ditto.

if ($pass != "f45ls" && $user != "gxydef_user") {
// As John said, you really want || here, or
// it would let the user through if s/he got
// only one right.  Also, braces are not necessary
// when only one statement is conditional.
  echo "<script>onload=function() {document.body.style.display=\"none\"}</script>";
  // Relying on Javascript to do something like this
  // is pointless, overly verbose, and insecure.  Use
  // die() to prevent output from the rest of the page.
};
// This semicolon is unnecessary and possibly illegal. 


In short:

Code:

if ($_POST['pass'] != 'f45ls' || $_POST['user'] != 'gxydef_user')
  die();

[mwinter]

Also, braces are not necessary when only one statement is conditional.

No, they aren't required, but they are a good idea.

Use die() to prevent output from the rest of the page.

The exit function, preferably. The die function is an alias and should be avoided. See Appendix J List of Function Aliases in the PHP manual.

};
// This semicolon is unnecessary and possibly illegal.

Probably not. I should imagine that it would be considered an empty statement.

It would be nice if the PHP developers published a formal grammar. Perhaps because the language isn't designed with enough forethought, the grammar isn't stable enough to be included in the manual.

Mike

[Twey]

There's no official one, but the PEAR coding standards provide guidelines.

I must say, though, I've never liked braces on ifs. I've just hit a possible reason to use them, though: code where they're optional has a different scope just as if braces had been used, which is theoretically confusing.

[mburt]

Well... Thanks Twey and mwinter. About the square-brackets in the form element, that was a huge typo, sorry about that .

Is there a way to redirect the user to another page if the values aren't correct with PHP?

[blm126]

PHP Code:

<?php
if ($_POST['pass'] != 'f45ls' || $_POST['user'] != 'gxydef_user'){
    $url = 'http://somepage.com/page.html';//MUST BE AN ABSOLUTE URI eg. http://www.somesite.com/page.html NOT page.html
    header('Location: '.$url,true,303);
    exit('<html><head><title>Sorry</title><body><p>Sorry, you could not be automatically redirected. Please <a href="'.$url.'">click here</a>.</p></body></html>');
}
?>

[mburt]

Thanks!