whats wrong with this user authentication code???

dgr

hey

i'm creating a database driven login script, the code for which is shown below. its all on the same page, i.e. the input form is sent to the same page, where php decides whether on not to run the validateuser function.

becuase my global variables it set to off, i use http_session_vars

the problem lies, when the user has been authenticated, i return the value of http_session_vars[curentuser] out of the validate user function. this has been set to the username of the user that has been autherised. in the use:

$HTTP_SESSION_VARS = fvalidateuser($HTTP_SESSION_VARS);

to reset http_session_vars to this returned value. but i get error 500s!!!!!

what wrong? i can;t figure it out for the life of me.

and i really don't want to have to turn on global variables - this is a big project, besides i'm trying to make my code as portable as possible.

cheers for any help

dgr

<?php

session_start();

//if currentuser is not yet registered (!), register it, and set its value to null (to get rid of those those undefined errors).
if (!session_is_registered ("currentuser")){
session_register("currentuser");
$HTTP_SESSION_VARS['currentuser'] = "";
}

require("header.inc");

fopendb ($database);
//open database

//validate the user - first check if fields are filled in.
function fvalidateuser($database, $arraylogin, $table, $link, $HTTP_SESSION_VARS){
If ($arraylogin["loginusername"] == "" ){
print("<i>error - you must enter a username</i><p>");
}elseif ($arraylogin["loginpassword"] == "" ){
print("<i>error - you must enter a password</i><p>");
}else{
//next check if user in username table
$result = mysql_query("select from $table where (username='$arraylogin[loginusername]')");
$numrows = mysql_num_rows($result);
if ($numrows != 1 ){
print("error - username not found<p>");
}else{
//next check if username and password match - if they do then login.
$result = mysql_query("select from $table where (username='$arraylogin[loginusername]') and (password='$arraylogin[loginpassword]') ");
$numrows = mysql_num_rows($result);
if ($numrows != 1 ){
print("error - incorrect password<p>");
}else{
$HTTP_SESSION_VARS['currentuser'] = $arraylogin["loginusername"];
print("Successfully logged in. Please use the menu to the left to navigate the system.<p>");
return $HTTP_SESSION_VARS;
}
}
}
}

If (isset($POST["arraylogin"])){ //if the post(arraylogin) is set, that is has been passed on from the form, then set $arraylogin to its value.
$arraylogin = $POST["arraylogin"];
$table = "username";
fvalidateuser ($database, $arraylogin, $table, $link, $HTTP_SESSION_VARS);
//call function fvalidateuser
$HTTP_SESSION_VARS = fvalidateuser($HTTP_SESSION_VARS);
//let $HTTP_SESSION_VARS['currentuser'] equal the returned value, that is change the currentuser to the new user.
}

If ($HTTP_SESSION_VARS['currentuser'] == "") {
print <<<output
<b>Please enter your username and password</b><p>
<form action="index.php" method=post>
Username <input type=text name="arraylogin[loginusername]" size=10><br>
Password <input type=password name="arraylogin[loginpassword]" size=10><br>
<input type=submit name="submit" value="Login">
</form>
output;
}

require("footer.inc");

dgr

btw header.inc and footer.inc just connect to te database (and disconnects) and provide a little html formatting. this works perfectly

dgr

hup

dalecosp

Originally posted by dgr
hup

Gee, I was gonna answer 'til I caught that.:rolleyes:

No really, it's possible you've not attracted help for a couple of reasons. Go back and enclose your code in the php tags (a [, then a 'php', then a ']' so that your code is easier to read.

Secondly, you've mentioned a few things as if we're expected to automatically know what you mean. The "error 500", for example, is "internal server error," but it'd be easier to figure out with more detail. Access your logs and see if they know what's up...

Lastly, do some more debugging yourself. Use var_dump() to get a view of your superglobals arrays, and have the script print out some of the variables...it's quite possible that you're accessing the database with null variables, for example, or performing some other impossible operation, isn't it?

Now, I didn't exactly mean to be snotty here, but since it seems like I am, for me a little better formatting would help make the code easier to read....

Now, before you get all mad, remember that you are now back up at the top of the list, and at least I didn't say just 'hup', besides, you said 'cheers for any help'.....

dgr

thanks loads for the posting guidelines - really useful 😃. i'll do as you say....

cheers

dgr

figured out what the problem is, script as below 🙂


<?php

session_start();

//if currentuser is not yet registered (!), register it, and set its value to null (to get rid of those those undefined errors).
if (!session_is_registered ("currentuser")){
   session_register("currentuser");
   $_SESSION['currentuser'] = "";
}

require("header.inc");

fopendb ($database);
//open database

//validate the user - first check if fields are filled in.
function fvalidateuser($database, $arraylogin, $table, $link, $_SESSION){
        If ($arraylogin["loginusername"] == "" ){
                print("<i>error - you must enter a username</i><p>");
        }elseif ($arraylogin["loginpassword"] == "" ){
                print("<i>error - you must enter a password</i><p>");
        }else{
             //next check if user in username table
             $result = mysql_query("select * from $table where (username='$arraylogin[loginusername]')");
             $numrows = mysql_num_rows($result);
             if ($numrows != 1 ){
                         print("error - username not found<p>");
             }else{
                         //next check if username and password match - if they do then login.
                         $result = mysql_query("select * from $table where (username='$arraylogin[loginusername]') and (password='$arraylogin[loginpassword]') ");
                         $numrows = mysql_num_rows($result);
                         if ($numrows != 1 ){
                                     print("error - incorrect password<p>");
                         }else{
                                     $_SESSION['currentuser'] = $arraylogin["loginusername"];
                                     print("Successfully logged in. Please use the menu to the left to navigate the system.<p>");
                                     //return $_SESSION['currentuser'];
                         }
             }
        }
}

If (isset($_POST["arraylogin"])){ //if the post(arraylogin) is set, that is has been passed on from the form, then set $arraylogin to its value.
$arraylogin = $_POST["arraylogin"];
$table = "username";
fvalidateuser ($database, $arraylogin, $table, $link, $_SESSION);
//call function fvalidateuser
//$_SESSION['currentuser'] = fvalidateuser($currentuser);
//let $_SESSION['currentuser'] equal the returned value, that is change the currentuser to the new user.
}

If ($_SESSION['currentuser'] == "") {
print <<<output
<b>Please enter your username and password</b><p>
<form action="index.php" method=post>
Username <input type=text name="arraylogin[loginusername]" size=10><br>
Password <input type=password name="arraylogin[loginpassword]" size=10><br>
<input type=submit name="submit" value="Login">
</form>
output;
}

require("footer.inc");

?>

dalecosp

Kewl! 🆒

and, boy, is that some great looking PHP code!!!🙂