Help with Admin Login Page needed

NCC1701

trying to make a admin login page that works with a database that stores the username and passsword:
[URL=http://]http://www.sutty.f2s.com/admin_login.php[/URL]

i dont know how to get it to return an error if there are no values in the form fields, can anyone help, am i doing something wrong?


<?php 

if(!isset($HTTP_POST_VARS['username'])&&!isset($HTTP_POST_VARS['password']))
{
//Visitor needs to enter a name and password
?>

//FORM GOES HERE

<?php
}
else
{
// connect to mysql
$mysql = require_once('Connections/TanninLevel.php');
if(!$mysql)
{
echo 'Cannot connect to database.';
exit;
}
// select the appropriate database
$mysql = mysql_select_db( 'sutty' );
if(!$mysql)
{
echo 'Cannot select database.';
exit;
}


// create the query
$query = "select count(*) from employee where
username = '$username' and
password = '$password'";

//run the query
$result = mysql_query( $query );
if(!$result)
{
echo 'Cannot run query.';
exit;
}



$count = mysql_result( $result, 0, 0);

if ( $count > 0 )
{
// employee's username and password combination are correct
echo '<h1>Here it is!</h1>';
}
else
{
// employee's username and password combination are not correct
echo '<h1>Go Away!</h1>';
echo 'You are not authorized to view this page.';
}
} 
?>

Erkilite

you can use javascript or test after the form has been submitted.

jscript:

<script>
<!--

function submitform(form){
  if(form.username.value==''){
    alert('You must supply a username.');
    return false;
  }

  if(form.password.value==''){
    alert('You must supply a password.');
    return false;
  }

  return true;
}

-->
</script>

<form action="..." method="POST" onSubmit="return submitform(this);">

<input type="text" name="username" value="" />
<input type="password" name="password" value="" />
</form>

test after submit:

$username='';
$password='';

if(isset($_POST['username'])){
  $username=$_POST['username'];
}
if(isset($_POST['password'])){
  $password=$_POST['password'];
}

if(empty($username)||empty($password)){
  echo 'missing username or password.';
} else {
  //check username and password
}

NCC1701

so i can use either?

thank you mate! 😃

Erkilite

you can use either but you might want to use both, some people turn off javascript in their browsers.

NCC1701

can you just try my this link to see what happens when i add that code?

it works sort of but still allows access

Erkilite

the main page has a couple extra <html> and <body> tags. you should fix that.

The probelm i think you are having is that you need to store login status across multiple pages. I usually use session for this. However there is a lot of baggage that can go along with them.

Here is a script i wrote, you might be able to modify it, or at least get some ideas from it.

<?php
session_start();

if($_SERVER['REQUEST_METHOD']=='POST'){
	if(isset($_POST['form'])==true){
		if(strcmp($_POST['form'],'login')==0){
			if(isset($_POST['lusername'])){
				$_SESSION['username']=$_POST['lusername'];
			}
			if(isset($_POST['lpassword'])){
				$_SESSION['password']=$_POST['lpassword'];
			}
		}
	}
}

if (isset($_SESSION['username'])==false || isset($_SESSION['password'])==false){
	echo loginform();
	exit;
} else {
	if(checkaccess($dblink,$_SESSION['username'],$_SESSION['password'])==false){
		$message='Incorrect username or password, please try again.';
		echo loginform($message);
		exit;
	}
}

function checkaccess($dblink='', $username,$password){
	if(empty($username)||empty($password)) return false;

$tmpuser=new user();
$tmpuser->id=$username;

if($tmpuser->get_user($dblink)){
	$password = createpassword($password);
	if($password===$tmpuser->pass){
		return true;
	}

	$_SESSION['email']=$tmpuser->email;
	unset($tmpuser);
}

return false;
}

function loginform($message=''){
	unset($_SESSION['username']);
	unset($_SESSION['password']);
	$_SESSION = array();
	session_destroy();

$secureurl=SADMINURL;
$securelink='';
if(empty($secureurl)==false && ($_SERVER['SERVER_PORT']!=443)){
	$securelink='<a href="'.$secureurl.'home.php" class="menuitem">Click here for Secure Login &gt;</a>';
}

$field='<html>
<head>
<title>Login</title>
<link href="style.css" rel="stylesheet" type="text/css">
</head>
<body  marginwidth="0" leftmargin="0" topmargin="0" marginheight="0">
<center>
<form action="'.$_SERVER['PHP_SELF'].'" name="login" method="post">
<input type="hidden" name="form" value="login">
<table border="0" width="800" cellspacing="0" cellpadding="2" style="border: 1px solid black;">
<tr><td colspan="2">'.create_header().'</td></tr>
<tr><td colspan="2" height="150">'.$message.'</td></tr>
<tr><td align="right" width="40%">User:</td><td align="left" width="60%"><input type="text" name="lusername" value=""></td></tr>
<tr><td align="right">Password:</td><td align="left"><input type="password" name="lpassword" value=""></td></tr>
<tr><td>&nbsp;</td><td align="left"><input type="submit" name="submit" value="Login">&nbsp;<input type="reset" name="reset" value="Reset"><br /><br />'.$securelink.'</td></tr>
<tr><td height="200" valign="bottom" align="center" colspan="2">'.
'<div class="smalllight">Powered By: <a class="menuitem" href="'.ABOUT_URL.'" target="_blank">'.ABOUT_COMPANY.'</a><br />'.
ABOUT_COPYRIGHT.'</div>'.'
</td></tr>
</table>
</form>
</center>
</body>
</html>';

return $field;
}
?>

i usually use put this in it's own file, then i include it on every page i want to restrict access to.

NCC1701

so if i put that in its own file say called test1.php how do i call it from another file?

Erkilite

any of the below.

require_once('filetoinclude.php');
include_once('filetoinclude.php');
include('filetoinclude.php');
require('filetoinclude.php');

NCC1701

$username=''; 
$password=''; 

if(isset($_POST['username'])){ 
  $username=$_POST['username']; 
} 
if(isset($_POST['password'])){ 
  $password=$_POST['password']; 
} 

if(empty($username)||empty($password)){ 
  echo 'missing username or password.'; 
} else { 
  //check username and password 
}

just added this code and it works now, thankyou everyone for your help, the only thing is i dont understand how this bit of code works, can someone add comments to this please?

thanks again!