Hello,
I am trying to create a simple login form with some old code I had that worked prior to the change of register_globals being turned off.
I tried my best to update the code, but I'm not doing so well with the transition:
First, here is the code for the simple login screen:
function loginForm() {
    global $PHP_SELF;
    link_header();
    ?>
    <form method="POST" action="<?php echo $PHP_SELF ?>">
    <input type="hidden" name="cmd" value="added">
    <table align="left" cellpadding=2 cellspacing=0 border=0>
    <td class="cell">Username:</td><td><input type="text" name="userid" size=10 class="eventForm"></td><tr>
    <td class="cell">Password:</td><td><input type="password" name="userpassword" size=10 class="eventForm"></td><tr>
    <td> </td><td><input type="submit" name="submit" value="log in" class="formButtons"></td>
    </table>
    </form>
    <?
    link_footer();
}
Now here is the code to start the sessions:
session_start();
if(!isset($_POST['userid'])) {
    loginForm();
    exit;
}
else {
    $_SESSION['userid'];
    $_SESSION['userpassword'];
    $userid = $_POST['userid'];
    $userpassword = $_POST['userpassword'];
    $user = authUser($userid, $userpassword);
    if(!$user) {
        echo "wrong password<br><br>";
        $_SESSION = array();
        loginForm();
        exit;
    }
}
And here is the extra to verify if the user is in the MySQL database:
function authUser($userid, $userpassword) {
    global $PHP_SELF;
    global $admintable, $userid, $userpassword;
    $_POST['userid'] = addslashes($_POST['userid']);
    $_POST['userpassword'] = addslashes($_POST['userpassword']);
    $userid = $_POST['userid'];
    $userpassword = $_POST['userpassword'];
    $linkID = db_connect('guernica');
    $result = mysql_query("SELECT count(*) FROM $admintable WHERE userid = '$userid' AND userpassword = password('$userpassword')", $linkID);
    while($row = mysql_fetch_row($result)) {
        if($row[0] < 0) {
            return 0;
        }
        else {
            if($row[0] > 0) {
                return $row[0];
            }
        }
    }
}
What happens is first the session is initialized, but if the userid isn't recognized the user is sent to the login form. The user submits their info and the authUser function verifies their info; if correct, then they go to the admin page.
Any help would greatly be appreciated.
Thank you!
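
The login flow described in the post, written to work with register_globals off, as an added example that is not part of the original post. It swaps in PDO bound parameters for addslashes() and password_hash()/password_verify() for MySQL's password(), and keeps only the userid in the session. Assumptions: an in-memory SQLite table `admins` with a `pwhash` column stands in for the post's MySQL `$admintable`, the sample user is constructed, and `demoDb()` and `handleLogin()` are hypothetical names.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the post's MySQL admin table (assumed schema: userid, pwhash).
function demoDb(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE admins (userid TEXT PRIMARY KEY, pwhash TEXT NOT NULL)');
    $ins = $pdo->prepare('INSERT INTO admins (userid, pwhash) VALUES (?, ?)');
    $ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]); // sample user
    return $pdo;
}

// True only when the userid exists and the password matches its stored hash.
function authUser(PDO $pdo, string $userid, string $userpassword): bool {
    // Bound parameter: the value never becomes part of the SQL text, so no escaping is needed.
    $stmt = $pdo->prepare('SELECT pwhash FROM admins WHERE userid = ?');
    $stmt->execute([$userid]);
    $hash = $stmt->fetchColumn();           // false when no such user
    return is_string($hash) && password_verify($userpassword, $hash);
}

// One request of the login flow; $post and $session stand in for $_POST and $_SESSION.
function handleLogin(PDO $pdo, array $post, array &$session): string {
    if (isset($session['userid'])) {
        return 'admin';                     // already logged in
    }
    if (!isset($post['userid'], $post['userpassword'])
        || !is_string($post['userid']) || !is_string($post['userpassword'])) {
        return 'form';                      // nothing usable submitted: show the login form
    }
    if (!authUser($pdo, $post['userid'], $post['userpassword'])) {
        $session = [];
        return 'wrong password';
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);        // new session id after a successful login
    }
    $session['userid'] = $post['userid'];   // keep the identity only, never the password
    return 'admin';
}

$pdo = demoDb();
$session = [];
echo handleLogin($pdo, [], $session), "\n";
echo handleLogin($pdo, ['userid' => "o'brien", 'userpassword' => 'x'], $session), "\n";
echo handleLogin($pdo, ['userid' => 'alice', 'userpassword' => 'correct horse'], $session), "\n";
echo handleLogin($pdo, [], $session), "\n";
```

In a real page, call session_start() first and pass $_POST and $_SESSION to handleLogin(); a form action built from $_SERVER['PHP_SELF'] should go through htmlspecialchars() before it is echoed.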