Strange script result - page cannot be found

hbradshaw

Hi,

I have the following login form which posts to a login.php script:

<html>

<head>
<title>Login to Secret Area</title>
</head>

<body>
<form method="post" action="login.php">
<p><b>Username:</b><br>
<input type="text" name="username" size="10"></p>
<p><b>Password:</b><br>
<input type="password" name="password" size="10"></p>
<p><input type="submit" name="submit" value="Login"></p>
</form>
</body>
</html>

=====
After I type in the username and password and I click Login, I'm receiving the following message:

The page cannot be found

====
This doesn't make sense since I checked my directory and the login.php file is there. I'm not sure whether there is something within login.php that might be causing this error.

Can someone help me out?
Thanks in advance.

====
Here is login.php:

<?php
include "conn.inc.php";

// Check to see if values were entered
if ((!$POST[username]) || (!$POST[password]))
{
header("Location: test2.htm");
exit();
}

// SQL statement which matches the values entered to the values in the table
$sql = "SELECT * FROM member WHERE username = '$POST[username]' AND password = password('$POST[password]')";

// Variable to hold results of the query
$result = @($sql,$conn) or die(mysql_error());

// Counts the number of rows from the results of the query
$num = mysql_num_rows($result);

// If number of rows is greater than 0, a match is found - if zero, no match is found
if ($num != 0 )
{
header("Location: member_area.htm");
}
else
{
header("Location: test2.htm");
exit;
}
?>

bradgrafelman

Do both test2.htm and member_area.htm exist?

Can you supply us with a link to this script?

hbradshaw

Hello:

Yes all the files referenced are on the server: test2.htm, member_area.htm, conn.inc.php.

Here's the link for the script:
http://www.bridgemilltennis.com/test2.htm

Thanks for the reply.

bradgrafelman

A few things:

$POST[username] should be $POST['username'] since, without quotes, PHP first looks for a constant named username. Likewise with all other arrays. (This will result in a Warning, as PHP will fail on finding the constant but resort to converting it to a string)
RFC standards require you to use FULL PATHS in your headers, i.e. "Location: http://www.bridgemilltennis.com/member_area.htm" and so on.
http://www.bridgemilltennis.com/member_area.htm does not exist. HTTP 404!

EDIT: 4. Instead of logging in, I can simply type in /member_area.htm as my URL and gain access. Use PHP scripts and a [man]session[/man]/[man]setcookie[/man] to make your site more secure.

hbradshaw

Hi,

Oh, thank you, thank you, thank you.

I made the changes as you suggested and the script worked.

As for the member_area.htm it should have been member-area.htm.

One thing, you mentioned that in headers you need to use full path names. In the many PHP books I have, none of the sample scripts show full path names. They just show the file.

Another question, in regard to your Edit #4; I thought about doing sessions but I'm not quite sure how they make things more secure.

bradgrafelman

I didn't say that I was telling you to do so; section 14.30 of the HTTP RFC does, though.

I must admit, I've used relative paths in my headers, but never in a production environment mindset. I guess you shouldn't start a bad habit though, so I've been recommending that people start out right by using full HTTP paths.

EDIT: Also, read the first line of my sig 😉

hbradshaw

Hi,

I never meant to imply "you" told me to do so. I'm sorry. I just can't believe that making that change, made the script work.

I'm not sure if you saw my edit to my reply. This is in regard to sessions. I have read about sessions, looked at code, and I'm just fuzzy as to how sessions will make things more secure.

Do you happen to have an explanation for a newbie?

Thanks.

bradgrafelman

Right now, your secret "members area" is simply a different HTM page.

Anyone with brains and knack for guessing names such as 'member-area' will soon find the page.

With sessions, you can store logon info and transfer it from page to page. Theoretically, you could have the login script, error page, and member's area all in one "member.php" script. For simplicity and ease of editing, however, you would probably split up the login/error stuff from the member page.

What sessions enable you to do though, is prevent someone from skipping the logon process. If i tried to go directly to your member's page, session validation could check my session (if I have one) to see if I was logged in ($_SESSION['loggedIn'] == 1), etc.

When you store variables in the $SESSION[] superglobal, they are transferred from page to page (after using [man]session_start/man etc.) and can be accessed from the $SESSION superglobal.

Basically, once a valid login is submitted, you start a session and create some variable.. $_SESSION['loggedIn'] is what I used above. If that variable isn't set ([man]isset/man), the user tried to skip or bypass the login process, at which point you tell the user to [man]die/man since they are sneaky :p

hbradshaw

Thank you. I will be look into sessions a lot more closely.