user validation/error reporting

gotissues68

I'm trying to toss an error message if a user has a failed login attmept rather then my current code of just refreshing the login page. I've looked around and found a couple expamples using sessions to figure out whether the page has been access previously and I tried that method but it didn't seem to work for me (not sure if I did something funked up or not). Here's my current code, any suggestions or pointers greatly appreciated.

<?
ob_start();
?>
        <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
        "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
        <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
        <head>
        <meta http-equiv="content-type" content="text/html; charset=utf-8" />
        <link rel="stylesheet" href="../nendocs-old/default.css" type="text/css" />
        </head>

<?
        $db = mysql_connect('', '', '') or die("Couldn't connect to the database.");
        mysql_select_db('bindusers') or die("Couldn't select the database");
        $_POST['user'] = addslashes($_POST['user']);
        $_POST['pass'] = md5($_POST['pass']);
        $result = mysql_query("SELECT count(userId) FROM users WHERE userPass='$_POST[pass]' AND userName='$_POST[user]'");
        $num = mysql_result($result, 0);
 if (!$num) {
        echo "<body>";
        echo "<div id=loginbox>";
        echo "<div class=\"center\">";
        echo "<h5>TAC Login</h5>";

    echo "
    <form action='$_SERVER[PHP_SELF]' method='post'>
    <div class=row><span class=label>Username:</span><span class=formw><INPUT TYPE=\"text\" NAME=\"user\" SIZE=\"15\"></span></div><br>
    <div class=row><span class=label>Password:</span><span class=formw><INPUT TYPE=\"password\" NAME=\"pass\" SIZE=\"15\"></span></div><br><br>
    <input type='submit' value='Login'>
    </form>";
    echo "</div>";
    echo "</div>";
    } else {
    session_start();
    $_SESSION['user'] = $_POST['user'];
    $_SESSION['pass'] = $_POST['pass'];
    header('Location: index.php');
    }
ob_end_flush();
echo "</body>";
?>

konsu

even if your sql query returns zero rows you still get a valid resultset back. you need to check for number of rows in the resultset.

Weedpacket

Originally posted by konsu
even if your sql query returns zero rows you still get a valid resultset back. you need to check for number of rows in the resultset.

No, the result will always contain exactly one row; with one field (which is being looked at).

I can't see anything immediately wrong (except for ill-formed XHTML), so could I ask what it is doing?

konsu

Originally posted by Weedpacket
No, the result will always contain exactly one row; with one field (which is being looked at).

I can't see anything immediately wrong (except for ill-formed XHTML), so could I ask what it is doing?

you are right. i did not look at the query. i guess there is nothing wrong with the code, except for the test "!$num", which i consider a bad programming practice ; -). the author just wants to show an error if a postback is detected and the login fails and they ask how to do it. so the answer is i believe that the mere presence of variables on the _POST array is an indication of a postback.

gotissues68

Originally posted by Weedpacket
No, the result will always contain exactly one row; with one field (which is being looked at).

I can't see anything immediately wrong (except for ill-formed XHTML), so could I ask what it is doing?

Heh yea I know about the XHTML :p I need to fix that.

Here's what its doing though.

Its an authentication page, that simply is querying a database with stored usernames and passwords. My intent or what I'd like to do with it is such that when a user first visits the page that it displays normally and when/if they enter an invalid password rather then just refreshing the page so it shows a blank login again it throws an error of some sort (invalid password ect). I mentioned it earlier but I wrote the post rather hastily is that I've tried various permutations of sessions and I even tried cookies but neither worked, obviously not because they won't work but rather I'm implementing them wrong somehow, sadly I didn't save the examples of what I was doing 🙁

Here's the page itself in working form

http://www.techiekb.com/beta

Weedpacket

So if($num==0) && !empty($POST['username']) you want to echo "Invalid username/password" somewhere on the page? And if $POST['username'] and $_POST['pass'] are both empty then that must be because the page is being displayed for the first time and hence there is no need for an error message?

gotissues68

Originally posted by Weedpacket
So if($num==0) && !empty($POST['username']) you want to echo "Invalid username/password" somewhere on the page? And if $POST['username'] and $_POST['pass'] are both empty then that must be because the page is being displayed for the first time and hence there is no need for an error message?

Exactly. The assumption is made of course that the user has entered something if the SQL query is run since it is session based if they have attempted to auth (but only sessionized once they successfully auth).