myjournal help with password

music_man

I am trying to make my own journal system where I can visit my page and see the entries. There is a field on the page where I can type in a password (no username) and then it will allow me to post. I am trying to do it all on one page. I have this code but it doesn't seem to work, nor does it seem very safe. I don't know how to use sessions.

I was thinking of just setting the password in the code and not use a mysql database for it.

Here it is. Any help would greatly be appreciated.

<?php $page = myjournal; include ("top.php"); ?>
<h2><img src="myjournaltop.png"  alt="My Journal" /></h2>
<br /><br />
<h3>

<?php



if(a==post)

{

if($loggedin=true)

{

include ("connection.php");

$dateposted=date('jS F Y');
$title=$_POST['title'];
$post=$_POST['post'];


 $res = mysql_query ("INSERT INTO entries (title, entry, dateposted) VALUES ('$title', '$entry','$dateposted')"); 
if (!$res) { 
  die(mysql_error()); 
} 

include ("close.php");

}
}
?>





<?php

if

(a==login)

{

$password="xxx";

if 

{

$_POST['password'] = $password;

$loggedin="true";

}{

else

$loggedin="false";

echo "Wrong password";

}

}

?>




<form method="post" action="myjournal.php?a=login" name="login">
Password <input type="text" name="title" value="" style="border-bottom: 1px solid black; border-left:transparent; border-right:transparent; border-top:transparent;>&nbsp;<input type="submit" value="Login">
</form>

<?php

if

$loggedin=true

echo"

<form method="post" action="myjournal.php?a=post" name="postentry">
<input type="text" name="title" value="title" onclick="this.value=''"><br />
<textarea name="entry"></textarea><br />
<input type="submit" value="Post">
</form>
";

else

echo "";

?>



<?php include ("connection.php");

$qs="SELECT title,entry,dateposted FROM entries";
$re=mysql_query($qs);

while ($row=mysql_fetch_array($re, MYSQL_ASSOC))

{

echo "{$row['title']}<br /> " . "{$row['dateposted']}<br />" . "{$row['entry']}";
echo "<hr />";

}

include ("close.php");


?>


</h3>

<?php include ("footer.php"); ?>

kburger

Wow, lots of problems here. First, the syntax errors.

if(a==post) -- This will always evaluate to FALSE. 'a' will never be 'post'. I think you meant if ($a == "post")
Actually, unless register_globals is on you probably meant if ($_POST['a'] == "post")
if($loggedin=true) -- This will always evalue to TRUE. You used the assignment operator '=' rather than the comparison operator '=='. I think you meant if ($loggedin == true)

This should probably be changed from this

$res = mysql_query ("INSERT INTO entries (title, entry, dateposted) VALUES ('$title', '$entry','$dateposted')"); 
if (!$res) { 
  die(mysql_error()); 
}

to this

$res = mysql_query ("INSERT INTO entries (title, entry, dateposted) VALUES ('$title', '$entry','$dateposted')") or die (mysql_error());

This doesn't make much sense

if 

{

$_POST['password'] = $password;

$loggedin="true";

}{

else

$loggedin="false";

echo "Wrong password";

}

Change it to this:

if ($_POST['password'] == $password) {
	$loggedin=true;
} else {
	$loggedin=false;
	echo "Wrong password";
}

This is going to throw lots of parse errors:

echo"

<form method="post" action="myjournal.php?a=post" name="postentry">
<input type="text" name="title" value="title" onclick="this.value=''"><br />
<textarea name="entry"></textarea><br />
<input type="submit" value="Post">
</form>
";

You need to escape the quotes like this:

echo "

<form method=\"post\" action=\"myjournal.php?a=post\" name=\"postentry\">...";

Many other repeated problems.
Whew! I'm tired. I think I'll take a break and let you digest this. This should get you started. Post your revised code and I'll help you out. But really, I think your logic should be something like this:

If not submitting form, create form including a password field. If submitting form, check to see that the posted password matches your hard coded password. If it does, insert the record. If not, display an error message.

music_man

Thanks so much for your reply.

I looked for a tutorial about sessions and login and found one that seems to work. I have implemented it here

<?
$pword = "test";
session_start();
?>
<?php $page = myjournal; include ("top.php"); ?>
<h2><img src="myjournaltop.png"  alt="My Journal" /></h2>
<br /><br />
<h3>
<?php 
if (!$password) {
echo '<form name=login method=post action="">
<input type=text name=password style="border-bottom: 1px solid #ccc; border-top: transparent;border-left:transparent;border-right:transparent;background-color:transparent;"><input type=submit value="Post an entry perhaps?" style="border:1px solid #ccc;">
</form>';
}
else {
if ($password=="$pword")  {
session_register("password");
$form="true";
}
else echo "nope";
}
if ($m==1) {
session_unregister("password");
}

?>

<?php

if ($postentry)

{

include ("connection.php");

$dateposted=date('jS F Y');
$title=$_POST['title'];
$post=$_POST['post'];


 $res = mysql_query ("INSERT INTO entries (title, entry, dateposted) VALUES ('$title', '$entry','$dateposted')"); 
if (!$res) { 
  die(mysql_error()); 
} 

include ("close.php");

echo "<script language=\"JavaScript\" type=\"text/JavaScript\">

window.location= \"myjournal.php\"

</script>";

}

?>


<?php

if($form=="true")

{

echo '
<form method="post" action="" name="postentry">
<div style="border: 1px solid #ccc; padding: 3px; text-align:left;">
<a href="?m=1">Logout</a><br /><br />
<input type="text" name="title" style="border-bottom: 1px solid #ccc; border-top: transparent;border-left:transparent;border-right:transparent;background-color:transparent;"><br /><br /><textarea name="entry" rows="10" cols="40" style="border:1px solid #ccc;"></textarea><br /><br />
<input type="submit" value="Add" name="postentry" style="border:1px solid #ccc;">
</form>
</div>
';

}

?>

<?php include ("connection.php");

$qs="SELECT title,entry,dateposted FROM entries";
$re=mysql_query($qs);

while ($row=mysql_fetch_array($re, MYSQL_ASSOC))

{

echo "{$row['title']}<br /> " . "{$row['dateposted']}<br />" . "{$row['entry']}";
echo "<hr />";

}

include ("close.php");


?>


</h3>

<?php include ("footer.php"); ?>

It displays the login form when no password has been entered and there is no session active, then when there is a session active it displays a logout link and a post form.

Is this the best way? If not I could go back to my old code and use your fixes. I thought sessions would be more secure.

I'm just wondering if I could get rid of more of the <?'s and also I tried to add in the mysql query for displaying the journal ORDER BY dateposted DESC but it didn't work.

Thanks a lot.

halojoy

you have found
<code> tag in this forum!
now use tag two steps to the right: PHP
and we will see php syntax highlighting in COLORS

kburger

Sessions might be a bit of overkill in this case. But it might be a good learning experience.

I had a little trouble reading your code so I reformatted it but didn't change any real code, just some whitespace removal and indenting. I just did that so I could read and follow it a little better. I made my comments inline.

<?
$pword = "test";
session_start();
$page = myjournal; 
include ("top.php"); 
?>
<h2><img src="myjournaltop.png" alt="My Journal" /></h2>
<br /><br />
<h3>
<?php 
if (!$password) { // looks like register_globals is on?
	echo '<form name=login method=post action="">
	<input type=text name=password style="border-bottom: 1px solid #ccc; border-top: transparent;border-left:transparent;border-right:transparent;background-color:transparent;">
	<input type=submit value="Post an entry perhaps?" style="border:1px solid #ccc;">
	</form>';
} else {
	if ($password=="$pword") { // No need to quote the variable.  Could be written if ($password==$pword)
		session_register("password"); 
		// OK great.  You've registered it, but you never check to see if it's been 
		// registered before doing the insert below.
		$form="true"; // Works.  But really it should be $form = true;
	} else echo "nope";
}
if ($m==1) {
	session_unregister("password");
}

if ($postentry) { // here's where we should be checking to see if the session is registered
	include ("connection.php");
	$dateposted=date('jS F Y');
	$title=$_POST['title']; // now looks like register_globals must be off?
	$post=$_POST['post'];
	 $res = mysql_query ("INSERT INTO entries (title, entry, dateposted) VALUES 
	  ('$title', '$entry','$dateposted')"); 
	if (!$res) { 
	  die(mysql_error()); 
	} 

include ("close.php");
echo "<script language=\"JavaScript\" type=\"text/JavaScript\">
window.location= \"myjournal.php\"
</script>";
}

if ($form=="true") { // Again, it works.  But this is probably better: if ($form == true)
	echo '
	<form method="post" action="" name="postentry">
	<div style="border: 1px solid #ccc; padding: 3px; text-align:left;">
	<a href="?m=1">Logout</a><br /><br />
	<input type="text" name="title" style="border-bottom: 1px solid #ccc; border-top: transparent;border-left:transparent;border-right:transparent;background-color:transparent;"><br /><br /><textarea name="entry" rows="10" cols="40" style="border:1px solid #ccc;"></textarea><br /><br />
	<input type="submit" value="Add" name="postentry" style="border:1px solid #ccc;">
	</form>
	</div>
	';
}

include ("connection.php");

$qs="SELECT title,entry,dateposted FROM entries";
$re=mysql_query($qs); 
// until you know it works it would be better to make this:
// $re=mysql_query($qs) or die(mysql_error());

while ($row=mysql_fetch_array($re, MYSQL_ASSOC)) {
	echo "{$row['title']}<br /> " . "{$row['dateposted']}<br />" . "{$row['entry']}";
	echo "<hr />";
}

include ("close.php");
?>


</h3><!-- oops? -->

<?php include ("footer.php"); ?>

music_man

Hey

I have incorporated what you have commented and added a redirection for when I log out.

Should the settings be for all globals off? I don't know how to do that.

I'm just thinking of a way to have it so when I am logged in, it displays the posts as textfields with the option to update each one as well as delete them. Sould I have it so when I am logged in it displays the update form and delete option and if I am not then it displays the plain text?

So it is sort of the same script as displaying the login box when not logged in and displaying the post box when logged in.

Here is my update code. I really appreciate your help.

<?
$pword = "test";
session_start();
$page = myjournal;
include ("top.php");
?>
<h2><img src="myjournaltop.png" alt="My Journal" /></h2>
<br /><br />
<h3>
<?php
if (!$password) { // looks like register_globals is on?
       echo '<form name=login method=post action="">
       <input type=text name=password style="border-bottom: 1px solid #ccc; border-top: transparent;border-left:transparent;border-right:transparent;background-color:transparent;">
       <input type=submit value="Post an entry perhaps?" style="border:1px solid #ccc;">
       </form>';
} else {
       if ($password==$pword) { // No need to quote the variable.  Could be written if ($password==$pword)
               session_register("password");
               // OK great.  You've registered it, but you never check to see if it's been
               // registered before doing the insert below.
               $form=true; // Works.  But really it should be $form = true;
       } else echo "Sorry you are not allowed to post<br />";
}
if ($m==1) {
       session_unregister("password");
       echo "<script language=\"JavaScript\" type=\"text/JavaScript\">
       window.location= \"myjournal.php\"
       </script>";
}

if ($postentry) { // here's where we should be checking to see if the session is registered
       include ("connection.php");
       $dateposted=date('jS F Y');
       $title=$_POST['title']; // now looks like register_globals must be off?
       $post=$_POST['post'];
        $res = mysql_query ("INSERT INTO entries (title, entry, dateposted) VALUES
         ('$title', '$entry','$dateposted')");
       if (!$res) {
         die(mysql_error());
       }

   include ("close.php");
   echo "<script language=\"JavaScript\" type=\"text/JavaScript\">
   window.location= \"myjournal.php\"
   </script>";
   // Don't we have an errant '>' above?
}

if ($form==true) { // Again, it works.  But this is probably better: if ($form == true)
       echo '
       <form method="post" action="" name="postentry">
       <div style="border: 1px solid #ccc; padding: 3px; text-align:left;">
       <a href="?m=1">Logout</a><br /><br />
       <input type="text" name="title" style="border-bottom: 1px solid #ccc; border-top: transparent;border-left:transparent;border-right:transparent;background-color:transparent;"><br /><br /><textarea name="entry" rows="10" cols="40" style="border:1px solid #ccc;"></textarea><br /><br />
       <input type="submit" value="Add" name="postentry" style="border:1px solid #ccc;">
       </form>
       </div>
       ';
}

include ("connection.php");

$qs="SELECT title,entry,dateposted FROM entries";
$re=mysql_query($qs);
// until you know it works it would be better to make this:
// $re=mysql_query($qs) or die(mysql_error());

while ($row=mysql_fetch_array($re, MYSQL_ASSOC)) {
       echo "{$row['title']}<br /> " . "{$row['dateposted']}<br />" . "{$row['entry']}";
       echo "<hr />";
}

include ("close.php");
?>


</h3>

<?php include ("footer.php"); ?>

I opened h3 tag at the top of the page.

Thanks

halojoy

Hello, music_man
I had a website providing mp3 downloads for free
some year ago

Here is a nice set of 4 pages to DEMO SESSION USE.
I recommend you try it out!

It might seem very simple, but in fact it is not.
It will 'sense' if someone is user and logged and display options different for user / guests
I have also added some comments, about what is happening.
Main action is in page1, with form.

Enjoy!
🙂

<?php
// home.php
session_start();
$user='Guest';
if(isset($_SESSION['name']) && !empty($_SESSION['name'])){
$user=$_SESSION['name'];
echo "Welcome home <b>$user</b>";
}
else 
echo "Welcome <b>$user</b>";

if($user=='Guest')
echo "<br><br><a href='page1.php'>Join this website</a>";
else
echo "<br><br><a href='page1.php'>Change my profile</a>";
?>

<!-- //////////////////////////////-->
<?php
// page1.php
// session hasto be started when store or read
session_start();

if ( !isset($_SESSION['name']) || $_POST['reset'] ) $_SESSION['name'] = '';
if ( !isset($_SESSION['pass']) || $_POST['reset'] ) $_SESSION['pass'] = '';

if ($_POST['submit']) {
$usern = trim($_POST['username']);
$passw = trim($_POST['password']);
if ($usern=='?') $usern='';
if ($passw=='?') $passw='';
if(!empty($usern)) $_SESSION['name'] = $usern;
if(!empty($passw)) $_SESSION['pass'] = $passw;
}

$usern = '?';
$passw = '?';
if(!empty($_SESSION['name'])) $usern = $_SESSION['name'];
if(!empty($_SESSION['pass'])) $passw = $_SESSION['pass'];
?>

<!-- when action empty, goes back this page again -->
<form action='' method='post'>
<input type='text' name='username' value='<?php echo $usern ?>'> Username
<br>
<input type='text' name='password' value='<?php echo $passw ?>'> Password
<br>
<input type='submit' name='submit' value='SUBMIT'>
<input type='submit' name='reset' value='RESET'>
<br><br>
<a href='home.php'>Cancel</a>
<br>
<a href='page2.php'>Continue</a>

<!-- //////////////////////////////-->
<?php
// page2.php
// hasto start SESSION
session_start();

$uname = $_SESSION['name'];
$upass = $_SESSION['pass'];

echo "User Name: $uname";
echo '<br>';
echo "Pass Word: $upass";

?>

<br><br>
<a href='page1.php'>Back</a>
<br>
<a href='home.php'>Cancel</a>
<br>
<a href='page3.php'>Continue</a>

<!-- //////////////////////////////-->
<?php
// page3.php

echo "This is";
echo '<br>';
echo "The End";

?>

<br><br>
<a href='home.php'>Home</a>