Bad Login Page - Have no idea what's wrong. Worked fine last week.

Capoeirista

Hi There -

Am working on my final project for my PHP class (an ecommerce application) and a page that I wrote a couple weeks ago, that worked just fine last week, isn't working anymore.

I know that I used it to work from for a different kind of login page, so I could have messed it up then somehow. I have so much work ahead of me and I thought this was okay and I have no clue what's going on and I've been working for five hours on this one page and I just can't see anything anymore and my head really hurts.

But the page is very tidy.

Here's what's going on:
When I log in and click enter, I get a completely fresh login screen again.
I've tested the connection include on other files and it's fine.

Please help me!

(If you have any other helpful ideas to make my code more presentable, clear, clever, etc., I'd love to hear them.)

Thanks, -Lee

<?php session_start(); ?>
<html>

<!-- this got errors no matter where I put it: <?php header("Cache-Control:no-cache"); ?> -->

<!-- Employee Table Structure: | Emp_ID | Emp_Fname | Emp_Lname  | Emp_Password | Emp_Email |-->


<body bgcolor= "#6da9dc" text="#551a8b">
<div align="center">
<br><br><br><br>

<?php

/*****************************************************************************\
	Login Page that sends info to itself
\*****************************************************************************/

/************************ IF THE PASSWORD HAS ALREADY BEEN ENTERED ************/

if (isset($entered_Password)) 
{

include("includes/connect2db.php");

$sqlString="SELECT Emp_Password from employee where Emp_Lname ='$Emp_Lname'";

$result=mysql_query($sqlString,$con);
$row = mysql_fetch_assoc ($result);
$Emp_Password = ($row["Emp_Password"]);
echo "<br><br>";
echo "$Emp_Password<br>";
echo "$Emp_Fname <br>"; 
echo "$Emp_Lname <br>";


/************************ IF LOGIN INFO IS CORRECT ****************************/

if ($entered_Password == $Emp_Password AND ($Emp_Fname != NULL OR $Emp_Lname != NULL)) {
	echo "**Login Successful** <br><br>";


// REGISTER SESSION VARIABLES

	session_register("Emp_Fname");
	session_register("Emp_Lname");


	echo("You are logged in as $Emp_Fname $Emp_Lname. <br><br>");
	include("includes/menu.php");
}

/************************ IF LOGIN INFO IS INCORRECT ***************************/

else  if ($entered_Password !== $Emp_Password) { 
	echo ("<b>**Login Failed**</b><br><br>Please Try Again<br><br>"); 
	?>


	<form method="post" action="<?php echo($PHP_SELF); ?>" >

	<table>
		<tr>
		<td align='right'>First Name: </td><td><input type="text" name="Emp_Fname" size="10"></td>
		</tr>
		<tr>
		<td align='right'>Last Name: </td><td><input type="text" name="Emp_Lname" size="10"></td>
		</tr>
		<tr>
		<td align='right'>Password: </td><td><input type="password" name="entered_Password" size="10"></td> 
		</tr>
		<tr>
		<td align='right'><input type="submit" value="Login"> </td><td> <input type="reset" value="Clear"></td> 
		</tr>
	</table

	</form>
<?php
}

}

/************************ IF NO PASSWORD ENTERED YET (FRESH LOGIN SCREEN) *****/

else {
	echo "<b>**Please Log In**</b>"; 
 ?>
	<form method="post" action="<?php echo($PHP_SELF); ?>" >

	<table>
		<tr>
		<td align='right'>First Name: </td><td><input type="text" name="Emp_Fname" size="10"></td>
		</tr>
		<tr>
		<td align='right'>Last Name: </td><td><input type="text" name="Emp_Lname" size="10"></td>
		</tr>
		<tr>
		<td align='right'>Password: </td><td><input type="password" name="entered_Password" size="10"></td> 
		</tr>
		<tr>
		<td align='right'><input type="submit" value="Login"> </td><td> <input type="reset" value="Clear"></td> 
		</tr>
	</table

</form>
<?php
} 
?>

</div>
</body>
</html>

rgermain

I guess I don't see any $_POST[''] 's I am think that globals variables aren't turned on and you aren't actually passing the entered_Password variable. Try something like....

$entered_password = $_POST['entered_password'];

Put something like that before you if statement. See if that helps.

PS: If this is the case you will need to do this with all variables that are being sent by the form.

rincewind456

Like rgermain said this page can only work if you have register_globals set to on, in which case it is so insecure that you may as well not have a login page.

Capoeirista

Oh.

Yeah, I did turn that off on my localhost when I found out that it was a security risk so that my localhost would mimic more closely my clients' hosts.

Interesting that my teacher would recommend this method then. The good news is that I can set it to on for my exam, where we just show the working application on our laptops. The bad news is that I'm not sure what else register_globals is affecting so that when I venture out into the real world in December, my education is questionable. . . as in, what ELSE am I not being taught?

I'm assuming that it's the $PHP_SELF variable. Please let me know if I'm wrong.

If this is so, do people still send stuff to the same page? I'd like what I'm working on now to be worth something in the real world. I'm open to any suggestions you may have. Should I just separate these into different pages? Is there a better technique?

I'm grateful for any advice you can give me.

Thanks,

Lee

rincewind456

I'm assuming that it's the $PHP_SELF variable. Please let me know if I'm wrong.

$PHP_SELF should be called like

 $_SERVER['PHP_SELF']

All the variables that you reference from the form are being referenced by, for instance, $emp_Lname this should be called like

$_POST['emp_Lname']

or $_GET if you were using a GET form posting method.

So really there is not a lot that you need to do to that script to make it compatible with a register_globals off environment.

I personally would always do forms like this on the same page, I see no real need to have different pages.

Capoeirista

Thanks so much for your thoughts. I appreciate it.

Just to make sure I get it, my post lines would read:

<form method="post" action="<?php echo($_SERVER['PHP_SELF']); ?>" >

And at the top, if the password is set, initialize the variables like this:

$emp_Lname = $_POST['emp_Lname'];

Right?

Thanks again,

Lee

Capoeirista

Okay, I put the variables before the if statement. . . Like rgermain said, and I didn't get errors like I thought I would if I did that. (I thought I'd get an undefined variable if there was no post data, but it wouldn't know that the password isset, now, would it?)

And a login that I know was in the database failed.

So now I know there's something wrong with the logic and I can try to figure it out. When I do, I'll post a whole working copy here. If anyone spots the problem and feels like posting, I'll gladly accept help. But this post was for the other problem and I don't want to prevail to much on people's generosity. I appreciate the patient help I've gotten.

Thanks,

Lee

rincewind456

Just to make sure I get it, my post lines would read:
<form method="post" action="<?php echo($_SERVER['PHP_SELF']); ?>" >

Yes.

And at the top, if the password is set, initialize the variables like this:
$emp_Lname = $_POST['emp_Lname'];
Right?

Yes but you're not so much initializing the variables as assigning the $POST vars to in-script vars. BTW you need to do that with all your $POST vars.

rincewind456

Okay I haven't fully checked this but I think it should work

<?php session_start(); ?> 
<html> 

<!-- this got errors no matter where I put it: <?php header("Cache-Control:no-cache"); ?> --> 

<!-- Employee Table Structure: | Emp_ID | Emp_Fname | Emp_Lname  | Emp_Password | Emp_Email |--> 


<body bgcolor= "#6da9dc" text="#551a8b"> 
<div align="center"> 
<br><br><br><br> 

<?php 

/*****************************************************************************\
Login Page that sends info to itself
\*****************************************************************************/

/************************ IF THE PASSWORD HAS ALREADY BEEN ENTERED ************/

if (isset($_POST['entered_Password'])) // <--- edited here
{

include("includes/connect2db.php");

$Emp_Fname = trim($_POST['Emp_Fname']);	// <--- edited here
$Emp_Lname = mysql_real_escape_string(trim($_POST['Emp_Lname']));	// <--- edited here
$entered_Password = trim($_POST['entered_Password']);	// <--- edited here

$sqlString="SELECT Emp_Password from employee where Emp_Lname ='$Emp_Lname'";

$result=mysql_query($sqlString,$con);
$row = mysql_fetch_assoc ($result);
$Emp_Password = ($row["Emp_Password"]);
echo "<br><br>";
echo "$Emp_Password<br>";
echo "$Emp_Fname <br>";
echo "$Emp_Lname <br>";


/************************ IF LOGIN INFO IS CORRECT ****************************/

if ($entered_Password == $Emp_Password AND ($Emp_Fname != NULL OR $Emp_Lname != NULL)) {
	echo "**Login Successful** <br><br>";


	// REGISTER SESSION VARIABLES

	session_register("Emp_Fname");
	session_register("Emp_Lname");


	echo("You are logged in as $Emp_Fname $Emp_Lname. <br><br>");
	include("includes/menu.php");
}

/************************ IF LOGIN INFO IS INCORRECT ***************************/

else  if ($entered_Password !== $Emp_Password) {
	echo ("<b>**Login Failed**</b><br><br>Please Try Again<br><br>");
    ?> 


    <form method="post" action="<?php echo($_SERVER['PHP_SELF']); ?>" > <!--- edited here-->

    <table> 
        <tr> 
        <td align='right'>First Name: </td><td><input type="text" name="Emp_Fname" size="10"></td> 
        </tr> 
        <tr> 
        <td align='right'>Last Name: </td><td><input type="text" name="Emp_Lname" size="10"></td> 
        </tr> 
        <tr> 
        <td align='right'>Password: </td><td><input type="password" name="entered_Password" size="10"></td> 
        </tr> 
        <tr> 
        <td align='right'><input type="submit" value="Login"> </td><td> <input type="reset" value="Clear"></td> 
        </tr> 
    </table 

    </form> 
<?php 
}

}

/************************ IF NO PASSWORD ENTERED YET (FRESH LOGIN SCREEN) *****/

else {
	echo "<b>**Please Log In**</b>";
?> 
    <form method="post" action="<?php echo($_SERVER['PHP_SELF']); ?>" > <!--- edited here-->

    <table> 
        <tr> 
        <td align='right'>First Name: </td><td><input type="text" name="Emp_Fname" size="10"></td> 
        </tr> 
        <tr> 
        <td align='right'>Last Name: </td><td><input type="text" name="Emp_Lname" size="10"></td> 
        </tr> 
        <tr> 
        <td align='right'>Password: </td><td><input type="password" name="entered_Password" size="10"></td> 
        </tr> 
        <tr> 
        <td align='right'><input type="submit" value="Login"> </td><td> <input type="reset" value="Clear"></td> 
        </tr> 
    </table 

</form> 
<?php 
}
?> 

</div> 
</body> 
</html>

As you can seeI have marked the areas I have edited.

I have also added an essential function when passing user input into a database, [man]mysql_real_escape_string/man.

Capoeirista

I hope something really terrific happens to you this week - something life changing and wonderful.

I'd figured out what I did wrong, but I didn't know about trim() or mysql_real_escape_string(). I was all set to come and paste my success onto this page when I found your version and it's much cooler.

Uh oh. Wait a minute. Neither of them fail when I supply an incorrect password now.

Now isn't that just interesting?

Still think you're the bee's knees for helping me out.

Capoeirista

Got it going. Changed the line after

/********************* CHECK IF LOGIN INFO IS CORRECT *************************/

from this:

if ($entered_Password == $Emp_Password AND ($Emp_Fname != NULL OR $Emp_Lname != NULL)) {

to this:

if ($entered_Password == $Emp_Password AND (($Emp_Fname != NULL) OR ($Emp_Lname != NULL))) {

...by adding parentheses to the OR statement.

Thanks again! Have a terrific week!

Here's the entire thing:

<?php session_start(); ?>
<html>

<!-- this got errors no matter where I put it: <?php header("Cache-Control:no-cache"); ?> -->

<!-- Employee Table Structure: | Emp_ID | Emp_Fname | Emp_Lname  | Emp_Password | Emp_Email |-->


<body bgcolor= "#6da9dc" text="#551a8b">
<div align="center">
<br><br><br><br>

<?php

/*****************************************************************************\
Login Page that sends info to itself by Lee 
With gratitude to rgermain and rincewind456 at PHPBuilder.com's message boards.
Class: Database Driven Web Design
Northeastern University
\*****************************************************************************/

/************************ IF THE PASSWORD HAS ALREADY BEEN ENTERED ************/

if (isset($_POST['entered_Password'])) // 
{

include("includes/connect2db.php");

$Emp_Fname = trim($_POST['Emp_Fname']);    // <--- edited here
$Emp_Lname = mysql_real_escape_string(trim($_POST['Emp_Lname']));    // <--- edited here
$entered_Password = trim($_POST['entered_Password']);    // <--- edited here

$sqlString="SELECT Emp_Password from employee where Emp_Lname ='$Emp_Lname'";

$result=mysql_query($sqlString,$con);
$row = mysql_fetch_assoc ($result);
$Emp_Password = ($row["Emp_Password"]);
echo "<br><br>";
echo "$Emp_Password<br>";
echo "$Emp_Fname <br>";
echo "$Emp_Lname <br>";


/************************ CHECK IF LOGIN INFO IS CORRECT ****************************/

if ($entered_Password == $Emp_Password AND (($Emp_Fname != NULL) OR ($Emp_Lname != NULL))) {
    echo "**Login Successful** <br><br>";


    // REGISTER SESSION VARIABLES

    session_register("Emp_Fname");
    session_register("Emp_Lname");


    echo("You are logged in as $Emp_Fname $Emp_Lname. <br><br>");
    include("includes/menu.php");
}

/************************ IF LOGIN INFO IS INCORRECT ***************************/

else  if ($entered_Password !== $Emp_Password) {
    echo ("<b>**Login Failed**</b><br><br>Please Try Again<br><br>");
    ?>


    <form method="post" action="<?php echo($_SERVER['PHP_SELF']); ?>" > <!--- edited here-->

    <table>
        <tr>
        <td align='right'>First Name: </td><td><input type="text" name="Emp_Fname" size="10"></td>
        </tr>
        <tr>
        <td align='right'>Last Name: </td><td><input type="text" name="Emp_Lname" size="10"></td>
        </tr>
        <tr>
        <td align='right'>Password: </td><td><input type="password" name="entered_Password" size="10"></td>
        </tr>
        <tr>
        <td align='right'><input type="submit" value="Login"> </td><td> <input type="reset" value="Clear"></td>
        </tr>
    </table

    </form>
<?php
}

}

/************************ IF NO PASSWORD ENTERED YET (FRESH LOGIN SCREEN) *****/

else {
    echo "<b>**Please Log In**</b>";
?>
    <form method="post" action="<?php echo($_SERVER['PHP_SELF']); ?>" > <!--- edited here-->

    <table>
        <tr>
        <td align='right'>First Name: </td><td><input type="text" name="Emp_Fname" size="10"></td>
        </tr>
        <tr>
        <td align='right'>Last Name: </td><td><input type="text" name="Emp_Lname" size="10"></td>
        </tr>
        <tr>
        <td align='right'>Password: </td><td><input type="password" name="entered_Password" size="10"></td>
        </tr>
        <tr>
        <td align='right'><input type="submit" value="Login"> </td><td> <input type="reset" value="Clear"></td>
        </tr>
    </table

</form>
<?php
}
?>

</div>
</body>
</html>