If password is correct go to other page

Migz

hi. i have been looking for some books of php in the last 2 days..
and still got one question not really answered

i have a password in the database..
and the user enters a password..
if they are equal .. the user must go to another page..

any idea how i could do this .. thanks a lot

NogDog

header()

Migz

hm.. i read it all . . and i tried this

if($database_password == $login_password)
	{echo "Password Correct"; }
           header("Location: index.php");
		else
	{echo "Password Incorrect"; }

but it didn't work.. thanks for the reply mate. but could you help me out here please

NogDog

You can not output anything (echo(), print(), etc.) prior to any header() commands. If you need to output something, then you'll need to use a meta refresh tag in your HTML to do the redirection.

Sangre

<?php
if($database_password == $login_password) 
    {
     header("Location: index.php");
     } 
     else 
    {exit("Password Incorrect"); } 
?>

make sure there are NO spaces or enters or whatever before <?php and after ?>
also like nogdog said, no echo's or prints.

its not allowed to send any form of data to the client before you change headerinformation

Migz

well. everything worked now..

but now people can also access my page directly ( the member page )
is there any way of preventing this. . tx

jignesh1

start a session and
then create a session variable and put on the pages u want to restrict the pages

Will_Poulson

I check the login against the database, make a random HASH number, write that hash to the cookie, then write that hash to the database along with an IP and an expiration date.

Then on every page load I check the hash in the cookie, and the IP against the one in the database, and then update the expiration date. (20 minutes, 2 hours, 8 hours, whatever works for you)

And remember the password and login areas are the first weakness for SQL injection exploits, so do something like:

$value = preg_replace('!\\+|/+!', '', $value);

Against the password and the login.

Good luck

bradgrafelman

Will Poulson wrote:
And remember the password and login areas are the first weakness for SQL injection exploits, so do something like:

$value = preg_replace('!\\+|/+!', '', $value);

Or simply use [man]mysql_real_escape_string/man on every single variable used in SQL queries that the user has control over (e.g. $GET, $POST, $COOKIE, some of $SERVER, etc.).