Hello again,

I got a really newbie-one for ya :glare:

I have a navigation menu containing four different links with PHP_SELF in there along with a variable called $sectionid. $sectionid just contains a number from 0-3.

My intention is to use $_GET to pick the sectionid from the URL when a menulink is clicked and then load the same page, but this time only outputting the section of the file that matches the id pulled from $_GET, but for some reason, $_GET comes up empty (not set) when using PHP_SELF. I have no problem getting the value from $_GET if I write a separate file containing the $_GET code and direct to that file within the link instead of using PHP_SELF.

Why does using the combination of $_GET and PHP_SELF in the link produce an unset $sectionid, but a set $sectionid when pulling with $_GET from a different file?

Thanx for reading, hope you can help.

Bye,

    please paste what is not working.

      Top of the page:

      session_start();
      include 'music_files/music_includes/dbconnector.php';
      include 'music_files/music_includes/musicart_functions.php';
      $_SESSION['disallowed'] = TRUE;
      //if ($_SESSION['allowed'] = TRUE) unset($_SESSION['disallowed']);
      print_r($_SESSION);
      ini_set('display_errors', ON);
      error_reporting(E_ALL);
      
      <body>
      <div class="siteframe">
      <?php
      $sectionid = (isset($_GET['sectionid']) AND is_numeric($_GET['sectionid'])) ? $_GET['sectionid'] : "failed";
      $loginform = "<form method='post' action='{$_SERVER['PHP_SELF']}'>
      <fieldset>
      <legend>LOG-IN</legend>
      <p><label>Name:</label><input name='formusername' type='text' size='15' maxlength='20' /></p>
      <p><label>Password:</label><input name='formpassword' type='password' size='15' maxlength='20' /></p>
      <p><input class='submit' type='submit' value='Log-in' name='login' /></p>
      </fieldset>
      </form>";
      if ($sectionid == 1) //AND ($_SESSION['authorized'] == TRUE))
            {
            echo "<div class='adminbox'>";
            echo menu();
            echo "</div><!-- adminbox end -->";
            echo "<div class='applicationarea'>";
            echo "Welcome to section 1!";
            die("</div><!-- applicationarea end -->");
            }
      if ($sectionid == 2)
            {
            echo "<div class='adminbox'>";
            echo menu();
            echo "</div><!-- adminbox end -->";
            echo "<div class='applicationarea'>";
            echo "Welcome to section 2!";
            die("</div><!-- applicationarea end -->");
            }
      if ($sectionid == 3)
            {
            echo "<div class='adminbox'>";
            echo menu();
            echo "</div><!-- adminbox end -->";
            echo "<div class='applicationarea'>";
            echo "Welcome to section 3!";
            die("</div><!-- applicationarea end -->");
            }
      if ($sectionid == 4)
            {
            echo "<div class='adminbox'>";
            echo menu();
            echo "</div><!-- adminbox end -->";
            echo "<div class='applicationarea'>";
            echo "Welcome to section 4!";
            die("</div><!-- applicationarea end -->");
            }
      if (isset($_POST['login']))
      {
      $formusername = mysql_real_escape_string(strip_tags(trim($_POST['formusername'])));
      $formpassword = mysql_real_escape_string(strip_tags(trim($_POST['formpassword'])));
                    if (!preg_match('/[a-z]+/', $formusername) OR
                        !preg_match('/[A-Z]+/', $formusername) OR
                        !preg_match('/[0-9]+/', $formusername))
                        {
                        echo "<div class='applicationarea'>";
                        echo "<span class='warning'>FAILURE: Authentication failed. Username failed character criteria.</span>";
                        echo $loginform;
                        die("</div><!-- applicationarea end -->");
                        } 
                    if (!preg_match('/[a-z]+/', $formpassword) OR
                        !preg_match('/[A-Z]+/', $formpassword) OR
                        !preg_match('/[0-9]+/', $formpassword))
                        {
                        echo "<div class='applicationarea'>";
                        echo "<span class='warning'>$formpassword FAILURE: Authentication failed. Password failed character criteria.</span>";
                        echo $loginform;
                        die("</div><!-- applicationarea end -->");
                        }
                        elseif (strlen($formusername) <5 OR strlen($formusername) >20)
                               {
                               echo "<div class='applicationarea'>";
                               echo "<span class='warning'>FAILURE: Authentication failed. Username illegal length.</span>";
                               echo $loginform;
                               die("</div><!-- applicationarea end -->");
                               }                   
      elseif (strlen($formpassword) <8 OR strlen($formpassword) >20)
             {
             echo "<div class='applicationarea'>";
             echo "<span class='warning'>FAILURE: Authentication failed. Password illegal length.</span>";
             echo $loginform;
             die("</div><!-- applicationarea end -->");
             }
      else
             {
             $formpassword = md5($formpassword);
             $formusername = md5($formusername);
             //
             // DB stuff below and authorization if userdata validates and matches fetched DB values.
             //
             $query = mysql_query("SELECT name, param FROM parameter WHERE name='siteuser' OR name='siteuserpasswd'") OR die(mysql_error());
             while($row = mysql_fetch_array($query))
                   {
                   $$row['name'] = $row['param'];
                   }
             if ($siteuser !== $formusername)
                   {
                   echo "<div class='applicationarea'>";
                   echo "<span class='warning'>FAILURE: Authentication failed. Wrong username.</span>";
                   echo $loginform;
                   die("</div><!-- applicationarea end -->");
                   }
             if ($siteuserpasswd !== $formpassword)
                   {
                   echo "<div class='applicationarea'>";
                   echo "<span class='warning'>FAILURE: Authentication failed. Wrong password.</span>";
                   echo $loginform;
                   die("</div><!-- applicationarea end -->");
                   }
             if (($siteuser == $formusername) AND ($siteuserpasswd == $formpassword))
                   {
                   //$_SESSION['allowed'] = TRUE;
                   echo "<div class='adminbox'>";
                   echo menu();
                   echo "</div><!-- adminbox end -->";
                   echo "<div class='applicationarea'>";
                   echo "<h1>Greetings 0' exalted one, my master!</h1>";
                   die("</div><!-- applicationarea end -->");
                   }
             }
      }
      else
      {
      echo "<div class='applicationarea'>";
      echo $loginform;
      die("</div><!-- applicationarea end -->");
      }
      ?>
      </div><!-- siteframe -->
      </body>
      </html>

        works for me as expected. Are the urls produced by the menu correct?

          What? It works for you? Could it have something to do with the fact that the code is placed in an if of a nested if/else?

          Yes, I believe they are correct as they all lead back to the main page with $sectionid=0 (up to 3) appended to each URL when the links are clicked, so they must be correct.

          the links resemble this

          <a href="mainpage.php?sectionid=0">link title</a>

          I'm at work now, but when I get home I'll post the code so you can spot the problem.

            I'm just gonna post the whole thing, but as it really isn't too complex, you shouldn't have any probs looking over it, as it's basically just a login routine with some sanitization and string length checking. If everything works out, the user is dumped at the last "if" near the bottom where the $_GET is, and all four sections will be placed.

            $loginform = "<form method='post' action='{$_SERVER['PHP_SELF']}'>
            <fieldset>
            <legend>LOG-IN</legend>
            <p><label>Name:</label><input name='formusername' type='text' size='15' maxlength='20' /></p>
            <p><label>Password:</label><input name='formpassword' type='password' size='15' maxlength='20' /></p>
            <p><input class='submit' type='submit' value='Log-in' name='login' /></p>
            </fieldset>
            </form>";
            if (isset($_POST['login']))
            {
            $formusername = mysql_real_escape_string(strip_tags(trim($_POST['formusername'])));
            $formpassword = mysql_real_escape_string(strip_tags(trim($_POST['formpassword'])));
                          if (!preg_match('/[a-z]+/', $formusername) OR
                              !preg_match('/[A-Z]+/', $formusername) OR
                              !preg_match('/[0-9]+/', $formusername))
                              {
                              echo "<div class='applicationarea'>";
                              echo "<span class='warning'>FAILURE: Authentication failed. Username failed character criteria.</span>";
                              echo $loginform;
                              die("</div><!-- applicationarea end -->");
                              } 
                          if (!preg_match('/[a-z]+/', $formpassword) OR
                              !preg_match('/[A-Z]+/', $formpassword) OR
                              !preg_match('/[0-9]+/', $formpassword))
                              {
                              echo "<div class='applicationarea'>";
                              echo "<span class='warning'>$formpassword FAILURE: Authentication failed. Password failed character criteria.</span>";
                              echo $loginform;
                              die("</div><!-- applicationarea end -->");
                              }
                              elseif (strlen($formusername) <5 OR strlen($formusername) >20)
                                     {
                                     echo "<div class='applicationarea'>";
                                     echo "<span class='warning'>FAILURE: Authentication failed. Username illegal length.</span>";
                                     echo $loginform;
                                     die("</div><!-- applicationarea end -->");
                                     }                   
            elseif (strlen($formpassword) <8 OR strlen($formpassword) >20)
                   {
                   echo "<div class='applicationarea'>";
                   echo "<span class='warning'>FAILURE: Authentication failed. Password illegal length.</span>";
                   echo $loginform;
                   die("</div><!-- applicationarea end -->");
                   }
            else
                   {
                   $formpassword = md5($formpassword);
                   $formusername = md5($formusername);
                   //
                   // DB stuff below and authorization if userdata validates and matches fetched DB values.
                   //
                   $query = mysql_query("SELECT name, param FROM parameter WHERE name='siteuser' OR name='siteuserpasswd'") OR die(mysql_error());
                   while($row = mysql_fetch_array($query))
                         {
                         $$row['name'] = $row['param'];
                         }
                   if ($siteuser !== $formusername)
                         {
                         echo "<div class='applicationarea'>";
                         echo "<span class='warning'>FAILURE: Authentication failed. Wrong username.</span>";
                         echo $loginform;
                         die("</div><!-- applicationarea end -->");
                         }
                   if ($siteuserpasswd !== $formpassword)
                         {
                         echo "<div class='applicationarea'>";
                         echo "<span class='warning'>FAILURE: Authentication failed. Wrong password.</span>";
                         echo $loginform;
                         die("</div><!-- applicationarea end -->");
                         }
                   if (($siteuser == $formusername) AND ($siteuserpasswd == $formpassword))
                         {
                         $_SESSION['allowed'] = TRUE;
                         echo "<div class='adminbox'>";
                         echo menu();
                         echo "</div><!-- adminbox end -->";
                         echo "<div class='applicationarea'>";
                         echo "<h1>Greetings 0' exalted one, my master!</h1>";
                         // Adminforms below...
                         $sectionid = (isset($_GET['sectionid']) && is_numeric($_GET['sectionid'])) ? $_GET['sectionid'] : "failure";
                         echo $sectionid;
                         if ($sectionid == 1)
                               {
                               echo "<div class='applicationarea'>";
                               echo "Welcome to section 1!";
                               die("</div><!-- applicationarea end -->");
                               }
                         die("</div><!-- applicationarea end -->");
                         }
                   }
            }
            else
            {
            echo "<div class='applicationarea'>";
            echo $loginform;
            die("</div><!-- applicationarea end -->");
            }
            ?>

            When I arrive after log-in, I see the "failed" message. Fair enough as no links have been clicked. But when I click the second menulink from the top, it just tosses me straight out to the log-in prompt.

            Why can't I get to the "Welcome to section 1" message? Why does $_GET not get set?

              $siteuser is never defined, you mean $row['name']

                Both $siteuser and $siteuserpasswd are defined by the use of the variable variables ($$row['name'] = $row['param'];). The problem is elsewhere. The content of $$row itself becomes a variable then set to the content of the "param" field in the same row afterwards.

                $row['name'] is "siteuser". A new variable $siteuser is created by using $$row. Same procedure creates $siteuserpasswd.

                anybody's input is welcome here, I'm totally stuck.😕

                  ok i think i have it, tested it locally and the problem is the get is lost after the post, so you need to store the get var in the form in a hidden field then they will be sent in the post and you check them there.

                    <input type='hidden' value='{$_GET['sectionid']}' name='sectionid' />

                    in the form at the top then check $_POST['sectionid']

                      Ok, I'll try it tomorrow. It's rather late at my end now. Thanx though, sounds like it just might work.

                      So the problem is not that $_GET can't be used with PHP_SELF, but rather that $_POST is wiping out $_GET?

                      Just to be clear on this stuff. Can you explain to me why $_POST wipes out $_GET?

                        you could add the get vars to the url you post to, but i personally prefer not to mix the two.

                        if you do a print_r($_SERVER); you will see what server vars you can use including ones with the get vars instead of php_self

                          "you could add the get vars to the url you post to"

                          But posting with PHP_SELF and using $_GET was exactly what didn't work...

                          Maybe I'm just not getting what you mean. Do you mean the PHP_SELF in the form "action" attribute in the original log-in form?

                            Ok, did as I believe was suggested. The code:

                            $sectionid = (isset($_GET['sectionid']) && is_numeric($_GET['sectionid'])) ? $_GET['sectionid'] : "failed";
                            echo $sectionid;
                            $loginform = "<form method='post' action='{$_SERVER['PHP_SELF']}'>
                            <fieldset>
                            <legend>LOG-IN</legend>
                            <p><label>Name:</label><input name='formusername' type='text' size='15' maxlength='20' /></p>
                            <p><label>Password:</label><input name='formpassword' type='password' size='15' maxlength='20' /></p>
                            <input type='hidden' value='{$_GET['sectionid']}' name='sectionid' />
                            <p><input class='submit' type='submit' value='Log-in' name='login' /></p>
                            </fieldset>
                            </form>";
                            

                            I get: Notice: Undefined index: sectionid in /home/arioch/public_html/musicartcenter.php on line 144 like it isn't set?

                            print_r($_GET) comes up. "0Array ( [sectionid] => 0 )
                            Notice: Use of undefined constant sectionid - assumed 'sectionid' in...".

                              you have to check the $_POST[sectionid] not the get

                                print_r($_SESSION) and print_r($_POST) gives me: Array ( [authorized] => 1 ) Array ( [formusername] => Admin00 [formpassword] => Admin00 [sectionid] => [login] => Log-in )

                                As you can see, $sectionid is still empty, and clicking any of the menu links still just tosses me out to the log-in form.

                                Just to get you current, the section I'm working on is:

                                $sectionid = (isset($_GET['sectionid']) AND is_numeric($_GET['sectionid'])) ? $_GET['sectionid'] : "failed";
                                echo $sectionid;
                                print_r($_SESSION);
                                $loginform = "<form method='post' action='{$_SERVER['PHP_SELF']}'>
                                <fieldset>
                                <legend>LOG-IN</legend>
                                <p><label>Name:</label><input name='formusername' type='text' size='15' maxlength='20' /></p>
                                <p><label>Password:</label><input name='formpassword' type='password' size='15' maxlength='20' /></p>
                                <input type='hidden' value= '{$_GET['sectionid']}' name='sectionid' />
                                <p><input class='submit' type='submit' value='Log-in' name='login' /></p>
                                </fieldset>
                                </form>";
                                if (($sectionid == 1) AND ($_SESSION['authorized'] == TRUE))
                                      {
                                      echo "<div class='adminbox'>";
                                      echo menu();
                                      echo "</div><!-- adminbox end -->";
                                      echo "<div class='applicationarea'>";
                                      echo "Welcome to section 1!";
                                      die("</div><!-- applicationarea end -->");
                                      }
                                else Die('sorry underling, you are not authorized to view this section');
                                if (($sectionid == 2)  AND ($_SESSION['authorized'] == TRUE))
                                      {
                                      echo "<div class='adminbox'>";
                                      echo menu();
                                      echo "</div><!-- adminbox end -->";
                                      echo "<div class='applicationarea'>";
                                      echo "Welcome to section 2!";
                                      die("</div><!-- applicationarea end -->");
                                      }
                                if (($sectionid == 3  AND ($_SESSION['authorized'] == TRUE))
                                else Die('sorry underling, you are not authorized to view this section');
                                      {
                                      echo "<div class='adminbox'>";
                                      echo menu();
                                      echo "</div><!-- adminbox end -->";
                                      echo "<div class='applicationarea'>";
                                      echo "Welcome to section 3!";
                                      die("</div><!-- applicationarea end -->");
                                      }
                                if (($sectionid == 4  AND ($_SESSION['authorized'] == TRUE))
                                else Die('sorry underling, you are not authorized to view this section');
                                      {
                                      echo "<div class='adminbox'>";
                                      echo menu();
                                      echo "</div><!-- adminbox end -->";
                                      echo "<div class='applicationarea'>";
                                      echo "Welcome to section 4!";
                                      die("</div><!-- applicationarea end -->");
                                      }
                                

                                This works except for one thing: The $_SESSION['allowed'] == 1 is now empty, so the check fails. I do have "session_start" at the top of the page, so the variable should be intact, correct?

                                  before you post the form view source and see if the hidden field sectionid is filled in.

                                    It is filled in, no problem and I can fetch it with $_GET. Using $_POST was useless here.

                                    One final issue remains. As soon as I click one of the links in the admin menu $_SESSION['allowed'] == 1 loses its value. Without the admin check and its else upon failure when attempting access to the sections, the process works.

                                    print_r($_SESSION); gives me: Array ( [allowed] => ) 4

                                    We're getting close now.

                                    How do I preserve that variable when "session_start()" at the top of the page doesn't cut it? As it is now, I can just copy/paste a URL from the admin side into the browserline and hit enter to circumvent my way around the log-in procedure to go straight to the admin menu.

                                      it's in a form that is posted, so it's a post var not a get var

                                        Ok. Using $_GET without having to park the value in a hidden field in the form to $_POST now works, but $_SESSION still causes quirks.

                                        When the page first loads both $_SESSION['allowed'] and $_SESSION['disallowed'] are set to true. Why? According to the code, $_SESSION['allowed'] should not be set until after log-in where $_SESSION['disallowed'] is then unset as the consequence but that doesn't happen either.

                                        Note: I have posted the latest code in place of the old in my second post of the thread.
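
The two problems the thread ends on, as an added example that is not code from any poster: a form posted to PHP_SELF drops the query string, and the session flag has to be set only by a successful login and tested with a comparison on every request. Function names, the account and the sample requests are constructed, and `password_hash()`/`password_verify()` are swapped in for the thread's `md5()`.

```php
<?php
// Added example. The account and the sample requests are constructed.

// Accept only the ids the menu links to (0-3); anything else becomes null.
function section_id(array $get): ?int
{
    $id = filter_var($get['sectionid'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 3]]);
    return $id === false ? null : $id;
}

// PHP_SELF has no query string, so posting to it drops ?sectionid=N.
// Rebuild the action from the script path plus the validated id, HTML-escaped.
function form_action(string $script, ?int $section): string
{
    $query = $section === null ? '' : '?' . http_build_query(['sectionid' => $section]);
    return htmlspecialchars($script . $query, ENT_QUOTES, 'UTF-8');
}

// The only place the flag is ever assigned. On a live page, call
// session_regenerate_id(true) here and pass $_SESSION as $session.
function login(array &$session, string $user, string $pass, array $account): bool
{
    $ok = hash_equals($account['user'], $user) && password_verify($pass, $account['hash']);
    if ($ok) {
        $session['allowed'] = true;
    }
    return $ok;
}

// Strict comparison; "if ($session['allowed'] = TRUE)" would assign and always pass.
function may_view(array $session): bool
{
    return ($session['allowed'] ?? false) === true;
}

// One entry point: the gate runs on every request, so a pasted admin URL
// without a logged-in session only ever gets the form.
function render(array $get, array $session, string $script): string
{
    $section = section_id($get);
    if (!may_view($session)) {
        return "<form method='post' action='" . form_action($script, $section) . "'>(login fields)</form>";
    }
    return $section === null ? 'Pick a section.' : "Welcome to section $section!";
}

// Constructed walk-through: anonymous request, login, then two menu clicks,
// the second with a non-numeric id.
$account = ['user' => 'siteadmin', 'hash' => password_hash('Example-Passw0rd', PASSWORD_DEFAULT)];
$session = [];
echo render(['sectionid' => '2'], $session, '/mainpage.php'), "\n";
login($session, 'siteadmin', 'Example-Passw0rd', $account);
echo render(['sectionid' => '2'], $session, '/mainpage.php'), "\n";
echo render(['sectionid' => 'abc'], $session, '/mainpage.php'), "\n";
```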