Inner "else" in log-in script fails to execute.

spookztar

Hi,

I'm having problems understanding what has gone wrong here, hope you can help.

If a user has not supplied the correct username- and password, the inner else is supposed to execute and present the log-in form again, but it doesn't. Why not? I just get a blank screen. Looking at the page source, I can see that everything below the <body> tag is missing.

What am I missing 😕

if (isset($_POST['login']))
 {
 $formusername = mysql_real_escape_string(strip_tags(trim($_POST['formusername'])));
 $formpassword = mysql_real_escape_string(strip_tags(trim($_POST['formpassword'])));
 $formpassword = sha1(md5($formpassword));
 $formusername = sha1(md5($formusername));
///////////////////////////////////////////////////////////////////////////////////////////////////////////////
 $login_query = sprintf("SELECT cartid, username, password FROM cart WHERE username='%s' AND password='%s'", $formusername, $formpassword);
 $query = mysql_query($login_query) OR die(mysql_error());
 $credentials = mysql_fetch_row($query) OR die(mysql_error());
   if ($credentials) 
      {
      session_regenerate_id();
      //
      // We release the http headers buffered earlier, now that the sessionid has been regenerated.
      //
      ob_end_flush();
      //
      // Parking the cartid in a session variable
      //
      $_SESSION['cartnr'] = $credentials[0];
      //
      // We update existing fingerprint with fresh spice.
      //
      $_SESSION['spice'] = md5(rand(1,1000000)); 
      //
      // We generate the standard fingerprint from useragent, userIP and adminspice.
      //
      $_SESSION['sessiontag'] = sha1($_SERVER['HTTP_USER_AGENT'].getenv('REMOTE_ADDR').$_SESSION['adminspice']);
      $_SESSION['authorized'] = 'yes';
      echo "<div class='applicationarea'>";
      echo "<div class='adminbox'>";
      echo menu($sectionid);
      echo "</div><!-- adminbox end -->";
      echo "<h1 class='hlook1'>Greetings 0' exalted one, my master!</h1>";
      die("</div><!-- applicationarea end -->");
      }
  else
      {
      echo "<div class='applicationarea'>";
      echo "<span class='warning'>FAILURE: Authentication failed. One- or both of the supplied credentials are wrong.</span>";
      echo $loginform;
      die("</div><!-- applicationarea end -->
           </body>
           </html>"); 
      } 
 } // button "if" end clamp.
else
   {
echo '<div class="applicationarea>';
echo $loginform;
die("\n</div><!-- applicationarea end -->\n</div><!-- siteframe -->\n</body>\n</html>");
   }

cahva

Well seems that you use ob_end_flush(); in the first but not in another situations. So I quess this is not the whole script and you have started to put stuff in buffer but dont end it in other situations than succesfull login.

spookztar

but I was under the impression, that if an output buffer isn't ended with a deliberate flush, it automatically spills all it's content at the end of a script anyways? Right?

Thanx for responding, cahva.

spookztar

Perhaps the:

die("\n</div><!-- applicationarea end -->\n</div><!-- siteframe -->\n</body>\n</html>");

in the inner "else" prevents the script from actually finishing and thus also blocks the obligatory spilling of the buffer at the end of the script?

I will test it when I get home from work.

EDIT: adding ob_end_flush(); to the beginning of the inner "else", did nothing.

Anymore suggestions?

spookztar

No one?