Hello people, I'd like to do the following, but so far no go. As it stands, everything appears on the screen at once, regardless of whether you're Logged in or Logged out. You can't even Log in or out.

Any help is greatly appreciated as I've been pulling my hair (or lack of hair) out.

When Logged in, have the...

Logout button appear
Show records button appear
Collapse records button appear
Login form disappear

When Logged out, have the...

Logout button disappear
Show records button disappear
Collapse records button disappear
Login form appear

Here is my code on the index.php page.....


<?php

if (isset($_SESSION['loggedIn']));

{

echo "<form action='index.php' method='post'><input
type='submit' value='Logout' name='logout'/></form>";

echo '<form id="show_records" action="index.php" method="post">
<input name="show" type="submit" value="Show Records" /></form>';

echo '<form id="collapse_records" action="index.php" method="post">
<input type="submit" value="Collapse Records" /></form>';

}


?>


<?php 

if (isset($_SESSION['logout']))

unset($_SESSION['loggedIn']);

include "adminlogin.php";

?>

Here is my code on the adminlogin.php page.....


<div id="login">

<form action="index.php" method="post">
<h3 style="margin-left: 0px;">Administration</h3>
Username:<br />
<input type="text" name="user" /><br/><br/>
Password:<input type="password" name="pass" /><br/><br/>

<input type='hidden' id='loginAttempt' name='loginAttempt' value='1' />
<input type="submit" value="Login" name="login" />

</form>

</div>

<div id="login_status">

<?php

session_start();
$errorMsg = "";

$username="";
$password="";
$database="";

if ($debug) echo ">".$_POST['id']."<";

$id=$_POST['id'];
mysql_connect('localhost',$username,$password);
@mysql_select_db($database) or die( "Unable to select database");

if ($_POST['user'] && $_POST['pass']) $notBlank = 1;

if ($notBlank)
{
$query_login = mysql_query("SELECT * FROM adminlogin");
$error = mysql_error();
echo $error;
$maxItems = 0;
while ($login[] = mysql_fetch_array($query_login))
{
$maxItems++;
}
$userFound = 0;
$passFound = 0;
for ($ctr=0; $ctr<$maxItems; $ctr++)
{
if ($_POST['user'] == $login[$ctr]['user'] && $_POST['pass'] == $login[$ctr]['pass'])
{
$userFound++;
}
}
if ($userFound == 0)
{
echo "Incorrect Username or Password.";
unset($_SESSION['loggedIn']);
}
else
{

$_SESSION['loggedIn'] = 1;
}


}

?>
    if (isset($_SESSION['loggedIn']));
    
    {

    Is that semicolon not giving you any issues? if statements do not need them.

    The code looks fine, btw you are making the login area hard for yourself.

    you can just do

    sprintf('SELECT * FROM adminlogin WHERE user="%s" AND pass="%s"',$user,$pass);

      Thanks for the tips. It works fine now, except now I have to click 'Login' twice for it to Log in.

      The adminlogin.php code remains the same (I will simplify it like you said) but the index.php file looks like this.

      If I take include "adminlogin.php"; out of that PHP statement and give it its own, only one 'click' is required, otherwise, it needs two 'clicks' for some reason.

      Of course, it has to remain in that PHP statement so that it reacts with the other elements on the screen.

      <?php
      
      if (isset($_POST['logout']))
      
      unset($_SESSION['loggedIn']);
      
      
      ?>
      
      <?php include "insert.php"; ?>
      
      <?php
      
      if (isset($_SESSION['loggedIn']))
      
      {
      
      echo
      
      <<<EOD
      
      <form action="index.php" method="post">
      <input name="show" type="submit" value="Show Records" />
      </form>
      
      <form action="index.php" method="post">
      <input type="submit" value="Collapse Records" />
      </form>
      
      <form action='index.php' method='post'>
      <input type='submit' value='Logout' name='logout'/></form>
      
      EOD;
      
      }
      
      else
      
      {
      include "adminlogin.php";
      }
      
      
      ?>
      

        K that's fixed. I'm on my last error now. Has to do with deleting records. When I click 'Yes' to delete a record, I get:

        Notice: Undefined variable: id in /home/nicksonm/public_html/c_panel/Business/deleted.php on line 35
        Record deleted.

        But nothing is deleted. This is the code.

        <?php
        
        session_start();
        
        //if (isset($_POST['id'])) $_SESSION['id']=$_POST['id'];
        
        //echo $_SESSION['id'];
        
        ?>
        
        <?php
        
        error_reporting(E_ALL);
        ini_set('display_errors',
        true);
        ini_set('html_errors', false);
        
        
        if
        (isset($_POST['yes']))
        
        {
        
        // $id=$_SESSION['id'];
        
        $username="nicksonm_aususer";
        $password="aususer2";
        $database="nicksonm_ausmouldings";
        
        
        mysql_connect('localhost',$username,$password);
        
        
        
        $query="DELETE from contacts WHERE id='$id';";  <----- Line 35
        @mysql_select_db($database)or die( "Unable to select database");
        mysql_query($query);
        $sqlstatus=mysql_error();
        
        echo "$sqlstatus<br />";
        echo "Record deleted.";
        
        unset($_SESSION['id']);
        
        }
        
        
        
        ?>

          A notice is not an error, it does not halt processing, however $id not being set means the query can't work, there is nothing to say where $id comes from in your posted code.

            Made line 35 :

            $query="DELETE from contacts WHERE id='".$_POST['id']."';";

              dangerous, never put user input directly into a query

                Good Job!

                BTW dagon is right, very bad idea having the user's input being put straight into a query.

                Check out mysql_real_escape_string(); etc, I'm sure some of the other readers of this thread will post more security tips.

                  As dagon and DexterMorgan point out, user-supplied data should never be placed directly into a SQL query string else your code will be vulnerable to SQL injection attacks and/or just plain SQL errors. Instead, you must first sanitize it with a function such as mysql_real_escape_string() for string data (as the function name implies).

                  In the case where the data is numeric, however, that function should not be used - instead, you could cast the data to the appropriate type (e.g. cast an integer ID number to (int) or use intval()).
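
An added example (not code from any poster in this thread) of the advice above applied to the numeric id in the DELETE query: validate it as an integer, then bind it through a prepared statement. It assumes PDO with an in-memory SQLite database standing in for the thread's mysql_* calls (that extension was removed in PHP 7); the helper deleteContact() and the sample rows are hypothetical.

```php
<?php
// Added example with constructed data. The `contacts` table and its `id`
// column come from the thread; deleteContact() and the rows are assumptions.

function deleteContact(PDO $db, $rawId): int
{
    // Numeric input: validate as a positive integer rather than string-escaping it.
    // A missing or empty field fails here too, instead of reaching the query.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('id must be a positive integer');
    }

    // The placeholder keeps the value out of the SQL text entirely.
    $stmt = $db->prepare('DELETE FROM contacts WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();

    // Report what actually happened instead of a fixed "Record deleted."
    return $stmt->rowCount();
}

// In-memory database so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE contacts (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO contacts (id, name) VALUES (1, 'Alice'), (2, 'Bob'), (3, 'Carol')");

// Constructed stand-ins for $_POST['id']: one valid value, three malformed ones.
foreach (['2', '2 OR 1=1', '', "2'; --"] as $posted) {
    $label = var_export($posted, true);
    try {
        $deleted = deleteContact($db, $posted);
        echo "id=$label -> deleted $deleted row(s)\n";
    } catch (InvalidArgumentException $e) {
        echo "id=$label -> rejected: " . $e->getMessage() . "\n";
    }
}

echo 'rows left: ' . $db->query('SELECT COUNT(*) FROM contacts')->fetchColumn() . "\n";
```

In the real page the same function would be called with $_POST['id'] on a PDO connection to the MySQL database, after the session check that gates the admin buttons.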
