$_POST question

fxpepper

Hello,

I have a form and it's posting back to itself (for validation purposes) before it redirects to the next page (if valid). I;m not sure if this was the best way, but this seemed the easier way...
Anyway, I have a hidden field for logged in status - so my login.php pages does something like this:

<?php 

if(isset($_POST['submit'])) { // form has been submitted

	$errors = array();


	// Some form Validation, not complete
	$required_fields = array('username','password');
	foreach($required_fields as $fieldname) {
		if(!isset($_POST[$fieldname]) || empty($_POST[$fieldname]) && !is_numeric($_POST[$fieldname])) {
			$errors[] = $fieldname;
		}
	}

	if(empty($errors)) {

		$username = trim(mysql_prep($_POST['username']));
		$password = trim(mysql_prep($_POST['password']));
		$hash_password = sha1($password);

		$query = "SELECT id, username ";
		$query .= "FROM users ";
		$query .= "WHERE username = '{$username}' ";
		$query .= "AND hash_password = '{$hash_password}' ";

		$result = mysql_query($query, $connection);
		confim_query($result); // checks $result for false response

		if(mysql_num_rows($result) == 1) {				
			$message = "Login successful";
			redirect("staff.php");
		} else {
			$message = "Invalid Username or Password. Please try again.";
			$message .= "<br />" . mysql_error();

		}			
	}

} else { // form has not been submitted
	$username = "";
	$hash_password = "";
}

?>
<?php include("header.php"); ?>

<div id="page">
<form action="login.php" method="post">
	<input type="hidden" name="login_status" id="login_status" value="logged_in" />

<p>
<label for="">Username: </label>
<input type="text" name="username" id="username" value="<?php echo ($username); ?>" />
</p>

<p>
<label for="">Password: </label>
<input type="password" name="password" id="password" />
</p>

<input type="submit" id="submit" name="submit" value="Login" />

</form>

</div>

So the submit part actually works - but my question is in regards to $_POST['login_status'] (for the hidden field). Can I use this on another page, if it's not "posting" to there first? As you can see I am redirecting if it's a success (using javascript function)?? I tried using it on the "staff.php" page but it's not working....
This is what I have on the "staff.php" page:

<?php 
   $ls = $_POST['login_status'];
   if ($ls == "logged_in") {
      $ls = "Logout";
   } else {
      $ls = "Login";
   }
?>

then I tried to echo it out but it doesn't work:
<li><a href="login.php"><?php echo $ls; ?></a></li>

// I know the link would have to change too...

I tried with $GET and it works but I thought that was less secure (although I;m not totally sure about that even) and I am trying to get a better understanding on $POST

anyway, please let me know if you need any more info to clarify

thanks!

vicodin

Don't do it that way... Very insecure... You gonna want to start session when the user logs in. That way once the user logs in you will be able to use session variables to check if they are logged in. Here is a good beginners tutorial...

http://www.tizag.com/phpT/phpsessions.php

fxpepper

Okay, thank you.