Search the Community

I wrote a very simple log in page that I am going to build on by adding code to prevent XSS and to encrypt the password but as of right now I cannot get the showForm() messages to display properly. In fact if nothing is entered, or if any information is entered (valid or not), it takes you to a blank screen. Here is the code I wrote. Can anyone see as to where I missed something? I've looked it over so many times I am most likely missing the obvious. Thank you. <?php session_start(); //validate text was entered in UserName text box switch(true){ case (empty($_POST['btnSubmit']) && empty($_POST['txtUserName']) && empty($_POST['txtPassword'])): showForm('Log in to WisCon'); break; case (isset($_POST['btnSubmit']) && isset($_POST['txtPassword']) && empty($_POST['txtUserName'])): showForm('Enter your user name.'); break; case (isset($_POST['btnSubmit']) && isset($_POST['txtPassword']) && empty($_POST['txtUserName'])): showForm('Enter your password.'); break; case (isset($_POST['btnSubmit']) && (isset($_POST['txtUserName'])) && isset($_POST['txtPassword'])): $UserName = $_POST['txtUserName']; $Password = $_POST['txtPassword']; //database login $dsn = 'mysql:host=XXX;dbname=XXX'; $username='XXX'; $password='XXX'; //variable for errors $options = array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION); //try to run code try { //object to open database $db = new PDO($dsn,$username,$password, $options); //check username against password $SQL = $db->prepare("Select USER_PASSWORD FROM user WHERE user_name = :UserName and USER_PASSWORD = :Password"); $SQL->bindValue(':UserName', $UserName); $SQL->bindValue(':Password', $Password); $SQL->execute(); $username = $SQL->fetch(); if($username === false) { $password = null; } else { $password = $username['USER_PASSWORD']; include 'index.php'; } return $password; $SQL->closeCursor(); $db = null; } catch(PDOException $e){ $error_message = $e->getMessage(); echo("<p>Database Error: $error_message</p>"); exit(); } } function showForm($formMessage = "Welcome.") {?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>Log In</title> <link rel="stylesheet" href="styles/default-styles.css" type="text/css" /> <link rel="stylesheet" href="styles/FormStyle.css" type="text/css" /> <script type="text/javascript" src="js/validateLogInForm.js/validateLogInForm.js"></script> </head> <body id="logPage"> <div id="wrapper"> <?php include('includes/header.php'); ?> <?php include('includes/topNavigation.php'); ?> <div id="mainContent"> <div class="formDiv"> <form name="registerForm" id="registerForm" action="" method="post"> <?php if ($formMessage !="") echo "<h2 style=\"color:#FF0000; text-align: center\">".$formMessage."</h2>"; ?> <h1 style="color:#FF530D; text-align: center">Log into your account here!</h1> <fieldset id="security"> <legend>Security</legend> <label for="txtUserName" class="boxLabel">User Name:</label> <input type="text" id="txtUserName" name="txtUserName" autofocus="autofocus" required="required" /> <script type="text/javascript"> if(!("autofocus" in document.createElement("input"))) { setTimeout(function(){ document.getElementById("txtUserName").focus(); }, 10); } </script> <label for="txtPassword" class="boxLabel">Password:</label> <input type="password" id="txtPassword" name="txtPassword" required="required" /> </fieldset> <fieldset id="submission"> <div id="buttons"> <input type="submit" id="btnSubmit" name="btnSubmit" value="Submit" onclick="return validateLogInForm()"/> <input type="reset" id="btnReset" name="btnReset" > </div><!--end buttons--> </fieldset> </p> </form> </div><!--end div class=formDiv--> </div><!--end div id=mainContent--> <?php include('includes/footer.php'); ?> </div><!--end div id=wrapper--> </body> </html> <?php } ?> Also, here is a more crude form of the log in page. This one displays the first showForm("Please Enter A User Name") message when you first hit the page (which I'd prefer the "Welcome " message to display and does not change to the other messages if improper data is entered, but hits the database and if the username and password do not exist or match it keeps you on the log in page and if they do match it sends you to the index.php page, as it should. <?php session_start(); //validate text was entered in UserName text box if(empty($_POST['txtUserName'])) { showForm('Please Enter A User Name'); exit(); } else { $UserName = $_POST['txtUserName']; } //validate text was entered in password text box if(empty($_POST['txtPassword'])) { showForm('Please Enter A Valid Password'); exit(); } else { $Password = $_POST['txtPassword']; } if($Password != Password($UserName)) { showForm('User Name And Password Do Not Match!'); exit(); } function Password($UserName) { //database login $dsn = 'mysql:host=XXX;dbname=XXX'; $username='XXX'; $password='XXX'; //variable for errors $options = array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION); //try to run code try { //object to open database $db = new PDO($dsn,$username,$password, $options); //check username against password $SQL = $db->prepare("Select USER_PASSWORD FROM user WHERE user_name = :UserName and USER_PASSWORD = :Password"); $SQL->bindValue(':UserName', $UserName); $SQL->bindValue(':Password', $Password); $SQL->execute(); $username = $SQL->fetch(); if($username === false) { $password = null; } else { $password = $username['USER_PASSWORD']; include 'index.php'; } return $password; $SQL->closeCursor(); $db = null; } catch(PDOException $e){ $error_message = $e->getMessage(); echo("<p>Database Error: $error_message</p>"); exit(); } } function showForm($formMessage = "Welcome.") {?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>Log In</title> <link rel="stylesheet" href="styles/default-styles.css" type="text/css" /> <link rel="stylesheet" href="styles/FormStyle.css" type="text/css" /> <script type="text/javascript" src="js/validateLogInForm.js/validateLogInForm.js"></script> </head> <body id="logPage"> <div id="wrapper"> <?php include('includes/header.php'); ?> <?php include('includes/topNavigation.php'); ?> <div id="mainContent"> <div class="formDiv"> <form name="registerForm" id="registerForm" action="" method="post"> <?php if ($formMessage !="") echo "<h2 style=\"color:#FF0000; text-align: center\">".$formMessage."</h2>"; ?> <h1 style="color:#FF530D; text-align: center">Log into your account here!</h1> <fieldset id="security"> <legend>Security</legend> <label for="txtUserName" class="boxLabel">User Name:</label> <input type="text" id="txtUserName" name="txtUserName" autofocus="autofocus" required="required" /> <script type="text/javascript"> if(!("autofocus" in document.createElement("input"))) { setTimeout(function(){ document.getElementById("txtUserName").focus(); }, 10); } </script> <label for="txtPassword" class="boxLabel">Password:</label> <input type="password" id="txtPassword" name="txtPassword" required="required" /> </fieldset> <fieldset id="submission"> <div id="buttons"> <input type="submit" id="btnSubmit" name="btnSubmit" value="Submit" onclick="return validateLogInForm()"/> <input type="reset" id="btnReset" name="btnReset" > </div><!--end buttons--> </fieldset> </p> </form> </div><!--end div class=formDiv--> </div><!--end div id=mainContent--> <?php include('includes/footer.php'); ?> </div><!--end div id=wrapper--> </body> </html> <?php } ?>