HELP - Can't seem to understand my old code - it works, but I dont know why.

[ejarnutowski]

Ok, so I'm trying to manipulate some old code and I realized that I don't believe it should work but it does.  There are three pages - A login page, a verification page, and a home page.  I dont understand how when an incorrect username is typed in, i get redirected back to the first page saying "incorrect username and password."  Any help??  thanks.

 

PS.  the lines are (hr) tags

 

 

 

 

 

 

PAGE 1 - rmslogin.php

 

 

 

 

        <?php

        session_start();

        include '../_private/dbconnect.php';

 

                 if (isset($_SESSION['invalid'])) {

                          Print '<br><h2>The username or password you entered was incorrect<br>Please try again<br><br></h2>';

                                        }

                                         ?>

                                   <form action="rmsloginverify.php" method="post">

                                    <table border="0" id="RMSlogin" cellspacing="0" cellpadding="0">

                                    <tr><td><label><h2>Username: </h2></td><td><input type="text" name="loginname" size="30"/></label></td>

                                    <tr><td><label><h2>Password: </h2></td><td><input type="password" name="loginpassword" size="30"/></label></td>

                                    </table>

                                    <h2><input type="submit" value="Login" /></h2>

                                    </form>

 

 

 

PAGE 2 - rmsloginverify.php

 

 

 

<?php

session_start();

include '../_private/dbconnect.php';

 

        if (!isset($_POST['username'])) {

                $_SESSION['invalid']='invalid';

                header("location:rmslogin.php");

        }

       

// username and password sent from signup form

$username=$_POST['loginname'];

$userpassword=md5($_POST['loginpassword']);

 

$sql="SELECT * FROM user WHERE username='$username' and userpassword='$userpassword'";

$result=mysql_query($sql);

 

// Mysql_num_row is counting table row

$count=mysql_num_rows($result);

// If result matched $myusername and $mypassword, table row must be 1 row

 

if($count==1){

// Register $myusername, $mypassword and redirect to file "rms.php"

$_SESSION['username']=$username;

$_SESSION['userpassword']=$userpassword;

header("location:rms.php");

}

?>

 

 

 

 

PAGE 3 - rms.php

 

 

 

<?php

session_start();       

 

        if (!isset($_SESSION['username'])) {

                header("location:rmslogin.php");

        }

        else {

        }

 

include '../_private/dbconnect.php';

 

$data = mysql_query("SELECT * FROM customer, user WHERE userid=user.id AND username='$username' ORDER BY datesub DESC")

or die(mysql_error());

Print "<hr />";

Print "<table cellspacing=10>";

Print "<tr><th><h2>DateSubmitted</h2></th><th><h2>Company</h2></th><th><h2>Domain Name</h2></th><th><h2>% Done</h2></th><th><h2>Last Updated</h2></th><th><h2>Contact Name</h2></th><th><h2>Phone</h2></th><th><h2>Site Cost</h2></th><th><h2>My Payout</h2></th></tr>";

 

while($info = mysql_fetch_array( $data ))

{

 

Print "<tr><td><h2>".$info['datesub'] . "</td></h2> ";

Print "<td><h2>".$info['companyname'] . "</td><h/2> ";

Print "<td><h2>".$info['domainname'] . "</td></h2>";

Print "<td><h2>".$info['devstatus'] . "</td></h2>";

Print "<td><h2>".$info['lastupdated'] . "</td></h2>";

Print "<td><h2><a href=mailto:".$info['contactemail'] . ">".$info['contactfirst'] . " " . $info['contactlast'] . "</td></h2>";

Print "<td><h2>".$info['contactphone'] . "</td></h2>";

Print "<td><h2>".$info['sitecost'] . "</td></h2>";

Print "<td><h2>".$info['payout'] . "</td></h2></tr>";

}

 

Print "</table>";

Print "<hr/>";

 

?>

 

 

</td>

</tr>

</table>

</td>

</tr>

</table>

 

</body>

 

</html>

       

 

[zenag]

just unset session.....

if ($_SESSION['invalid']=='invalid') {
                          Print '
<h2>The username or password you entered was incorrect
Please try again

</h2>';unset($_SESSION['invalid']);
                                        }
                                         ?>  

[ejarnutowski]

The code works fine for some reason, i just dont get how the user is sent back to rmslogin.php if they type in the incorrect username or password. 

[zenag]

this will redirect you to rmslogin.php if they typed incorrect username or password

<?php  
$username=$_POST['loginname']; 

$userpassword=$_POST['loginpassword'];

$sql="SELECT * FROM user WHERE username='$username' and password='$userpassword'";
$result=mysql_query($sql);
if (mysql_num_rows($result)==0) {
                $_SESSION['invalid']='invalid';
                header("Location:rmslogin.php");
        }
       
// Mysql_num_row is counting table row
if(mysql_num_rows($result)>1)
// If result matched $myusername and $mypassword, table row must be 1 row

{
// Register $myusername, $mypassword and redirect to file "rms.php"
$_SESSION['username']=$username;
$_SESSION['userpassword']=$userpassword;
header("location:rms.php");
}


?>

[ejarnutowski]

I appreciate all your help, but the issue is that it works fine and i dont know why.  currently, when a user enters incorrect login information, the ARE redirected to rmslogin.php and that page says "The username or password you entered was incorrect

Please try again."  I just dont see how this could possibly work.  Also, on rmsloginverify.php, shouldn't there never be a $_POST['username'] and always send the user back to rmslogin.php because there was only a post of loginname and loginpassword on rmslogin.php?

[zenag]

can u able to redirect it to rms.php if username & password entered is correct?????

[zenag]

it seems that if username & password entered is corredt it displays the same message ..

""The username or password you entered was incorrect

Please try again""

 

[ejarnutowski]

yes it works perfect for some reason.  if correct username and password are entered, it's redirected to rms.php.  if incorrect username and password are entered or no username or no password are entered, you are redirected back to rmslogin.php with the "incorrect info" error.  I just dont get it.  it doesn't look like it should work but it does.

[Psycho]

Is it really that difficult to understand?

 

In rmsloginverify.php you have these lines:

$sql="SELECT * FROM user WHERE username='$username' and password='$userpassword'";
$result=mysql_query($sql);
if (mysql_num_rows($result)==0) {
   $_SESSION['invalid']='invalid';
   header("Location:rmslogin.php");
}

 

So if the username & password combination doesn't exist in the table a seesion variable is set and the user is redirected to rmslogin.php

 

In the rmslogin.php page you have these lines:

if (isset($_SESSION['invalid'])) {
   Print '<h2>The username or password you entered was incorrect Please try again</h2>';
}

Which detects if that session value has been set (thereby indicating a failed login) and displays an appropriate error message.

 

By the way, don't double post.

[zenag]

rmsverifylogin.php first checks for $_POST["username]; but u have not assigned it in login page...just change it to $_POST["loginname]; ...so that it gets redirected to login page .

[ejarnutowski]

mjdamato - it would be easy to understand if that was the code i posted, but my code is above. 

 

The issue is not how do i make it work, but why does it work.  i cant fathom why a user can login, surpassing the following code when there is no post of "username"

 

        if (!isset($_POST['username'])) {
                $_SESSION['invalid']='invalid';
                header("location:rmslogin.php");
        }

[Psycho]

mjdamato - it would be easy to understand if that was the code i posted, but my code is above. 

 

The issue is not how do i make it work, but why does it work.  i cant fathom why a user can login, surpassing the following code when there is no post of "username"

 

        if (!isset($_POST['username'])) {
                $_SESSION['invalid']='invalid';
                header("location:rmslogin.php");
        }

 

Sorry, I thought that first bit of code was from your previous post. Well, you just need to trace what is going on. The first thing I would do would be to put this code right before that IF statement:

echo "<pre>";
print_r($_POST);
echo "<pre>";
die();

 

Do the values make sense to what you expect? Is 'username' one of the values? Take a look at that output and then determine what to check next. Is there any chance the very first page the user is presented to log in is NOT rmslogin.php?

[ejarnutowski]

i'm positive that it's rmslogin.php.  someone mentioned something about not placing an exit function after the header() on rmsloginverify.php, but i was under the impression that header() redirects as soon as its read and no code after will be executed.  the biggest thing though, is how would it send the user back to the first page if incorrect username and password where inputted.

[johnny44]

the biggest thing though, is how would it send the user back to the first page if incorrect username and password where inputted.

 

When rmsloginverify.php is called, the header to redirect to rmslogin.php is laid down, since $username is not set. But the script carries on, since no exit command has been declared. And since $loginname and $loginpassword are incorrect, the second header to redirect to rms.php is ignored. So, at the end of the script, you are redirected to rmslogin.php, as per the first header that was laid down.

 

On the other hand, if $loginname and $loginpassword are correct, the second header is successfully laid down and overrides the first header. So you are taken to rms.php instead.

[ejarnutowski]

great answer, but why would the first header of rmslogin.php be used afer it was omitted initially because there was no username posted?  Shouldnt the page just stay on rmsloginverify.php, displaying nothing, because no executions were made?

[johnny44]

... why would the first header of rmslogin.php be used afer it was omitted initially because there was no username posted?  ...

 

Sorry, don't understand the question. If no username is posted, isn't the header committed, rather than omitted?