Jump to content

HELP - Can't seem to understand my old code - it works, but I dont know why.


ejarnutowski

Recommended Posts

Ok, so I'm trying to manipulate some old code and I realized that I don't believe it should work but it does.  There are three pages - A login page, a verification page, and a home page.  I dont understand how when an incorrect username is typed in, i get redirected back to the first page saying "incorrect username and password."  Any help??  thanks.

 

PS.  the lines are (hr) tags

 

 

 

 

 

 

PAGE 1 - rmslogin.php

 

 

 

 

        <?php

        session_start();

        include '../_private/dbconnect.php';

 

                 if (isset($_SESSION['invalid'])) {

                          Print '<br><h2>The username or password you entered was incorrect<br>Please try again<br><br></h2>';

                                        }

                                         ?>

                                   <form action="rmsloginverify.php" method="post">

                                    <table border="0" id="RMSlogin" cellspacing="0" cellpadding="0">

                                    <tr><td><label><h2>Username: </h2></td><td><input type="text" name="loginname" size="30"/></label></td>

                                    <tr><td><label><h2>Password: </h2></td><td><input type="password" name="loginpassword" size="30"/></label></td>

                                    </table>

                                    <h2><input type="submit" value="Login" /></h2>

                                    </form>

 

 

 

PAGE 2 - rmsloginverify.php

 

 

 

<?php

session_start();

include '../_private/dbconnect.php';

 

        if (!isset($_POST['username'])) {

                $_SESSION['invalid']='invalid';

                header("location:rmslogin.php");

        }

       

// username and password sent from signup form

$username=$_POST['loginname'];

$userpassword=md5($_POST['loginpassword']);

 

$sql="SELECT * FROM user WHERE username='$username' and userpassword='$userpassword'";

$result=mysql_query($sql);

 

// Mysql_num_row is counting table row

$count=mysql_num_rows($result);

// If result matched $myusername and $mypassword, table row must be 1 row

 

if($count==1){

// Register $myusername, $mypassword and redirect to file "rms.php"

$_SESSION['username']=$username;

$_SESSION['userpassword']=$userpassword;

header("location:rms.php");

}

?>

 

 

 

 

PAGE 3 - rms.php

 

 

 

<?php

session_start();       

 

        if (!isset($_SESSION['username'])) {

                header("location:rmslogin.php");

        }

        else {

        }

 

include '../_private/dbconnect.php';

 

$data = mysql_query("SELECT * FROM customer, user WHERE userid=user.id AND username='$username' ORDER BY datesub DESC")

or die(mysql_error());

Print "<hr />";

Print "<table cellspacing=10>";

Print "<tr><th><h2>DateSubmitted</h2></th><th><h2>Company</h2></th><th><h2>Domain Name</h2></th><th><h2>% Done</h2></th><th><h2>Last Updated</h2></th><th><h2>Contact Name</h2></th><th><h2>Phone</h2></th><th><h2>Site Cost</h2></th><th><h2>My Payout</h2></th></tr>";

 

while($info = mysql_fetch_array( $data ))

{

 

Print "<tr><td><h2>".$info['datesub'] . "</td></h2> ";

Print "<td><h2>".$info['companyname'] . "</td><h/2> ";

Print "<td><h2>".$info['domainname'] . "</td></h2>";

Print "<td><h2>".$info['devstatus'] . "</td></h2>";

Print "<td><h2>".$info['lastupdated'] . "</td></h2>";

Print "<td><h2><a href=mailto:".$info['contactemail'] . ">".$info['contactfirst'] . " " . $info['contactlast'] . "</td></h2>";

Print "<td><h2>".$info['contactphone'] . "</td></h2>";

Print "<td><h2>".$info['sitecost'] . "</td></h2>";

Print "<td><h2>".$info['payout'] . "</td></h2></tr>";

}

 

Print "</table>";

Print "<hr/>";

 

?>

 

 

</td>

</tr>

</table>

</td>

</tr>

</table>

 

</body>

 

</html>

       

 

Link to comment
Share on other sites

just unset session.....

if ($_SESSION['invalid']=='invalid') {
                          Print '
<h2>The username or password you entered was incorrect
Please try again

</h2>';unset($_SESSION['invalid']);
                                        }
                                         ?>  


Link to comment
Share on other sites

this will redirect you to rmslogin.php if they typed incorrect username or password


<?php  
$username=$_POST['loginname']; 

$userpassword=$_POST['loginpassword'];

$sql="SELECT * FROM user WHERE username='$username' and password='$userpassword'";
$result=mysql_query($sql);
if (mysql_num_rows($result)==0) {
                $_SESSION['invalid']='invalid';
                header("Location:rmslogin.php");
        }
       
// Mysql_num_row is counting table row
if(mysql_num_rows($result)>1)
// If result matched $myusername and $mypassword, table row must be 1 row

{
// Register $myusername, $mypassword and redirect to file "rms.php"
$_SESSION['username']=$username;
$_SESSION['userpassword']=$userpassword;
header("location:rms.php");
}


?>

Link to comment
Share on other sites

I appreciate all your help, but the issue is that it works fine and i dont know why.  currently, when a user enters incorrect login information, the ARE redirected to rmslogin.php and that page says "The username or password you entered was incorrect

Please try again."  I just dont see how this could possibly work.  Also, on rmsloginverify.php, shouldn't there never be a $_POST['username'] and always send the user back to rmslogin.php because there was only a post of loginname and loginpassword on rmslogin.php?

Link to comment
Share on other sites

yes it works perfect for some reason.  if correct username and password are entered, it's redirected to rms.php.  if incorrect username and password are entered or no username or no password are entered, you are redirected back to rmslogin.php with the "incorrect info" error.  I just dont get it.  it doesn't look like it should work but it does.

Link to comment
Share on other sites

Is it really that difficult to understand?

 

In rmsloginverify.php you have these lines:

$sql="SELECT * FROM user WHERE username='$username' and password='$userpassword'";
$result=mysql_query($sql);
if (mysql_num_rows($result)==0) {
   $_SESSION['invalid']='invalid';
   header("Location:rmslogin.php");
}

 

So if the username & password combination doesn't exist in the table a seesion variable is set and the user is redirected to rmslogin.php

 

In the rmslogin.php page you have these lines:

if (isset($_SESSION['invalid'])) {
   Print '<h2>The username or password you entered was incorrect Please try again</h2>';
}

Which detects if that session value has been set (thereby indicating a failed login) and displays an appropriate error message.

 

By the way, don't double post.

Link to comment
Share on other sites

mjdamato - it would be easy to understand if that was the code i posted, but my code is above. 

 

The issue is not how do i make it work, but why does it work.  i cant fathom why a user can login, surpassing the following code when there is no post of "username"

 

        if (!isset($_POST['username'])) {
                $_SESSION['invalid']='invalid';
                header("location:rmslogin.php");
        }

Link to comment
Share on other sites

mjdamato - it would be easy to understand if that was the code i posted, but my code is above. 

 

The issue is not how do i make it work, but why does it work.  i cant fathom why a user can login, surpassing the following code when there is no post of "username"

 

        if (!isset($_POST['username'])) {
                $_SESSION['invalid']='invalid';
                header("location:rmslogin.php");
        }

 

Sorry, I thought that first bit of code was from your previous post. Well, you just need to trace what is going on. The first thing I would do would be to put this code right before that IF statement:

echo "<pre>";
print_r($_POST);
echo "<pre>";
die();

 

Do the values make sense to what you expect? Is 'username' one of the values? Take a look at that output and then determine what to check next. Is there any chance the very first page the user is presented to log in is NOT rmslogin.php?

Link to comment
Share on other sites

i'm positive that it's rmslogin.php.  someone mentioned something about not placing an exit function after the header() on rmsloginverify.php, but i was under the impression that header() redirects as soon as its read and no code after will be executed.  the biggest thing though, is how would it send the user back to the first page if incorrect username and password where inputted.

Link to comment
Share on other sites

the biggest thing though, is how would it send the user back to the first page if incorrect username and password where inputted.

 

When rmsloginverify.php is called, the header to redirect to rmslogin.php is laid down, since $username is not set. But the script carries on, since no exit command has been declared. And since $loginname and $loginpassword are incorrect, the second header to redirect to rms.php is ignored. So, at the end of the script, you are redirected to rmslogin.php, as per the first header that was laid down.

 

On the other hand, if $loginname and $loginpassword are correct, the second header is successfully laid down and overrides the first header. So you are taken to rms.php instead.

Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.