PLEASE HELP... why does this code work? it's not making sense to me!

[ejarnutowski]

Below are two pages used for an account login - one for entering the login information and one for verifying that information.  When a user types in the wrong login information, they are redirected back to the first page and it says "The username or password you entered was incorrect  Please try again."  Please explain how this happens.  it's driving me nuts!  ALSO, why wouldnt the user be redirected back to the first page every single time since there is no $_POST['username'] from the first page.  Please help.  Thanks in advance.

 

 

FIRST PAGE - rmslogin.php

 

<?php


         session_start();

                                        if (isset($_SESSION['invalid'])) {
                                                Print '<br><h2>The username or password you entered was incorrect<br>Please try again<br><br></h2>';
                                        }
                                ?>

			<form action="rmsloginverify.php" method="post">
                                    <table border="0" id="RMSlogin" cellspacing="0" cellpadding="0">
                                    <tr><td><label><h2>Username: </h2></td><td><input type="text" name="loginname" size="30"/></label></td> 
                                    <tr><td><label><h2>Password: </h2></td><td><input type="password" name="loginpassword" size="30"/></label></td>
                                    </table>
                                    <h2><input type="submit" value="Login" /></h2>
                                    </form><br>

 

SECOND PAGE - rmsloginverify.php

 

<?php

session_start();

        if (!isset($_POST['username'])) {
                $_SESSION['invalid']='invalid';
                header("location:rmslogin.php");
        }
        

// username and password sent from signup form 
$username=$_POST['loginname']; 
$userpassword=md5($_POST['loginpassword']);

$sql="SELECT * FROM user WHERE username='$username' and userpassword='$userpassword'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row

if($count==1){
// Register $myusername, $mypassword and redirect to file "rms.php"
$_SESSION['username']=$username;
$_SESSION['userpassword']=$userpassword;
header("location:rms.php");
}

?>

[priti]

Hi,

 

login functionality is kept for security purpose on site so that only valid user get entry in the system.So when your system sees that they don't have matching username and password combination it means either he is new user or someone is trying to get entry without credentials to your site.

 

Now technically on your first page

 

what is happening is you are given a form to enter the login info then your hit submit and then this is been POST to other page.

 

on second page validations are been done.

 

1.If some one has not given any username you don't need to check wether this user belongs to your site right ????

so if username is empty it is been redirected to your first page forcing user to give his/her correct username nad password.

 

$_SESSION['invalid']='invalid';

invalid is a flag to identify the invalid session.

 

session keeps the variable live in one to other page .Kindly reset on first page once you show the message to user

i.e

 

if (isset($_SESSION['invalid'])) {

                                                Print '<br><h2>The username or password you entered was incorrect<br>Please try again<br><br></h2>';

$_SESSION['invalid']='';                                        }

 

else it will keep on showing you this message :-)

 

hope this much understanding will give you insight of what is going on in your code.

 

Have a gr8 day.

 

[ejarnutowski]

The only thing is that there is no post of "username" from the first page.  There's only a post of "loginname" and "loginpassword".  Also, how is the user being redirected to the first page if incorrect login information is inputted?  this currently happens.  thanks.

[priti]

yes then instead $_POST['username'] check $_POST['loginname'] and the redirection is happening because of header() function.

 

 

[ejarnutowski]

i understand what would make the redirection happen, however, there is no $_POST['username'] from the previous page and the rest of the code runs.  i understand that it would make sense if it was $_POST['loginname'] but it's still working with $_POST['username'].  in the current code, with incorrect login information, how is that user being sent back to the first page? 

[johnny44]

In the second file, placing:

exit;

 

immediately after

header("location:rmslogin.php");

 

would generate the behaviour that you were expecting. The lack of the exit command is what generates the behaviour that you are actually seeing. But someone correct me if I'm wrong.

[priti]

my guess would be

 

if($count==1){

// Register $myusername, $mypassword and redirect to file "rms.php"

$_SESSION['username']=$username;

 

NOTE HERE YOU ARE POPULATING THE USERNAME IN SESSION ON CONDITION OF COUNT ONE AND ONCE THE SESSION GOT FILLED YOU ARE NOT RESETTING TO SOMETHING I MEAN UNSET IT .... SO NEXT CHANCE WHEN YOU WILL REFRESH IT WILL DO JUSTICE TO THE CODE.

 

(uppercase is simply used to show my response in your code)

 

$_SESSION['userpassword']=$userpassword;

header("location:rms.php");

}

 

Regards