matt.sisto Posted March 14, 2009

Hello, I am trying to build a login form that will differentiate the login details from 3 different tables by way of a radio button. I am building a system for a consultancy firm, there will be clients, consultants, and organisations, each having a separate table in the database. I am relatively new so still have a lot to learn so any advice would be much appreciated, I hope I have explained it well enough.

http://salmonsreach.org/loginform1.php

loginform1.php:

```html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Log In</title>
</head>
<body>
<h1>Log In</h1>
<form name="login" method="post" action="logincheck1.php">
<Input type = 'Radio' Name ='id' value= 'client' >Client
<Input type = 'Radio' Name ='id' value= 'consultant' >Consultant
<Input type = 'Radio' Name ='id' value= 'organisation' >Organisation
<p>Email:<br /> <input type="text" name="email_address" /> </p>
<p>Password:<br /> <input type="password" name="passwd" /> </p>
<p><input type="submit" name="submit1" value="Login"/></p>
</form>
</body>
</html>
```

logincheck1.php:

```php
<?php
session_start();
require "dbconn2.php";

$email_address = $_POST['email_address'];
$passwd = $_POST['passwd'];
$id = $_POST['id'];

if 'id' = 'client' {
    $sql = "SELECT * FROM client WHERE email_address='".$email_address ."' AND passwd='".$passwd."'";
    $result = mysql_query ($sql, $connection)
        or die ("Could not perform query $sql <br />".mysql_error());
    $row = mysql_fetch_array($result);
}
else 'id' = 'consultant' {
    $sql = "SELECT * FROM consultant WHERE email_address='".$email_address ."' AND passwd='".$passwd."'";
    $result = mysql_query ($sql, $connection)
        or die ("Could not perform query $sql <br />".mysql_error());
    $row = mysql_fetch_array($result);
}
else if 'id' = 'organisation' {
    $sql = "SELECT * FROM organisation WHERE email_address='".$email_address ."' AND passwd='".$passwd."'";
    $result = mysql_query ($sql, $connection)
        or die ("Could not perform query $sql <br />".mysql_error());
    $row = mysql_fetch_array($result);
}

if ($row != null) {
    $_SESSION['email'] = $row['email'];
    header("Location: calendar2.php");
    exit();
}
else {
    header("Location: loginform1.php");
    exit();
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>logincheck1.php</title>
</head>
<body>
</body>
</html>
```
WolfRage Posted March 14, 2009

1: Your if and else-if statements need to have parentheses.
2: "=" sets values, "==" compares like items, "===" compares exact items.
3: Establish your session on the first page and maintain it all of the way through.
4: Security! If you take those variables and apply them directly to your database, you are going to have injection attacks that will make you hugely liable to that client.
waynew Posted March 14, 2009

Ok.... it seems as if you're trying to run before learning how to walk.

else if 'id' = 'organisation' ???

It seems as if you haven't actually learned how to use basic conditional statements. For example:

```php
$name = "Wayne";

if($name == "Wayne"){
    //IF the variable $name is equal to Wayne
    echo "Name is Wayne";
}
else if($name == "WolfRage"){
    //ELSE IF the variable $name is equal to WolfRage
    echo "Name is WolfRage";
}
else if($name =="John"){
    echo "Name is John";
}
else{
    //ELSE, if $name isn't equal to any of the above
    echo "Name not found";
}
```
matt.sisto Posted March 14, 2009

waynewex this is true, it's for my final year dissertation and I only have 2 months to complete it, so I need to learn quick. I am trying though. So it is sort of trial and error.

WolfRage I was hoping to get the system working and then I intend to sort out the security, I haven't even considered potential attacks. ???
waynew Posted March 14, 2009

I've made some fixes. Try them out:

```php
<?php
session_start();
require "dbconn2.php";

//Using the function mysql_real_escape_string() AFTER a connection
//has been established will clean incoming variables and prevent
//users from tampering with your SQL by inserting some of their own
$email_address = mysql_real_escape_string($_POST['email_address']);
$passwd = mysql_real_escape_string($_POST['passwd']);
$id = mysql_real_escape_string($_POST['id']);

if($id == 'client') {
    $sql = "SELECT * FROM client WHERE email_address='".$email_address ."' AND passwd='".$passwd."'";
    $result = mysql_query ($sql, $connection)
        or die ("Could not perform query $sql <br />".mysql_error());
    $row = mysql_fetch_row($result);
}
else if($id == 'consultant') {
    $sql = "SELECT * FROM consultant WHERE email_address='".$email_address ."' AND passwd='".$passwd."'";
    $result = mysql_query ($sql, $connection)
        or die ("Could not perform query $sql <br />".mysql_error());
    $row = mysql_fetch_row($result);
}
else if($id == 'organisation') {
    $sql = "SELECT * FROM organisation WHERE email_address='".$email_address ."' AND passwd='".$passwd."'";
    $result = mysql_query ($sql, $connection)
        or die ("Could not perform query $sql <br />".mysql_error());
    $row = mysql_fetch_row($result);
}
else{
    echo 'Incorrect type';
}

if (mysql_num_rows($row) == 1){
    $_SESSION['email'] = $row['email'];
    header("Location: calendar2.php");
    exit();
}
else{
    header("Location: loginform1.php");
    exit();
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>logincheck1.php</title>
</head>
<body>
</body>
</html>
```
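The same lookup written with bound parameters and an allow-list for the radio value, so no posted string is ever spliced into the SQL text. This is an added example, not code from any poster in the thread; it assumes PDO with the SQLite driver, and the in-memory tables, the `find_account()` helper and the sample row are constructed so it runs offline.

```php
<?php
// Added example, not code from the thread. Table layout follows the
// column names used in the posts; the data below is constructed.
const ACCOUNT_TABLES = [
    'client'       => 'client',
    'consultant'   => 'consultant',
    'organisation' => 'organisation',
];

function find_account(PDO $db, string $type, string $email): ?array
{
    // The radio value only selects a key in a fixed map. Anything that
    // is not one of the three expected values is rejected outright.
    if (!array_key_exists($type, ACCOUNT_TABLES)) {
        return null;
    }
    $table = ACCOUNT_TABLES[$type];   // comes from our constant, not from POST

    // Bound parameter: the e-mail is sent as data, never parsed as SQL.
    $stmt = $db->prepare(
        "SELECT email_address, first_name FROM $table WHERE email_address = :email"
    );
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);   // associative keys, e.g. $row['first_name']
    return $row === false ? null : $row;
}

// Constructed in-memory database standing in for dbconn2.php.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
foreach (ACCOUNT_TABLES as $table) {
    $db->exec("CREATE TABLE $table (email_address TEXT PRIMARY KEY, first_name TEXT)");
}
// A legitimate address containing a quote character needs no manual escaping.
$db->prepare('INSERT INTO client VALUES (?, ?)')
   ->execute(["pat.o'neil@example.test", 'Pat']);

var_dump(find_account($db, 'client', "pat.o'neil@example.test")); // existing client
var_dump(find_account($db, 'consultant', "pat.o'neil@example.test")); // wrong table
var_dump(find_account($db, 'admin', "pat.o'neil@example.test")); // type not in the map
```

With exceptions enabled on the connection, a failed query no longer needs `or die(... $sql ... mysql_error())`, which would otherwise show the query text and database error to the visitor.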
waynew Posted March 14, 2009

Also, you should probably look into password encryption. Clear-text passwords shouldn't really be stored inside your database. You should encrypt passwords upon registration by using an encryption function such as the sha1() function.

```php
$clear_password = "mypassword";
$encrypted_password = sha1($clear_password);
//insert $encrypted_password into database as user's password
```

Then, when wanting to compare an attempted login with the encrypted password inside the database, simply encrypt their attempted password and compare that with the encrypted password that is already inside the database.

```php
$pass_attempt = $_POST['password'];
$email = mysql_real_escape_string($_POST['email']);
$encrypted_pass_attempt = sha1($pass_attempt);
$sql = "SELECT * FROM users WHERE email = '$email' AND password = '$encrypted_pass_attempt'";
```
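sha1() is a fast, unsalted hash, so two accounts with the same password get the same stored value; PHP's password_hash() and password_verify() (PHP 5.5 and later) add a per-password salt and a tunable cost. The following added example, which is not code from the thread, verifies a login against either format and upgrades a stored SHA-1 value once the correct password is seen; the `verify_and_upgrade()` helper, the 40-hex-character legacy format and the sample password are assumptions made for the demonstration.

```php
<?php
// Added example, not code from the thread. Sample values are constructed.

function is_legacy_sha1(string $stored): bool
{
    // Assumption: old rows hold the bare 40-character hex digest from sha1().
    return strlen($stored) === 40 && ctype_xdigit($stored);
}

/**
 * Check a login attempt against the stored value.
 * Returns [bool $ok, ?string $replacement]; when $replacement is not null
 * the caller writes it back to the passwd column for that account.
 */
function verify_and_upgrade(string $stored, string $attempt): array
{
    if (is_legacy_sha1($stored)) {
        // Constant-time comparison of the old unsalted digest.
        if (!hash_equals($stored, sha1($attempt))) {
            return [false, null];
        }
        // Correct password: replace the digest with a salted, slow hash.
        return [true, password_hash($attempt, PASSWORD_DEFAULT)];
    }
    if (!password_verify($attempt, $stored)) {
        return [false, null];
    }
    // Re-hash when PASSWORD_DEFAULT or its cost has changed since storage.
    $new = password_needs_rehash($stored, PASSWORD_DEFAULT)
        ? password_hash($attempt, PASSWORD_DEFAULT)
        : null;
    return [true, $new];
}

// Same password on two accounts: compare what each scheme would store.
var_dump(sha1('correct horse') === sha1('correct horse'));
var_dump(password_hash('correct horse', PASSWORD_DEFAULT)
     === password_hash('correct horse', PASSWORD_DEFAULT));

// First login against a legacy row succeeds and yields a replacement hash.
[$ok, $upgraded] = verify_and_upgrade(sha1('correct horse'), 'correct horse');
var_dump($ok, is_legacy_sha1($upgraded));

// Later logins use the new hash; a wrong password is rejected.
[$okAgain, $replacement] = verify_and_upgrade($upgraded, 'correct horse');
[$bad] = verify_and_upgrade($upgraded, 'wrong guess');
var_dump($okAgain, $replacement, $bad);
```

Because the salt lives inside the stored hash, the password can no longer be matched in the WHERE clause: fetch the row by e-mail address first, then call the verification function on the stored value.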
matt.sisto Posted March 14, 2009

Thanks waynewex. It seems to work better, it's no longer getting stuck on the logincheck1.php, however it is just returning to the loginform1.php? Any ideas?
WolfRage Posted March 14, 2009

Well, your NULL else statement is being triggered, so the $row is not being returned from the MySQL query.
matt.sisto Posted March 14, 2009

Wolfrage do you think it is having a problem with using the value from the radio buttons on the loginform to determine the value of the $id in logincheck?

loginform1.php:

```php
<?php session_start(); ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Log In</title>
</head>
<body>
<h1>Log In</h1>
<form name="login" method="post" action="logincheck1.php">
<Input type = 'Radio' Name ='id' value= 'client' >Client
<Input type = 'Radio' Name ='id' value= 'consultant' >Consultant
<Input type = 'Radio' Name ='id' value= 'organisation' >Organisation
<p>Email:<br /> <input type="text" name="email_address" /> </p>
<p>Password:<br /> <input type="password" name="passwd" /> </p>
<p><input type="submit" name="submit1" value="Login"/></p>
</form>
</body>
</html>
```

logincheck1.php:

```php
<?php
session_start();
require "dbconn2.php";

//Using the function mysql_real_escape_string() AFTER a connection
//has been established will clean incoming variables and prevent
//users from tampering with your SQL by inserting some of their own
$email_address = mysql_real_escape_string($_POST['email_address']);
$passwd = mysql_real_escape_string($_POST['passwd']);
$id = mysql_real_escape_string($_POST['id']);

if($id == 'client') {
    $sql = "SELECT * FROM client WHERE email_address='".$email_address ."' AND passwd='".$passwd."'";
    $result = mysql_query ($sql, $connection)
        or die ("Could not perform query $sql <br />".mysql_error());
    $row = mysql_fetch_row($result);
}
else if($id == 'consultant') {
    $sql = "SELECT * FROM consultant WHERE email_address='".$email_address ."' AND passwd='".$passwd."'";
    $result = mysql_query ($sql, $connection)
        or die ("Could not perform query $sql <br />".mysql_error());
    $row = mysql_fetch_row($result);
}
else if($id == 'organisation') {
    $sql = "SELECT * FROM organisation WHERE email_address='".$email_address ."' AND passwd='".$passwd."'";
    $result = mysql_query ($sql, $connection)
        or die ("Could not perform query $sql <br />".mysql_error());
    $row = mysql_fetch_row($result);
}
else{
    echo 'Incorrect type';
}

if (mysql_num_rows($row) == 1){
    $_SESSION['email_address'] = $row['email_address'];
    header("Location: calendar2.php");
    exit();
}
else{
    header("Location: loginform1.php");
    exit();
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>logincheck1.php</title>
</head>
<body>
</body>
</html>
```
WolfRage Posted March 14, 2009

To test your theory, purposely set the variables correctly and then feed them to your MySQL statement. If the MySQL statement works then your form is to blame; if it does not work then your statement and/or database is at fault.
matt.sisto Posted March 16, 2009

I am going to uni today to sit down and go through it with my lecturer, hopefully I will get the code working today, I will let all of you know when and if I get it working how I did (for those of you that don't already know how to do it). Thanks for all your help so far.
matt.sisto Posted March 16, 2009

So it appears to be working. There was just an issue with the Header: Location. Thanks wolfrage and waynewex. Here is the code should anyone wish to use it:

Loginform1.php:

```html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Log In</title>
</head>
<body>
<h1>Log In</h1>
<form name="login" method="post" action="logincheck1.php">
<Input type = 'Radio' Name ='id' value= 'client' >Client
<Input type = 'Radio' Name ='id' value= 'consultant' >Consultant
<Input type = 'Radio' Name ='id' value= 'organisation' >Organisation
<p>Email:<br /> <input type="text" name="email_address" /> </p>
<p>Password:<br /> <input type="password" name="passwd" /> </p>
<p><input type="submit" name="submit1" value="Login"/></p>
</form>
</body>
</html>
```

logincheck1.php:

```php
<?php
session_start();
require "dbconn2.php";

//Using the function mysql_real_escape_string() AFTER a connection
//has been established will clean incoming variables and prevent
//users from tampering with your SQL by inserting some of their own
$email_address = mysql_real_escape_string($_POST['email_address']);
$passwd = mysql_real_escape_string($_POST['passwd']);
$id = mysql_real_escape_string($_POST['id']);

//Start with no row so the check below is defined for an unknown type
$row = null;

if($id == 'client') {
    $sql = "SELECT * FROM client WHERE email_address='".$email_address ."' AND passwd='".$passwd."'";
    $result = mysql_query ($sql, $connection)
        or die ("Could not perform query $sql <br />".mysql_error());
    //mysql_fetch_assoc() returns the row keyed by column name,
    //which $row['first_name'] below relies on
    $row = mysql_fetch_assoc($result);
}
else if($id == 'consultant') {
    $sql = "SELECT * FROM consultant WHERE email_address='".$email_address ."' AND passwd='".$passwd."'";
    $result = mysql_query ($sql, $connection)
        or die ("Could not perform query $sql <br />".mysql_error());
    $row = mysql_fetch_assoc($result);
}
else if($id == 'organisation') {
    $sql = "SELECT * FROM organisation WHERE email_address='".$email_address ."' AND passwd='".$passwd."'";
    $result = mysql_query ($sql, $connection)
        or die ("Could not perform query $sql <br />".mysql_error());
    $row = mysql_fetch_assoc($result);
}
else{
    echo 'Incorrect type';
}

if ($row != null) {
    $_SESSION['username'] = $row['first_name'];
    header("Location: index.html");
    exit();
}
else {
    header("Location: loginform1.php");
    exit();
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>logincheck1.php</title>
</head>
<body>
</body>
</html>
```