This form tests every way except when I submit without anything in the form fields. I have added the form to the bottom of this script. It also did it while it was separate.

<?php
ini_set ("display_errors", "1");
error_reporting(E_ALL);

//this is administrator html display
$admin = "<h1>Administrator Page</h1>";

	//this is the site admin display
$simple = "<h1>Site Admin Page</h1>";

//check for  cookie or required fields
if  (isset($_COOKIE['admin']))
{
echo  "<html>
	<body> $admin <br /> $simple
	</body></html>";
}
//check for  cookie or required fields
elseif (isset($_COOKIE['simple']))
{
echo  "<html><body>  
       $simple</body></html>";
}
//testing for admin user
elseif ((isset($_POST['username'])) && (isset($_POST['password'])))
{
//setup names of database and table to use
$db_name = "simplic5_users";

//connect to server and select database
$connection = @mysql_connect("localhost", "user", "password")
     or die(mysql_error());

$db = @mysql_select_db($db_name, $connection) or die(mysql_error());

//build and issue ADMIN query
$sql = "SELECT * FROM admin WHERE
username = \"$_POST[username]\" AND
password = password(\"$_POST[password]\")";

$result = @mysql_query($sql) or die (mysql_error());

//get the number of rows in the result set
$num = mysql_numrows($result);

//set a cookie and echo html if authorized,
//or redirect elsewhere if unauthorized
if ($num != 0) {
     $cookie_name = "admin";
     $cookie_value = "auth";
     $cookie_expire = "0";
     $cookie_domain = "mysite.org";
     setcookie($cookie_name, $cookie_value, $cookie_expire,
     "/" , $cookie_domain, 0);

     echo "<html><head>
	<title>Admin Area</title>
	</head><body>
    	        $admin <br />
    	        $simple
               </body></html>";
}
//if cookies are not set and admin form info not good
//run form information again
//testing for simple user
elseif ((isset($_POST['username'])) && (isset($_POST['password'])));
{
//build and issue simple query
$sql = "SELECT * FROM simple WHERE
username = \"$_POST[username]\" AND
password = password(\"$_POST[password]\")";

$result = @mysql_query($sql) or die (mysql_error());

//get the number of rows in the result set
$num = mysql_numrows($result);

//echo html and set a cookie if authorized,
//or redirect elsewhere if unauthorized
if ($num != 0) {
     $cookie_name = "simple";
     $cookie_value = "auth";
     $cookie_expire = "0";
     $cookie_domain = "simplicityworks.org";
     setcookie($cookie_name, $cookie_value, $cookie_expire,
     "/" , $cookie_domain, 0);
     echo "<html><body>
     $simple
     </body></html>";
}
}
}
else
{
//this is the default form
echo "<html><body><center>
       <h1>Login to XYZ Admin Site</h1>
       <form method=\"POST\" action=\"authuser.php\" style=\"border:solid red 5px;width:250px;\">
      <p><strong>Username:</strong><br />
      <input type=\"text\" name=\"username\" size=\"25\" maxlength=\"25\"></p>
      <p><strong>Password:</strong><br />
      <input type=\"password\" name=\"password\" size=\"25\" maxlength=\"25\"></p>
      <p><input type=\"submit\" name=\"submit\" value=\"Login\"></p>
      </form></center></body></html>";
}

Everything works great unless I submit a blank form. If I copy and paste the browser address bar the form appears like it is designed to do. This problem only happens when I submit a blank form. Is there any way to make the form not submit unless something is in the form fields? I have tried a couple of things only to go into this endless loop thing. Oh yeah, the name of this form is authuser.php. I would like to separate the form if I can get this issue corrected. This is the index.php (the form has been added to the authuser.php as an attempt to solve the issue):

<?php
ini_set ("display_errors", "1");
error_reporting(E_ALL);
session_start();
$_SESSION['count']++;
$msg = "<p>You have been here $_SESSION[count] times.</p>";
if ($_SESSION['count'] >= "7")
{
echo "You have run out of tries. Please try again later.";
exit;
}
//checks to see if cookie is set
//if set it should to to admin page
if ((isset($_COOKIE['admin'])) || (isset($_COOKIE['simple'])))
{
header("Location: authuser.php");
exit;
}
?>
<html>
<head>
<title>Login to Admin Site</title>
</head>
<body>
<center>
<h1>Login to XYZ Admin Site</h1>
<form method="POST" action="authuser.php" style="border:solid red 5px;width:250px;">
<p><strong>Username:</strong><br />
<input type="text" name="username" size="25" maxlength="25"></p>
<p><strong>Password:</strong><br />
<input type="password" name="password" size="25" maxlength="25"></p>
<p><input type="submit" name="submit" value="Login"></p>
</form>
</center>
</body>
</html>

Thanks for any help!

I believe (unless I am mistaken) that this line

elseif ((isset($_POST['username'])) && (isset($_POST['password'])))

will only check if the $_POST['username'] and $_POST['password'] variables are set - i.e. do not contain a NULL value.

see here - http://au.php.net/isset

Don't confuse this for checking if $_POST['username'] and $_POST['password'] contain actual data.

You could use empty() in conjunction with isset() to check if the $_POST['username'] and $_POST['password'] variables contain a value that is not an empty string (i.e. what happens when you submit an empty form field)

see here for empty() - http://au.php.net/empty

OR

you could use JavaScript to validate the data before you process it in your PHP code.

OR

better still use both so that if browsers have JavaScript disabled you still can catch the blank form fields and act accordingly.

"OR

better still use both so that if browsers have javascript disabled you still can catch the blank form fields and act accordingly."

ALWAYS use both. JS is just client side, and client side stuff should never be trusted. JavaScript validation should be used to help the user or something else, never for actual security.
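
A server-side version of the check discussed in the replies above, as an added example that is not part of the original thread: a blank submission still sets both keys to "", so isset() alone lets it through. classify_login() and the sample submissions are hypothetical; the 25-character limit mirrors the form's maxlength.

```php
<?php
// Added example: separate "field was sent" from "field has content".
// classify_login() and the sample arrays below are hypothetical.

/**
 * Returns action 'form' when the login form should be (re)displayed,
 * or 'login' when both fields carry data and a credential check may run.
 */
function classify_login(array $post): array
{
    $errors = [];
    foreach (['username', 'password'] as $field) {
        // isset() is true for "": a blank field still arrives in $_POST.
        // is_string() rejects username[]=x, which PHP turns into an array.
        if (!isset($post[$field]) || !is_string($post[$field])) {
            $errors[$field] = 'missing';
            continue;
        }
        // Compare against '' instead of calling empty(): empty("0") is true
        // in PHP, which would reject a legitimate value of "0".
        $value = $field === 'username' ? trim($post[$field]) : $post[$field];
        if ($value === '') {
            $errors[$field] = 'blank';
        } elseif (strlen($value) > 25) {
            // The form's maxlength is enforced by the browser only.
            $errors[$field] = 'too long';
        }
    }
    return ['action' => $errors ? 'form' : 'login', 'errors' => $errors];
}

// Constructed sample submissions (stand-ins for $_POST).
$samples = [
    'first visit, no POST'    => [],
    'blank form submitted'    => ['username' => '', 'password' => '', 'submit' => 'Login'],
    'whitespace username'     => ['username' => '   ', 'password' => 'x'],
    'array instead of string' => ['username' => ['a'], 'password' => 'x'],
    'both fields filled'      => ['username' => 'alice', 'password' => 'secret'],
];

foreach ($samples as $label => $post) {
    $r = classify_login($post);
    printf("%-26s => %-5s %s\n", $label, $r['action'], json_encode($r['errors']));
}
```

Only the last sample reaches the 'login' action; every other case falls back to showing the form instead of ending in a branch that prints nothing.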

 

 

 

 
