php login form validation

[jarv]

Hi my code below checks for Username and password from a form and if they match those in database, it redirects to main.php However, I would like some help setting up error page?!

at the moment if the username or password are incorrect and teh form is submitted, the pages just goes white and blank?!

 

<?php
session_start();
include_once("config.php");
checkLoggedIn("no");
if(isset($_POST["submit"])) {
field_validator("rsUser", $_POST["rsUser"], "alphanumeric", 3, 15);
// password must be between 4 and 15 chars - any characters can be used:
field_validator("rsPass", $_POST["rsPass"], "string", 3, 15);

if($messages){
	doIndex();
	exit;
}
if( !($row = checkPass($_POST["rsUser"], $_POST["rsPass"])) ) {
        $messages[]="Incorrect login/password, try again";
    }

if($messages){
	doIndex();
	exit;
}

cleanMemberSession($row["rsUser"], $row["rsPass"], $row["UserID"]);

if ($user = checkPass($_REQUEST['rsUser'], $_REQUEST['rsPass'])) {
  cleanMemberSession($user['rsUser'], $user['rsPass'], $user['UserID']);
} else {
  echo('Login failed');
}  
header("Location: main.php");
} else {
doIndex();
}
function doIndex() {
global $messages;
global $title;
}
?>

 

Login failed does not get shown if a username is entered wrong?!

[Brian W]

exit; kills your application right there... nothing else is processed from that point on. So, your code says that if their is any error messages then simple kill the entire page without spitting out the messages for the user to see. I'd help more, but frankly your code is seems to me that its far from working at all. Please post the functions: field_validator(), checkPass(), and cleanMemberSession(). That should help us with your overall problem.

[jarv]

function field_validator($field_descr, $field_data,
  $field_type, $min_length="", $max_length="",
  $field_required=1) {
/*
Field validator:
This is a handy function for validating the data passed to
us from a user's <form> fields.

Using this function we can check a certain type of data was
passed to us (email, digit, number, etc) and that the data
was of a certain length.
*/

# array for storing error messages
global $messages;

# first, if no data and field is not required, just return now:
if(!$field_data && !$field_required){ return; }

# initialize a flag variable - used to flag whether data is valid or not
$field_ok=false;

# this is the regexp for email validation:
$email_regexp="^([a-zA-Z0-9_\-\.]+)@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.)|";
$email_regexp.="(([a-zA-Z0-9\-]+\.)+))([a-zA-Z]{2,4}|[0-9]{1,3})(\]?)$";

# a hash array of "types of data" pointing to "regexps" used to validate the data:
$data_types=array(
	"email"=>$email_regexp,
	"digit"=>"^[0-9]$",
	"number"=>"^[0-9]+$",
	"alpha"=>"^[a-zA-Z]+$",
	"alpha_space"=>"^[a-zA-Z ]+$",
	"alphanumeric"=>"^[a-zA-Z0-9]+$",
	"alphanumeric_space"=>"^[a-zA-Z0-9 ]+$",
	"string"=>""
);

# check for required fields
if ($field_required && empty($field_data)) {
	$messages[] = "$field_descr is a required field.";
	return;
}

# if field type is a string, no need to check regexp:
if ($field_type == "string") {
	$field_ok = true;
} else {
	# Check the field data against the regexp pattern:
	$field_ok = ereg($data_types[$field_type], $field_data);
}

# if field data is bad, add message:
if (!$field_ok) {
	$messages[] = "Please enter a valid $field_descr.";
	return;
}

# field data min length checking:
if ($field_ok && ($min_length > 0)) {
	if (strlen($field_data) < $min_length) {
		$messages[] = "$field_descr is invalid, it should be at least $min_length character(s).";
		return;
	}
}

# field data max length checking:
if ($field_ok && ($max_length > 0)) {
	if (strlen($field_data) > $max_length) {
		$messages[] = "$field_descr is invalid, it should be less than $max_length characters.";
		return;
	}
}
}
function cleanMemberSession($login, $password, $id) {
/*
Member session initialization function:
This function initializes 3 session variables:
  $login, $password and $loggedIn.

$login and $password are used on member pages (where you
could allow the user to change their password for example).

$loggedIn is a simple boolean variable which indicates
whether or not the user is currently logged in.
*/
$_SESSION["USERID"]=$id;
$_SESSION["RSUSER"]=$login;
$_SESSION["RSPASS"]=$password;
$_SESSION["loggedIn"]=true;
}
function checkPass($login, $password) {
/*
Password checking function:
This is a simple function that takes the $login name and
$password that a user submits in a form and checks that a
row exists in the database where:

the value of the 'login' column is the same as the value in $login
and
the value of the 'password' column is the same as the value in $password

If exactly one row is returned, then that row of data is returned.
If no row is found, the function returns 'false'.
*/
global $link;

$query="SELECT * FROM Users WHERE RSUSER='$login' and RSPASS='$password'";
$result=mysql_query($query, $link)
	or die("checkPass fatal error: ".mysql_error());

// Check exactly one row is found:
if(mysql_num_rows($result)==1) {
	$row=mysql_fetch_array($result);
	return $row;
}
//Bad Login:
return false;
}

[jarv]

there are a couple of exit; in my incdex.php

 

<?php
session_start();
include_once("config.php");
checkLoggedIn("no");
if(isset($_POST["submit"])) {
field_validator("rsUser", $_POST["rsUser"], "alphanumeric", 3, 15);
// password must be between 4 and 15 chars - any characters can be used:
field_validator("rsPass", $_POST["rsPass"], "string", 3, 15);

if($messages){
	doIndex();
	exit;
}
if( !($row = checkPass($_POST["rsUser"], $_POST["rsPass"])) ) {
        $messages[]="Incorrect login/password, try again";
    }

if($messages){
	doIndex();
	exit;
}

cleanMemberSession($row["rsUser"], $row["rsPass"], $row["UserID"]);

if ($user = checkPass($_REQUEST['rsUser'], $_REQUEST['rsPass'])) {
  cleanMemberSession($user['rsUser'], $user['rsPass'], $user['UserID']);
} else {
  echo('Login failed');
}  
header("Location: main.php");
} else {
doIndex();
}
function doIndex() {
global $messages;
global $title;
}
?>