Jptalon, Posted October 22, 2012 (Author)

Finished and handed in. Thank you all for the guidance!
ignace, Posted October 22, 2012

> $sessionID = rand(1,99999);

I believe he said the sessionID had to be 5 chars long? rand only returns 1.

> But unfortunately I have to follow the directions I posted earlier.

Sure, in regard to function names and their expected behavior. Everything aside from that is yours to decide. So whether you want to create an extra function that converts a CSV file to a line array is your decision. Creating a function to generate a SessionID is also your decision.
Christian F., Posted October 23, 2012

There are some issues in your code, especially regarding the session stuff. You should have used the $_SESSION superglobal for everything you wanted in your session, instead of using regular variables (upper-casing them doesn't do anything).

I've also taken the time to re-write your code, to show you (approximately) how I'd do it. Note that I've just guessed at the position of the e-mail and password in the database file, and set them at first and second position (respectively).

```php
<?php
// Start the session.
session_start();

// Redirect to index if already logged in.
if (isset($_SESSION['email'])) {
    header('Location: index.php');
    die();
}

// Include required functions (assumed to provide hash_password()).
require_once('homepage/library.php');

/**
 * Process the submitted login form; returns the form with an added error message on failure.
 * Otherwise it redirects the user to the welcome page.
 *
 * @return string
 */
function process_loginForm()
{
    // Initialize variables for later use.
    $error    = array();
    $password = '';

    // Retrieve the e-mail address if it was sent and is valid.
    $email = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL);
    if (!$email) {
        // Otherwise show an error, and keep whatever was sent so the form can redisplay it.
        $error[] = 'Invalid or missing e-mail address.';
        $email   = isset($_POST['email']) ? $_POST['email'] : '';
    }

    // Make sure a password was sent.
    if (!isset($_POST['password']) || $_POST['password'] === '') {
        $error[] = 'Invalid or missing password.';
    } else {
        $password = $_POST['password'];
    }

    // If errors have been set, show the form anew with the user data and error messages.
    if (!empty($error)) {
        return generate_loginForm($error, $email);
    }

    // Run the login check, or show the form with an error message if it fails.
    if (!check_login($email, $password)) {
        return generate_loginForm(array('Invalid email or password'), $email);
    }

    // Regenerate the session ID to prevent session fixation, and store the user's e-mail address in the session data.
    session_regenerate_id();
    $_SESSION['email'] = $email;

    // Send the user to the welcome page.
    header('Location: welcome.php');
    die();
}

/**
 * Create the login form, with a list of error messages and a predefined e-mail address (if given).
 *
 * @param array[optional]  $error
 * @param string[optional] $email
 * @return string
 */
function generate_loginForm($error = array(), $email = '')
{
    // Check for error messages.
    if (!empty($error)) {
        // Escape all error messages for HTML output, and implode them into an unordered list.
        $error = array_map('htmlspecialchars', $error);
        $error = '<ul class="error"><li>' . implode("</li>\n\t<li>", $error) . "</li>\n</ul>";
    } else {
        // No errors: output nothing in place of the list.
        $error = '';
    }

    // Escape the e-mail address for HTML output.
    $email = htmlspecialchars($email);

    // Generate the completed form, and return it to the calling function.
    return <<<OutForm
{$error}
<form method="post" action="">
    <fieldset>
        <label for="inp_email">Email:</label>
        <input id="inp_email" type="email" name="email" size="35" value="{$email}">
        <label for="inp_pass">Password:</label>
        <input id="inp_pass" type="password" name="password" size="35">
    </fieldset>
    <fieldset class="buttons">
        <input type="submit" name="submit" value="Log in">
    </fieldset>
</form>
OutForm;
}

/**
 * Checks the given login information against the user database.
 * Returns true on success or false if no record matches.
 *
 * @param string $email
 * @param string $password
 * @return bool
 */
function check_login($email, $password)
{
    // Open the user database file for reading.
    $fp = fopen('homepage/registered_users.txt', 'r');

    // If the file could not be opened, terminate the script with a fatal error message.
    if (!$fp) {
        $error = '<h1>Error</h1><p>Could not open user database.<br>Contact administrator if this problem persists.</p>';
        trigger_error($error, E_USER_ERROR);
    }

    // Run through the file line by line, until the end is reached.
    while (!feof($fp)) {
        // Create an array from the current line (strip the trailing newline first).
        $line = explode('|', rtrim((string) fgets($fp, 999), "\r\n"));

        // Skip blank or malformed lines (we need e-mail, hash and salt).
        if (count($line) < 3) {
            continue;
        }

        // Hash the submitted password with the salt from the user database.
        // Use a separate variable so the plain password is not overwritten between rows.
        $hashed = hash_password($password, $line[2]);

        // Return true if the e-mail and password combination matches the current row.
        if ($line[0] == $email && $line[1] == $hashed) {
            fclose($fp);
            return true;
        }
    }

    // No matches found.
    fclose($fp);
    return false;
}

/**
 * Determine whether the form has been submitted, or the user followed a link.
 */
if (isset($_POST['submit'])) {
    // The submit button has been pressed, process the form.
    $form = process_loginForm();
} else {
    // No submission, just show the form.
    $form = generate_loginForm();
}
?>
<!DOCTYPE html>
<html>
<body>
<?php echo $form; ?>
</body>
</html>
```

Glad to see that you got some entertainment from the last few messages from me and salathe, but most of all that you found them informative.
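The rewrite above calls a hash_password() helper from library.php without showing it. As an added example (not Christian's code or the assignment's library), here is one way that helper and the row comparison could be implemented for the same pipe-delimited layout; the email|hash|salt field order, the SHA-256 scheme and the sample users are assumptions.

```php
<?php
// Added example: salted hashing and a constant-time comparison for the
// pipe-delimited user file discussed above. The email|hash|salt field order
// and the hashing scheme are assumptions, not the assignment's own library.

// Derive a hex digest from salt and password. The same function must be used
// at registration and at login so both sides produce identical strings.
function hash_password($password, $salt)
{
    return hash('sha256', $salt . $password);
}

// Generate a random per-user salt as hex (16 random bytes = 32 hex chars).
function make_salt()
{
    return bin2hex(random_bytes(16));
}

// Check credentials against the lines of the user file.
// hash_equals() compares in constant time, so the check does not leak how
// many leading bytes of the stored hash matched the candidate.
function check_login_lines(array $lines, $email, $password)
{
    $found = false;
    foreach ($lines as $raw) {
        $line = explode('|', rtrim($raw, "\r\n"));
        if (count($line) < 3) {
            continue; // skip blank or malformed rows
        }
        // Hash into a separate variable so the submitted password survives
        // for the next row (the posted code overwrote it on each iteration).
        $candidate = hash_password($password, $line[2]);
        if (hash_equals($line[1], $candidate) && $line[0] === $email) {
            $found = true; // keep looping so timing does not reveal the row
        }
    }
    return $found;
}

// Constructed sample database (two users) for a stand-alone run.
$salt1 = make_salt();
$salt2 = make_salt();
$users = array(
    'alice@example.com|' . hash_password('correct horse', $salt1) . '|' . $salt1,
    'bob@example.com|'   . hash_password('hunter2', $salt2)       . '|' . $salt2,
);

var_dump(check_login_lines($users, 'alice@example.com', 'correct horse'));
var_dump(check_login_lines($users, 'alice@example.com', 'hunter2'));
```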