Help with a php login page

[rayburke519]

Followed some great instructions on developphp.com (Building a custom CMS site).

 

Here is a copy of the code/page. When I attempt to log in, I am getting a 500 error. Not sure what I missed out. Even looking over the source code, still throwing an error.

 

 

 

<?php
$error_msg = "";
if ($_POST['username']) {


$username = $_POST['username'];
$password = $_POST['password'];
// Simple hard coded values for the correct username and password
$admin = "admin";
$adminpass = "xxxxx";
// connect to mysql here if you store admin username and password in your database
// This would be the prefered method of storing the values instead of hard coding them here into the script
if (($username != $admin) || ($password != $adminpass)) {
$error_msg = ': <font color="#FF0000">Your login information is incorrect</font>';
} else {
session_register('admin');
$_SESSION['admin'] = $username;
require_once "index.php";
exit();
}


}// close if post username
?>



<?php
if ($_SESSION['admin'] != "admin") {
echo '<h3>Only the administrator can view this page</h3><br />

<table width="340" border="0">
<form action="admin_check.php" method="post" target="_self">
<tr>
<td colspan="2">Please Log In Here' . $error_msg . '</td>
</tr>
<tr>
<td width="96">Username:</td>
<td width="234"><input type="text" name="username" id="username" style="width:98%" /></td>
</tr>
<tr>
<td>Password:</td>
<td><input type="password" name="password" id="password" style="width:98%" /></td>
</tr>
<tr>
<td colspan="2" align="center"><input type="submit" name="button" id="button" value="Log In Now" /></td>
</tr>
</form>
</table>
<br />
<br />
<br />


<a href="../">Or click here to head back to the homepage</a>';
exit();
}
?>

[lbh2011]

Have you connected to the database?

[lbh2011]

Does this work for you?

<?php
$error_msg = "";
if ($_POST['username']) {

$username = $_POST['username'];
$password = $_POST['password'];
// Simple hard coded values for the correct username and password
$admin = "admin";
$adminpass = "admin";
// connect to mysql here if you store admin username and password in your database
// This would be the prefered method of storing the values instead of hard coding them here into the script
if (($username != $admin) || ($password != $adminpass)) {
echo '<font color="#FF0000">Your login information is incorrect</font>';
echo '<h3>Only the administrator can view this page</h3><br />
<table width="340" border="0">
<form action="" method="post">
<tr>
<td colspan="2">Please Log In Here</td>
</tr>
<tr>
<td width="96">Username:</td>
<td width="234"><input type="text" name="username" id="username" style="width:98%" /></td>
</tr>
<tr>
<td>Password:</td>
<td><input type="password" name="password" id="password" style="width:98%" /></td>
</tr>
<tr>
<td colspan="2" align="center"><input type="submit" name="button" id="button" value="Log In Now" /></td>
</tr>
</form>
</table>
<br />
<br />
<br />

<a href="../">Or click here to head back to the homepage</a>'; exit;
} else {
session_register('admin');
$_SESSION['admin'] = $username;
require_once "index.php";
}}
else
{
echo '<h3>Only the administrator can view this page</h3><br />
<table width="340" border="0">
<form action="" method="post">
<tr>
<td colspan="2">Please Log In Here</td>
</tr>
<tr>
<td width="96">Username:</td>
<td width="234"><input type="text" name="username" id="username" style="width:98%" /></td>
</tr>
<tr>
<td>Password:</td>
<td><input type="password" name="password" id="password" style="width:98%" /></td>
</tr>
<tr>
<td colspan="2" align="center"><input type="submit" name="button" id="button" value="Log In Now" /></td>
</tr>
</form>
</table>
<br />
<br />
<br />

<a href="../">Or click here to head back to the homepage</a>';
}
?>

[Sanjib Sinha]

This is a 'catch-all' error generated by the Web server. Basically something has gone wrong, but the server can not be more specific about the error condition in its response to the client.

So you need to guess where it happens. I think it is session. I would have done in a different way, like this:

function check_auth()
{
if($_SESSION['admin_id'] and $_SESSION['admin_email'])
return true;
else
return false;
}

After creating a check_auth() function you can start your session at top and get your page like this:

if(!check_auth())
header("location:logout.php") or die();
$page="adminpage";

[PFMaBiSmAd]

A HTTP 500 error for a php page is usually the result of a fatal parse or fatal runtime error, but that the error_reporting/display_errors settings are not set up to report or display all php detected errors.. Since the problem occurs when you try to log in, that eliminates a fatal parse error as the cause, at least in the main file.

 

You need to have php's error_reporting set to E_ALL and display_errors set to ON in your php.ini on your development system.

[rayburke519]

Where would I inject this function check, Sanjib? Do I need a new logout.php file?

[rayburke519]

A HTTP 500 error for a php page is usually the result of a fatal parse or fatal runtime error, but that the error_reporting/display_errors settings are not set up to report or display all php detected errors.. Since the problem occurs when you try to log in, that eliminates a fatal parse error as the cause, at least in the main file.

 

You need to have php's error_reporting set to E_ALL and display_errors set to ON in your php.ini on your development system.

 

On the index.php page (login page), I am seeing these messages along the top:

 

 

Notice: Undefined index: username in /Applications/MAMP/htdocs/administrator/admin_check.php on line 3

 

Notice: Undefined index: admin in /Applications/MAMP/htdocs/administrator/admin_check.php on line 26

 

After enabling the error logging, this is what I am seeing:

 

Fatal error: Call to undefined function session_register() in /Applications/MAMP/htdocs/administrator/admin_check.php on line 15

Edited January 27, 2013 by rayburke519

[White_Lily]

You cannot use session_register().

 

Instead use this:

 

session_start();
$_SESSION["admin"];
require_once "index.php";

[Christian F.]

That tutorial you're following, is so outdated it's literally not working any more. As evidenced by this thread.

I strongly recommend finding a more recent tutorial, no older than 2 years at the most, and judicious use of the PHP manual for all of the (new) functions you're encountering. That will tell you whether or not the tutorial is relying upon outdated code, or if it's current.

 

Sanjib Sinha: While you are on the right track with the login check, you should never use or die () behind a header redirect. Even though it works, as header () returns void, things will break is this is ever changed.

The killing of the script after a redirect is not depending upon the (apparent) failure of sending said header, but is a step that needs to be taken unconditionally.

[PFMaBiSmAd]

@White_Lily,

 

Please stop posting nonsense code and code that doesn't directly address the problem in the thread.

 

The line of code - $_SESSION["admin"]; DOESN'T actually do anything, nor does posting it tell the OP what he needs to do or why he needs to do it. The line of code itself is wrong and it doesn't teach anything or explain the problem.

 

And if you had looked at the code the OP posted, he already has this - $_SESSION['admin'] = $username; in it. If you had explained what he needs to add to get that line of code to work and why, what to remove and why to fix the session_register error, you would have helped and possibly gotten a 'like' for the post.

 

Posts that don't explain what the OP is doing wrong and what he needs to do instead, DON'T HELP and don't teach anything. They just throw the thread off topic, taking up the time of other members pointing out problems in it.

[PFMaBiSmAd]

The first two Notice: Undefined index: ______ messages are because the person writing the code you found didn't know or care if it would gradually create a giga-byte size error log, filled up with undefined index/variable notice messages that would make finding actual errors next to impossible.

 

The correct way of detecting a variable that might not exist (a $_POST variable that will only be set when a form as been submitted or a $_SESSION variable that will only be set when the visitor is logged in), is to use isset.

 

The code at the first error should be - if(isset($_POST['username'])){

 

The code at the second error should be - if(!isset($_SESSION['admin']) || $_SESSION['admin'] != "admin"){ (never mind that a session variable that indicates the current visitor is logged in as an admin, that contains that person's username, will only allow ONE admin with the username 'admin')

 

The Fatal error: Call to undefined function session_register() message is because you have a php version where the very old and depreciated session_register() function has finally been removed. The correct way of setting or referencing session variables is to use the $_SESSION array. You also need a session_start(); statement on any page that sets or references a $_SESSION variable. Since the rest of the code you posted is already using $_SESSION variable(s), It's likely that there is already a session_start() statement present (it must occur in the code before anything is output to the browser), and you simply need to remove the session_register() statement from your code.

[rayburke519]

The first two Notice: Undefined index: ______ messages are because the person writing the code you found didn't know or care if it would gradually create a giga-byte size error log, filled up with undefined index/variable notice messages that would make finding actual errors next to impossible.

 

The correct way of detecting a variable that might not exist (a $_POST variable that will only be set when a form as been submitted or a $_SESSION variable that will only be set when the visitor is logged in), is to use isset.

 

The code at the first error should be - if(isset($_POST['username'])){

 

The code at the second error should be - if(!isset($_SESSION['admin']) || $_SESSION['admin'] != "admin"){ (never mind that a session variable that indicates the current visitor is logged in as an admin, that contains that person's username, will only allow ONE admin with the username 'admin')

 

The Fatal error: Call to undefined function session_register() message is because you have a php version where the very old and depreciated session_register() function has finally been removed. The correct way of setting or referencing session variables is to use the $_SESSION array. You also need a session_start(); statement on any page that sets or references a $_SESSION variable. Since the rest of the code you posted is already using $_SESSION variable(s), It's likely that there is already a session_start() statement present (it must occur in the code before anything is output to the browser), and you simply need to remove the session_register() statement from your code.

 

Great, thank you VERY much PFMaBiSmAd. I will review these comments/suggestions and try them tonight/this coming week. I'll let you know how I make out. Ideally, I am after creating an simple, efficient CMS/KMS where I can post articles to a database, allow users to easily search them without a lot of noise or overhead. This is a project I am taking on myself, and would like to present it to my employer if i can get a solid, working template. Another part is being able to allow users to login to the site, using current LDAP or network credentials (likely a whole new topic/discussion).

 

Again, appreciate the help, and I'll reply back when I have made these changes.