Validating and logging in from a form

[lewashby]

In the following pages I'm trying to validate if a user is signed in or not. If the user is signed in I would like to see 'Log Out' printed to the screen(I'll do more with that later). If the user is not signed in I would like to see a login form at the top right of the screen. As it stands I'm only seeing 'Log Out' on the screen, I can't get the form to show up anymore. I thought it might be because the session variable was still hanging around but I restarted my computer to make absolutely sure but I'm still just getting 'Log Out'. At the moment I need this program to work as is as much as possible. If you see an entirely different approach that you would use that's fine but I don't currently have the time to go changing a lot, I need to get this going kinda quick. Thanks.

 

records-board.php

<?php
require_once('includes/init.php');
if(!isset($_SESSION)) { init_session(); }
?>






<html>
  <head>
    <Title>Pop Report</title>
    <link rel="stylesheet" type="text/css" href="styles/popreport2.css">
    <h1>Pop Report</h1>
  </head>


<body>
<?php


if(isset($_POST['nameinput']) && isset($_POST['passinput']))
{
    $nameinput = $_POST['nameinput'];
    $passinput = $_POST['passinput'];
    User::sign_in($nameinput, $passinput);
}


if(!isset($_SESSION['user']))
{
    print_form();
}
else
{
    echo "Log Out ";
    echo $_SESSION['user']->name; // this line was just trouble shooting, it told me nothing!
}


?>

user.php

<?php


if(!isset($_SESSION)) { init_session(); }


class User
{
    public $name;


    public function __construct($username, $password)
    {
        
        $connection = get_db_connection();
        $query = $connection->query("SELECT * FROM users WHERE username='$username' AND password='$password'"); 
        
        if(!$query)
        {
            echo "Invalid username or password";
        }


        else
        {
            $result = $query->fetch(PDO::FETCH_ASSOC);


            if(!$result['username'] == $username || !$result['password'] == $password)
            {
                echo "Invalid username or password";
            }
            else { $this->name = $result['username']; }
        }
    }


    public static function sign_in($username, $password)
    {
        $_SESSION['user'] = new User($username, $password);
    }
}
?>

<?php


function print_form()
{
    echo "<form id='loginform' name='loginform' action='records-board.php' method='post'>";
    echo "Username: <input type='text' name='nameinput'>";
    echo "Password: <input type='text' name='passinput'><br />";
    echo "<input type='submit' value='Sign In'>";
    echo "</form>";
}


?>

 

 

[requinix]

What's the code for init_session()?

[cyberRobot]

Is user.php being imported into the script? Perhaps that's being done in init.php.

 

Is PHP set to display all errors and warnings? Note that you can add the following to the top of your script during the debugging process:

<?php
error_reporting(E_ALL);
ini_set('display_errors', 1);
?>

[mac_gyver]

your code contains two logic problems.

 

1) if(!$query) - this condition means that the query failed with an error of some kind (sql syntax error, wrong table or column name.) it does not mean that the username/password was invalid. your code should actually be using exceptions to handle database errors so that the main program logic only has to deal with the non-error conditions.

 

2) your code creates an instance of the user class in $_SESSION['user'] any time the User::sign_in() method gets called, regardless of the username/password matching anything. any request to the page after that will result in $_SESSION['user'] being set.

 

your user class needs a property or method you can use in your code to determine the logged in state.