
Display header message?


borospohar


I have made a login form for my project. The error message is displayed when I'm on localhost, but it does not show up when I upload it to the server; instead, the page refreshes when the Log in button is clicked.
What am I doing wrong?

 

Here is the source:

<?php
// This is the logic. This passes the data to the auth.php page (see code below).
require 'database.php';   // assumed to create the mysqli connection $con
require 'constants.php';  // defines ROOT_URL

// $_SESSION is written below, so a session must be active (started here if database.php does not)
if (session_status() === PHP_SESSION_NONE) {
    session_start();
}

if (isset($_POST['username']) && isset($_POST['password'])) {

    // Parameter renamed from $con to $data so it no longer shadows the database connection
    function validate($data) {
        $data = trim($data);
        $data = stripslashes($data);
        $data = htmlspecialchars($data);
        return $data;
    }

    $username = validate($_POST['username']);
    $pass = validate($_POST['password']);

    // If username/password field is empty -> error message
    if (empty($username)) {
        header("Location: " . ROOT_URL . "auth.php?error=Username is needed");
        exit();
    } else if (empty($pass)) {
        header("Location: " . ROOT_URL . "auth.php?error=Password is needed");
        exit();
    } else {

        // The submitted values are interpolated straight into the SQL string
        $result = $con->query("SELECT * FROM users WHERE username='$username' AND password='$pass'");

        // If username/password fields are correct/wrong -> move to index page/error message
        if ($result->num_rows === 1) {
            $row = $result->fetch_assoc();
            if ($row['username'] === $username && $row['password'] === $pass) {
                $_SESSION['username'] = $row['username'];
                header("Location: " . ROOT_URL);
                exit();
            } else {
                header("Location: " . ROOT_URL . "auth.php?error=Wrong username or password!");
                exit();
            }
        } else {
            header("Location: " . ROOT_URL . "auth.php?error=Wrong username or password!");
            exit();
        }
    }

} else {
    header("Location: " . ROOT_URL . "auth.php");
    exit();
}

Here is the frontend part with the error feedback:

<?php
// Getting the database information
require 'config/database.php';
?>

<!-- Getting the information from the code shown above -->
<form action="success-auth.php" method="POST"> <!-- <?= ROOT_URL ?> -->
    <header>
        <div class="main-header">
            <!-- The error message, which only works on localhost -->
            <?php if (isset($_GET['error'])) { ?>
                <p class="alert__message error"><?php echo $_GET['error']; ?></p>
            <?php } ?>
            <div class="inp">
                <input type="text" name="username" placeholder="Username">
            </div>
            <div class="inp">
                <input type="password" id="btn" name="password" placeholder="Password">
            </div>
            <p><button type="submit" name="submit">Log in</button></p>
        </div>
    </header>
</form>

 I can't find what the issue is. Any kind of help is appreciated!


the code is probably redirecting around a couple of times, back to the form without any get parameters.

based on the paths in the require statements in the two pieces of posted code, you either have multiple database.php files at different paths OR auth.php isn't just the 2nd piece of code you have posted and there's more to this than what has been posted? what's the full code for auth.php?

next, by putting the form and the form processing code on different pages and accepting a get input that controls what message gets displayed, you have more code than is needed and you are opening up your site to a phishing attack, where someone can steal your user's login credentials on a copy of your site, then redirect them back to your site, making it look like they just mistyped a value.

here's a laundry list of things you should/should not be doing -

  1. put the form processing and the form on the same page.
  2. don't attempt to detect if form field(s) are set to detect if the form has been submitted. if you had 30 or a 100 fields, would writing out isset() code using all those fields make sense? instead, just detect if a post method form was submitted. all the always-set fields will then be set.
  3. keep the form data as a set in an array variable, then operate on elements in this array variable throughout the rest of the code.
  4. forget you ever saw this validate() function. it came from bad code at w3schools, is misnamed, and the only thing it is doing 'properly' is to trim the data value.
  5. after you do item #3 on this list, you can trim all the data at once, using one single php statement.
  6. when you validate the input data, store user/validation errors in an array using the field name as the array index.
  7. after the end of all the validation logic, if the array holding the errors is empty, use the form data.
  8. use a prepared query when supplying external, unknown, dynamic values to an sql query when it gets executed to prevent any sql special characters from being able to break the sql syntax, which is how sql injection is accomplished. you would also want to switch to the much simpler PDO extension.
  9. don't store passwords as plain-text. use php's password_hash() and password_verify()
  10. list out the columns you are selecting in a query.
  11. if the query matches a row of data, you know that the WHERE clause was true. there's no good reason to compare in the php code the value(s) that were used in the WHERE clause. Don't Repeat Yourself (DRY.)
  12. the only value you should store in a session variable upon successful login is the user's id (autoincrement primary index.) you should query on each page request to get any other user information.
  13. upon successful completion of the post method form processing code, redirect to the exact same url of the current page to cause a get request for that page. this will prevent the browser from trying to resubmit the form data if the visitor reloads the page or navigates back to the page.
  14. if there are errors at step #7 in this list, the code will continue on to display the html document, display any errors in the errors array, redisplay the form, populating the appropriate form field values with the existing data.
  15. to get a form to submit to the same page it is on, simply leave out the entire action='...' attribute.
  16. any value you output on a web page needs to have htmlentities() applied to it to help prevent cross site scripting.

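The list above, carried through as one same-page login script. This is an added example, not code from either poster; it assumes `database.php` creates a PDO connection in `$pdo` and that the `users` table has `id`, `username` and `password_hash` columns, the last holding output of `password_hash()`. The numbered comments refer to the items in the list.

```php
<?php
// Added example (not the poster's code). Assumes $pdo is a PDO connection created
// in database.php and a users table with columns id, username, password_hash.
require 'database.php';
if (session_status() === PHP_SESSION_NONE) { session_start(); }

$post = [];      // 3. form data kept as a set
$errors = [];    // 6. validation errors keyed by field name

if ($_SERVER['REQUEST_METHOD'] === 'POST') {               // 2. detect a POST form
    $post = array_map('trim', $_POST);                     // 5. trim everything at once
    if (($post['username'] ?? '') === '') { $errors['username'] = 'Username is needed'; }
    if (($post['password'] ?? '') === '') { $errors['password'] = 'Password is needed'; }

    if (empty($errors)) {                                  // 7. only use the data when valid
        // 8. prepared query; 10. explicit column list
        $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
        $stmt->execute([$post['username']]);
        $user = $stmt->fetch(PDO::FETCH_ASSOC);
        // 9. password_verify() against the stored hash; 11. no re-comparison of the username
        if ($user && password_verify($post['password'], $user['password_hash'])) {
            session_regenerate_id(true);
            $_SESSION['user_id'] = $user['id'];            // 12. store only the user's id
            header('Location: ' . $_SERVER['REQUEST_URI']); // 13. redirect to the same URL
            exit();
        }
        $errors['login'] = 'Wrong username or password!';  // same message for either failure
    }
}
?>
<!-- 1./15. no action attribute: the form submits to this same page -->
<form method="POST">
  <?php foreach ($errors as $msg) { ?>
    <!-- 16. escape every value you output -->
    <p class="alert__message error"><?= htmlentities($msg, ENT_QUOTES, 'UTF-8') ?></p>
  <?php } ?>
  <div class="inp">
    <!-- 14. repopulate the username on error; never repopulate the password -->
    <input type="text" name="username" placeholder="Username"
           value="<?= htmlentities($post['username'] ?? '', ENT_QUOTES, 'UTF-8') ?>">
  </div>
  <div class="inp">
    <input type="password" name="password" placeholder="Password">
  </div>
  <p><button type="submit">Log in</button></p>
</form>
```

Because the error text never leaves the server, there is no `?error=` parameter for a third party to supply, which closes the phishing path described in the reply.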
