register_globals

[webwired]

I have researched and researched and read tutorial after tutorial and I just can't seem to get it... Could someone please tell me why the following login script won't work with register_globals off

[b]login.php[/b]
[code]
<?php

if(isset($_POST[login]))    {

include_once "connection.php";

$query = mysql_query("select * from users where username = '$_POST[username]' and password = '$_POST[password]'")or die(mysql_error());

$count = mysql_num_rows($query);

if ($count == 1)    {

        header("Location: loginaction.php?" . "userid=$row[userid]&" . "condition=logged&" . "username=$row[username]");

                    }elseif($count == 0)    {

                    echo 'Invalid Username and/or Password';

                                            }

                            }

?>
<br><br>
<center>
<h1>Login</h1>

<form method="POST" action="<?php echo $_SERVER[php_self]; ?>">

<table border="0" width="300">

  <tr>

      <td>Username</td>

    <td><input type="text" name="username" size="20"></td>

  </tr>

  <tr>

      <td>Password</td>

    <td><input type="password" name="password" size="20"></td>

  </tr>

  <tr>

      <td colspan="2"><center><input type="submit" name="login" value="Submit"></center></td>

  </tr>

</table>

</form>
</center>
[/code]

[b]loginaction.php[/b]
[code]
<?php

session_start();

    $_SESSION['userid'] = $_GET[userid];

    $_SESSION['condition'] = $_GET[condition];

    $_SESSION['username'] = $_GET[username];

        header("Location: index.php");

?>
[/code]

[kenrbnsn]

Why do you say it's not working? Do you get errors? Give us a hint...

Ken

[webwired]

Well, it just doesn't redirect to the loginaction.php page... When you enter your username and password, it just comes back to the login screen... So its accessing the database and seeing that its a valid username and password, because if you enter a bad username and password, it'll perform: echo 'Invalid Username and/or Password'; It works fine with register_globals "ON".

[trq]

Well, for starters. Non numerical array keys need to be surrounded in quotes. So this...
[code]
if(isset($_POST[login]))
[/code]
Should be...
[code]
if(isset($_POST[login]))
[/code]
Php is pretty forgiving in this area, but dont push your luck. There is quite a few places in your code where you have neglected to use this proper syntax.

Then, if your using non numerical array keys within a double quoted string you need to surround them in curly braces.
[code]
$query = mysql_query("select * from users where username = '{$_POST['username']}' and password = '{$_POST['password']}'") or die(mysql_error());
[/code]

[webwired]

Forgive me thorpe, but on your example I think you forgot to make your example change, was it supposed to be if(isset($_POST["login"])) ?

[webwired]

I've made all of these changes as you can see from the following code, but it still doesn't redirect to the loginaction.php page with the register_globals off. I tried to change the task if login was successful, such as echo something and that works, so it's definately something about the header that register_globals doesn't like.[code]header("Location: loginaction.php?" . "userid=$row[userid]&" . "condition=logged&" . "username=$row[username]");[/code]


[code]
<?php

if(isset($_POST["login"]))    {

include_once "connection.php";

$query = mysql_query("select * from users where username = '{$_POST['username']}' and password = '{$_POST['password']}'") or die(mysql_error());


$count = mysql_num_rows($query);

if ($count == '1')    {

        header("Location: loginaction.php?" . "userid=$row[userid]&" . "condition=logged&" . "username=$row[username]");

                    }elseif($count == '0')    {

                    echo 'Invalid Username and/or Password';

                                            }

                            }

?>
<br><br>
<center>
<h1>Login</h1>

<form method="POST" action="<?php echo $_SERVER[php_self]; ?>">

<table border="0" width="300">

  <tr>

      <td>Username</td>

    <td><input type="text" name="username" size="20"></td>

  </tr>

  <tr>

      <td>Password</td>

    <td><input type="password" name="password" size="20"></td>

  </tr>

  <tr>

      <td colspan="2"><center><input type="submit" name="login" value="Submit"></center></td>

  </tr>

</table>

</form>
</center>
[/code]

[trq]

Yeah... sorry, that was a typo before. Im really not sure this will even help, but it is best practice.

You didn't make ALL required chnges.
[code]
header("Location: loginaction.php?userid={$row['userid']}&condition=logged&username={$row['username']}");
[/code]
Dont see why you need that all broken up with concatination.

[webwired]

Sorry, yeah I missed that on the Header, I'll remember from now on the {}

Still doesn't work though, like you expected. Is there some kind of rule about header("Location: with register_globals off versus with register_globals on that I'm missing?

[kenrbnsn]

In order to prove or disprove that the header does or doesn't work, create two small PHP scripts, one with the header() function and one as the target.

header_test.php:
[code]<?php
$row = array('userid' => '1234', 'username' => 'test1234');
$x = "Location: header_target.php?" . "userid=$row[userid]&" . "condition=logged&" . "username=$row[username]";
header($x);
exit('did not transfer to loginaction ... ' . $x);
?>[/code]

header_target.php:
[code]<?php
echo '<pre>' . print_r($_GET,true).'</pre>';
?>[/code]

Invoke header_test.php
If you see the dump of the $_GET array, then everything worked and your non-working script has a differenct problem.

Ken

[webwired]

The result of test is as follows:
Address: [a href=\"http://url.com/header_target.php?userid=1234&condition=logged&username=test1234\" target=\"_blank\"]http://url.com/header_target.php?userid=12...ername=test1234[/a]

Displays:
Array
(
[userid] => 1234
[condition] => logged
[username] => test1234
)

[kenrbnsn]

This proves that the header() function works as advertised and your script is not failing there.

Is error reporting turned on? You may be getting "header already sent" errors and not seeing them if error reporting is turned off.

Ken

[webwired]

I'm not sure about if error reporting is turned on, I'll have to ask dedicated server support,... but I did try another test, I put your code into mine and it worked fine, but when I changed the redirect URL back to loginaction.php it wouldn't work again... so it leads me to think something about my loginaction.php page isn't accepting the redirect somehow...
[code]
<?php

session_start();

    $_SESSION['userid'] = $_GET[userid];

    $_SESSION['condition'] = $_GET[condition];

    $_SESSION['username'] = $_GET[username];

        header("Location: index.php");

?>
[/code]

[txmedic03]

Just a note...where you use $_GET and $_POST I notice you use things like $_GET[userid]...that would mean userid is a constant that refers to an entity in an array...I believe it is proper to use $_GET['userid'] to reference entity with key userid in array $_GET...just a bit of a side note there...

[kenrbnsn]

PHP will do the "right thing" in these situations after issuing a warning. If it is issuing a warning that could be what is preventing the header function from working. Clean up your array references and see if that makes a difference.

Also, why don't you do this code in your first script and then go directly to the "index.php" script? That would save one header bump.

Ken

[webwired]

Ok, did all of those things... Still don't work. Here's my code.

[code]
<?php
session_start();
if(isset($_POST['login']))    {
include_once "connection.php";
$query = mysql_query("select * from users where username = '{$_POST['username']}' and password = '{$_POST['password']}'") or die(mysql_error());
$count = mysql_num_rows($query);
if ($count == '1')    {
    $_SESSION['userid'] = $row['userid'];
    $_SESSION['condition'] = 'logged';
    $_SESSION['username'] = $row['username'];
        header("Location: index.php");
                    }elseif($count == '0')    {
                    echo 'Invalid Username and/or Password';
                                            }
                            }
?>
<br><br>
<center>
<h1>Login</h1>
<form method="POST" action="<?php echo $_SERVER['php_self']; ?>">
<table border="0" width="300">
  <tr>
      <td>Username</td>
    <td><input type="text" name="username" size="20"></td>
  </tr>
  <tr>
      <td>Password</td>
    <td><input type="password" name="password" size="20"></td>
  </tr>
  <tr>
      <td colspan="2"><center><input type="submit" name="login" value="Submit"></center></td>
  </tr>
</table>
</form>
</center>
[/code]

[kenrbnsn]

Let's make sure there are no errors that are not being reported. Put this line:
[code]error_reporting(E_ALL);[/code] right after the sessin_start()

Also in this section of code:
[code]<?php
if ($count == '1')    {
    $_SESSION['userid'] = $row['userid'];
    $_SESSION['condition'] = 'logged';
    $_SESSION['username'] = $row['username'];
        header("Location: index.php");
                    }elseif($count == '0')    {
                    echo 'Invalid Username and/or Password';
                                            }
?>[/code]
The value of $count will only be 1 or 2, so you don't need a "elseif" here. A "else" will work fine.
[code]<?php
if ($count == '1')    {
    $_SESSION['userid'] = $row['userid'];
    $_SESSION['condition'] = 'logged';
    $_SESSION['username'] = $row['username'];
    header("Location: index.php");
}
else echo 'Invalid Username and/or Password';
?>[/code]

Ken

[txmedic03]

[code]<?php

session_start();
if(isset($_POST['login']))    {
include_once "connection.php";
$query = mysql_query("select * from users where username = '{$_POST['username']}' and password = '{$_POST['password']}'") or die(mysql_error());
if ($query) {
  $row = mysql_fetch_assoc($query); // Notice modification made here.
  $_SESSION['userid'] = $row['userid'];
  $_SESSION['condition'] = 'logged';
  $_SESSION['username'] = $row['username'];
  header("Location: index.php");
}elseif($count == '0')    {
  echo 'Invalid Username and/or Password';
}

?>[/code]

$row[] is not defined until you define it. Try the above code and see how it works for you.

[webwired]

kenrbnsn, I put in that error code and changed the elseif to an else... Like txmedic03 said, "$row[] is not defined until you define it" was what I was getting... So I changed to his code, still nothing, no errors, no redirect... nothing, even when I put in a wrong username and password. So I made a hybrid of his code and my code, still doesn't redirect, it'll do anything you want it to do, but redirect...

[code]
<?php
session_start();
error_reporting(E_ALL);
if(isset($_POST['login']))    {
include_once "connection.php";
$query = mysql_query("select * from users where username = '{$_POST['username']}' and password = '{$_POST['password']}'") or die(mysql_error());
$count = mysql_num_rows($query);
if ($count == 1)    {
  $row = mysql_fetch_assoc($query);
  $_SESSION['userid'] = $row['id'];
  $_SESSION['condition'] = 'logged';
  $_SESSION['username'] = $row['username'];
  header("Location: index.php");
                    }else    {
  echo 'Invalid Username and/or Password';
                            }
                            }
?>
[/code]