barbs75 Posted February 20, 2008 Share Posted February 20, 2008 Hey guys, I am doing a login/registration system on my website, at the moment i have an error page, where my form is in an html page, and then the form is submitted to a php page which then does the validation etc What i want to do is have a form helper feature, where the errors appear on form rather than on a separate, naff looking page. How do i do this?? I have been searching the internet, and there are tutorials, but it is all nested in another system, which i would like to keep my system, but just add the feature in, not re-code everything!!! My code is shown below: login_form.html <body> <div id="mainContainer"> <div id="container-Content"> <div id="content-TopContent"> <div id="TopBar"> <div id="Logo"><img src="Images/Go4Home-logo.jpg" alt="Go4home.co.uk" width="201" height="39" /></div> <div id="myProfile"></div> <div id="Login"><a href="login_form.html">login</a></div> <div id="NotRegisteredText"><a class="blue" href="register.html">Not Registered?</a></div> </div><!--End of TopBar --> <ul id="navigationMenu"> <li class="HomeButton"><a href="index.html"></a></li> <li class="SearchButton"><a href="Construction Page.html"></a></li> <li class="MoneyMarketButton"><a href="Construction Page.html"></a></li> <li class="GoBuyButton"><a href="Construction Page.html"></a></li> <li class="GoSellButton"><a href="Construction Page.html"></a></li> <li class="HelpButton"><a href="Construction Page.html"></a></li> </ul> </div><!--End of content-Topcontent --> <div id="content-centrecontent"> <br /> <h2 class="shadow">Log in here</h2> <br /> <p class="centreContent">Not registered? Please register here and start looking for your dream home now!<br /> Otherwise please enter your username and password below to sign in to your profile</p> <div id="submitCustomerForm"> <FORM ACTION="login.php" METHOD="POST" NAME="contact_form"> <table width="580"> <TR> <TD width="40"></TD> <TD colspan="4" border="0"><span class="asterix">*</span> Indicates a required field</TD> </TR> <TR border="0"> <TD></TD> <TD></TD> <TD width="187" align="left">Your Username:<span class="asterix"> *</span></TD> <TD width="27"></TD> <TD width="240" align="right"> <input class="fade" name="username" type=text size="30" maxlength="12"></TD> </TR> <TR border="0"> <TD></TD> <TD></TD> <TD width="187" align="left">Your Password:<span class="asterix"> *</span></TD> <TD width="27"></TD> <TD width="240" align="right"> <input class="fade" name="password" type=text size="30" maxlength="12"></TD> </TR> <TR height="50" border="0"> <TD></TD> <TD><label><input name="remember" type="checkbox" id="Consent1" /></label></TD> <TD align="left">Remember me?</TD> <TD></TD> </TR> <TR border="0"> <TD></TD> <TD></TD> <TD></TD> <TD></TD> <TD align="right"><input type="image" src="Images/loginButton.png" name="Submit" /></TD> </TR> </table> </FORM> <FORM ACTION="forgotten_pass.php" METHOD="POST" NAME="contact_form"> <table width="580"> <TR border="0" colspan="5"> <TD colspan="5"><hr /></TD> </TR> <TR border="0"> <TD></TD> <TD colspan="4"></TD> </TR> <TR border="0"> <TD></TD> <TD colspan="4"><h3>Forgotten your password?</h3></TD> </TR> <TR border="0"> <TD></TD> <TD colspan="4"><span class="textSmall">If you have forgotten your password, then don't worry! just provide us with your registered email address below and we will give you easy instructions on how to reset your password</span></TD> </TR> <TR height="20" border="0"> <TD></TD> <TD colspan="4"></TD> </TR> <TR border="0"> <TD></TD> <TD width="280"></TD> <TD width="187" align="left">Email:</TD> <TD width="27"></TD> <TD width="240" align="right"> <input class="fade" name="email" type=text size="30" maxlength="12"></TD> </TR> <TR height="20" border="0"> <TD></TD> <TD colspan="4"></TD> </TR> <TR border="0"> <TD></TD> <TD></TD> <TD></TD> <TD></TD> <TD align="right"><input type="image" src="Images/requestButton.png" name="Submit" /></TD> </TR> </table> </FORM> </div><!--End of submitForm --> </div><!--End of content-centrecontent --> </div><!--End of container-Content --> <div id="footer"> <ul id="footerMenu"> <li><a href="Construction Page.html">Go4home terms & conditions</a></li> <li><a href="Construction Page.html">Accessibility</a></li> <li><a href="Construction Page.html">About Us</a></li> <li><a href="Construction Page.html">Privacy Policy</a></li> <li><a href="Construction Page.html">Contact Us</a></li> </ul> <div id="CopyrightText"></div> </div><!--End of footer --> </div><!--End of mainContainer --> </body> </html> login.php <?php session_start(); header("Cache-control: private"); $user = $_POST['username']; $pass = $_POST['password']; $con = mysql_connect("localhost","root","12waldron"); //Replace with your actual MySQL DB Username and Password if (!$con) { die('Could not connect: ' . mysql_error()); } mysql_select_db("customerhouses_db", $con); //Replace with your MySQL DB Name //change to database connection file // checking if the user exists $sql_user_check = "SELECT * FROM customer WHERE username='$user'"; //your table name here $result_name_check = mysql_query($sql_user_check); $usersfound = mysql_num_rows($result_name_check); // if user not found, note that and end if ($usersfound < 1) { $error = "User $user not found."; // if user does exist, continue with processing } else { //else1 // checking if passwords match $sql_pass_get = mysql_query("SELECT * FROM customer WHERE username='$user'"); //your table name here $user_info = mysql_fetch_array($sql_pass_get); $encryptpass = $user_info['encryptpass']; // if doesn't match, note that and end if ($encryptpass != md5($pass)) { $error = "Invalid password. Try again."; } else {//else2 //check that user has activated their account $sql_status_check = mysql_query("SELECT * FROM customer WHERE username='$user'"); $status_check_result = mysql_fetch_array($sql_status_check); $status_info = $status_check_result['status']; echo "your status is $status_info"; //if account hasnt been activated, throw error if ($status_info ==0) { $error = "$user, you haven't yet fully activated your account. Please check your email inbox for an activation email\n sent by us, and follow the given instructions to start using your profile"; } else {//else3 //create sessions for each table entry $_SESSION['username'] = $user_info['username']; $_SESSION['title'] = $user_info['title']; $_SESSION['forename'] = $user_info['forename']; $_SESSION['surname'] = $user_info['surname']; $_SESSION['email'] = $user_info['email']; $_SESSION['encryptpass'] = $user_info['encryptpass']; $_SESSION['membership'] = $user_info['membership']; }//end of else3 }//end of else2 }//end of else1 //checks username session is registered, if it isn't checks if a value is assigned to error, if it has been //output error and send them back to login screen, otherwise they are logged in correctly and welcome them if (!$_SESSION['username']) { if ($error) { echo $error; header('Location: login_form.html'); } else { echo "Welcome to your login"; include("welcome.php"); } //otehrwise they are still logged in and welcome them back! } else { //echo "<html><head><title>Welcome Back</title></head><body>Welcome back ".$_SESSION['username']." <a href=\"settings.php\">Click //here</a> to view your current settings.</body></html>"; header('Location: userprofile.php'); } ?> If any one can take a look at my code and suggest how i would implement this feature into my system, i would be very grateful.... The only way i have seen this done is by using an error array (this was in a very complicated looking system tutorial) or using php forms or including the php within the same page as the form??? Anyway, any help or direction welcomed with open arms cheers Craig Quote Link to comment Share on other sites More sharing options...
revraz Posted February 20, 2008 Share Posted February 20, 2008 What I do is use sessions to store the errors, so when you reload the page, you can display them. Quote Link to comment Share on other sites More sharing options...
cunoodle2 Posted February 20, 2008 Share Posted February 20, 2008 This is unrelated to your question but your code needlessly executes the exact same SQL query numerous times... mysql_query("SELECT * FROM customer WHERE username='$user'") Also be sure to apply mysql real escape string to your code. If I knew your website address I could right now easily hack into it and delete everything in your database. Note that I would NEVER do that to you. I just want you to know how important it is to be as carefull as possible with your coding to make sure you prevent sql injections. To read more about this see this nice example I found for you here... http://www.tizag.com/mysqlTutorial/mysql-php-sql-injection.php Quote Link to comment Share on other sites More sharing options...
barbs75 Posted February 20, 2008 Author Share Posted February 20, 2008 Hey RevRaz, Thanks for your reply. So the use of sessions then....would you be able to give me an example of that?? and can i do that using a separate processing page like i have done? Cunoodle, cheers for your reply as well, and you say about im using the line --mysql_query("SELECT * FROM customer WHERE username='$user'")-- too many times in my code....how would i re-write my script to prevent from doing this? Do i just pass the variable that this is placed in? eg. the first time i use this line of code is: --$sql_user_check = "SELECT * FROM customer WHERE username='$user'";-- should i use the variable --$sql_user_check-- to pass into every time i fetch an array and stuff?? is that better practice? I will be sure to read up on sql injection and stuff, if i have any questions about it, can i send you a message or something?? cheers Craig Quote Link to comment Share on other sites More sharing options...
barbs75 Posted February 20, 2008 Author Share Posted February 20, 2008 Cunoodle, Just read the article, which i understand how it works and everything, just unsure how i would integrate that into my code?? I place that on my login.php script right? where i am doing the queries for checking the user exists etc right? not before the user puts the name in on my regsiter form and registers it in the database?? bit confused with where i put it.... I have put it in my login.php code as shown below: login.php <?php session_start(); header("Cache-control: private"); $user = $_POST['username']; $pass = $_POST['password']; //Code to prevent mysql injection $user_good = mysql_real_escape_string($user); $con = mysql_connect("localhost","root","12waldron"); //Replace with your actual MySQL DB Username and Password if (!$con) { die('Could not connect: ' . mysql_error()); } mysql_select_db("customerhouses_db", $con); //Replace with your MySQL DB Name //change to database connection file // checking if the user exists $sql_user_check = "SELECT * FROM customer WHERE username='$user_good'"; //your table name here $result_name_check = mysql_query($sql_user_check); $usersfound = mysql_num_rows($result_name_check); // if user not found, note that and end if ($usersfound < 1) { $error = "User $user not found."; // if user does exist, continue with processing } else { //else1 // checking if passwords match $sql_pass_get = mysql_query("SELECT * FROM customer WHERE username='$user_good'"); //your table name here $user_info = mysql_fetch_array($sql_pass_get); $encryptpass = $user_info['encryptpass']; // if doesn't match, note that and end if ($encryptpass != md5($pass)) { $error = "Invalid password. Try again."; } else {//else2 //check that user has activated their account $sql_status_check = mysql_query("SELECT * FROM customer WHERE username='$user_good"); $status_check_result = mysql_fetch_array($sql_status_check); $status_info = $status_check_result['status']; echo "your status is $status_info"; //if account hasnt been activated, throw error if ($status_info ==0) { $error = "$user, you haven't yet fully activated your account. Please check your email inbox for an activation email\n sent by us, and follow the given instructions to start using your profile"; } else {//else3 //create sessions for each table entry $_SESSION['username'] = $user_info['username']; $_SESSION['title'] = $user_info['title']; $_SESSION['forename'] = $user_info['forename']; $_SESSION['surname'] = $user_info['surname']; $_SESSION['email'] = $user_info['email']; $_SESSION['encryptpass'] = $user_info['encryptpass']; $_SESSION['membership'] = $user_info['membership']; }//end of else3 }//end of else2 }//end of else1 //checks username session is registered, if it isn't checks if a value is assigned to error, if it has been //output error and send them back to login screen, otherwise they are logged in correctly and welcome them if (!$_SESSION['username']) { if ($error) { echo $error; header('Location: login_form.html'); } else { echo "Welcome to your login"; include("welcome.php"); } //otehrwise they are still logged in and welcome them back! } else { //echo "<html><head><title>Welcome Back</title></head><body>Welcome back ".$_SESSION['username']." <a href=\"settings.php\">Click //here</a> to view your current settings.</body></html>"; header('Location: userprofile.php'); } ?> Where i made a variable called $user_good which has the code: --$user_good = mysql_real_escape_string($user);-- and then when i do my query i use that variable, shown on this line of code: --$sql_user_check = "SELECT * FROM customer WHERE username='$user_good'";-- The script now takes me back to login form, which means it is throwing an error... Can you help me with this?? where am i going wrong? Cheers Craig Quote Link to comment Share on other sites More sharing options...
cunoodle2 Posted February 22, 2008 Share Posted February 22, 2008 Been pretty busy and I only come on here when I have lots of free time (not often). I'll address your questions on a case by case basis here... "I will be sure to read up on sql injection and stuff, if i have any questions about it, can i send you a message or something??" You can if you like but as you can see I'm not on here often. Posting in the boards would be ideal as then someone else (maybe even with a better knowledge than me) can address your issue. In addition these public postings will hopefully help someone in the future with the same (or similar) problem. "Just read the article, which i understand how it works and everything, just unsure how i would integrate that into my code??" Try doing this instead... <?php //Code to prevent mysql injection $user_good = mysql_real_escape_string($user); //echo both items to the screen to see what is going on.. echo "<b>Using escape string</b><br />\n"; echo "<b>OLD input: </b>".$user."<br />\n"; echo "<b>NEW input: </b>".$user_good."<br /><br />\n"; //try doing the same thing with magic quote checking to see if that works better on your server // Is magic quotes on? if (get_magic_quotes_gpc()) { // Yes? Strip the added slashes $user_good = array_map('stripslashes', $user); } //echo both items to the screen to see what is going on.. echo "<b>Using magic quotes..</b><br />\n"; echo "<b>OLD input: </b>".$user."<br />\n"; echo "<b>NEW input: </b>".$user_good."<br /><br />\n"; ?> If you ever aren't sure what is going on with you code it is always nice simply to echo it to the screen to find out exactly what is going on there. "you say about im using the line --mysql_query("SELECT * FROM customer WHERE username='$user'")-- too many times in my code....how would i re-write my script to prevent from doing this? Do i just pass the variable that this is placed in?" Ok. Try this for the most part looks ok but I did a slight modification here... <?php // checking if the user exists $sql_user_check = "SELECT * FROM customer WHERE username='".$user_good."';" //your table name here $result_name_check = mysql_query($sql_user_check); $usersfound = mysql_num_rows($result_name_check); ?> After that you can start trimming needless code out of there. Remove this... <?php // checking if passwords match $sql_pass_get = mysql_query("SELECT * FROM customer WHERE username='$user_good'"); //your table name here $user_info = mysql_fetch_array($sql_pass_get); ?> and replace with just this... <?php // checking if passwords match $user_info = mysql_fetch_array($result_name_check); ?> Then remove this.. <?php //check that user has activated their account $sql_status_check = mysql_query("SELECT * FROM customer WHERE username='$user_good"); $status_check_result = mysql_fetch_array($sql_status_check); $status_info = $status_check_result['status']; ?> and replace with just this... <?php $status_info = $user_info['status']; ?> Also make sure you are cleaning your data at the very beginning of the page when it comes in. Check your post variables properly by doing this... <?php $user = isSet($_POST['username']) ? $_POST['username'] : NULL; $pass = isSet($_POST['password']) ? $_POST['password'] : NULL; ?> Take a look and then let me know how its coming along. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.