
PHP form helper - displaying errors on the form!!


barbs75


Hey guys,

I am doing a login/registration system on my website. At the moment I have an error page: my form is in an HTML page, and the form is submitted to a PHP page which then does the validation etc.

What I want to do is have a form helper feature, where the errors appear on the form rather than on a separate, naff-looking page.

How do I do this?

I have been searching the internet, and there are tutorials, but it is all nested in another system. I would like to keep my system and just add the feature in, not re-code everything!

My code is shown below:

 

login_form.html

<body>   
<div id="mainContainer">
<div id="container-Content">
    	<div id="content-TopContent">
            <div id="TopBar">
            <div id="Logo"><img src="Images/Go4Home-logo.jpg" alt="Go4home.co.uk" width="201" height="39" /></div>
            <div id="myProfile"></div>
            <div id="Login"><a href="login_form.html">login</a></div>
            <div id="NotRegisteredText"><a class="blue" href="register.html">Not Registered?</a></div>
            </div><!--End of TopBar -->
            <ul id="navigationMenu">
                <li class="HomeButton"><a href="index.html"></a></li>
                <li class="SearchButton"><a href="Construction Page.html"></a></li>
                <li class="MoneyMarketButton"><a href="Construction Page.html"></a></li>
                <li class="GoBuyButton"><a href="Construction Page.html"></a></li>
                <li class="GoSellButton"><a href="Construction Page.html"></a></li>
                <li class="HelpButton"><a href="Construction Page.html"></a></li>
            </ul>
        </div><!--End of content-Topcontent -->   
  <div id="content-centrecontent">
  			<br />     
    		<h2 class="shadow">Log in here</h2>
            <br />
		<p class="centreContent">Not registered? Please register here and start looking for your dream home now!<br />
    		Otherwise please enter your username and password below to sign in to your profile</p>
		<div id="submitCustomerForm">
                <FORM ACTION="login.php" METHOD="POST" NAME="contact_form"> 
                    <table width="580">
                        <TR>
                            <TD width="40"></TD>
                            <TD colspan="4" border="0"><span class="asterix">*</span> Indicates a required field</TD>
                        </TR>
                        <TR border="0">
                            <TD></TD>
                            <TD></TD>
                            <TD width="187" align="left">Your Username:<span class="asterix"> *</span></TD>
                            <TD width="27"></TD>
                            <TD width="240" align="right"> <input class="fade" name="username" type=text size="30" maxlength="12"></TD>
                        </TR>
                        <TR border="0">
                            <TD></TD> 
                            <TD></TD>
                            <TD width="187" align="left">Your Password:<span class="asterix"> *</span></TD>
                            <TD width="27"></TD>
                            <TD width="240" align="right"> <input class="fade" name="password" type="password" size="30" maxlength="12"></TD>
                        </TR>
                        <TR height="50" border="0">
                            <TD></TD>
                            <TD><label><input name="remember" type="checkbox" id="Consent1" /></label></TD>
                            <TD align="left">Remember me?</TD>
                            <TD></TD>
                        </TR>
                        <TR border="0">
                            <TD></TD>
                            <TD></TD>
                            <TD></TD>
                            <TD></TD>
                            <TD align="right"><input type="image" src="Images/loginButton.png" name="Submit" /></TD>
                        </TR>
                	</table>
                </FORM>
                
                <FORM ACTION="forgotten_pass.php" METHOD="POST" NAME="contact_form">
                	<table width="580">
                        <TR border="0" colspan="5">
                            <TD colspan="5"><hr /></TD>
                        </TR>
                        <TR border="0">
                            <TD></TD>
                            <TD colspan="4"></TD>
                        </TR>
                        <TR border="0">
                            <TD></TD>
                            <TD colspan="4"><h3>Forgotten your password?</h3></TD>
                        </TR>
                        <TR border="0">
                            <TD></TD>
                            <TD colspan="4"><span class="textSmall">If you have forgotten your password, then don't worry! just provide us with 			your registered email address below and we will give you easy instructions on how to reset your password</span></TD>
                        </TR>
                        <TR height="20" border="0">
                            <TD></TD>
                            <TD colspan="4"></TD>
                        </TR>
                        <TR border="0">
                            <TD></TD>
                            <TD width="280"></TD>
                            <TD width="187" align="left">Email:</TD>
                            <TD width="27"></TD>
                            <TD width="240" align="right"> <input class="fade" name="email" type=text size="30" maxlength="12"></TD>
                        </TR>
                        <TR height="20" border="0">
                            <TD></TD>
                            <TD colspan="4"></TD>
                        </TR>
                        <TR border="0">
                            <TD></TD>
                            <TD></TD>
                            <TD></TD>
                            <TD></TD>
                            <TD align="right"><input type="image" src="Images/requestButton.png" name="Submit" /></TD>
                        </TR>
                    </table>
                </FORM>
        	</div><!--End of submitForm -->
  </div><!--End of content-centrecontent -->
</div><!--End of container-Content -->


    <div id="footer">
        <ul id="footerMenu">
            <li><a href="Construction Page.html">Go4home terms & conditions</a></li>
            <li><a href="Construction Page.html">Accessibility</a></li>
            <li><a href="Construction Page.html">About Us</a></li>
            <li><a href="Construction Page.html">Privacy Policy</a></li>
            <li><a href="Construction Page.html">Contact Us</a></li>
        </ul>
        <div id="CopyrightText"></div>
    </div><!--End of footer -->
</div><!--End of mainContainer -->
</body>
</html>

 

login.php

<?php 
session_start(); 
header("Cache-control: private"); 
$user = $_POST['username']; 
$pass = $_POST['password'];

$con = mysql_connect("localhost","root","12waldron"); //Replace with your actual MySQL DB Username and Password
if (!$con) 
{ 
die('Could not connect: ' . mysql_error()); 
} 
mysql_select_db("customerhouses_db", $con); //Replace with your MySQL DB Name //change to database connection file

// checking if the user exists 
$sql_user_check = "SELECT * FROM customer WHERE username='$user'"; //your table name here
$result_name_check = mysql_query($sql_user_check); 
$usersfound = mysql_num_rows($result_name_check); 
// if user not found, note that and end 
if ($usersfound < 1) { 
    $error = "User $user not found."; 
// if user does exist, continue with processing 
} else { //else1
    // checking if passwords match 
    $sql_pass_get = mysql_query("SELECT * FROM customer WHERE username='$user'"); //your table name here
    $user_info = mysql_fetch_array($sql_pass_get); 
    $encryptpass = $user_info['encryptpass']; 
    // if doesn't match, note that and end 
    if ($encryptpass != md5($pass)) { 
        $error = "Invalid password.  Try again.";
} else {//else2
	//check that user has activated their account
	$sql_status_check = mysql_query("SELECT * FROM customer WHERE username='$user'");
	$status_check_result = mysql_fetch_array($sql_status_check);
	$status_info = $status_check_result['status'];
	echo "your status is $status_info";
	//if account hasnt been activated, throw error
	if ($status_info ==0) {
		$error = "$user, you haven't yet fully activated your account. Please check your email inbox for an activation email\n
					sent by us, and follow the given instructions to start using your profile";
	} else {//else3
	//create sessions for each table entry 
	$_SESSION['username'] = $user_info['username'];
	$_SESSION['title'] = $user_info['title'];
	$_SESSION['forename'] = $user_info['forename'];
	$_SESSION['surname'] = $user_info['surname'];
	$_SESSION['email'] = $user_info['email']; 
	$_SESSION['encryptpass'] = $user_info['encryptpass']; 
	$_SESSION['membership'] = $user_info['membership']; 
	}//end of else3
}//end of else2
}//end of else1
//checks username session is registered, if it isn't checks if a value is assigned to error, if it has been
//output error and send them back to login screen, otherwise they are logged in correctly and welcome them
if (!$_SESSION['username']) { 
    if ($error) {
        echo $error;
	header('Location: login_form.html');
    } else { 
	echo "Welcome to your login";
        include("welcome.php"); 
    }
//otherwise they are still logged in and welcome them back! 
} else { 
    //echo "<html><head><title>Welcome Back</title></head><body>Welcome back ".$_SESSION['username']."  <a href=\"settings.php\">Click //here</a> to view your current settings.</body></html>";
header('Location: userprofile.php'); 
}  
?>

 

If anyone can take a look at my code and suggest how I would implement this feature in my system, I would be very grateful.

The only way I have seen this done is by using an error array (this was in a very complicated-looking system tutorial), or using PHP forms, or including the PHP within the same page as the form?

Anyway, any help or direction welcomed with open arms.

Cheers

Craig

 

Link to comment
Share on other sites

This is unrelated to your question, but your code needlessly executes the exact same SQL query numerous times...

mysql_query("SELECT * FROM customer WHERE username='$user'")

Also be sure to apply mysql_real_escape_string to your code. If I knew your website address I could right now easily hack into it and delete everything in your database. Note that I would NEVER do that to you. I just want you to know how important it is to be as careful as possible with your coding to make sure you prevent SQL injections. To read more about this, see this nice example I found for you here...

http://www.tizag.com/mysqlTutorial/mysql-php-sql-injection.php

Link to comment
Share on other sites

Hey RevRaz,

Thanks for your reply.

So the use of sessions then... would you be able to give me an example of that? And can I do that using a separate processing page like I have done?

Cunoodle,

Cheers for your reply as well. You say I'm using the line --mysql_query("SELECT * FROM customer WHERE username='$user'")-- too many times in my code... how would I re-write my script to prevent this? Do I just pass the variable that this is placed in?

E.g. the first time I use this line of code is: --$sql_user_check = "SELECT * FROM customer WHERE username='$user'";-- should I use the variable --$sql_user_check-- to pass in every time I fetch an array and stuff? Is that better practice?

I will be sure to read up on SQL injection and stuff. If I have any questions about it, can I send you a message or something?

Cheers

Craig

Link to comment
Share on other sites

Cunoodle,

Just read the article. I understand how it works and everything, just unsure how I would integrate that into my code?

I place that in my login.php script, right? Where I am doing the queries for checking the user exists etc., right? Not before the user puts the name in on my register form and registers it in the database?

Bit confused about where I put it...

I have put it in my login.php code as shown below:

 

login.php

<?php 
session_start(); 
header("Cache-control: private"); 
$user = $_POST['username']; 
$pass = $_POST['password'];

//Code to prevent mysql injection
$user_good = mysql_real_escape_string($user);

$con = mysql_connect("localhost","root","12waldron"); //Replace with your actual MySQL DB Username and Password
if (!$con) 
{ 
die('Could not connect: ' . mysql_error()); 
} 
mysql_select_db("customerhouses_db", $con); //Replace with your MySQL DB Name //change to database connection file

// checking if the user exists 
$sql_user_check = "SELECT * FROM customer WHERE username='$user_good'"; //your table name here
$result_name_check = mysql_query($sql_user_check); 
$usersfound = mysql_num_rows($result_name_check); 
// if user not found, note that and end 
if ($usersfound < 1) { 
    $error = "User $user not found."; 
// if user does exist, continue with processing 
} else { //else1
    // checking if passwords match 
    $sql_pass_get = mysql_query("SELECT * FROM customer WHERE username='$user_good'"); //your table name here
    $user_info = mysql_fetch_array($sql_pass_get); 
    $encryptpass = $user_info['encryptpass']; 
    // if doesn't match, note that and end 
    if ($encryptpass != md5($pass)) { 
        $error = "Invalid password.  Try again.";
} else {//else2
	//check that user has activated their account
	$sql_status_check = mysql_query("SELECT * FROM customer WHERE username='$user_good");
	$status_check_result = mysql_fetch_array($sql_status_check);
	$status_info = $status_check_result['status'];
	echo "your status is $status_info";
	//if account hasnt been activated, throw error
	if ($status_info ==0) {
		$error = "$user, you haven't yet fully activated your account. Please check your email inbox for an activation email\n
					sent by us, and follow the given instructions to start using your profile";
	} else {//else3
	//create sessions for each table entry 
	$_SESSION['username'] = $user_info['username'];
	$_SESSION['title'] = $user_info['title'];
	$_SESSION['forename'] = $user_info['forename'];
	$_SESSION['surname'] = $user_info['surname'];
	$_SESSION['email'] = $user_info['email']; 
	$_SESSION['encryptpass'] = $user_info['encryptpass']; 
	$_SESSION['membership'] = $user_info['membership']; 
	}//end of else3
}//end of else2
}//end of else1
//checks username session is registered, if it isn't checks if a value is assigned to error, if it has been
//output error and send them back to login screen, otherwise they are logged in correctly and welcome them
if (!$_SESSION['username']) { 
    if ($error) {
        echo $error;
	header('Location: login_form.html');
    } else { 
	echo "Welcome to your login";
        include("welcome.php"); 
    }
//otherwise they are still logged in and welcome them back! 
} else { 
    //echo "<html><head><title>Welcome Back</title></head><body>Welcome back ".$_SESSION['username']."  <a href=\"settings.php\">Click //here</a> to view your current settings.</body></html>";
header('Location: userprofile.php'); 
}  
?>

 

I made a variable called $user_good which has the code: --$user_good = mysql_real_escape_string($user);-- and then when I do my query I use that variable, shown on this line of code: --$sql_user_check = "SELECT * FROM customer WHERE username='$user_good'";--

The script now takes me back to the login form, which means it is throwing an error...

Can you help me with this? Where am I going wrong?

Cheers

Craig

Link to comment
Share on other sites

Been pretty busy and I only come on here when I have lots of free time (not often).  I'll address your questions on a case by case basis here...

 

"I will be sure to read up on sql injection and stuff, if i have any questions about it, can i send you a message or something??"

  You can if you like but as you can see I'm not on here often.  Posting in the boards would be ideal as then someone else (maybe even with a better knowledge than me) can address your issue.  In addition these public postings will hopefully help someone in the future with the same (or similar) problem.

 

"Just read the article, which i understand how it works and everything, just unsure how i would integrate that into my code??"

  Try doing this instead...

<?php

//Code to prevent mysql injection
//(mysql_real_escape_string() needs an open connection, so run this after mysql_connect())
$user_good = mysql_real_escape_string($user);

//echo both items to the screen to see what is going on..
echo "<b>Using escape string</b><br />\n";
echo "<b>OLD input: </b>".$user."<br />\n";
echo "<b>NEW input: </b>".$user_good."<br /><br />\n";

//try doing the same thing with magic quote checking to see if that works better on your server
// Is magic quotes on? 
if (get_magic_quotes_gpc()) 
{
    // Yes? Strip the added slashes ($user is a single string, so call stripslashes() directly)
    $user_good = stripslashes($user);
}

//echo both items to the screen to see what is going on..
echo "<b>Using magic quotes..</b><br />\n";
echo "<b>OLD input: </b>".$user."<br />\n";
echo "<b>NEW input: </b>".$user_good."<br /><br />\n";
?>

 

If you ever aren't sure what is going on with your code, it is always nice simply to echo it to the screen to find out exactly what is going on there.

 

"you say about im using the line --mysql_query("SELECT * FROM customer WHERE username='$user'")-- too many times in my code....how would i re-write my script to prevent from doing this? Do i just pass the variable that this is placed in?"

 

OK. Try this. For the most part it looks OK, but I did a slight modification here...

<?php
// checking if the user exists 
$sql_user_check = "SELECT * FROM customer WHERE username='".$user_good."'"; //your table name here
$result_name_check = mysql_query($sql_user_check); 
$usersfound = mysql_num_rows($result_name_check); 
?>

 

After that you can start trimming needless code out of there.  Remove this...

<?php
// checking if passwords match 
$sql_pass_get = mysql_query("SELECT * FROM customer WHERE username='$user_good'"); //your table name here
$user_info = mysql_fetch_array($sql_pass_get); 
?>

 

and replace with just this...

<?php
// checking if passwords match 
$user_info = mysql_fetch_array($result_name_check); 
?>

 

Then remove this..

<?php
//check that user has activated their account
$sql_status_check = mysql_query("SELECT * FROM customer WHERE username='$user_good");
$status_check_result = mysql_fetch_array($sql_status_check);
$status_info = $status_check_result['status'];
?>

 

and replace with just this...

<?php
$status_info = $user_info['status'];
?>

 

Also make sure you are cleaning your data at the very beginning of the page when it comes in.  Check your post variables properly by doing this...

<?php
$user = isSet($_POST['username']) ? $_POST['username'] : NULL;
$pass = isSet($_POST['password']) ? $_POST['password'] : NULL;
?>

 

Take a look and then let me know how its coming along.

Link to comment
Share on other sites
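
The two points raised in the thread (showing errors on the form, and keeping user input out of the SQL string) combined in one place, as an added example that is not code from any poster. It goes beyond the thread's mysql_real_escape_string advice by using a PDO prepared statement and password_verify(); the password_hash column, the login_form.php file name, the login_errors session key and the sample user are assumptions.

```php
<?php
// Added example, not code from the thread. Assumptions: PDO with SQLite is available,
// customer has a password_hash column written by password_hash() (the thread's table
// stores md5 in encryptpass), and the form page is renamed login_form.php.

// Returns a list of error messages; an empty array means the login succeeded.
function attempt_login(PDO $db, ?string $user, ?string $pass): array
{
    $errors = [];
    if ($user === null || $user === '') { $errors[] = 'Please enter your username.'; }
    if ($pass === null || $pass === '') { $errors[] = 'Please enter your password.'; }
    if ($errors) { return $errors; }

    // One query; the username is bound as data, never concatenated into the SQL.
    $stmt = $db->prepare('SELECT password_hash, status FROM customer WHERE username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Same message for an unknown user and a wrong password.
    if (!$row || !password_verify($pass, $row['password_hash'])) {
        return ['Invalid username or password.'];
    }
    if ((int) $row['status'] === 0) {
        return ['Your account has not been activated yet. Please check your email.'];
    }
    return [];
}

// Builds the HTML shown above the form; htmlspecialchars() keeps any user input
// echoed in a message from being interpreted as markup.
function render_errors(array $errors): string
{
    $items = '';
    foreach ($errors as $e) {
        $items .= '<li>' . htmlspecialchars($e, ENT_QUOTES, 'UTF-8') . '</li>';
    }
    return $items === '' ? '' : '<ul class="errors">' . $items . '</ul>';
}

// Constructed sample data in an in-memory SQLite database so this runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE customer (username TEXT PRIMARY KEY, password_hash TEXT, status INTEGER)');
$db->prepare('INSERT INTO customer VALUES (?, ?, ?)')
   ->execute(['craig', password_hash('sample-pass', PASSWORD_DEFAULT), 1]);

echo render_errors(attempt_login($db, "craig'--", 'anything')), "\n"; // quote stays literal data
echo render_errors(attempt_login($db, 'craig', 'wrong')), "\n";
var_dump(attempt_login($db, 'craig', 'sample-pass') === []);

// Web flow (comments only, since it needs a real request). In login.php:
//   session_start();
//   $errors = attempt_login($db, $_POST['username'] ?? null, $_POST['password'] ?? null);
//   if ($errors) { $_SESSION['login_errors'] = $errors; header('Location: login_form.php'); exit; }
//   session_regenerate_id(true); $_SESSION['username'] = $_POST['username'];
//   header('Location: userprofile.php'); exit;
// In login_form.php, just above the <FORM> (after session_start()):
//   echo render_errors($_SESSION['login_errors'] ?? []); unset($_SESSION['login_errors']);
```

Nothing is echoed before header() in the redirect flow, and the password hash is not copied into the session.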
