[Israel]

Anyone know what's wrong with this logon script? It doesn't seem to keep anyone with the wrong password out:

<?php
if(!empty($_POST["username"]) && !empty($_POST["password"])){
if($_POST["username"] == "Israel" && $_POST["password"] == "blah"){
echo "Hello Israel";
} else {
echo "You entered a wrong password or username";
}
} else {
echo "You did not supply the right password";
}
?>
<form action="http://tinyurl.com/9wxmh/" method="POST">
<input type="text" name="username"><br>
<input type="password" name="password"><br>
<input type="submit" value="Log in"></form>
</body>
</html>

This post has been edited by Israel: 13 November 2005 - 12:06 AM

[snoj]

Change && to AND. I think that may be your problem.

[Israel]

Nope... It still runs with the wrong password.

[snoj]

Are you storing and checking sessions in the protected pages?

[Israel]

Ok...this is probably where I stop and realize I need to just hush and dig my face back in the php book I'm reading cause you totally lost me there...

[snoj]

Are you using sessions or some other means to let your php script know that you're you on the pages where you need to be logged in?

[Israel]

No... I was not doing this. I'm going to have do more reading on the link you sent. Pretty good one, thanks

[Amadeus]

I'm wondering if it could be something with the cache on your browser...I just ran that piece of code, and it ran fine...only the correct combination let me in, any others kept me out.

[Israel]

Really....?

[Ridikule]

The snippet you provided should work. I don't see any problem with it.

[Israel]

Ok, I've tried the script from 2 different boxes and I don't know why it works for everyone else but me... But I have a hunch. I should start by explaining that this is the entirity of my code:

<html>
<head>
<title>php test</title>
</head>
<body bgcolor="#0000FF">
<?php
if(!empty($_POST["username"]) && !empty($_POST["password"])){
if($_POST["username"] == "Israel" && $_POST["password"] == "blah"){
echo "Hello Israel";
} else {
echo "You entered a wrong password or username";
}
} else {
echo "You did not supply the right password";
}
?>
<form action="http://tinyurl.com/9wxmh/" method="POST">
<input type="text" name="username"><br>
<input type="password" name="password"><br>
<input type="submit" value="Log in"></form>
</body>
</html> 

Obviosly http://tinyurl.com/9wxmh/ is where your supposed to go if you have the right password. (BTW I'm not trying to spam here, just an example) But I have no 404 file, no place to go for the wrong password. I'm assuming that's my problem, which is pretty simple and I should have probably seen long ago but I'm perpetually always half-asleep. (If my hunch is right) But if I'm right, where should I supply the 404 page? I would assume, after one of the else statements. Am I right?

[Amadeus]

Actually, you should supply both pages in the if/elese, but this may be easier to accomplish with javascript, or by running that code on the receiving page...on that page, you can check the form values ent through, the redirect of the wrong combination is entered with a simple use of the header() call.

[snoj]

The action attribute (http://tinyurl.com/9wxmh/) of the form is where the form looks for the script it's suppose to run on submition.

So just set the action to the url of the script you showed us and then add header("Location: http://tinyurl.com/9wxmh/") to the one if statement. Be sure to put header() before you send anything back to the client, be it via HTML or whatever!

[Wizzy]

no way that is a login form! I made one and it was over 10mb.

Firstly to test for empty values use | instead of &&

Now use identical operator (===) for testing the name and password

if this was for users to log in you would verify the password (in hash) with a db password for that user (in the same hash).

[snoj]

Wizzy, on 20 Nov, 2005 - 11:02 PM, said:

no way that is a login form!  I made one and it was over 10mb.

It is a form and it does compute if the username and password supplied by the form user are correct. So it is infact a login form. ....And 10 MB is over doing it.

Wizzy, on 20 Nov, 2005 - 11:02 PM, said:

Firstly to test for empty values use | instead of &&

Though yes, that does make sense, the simplicty of this script it doesn't really matter, because it will fail if either is empty.

Wizzy, on 20 Nov, 2005 - 11:02 PM, said:

Now use identical operator (===) for testing the name and password

Actually he can use == if he wants. === is for when you want to include types in your comparisons. (Such as ints and strings of numbers.) (Further Reading)

Wizzy, on 20 Nov, 2005 - 11:02 PM, said:

if this was for users to log in you would verify the password (in hash) with a db password for that user (in the same hash).

You don't need a database to keep passwords. It can be unnecessary if you're the only user and no one else has access to the script and therefore the password. Now if you were going to store the password in a cookie then you probably want to save it in a hashed form. But then again...people can still use hashes to gain access into things. Hell I've done it.