2 Replies - 773 Views - Last Post: 08 May 2012 - 06:52 PM

#1 Tgrooms

php login script not working right.

Posted 08 May 2012 - 04:16 PM

Hi,

I am a Phoob,

I am starting to create a website. Thus far I have managed to create the login, register, and logout pages myself. However, I have run into some trouble: when I click the login link it sets the variables automatically and I return an error. Any ideas why?

I will post my code below.


This is my register page.
<?
# display errors

require("conn.php");
# Form Variables
# using mysql_real_escape_string() to prevent sql injection
if ( isset($_POST['uname'])) {$uname = mysql_real_escape_string($_POST['uname']);}
if ( isset($_POST['password'])) {$password = mysql_real_escape_string($_POST['password']);}
if ( isset($_POST['fname'])) {$fname = mysql_real_escape_string($_POST['fname']);}
if ( isset($_POST['lname'])) {$lname = mysql_real_escape_string($_POST['lname']);}
if ( isset($_POST['email'])) {$email = mysql_real_escape_string($_POST['email']);}

#query db to see if username is already being used.
$result = mysql_query("SELECT uname FROM users WHERE uname = '$uname' LIMIT 1");
$usertaken = mysql_num_rows($result);

# Validation the form has been filled out and everything conforms.
if($_POST['submit'])
{
	
if (strlen($uname) == 0){echo "Please fill in all fields!<br>";}
elseif (strlen($uname) < 3){echo "Username too short, 3-20 characters!<br>";}
elseif (strlen($uname) > 20){echo 'Username too long, 3-20 characters!<br>';}
elseif ($usertaken == 1){echo'Username already taken,Please try again!';}
if (strlen($password) == 0){echo 'Please fill in all fields!<br>';}
elseif (strlen($password) < 3){echo 'Password too short, 3-20 characters!<br>';}
elseif (strlen($password) > 20){echo 'Password too long, 3-20 characters!<br>';}
if (strlen($fname) == 0){echo  'Please fill in all fields!<br>';}
elseif (strlen($fname) < 3){echo 'Firstname too short, 3-20 characters!<br>';}
elseif (strlen($fname) > 20){echo 'Firstname too long, 3-20 characters!<br>';}
if (strlen($lname) == 0){echo 'Please fill in all fields!<br>';}
elseif (strlen($lname) < 3){echo 'Lastname too short, 3-20 characters!<br>';}
elseif (strlen($lname) > 20){echo 'Lastname too long, 3-20 characters!<br>';}
if (strlen($email) == 0){echo 'Please fill in all fields!<br>';}
elseif (strlen($email) < 3){echo 'Email address too short, 3-50 characters!<br>';}
elseif (strlen($email) > 50){echo 'Email address too long, 3-50 characters!<br>';}
else
{
#register the user in database
$reg = mysql_query("INSERT INTO users VALUES('','$uname','$password','$fname','$lname','$email')");
echo"<p align='center'><font color='lime'>You have been successfully registered, Have fun!Click <a href='login.php'>Here</a>to goto login page! </font> ";
unset($_POST['uname']);
unset($_POST['password']);
}
}
?>
<html>
<head>
<title></title>
</head>
<body bgcolor="#333333">
<div class="boxMid">
 
<table width="100%" border="0" cellspacing="2" cellpadding="2">
  <tr>
    <form id="index" action="index.php" method="post">
	<table width="100%">
    <tr>
    <td width="50%" align='right'>Username:</td>
    <td width="50%"><input name="uname" type="text"  ></td>
	<tr>
    <td width="50%" align='right'>Password</td>
    <td width="50%"><input name="password" type="password"  ></td>
	<tr>
    <td width="50%" align='right'>First Name:</td>
    <td width="50%"><input name="fname" type="text"  ></td>
	<tr>
    <td width="50%" align='right'>Last Name:</td>
    <td width="50%"><input name="lname" type="text"  ></td>
	<tr>
    <td width="50%" align='right'>Email:</td>
    <td width="50%"><input name="email" type="text"  ></td>
	<tr>
    <td width="50%" colspan='2' align='center'><input name="submit" type="submit" ></td>
	</form>
      </tr>
</table>
</div>
 <div class="boxTitle" align="center"><?php echo "Already have an account? <a href='login.php'>Click Here</a> to go to login page!"?></div>
</body>
</html>



This is my login page.
<?
require("conn.php");

session_start($uname);
$uname = $_POST['uname'];
$password = $_POST['password'];
$users = mysql_fetch_array(mysql_query("SELECT id,uname,password FROM users"));

If ($uname != $users['1'])
#check username in db
{
die("Username not found!");
}
else
{
# make sure the password is correct
If ($password != $users['2'])
{
die("Wrong password for user $uname!");
}
    else
    {
    if ($uname == $users['1'] && $password== $users['2'])
    {header("Location: MF/index.php");}else{die("Could not log you in!");}
    }
    
}
?>







<html>
<head>
<title></title>
</head>
<body bgcolor="#333333">
<div class="boxMid">
	<table width="100%">
	<form id="login" action="login.php" method="post">
  <tr>
    <td width="50%" align='right'>Username:</td>
    <td width="50%"><input name="uname" type="text"  ></td>
	<tr>
    <td width="50%" align='right'>Password</td>
    <td width="50%"><input name="password" type="password"  ></td>
	<tr>
    <td width="50%" colspan='2' align='center'><input name="login" type="submit" ></td>
	</form>
  </tr>
</table>

	
</div>
</body>
</html>



This is my logout page.
<? 

session_start('$uname');
session_unset('$uname');
session_destroy();



?>



Replies To: php login script not working right.

#2 Atli

Re: php login script not working right.

Posted 08 May 2012 - 05:56 PM

Hey.

All three scripts suffer from the same problem, although the logout script isn't visibly affected by it, and you've partially corrected it in your registration script.

Both the registration page and the login page are submitting to themselves, so that on the first run the PHP code that registers or logs the user in should not execute. However, in your login page you don't account for this. On EVERY run it will try to log you in, and if that fails (which it will on the first run) it will stop with an error.

If you look at line #18 in your registration script, you see that you use the isset() function to test to see if the "submit" button has been pressed before trying to go through with the registration. This, even though you've already executed the query to find if the user has been taken, prevents the script from executing the registration code until the second run when the form has been submitted. You need to do something similar with your login script.


Also, a few pointers:

  • When testing to see if a self-submitting script should process the form data, don't test for a submit button. They are not guaranteed to be sent with the form. Instead, always test for the data itself.
    // Bad
    if (isset($_POST["submit"])) {
        // Process form here!
    }
    
    // Good
    if (isset($_POST["data1"], $_POST["data2"], $_POST["dataN"])) {
        // Process form here!
    }
    
    


  • The session_start() function does not take an input parameter.

  • The session_unset() function does not take an input parameter either. If you want to unset a session variable, use the unset() function.
    // Wrong:
    session_unset('$whatever');
    
    // Correct:
    unset($_SESSION["whatever"]);
    
    


  • Always test SQL query return values for errors. Never assume a SQL query is successful.
    // Never do:
    $row = mysql_fetch_array(mysql_query("..."));
    
    // Instead always do:
    $res = mysql_query($sql);
    if (!$res) {
        trigger_error(mysql_error(), E_USER_ERROR);
    }
    $data = mysql_fetch_array($res);
    
    // Or, if you are lazy and just don't care about your
    // user experience:
    $res = mysql_query($sql) or die(mysql_error());
    $data = mysql_fetch_array($res);
    
    

    I know this is a bit more code, but error-proofing code like this is essential.

  • Never do <? ... ?>, always do <?php ... ?>. The former is an optional format that is not supported on all servers. The latter is always supported. (Makes switching servers or reusing code much simpler.)

  • All HTML documents should start with a Doctype Declaration. This is VERY important, and should not be ignored!

  • Read up on, and pick, an Indent style. Dumping a bunch of statements into a single line to reduce the number of lines of code used is not a good idea. Fewer lines of code do NOT make the code easier to read! It's usually quite the opposite.

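The pointers in the reply above, applied to the login page, as an added example that is not code from the thread or from either poster. The `users` table and its columns are taken from the thread; `attempt_login()`, the in-memory SQLite database standing in for conn.php, the sample user, and the assumption that `users.password` holds a `password_hash()` value (the thread's register script stores the raw password) are all assumptions of this example.

```php
<?php
// Added example, not the thread's code. Table and column names come from the
// thread; attempt_login(), the SQLite database and the user are constructed.

function attempt_login(PDO $db, array $post): string
{
    // Test for the form data itself, not the submit button. On the first
    // request nothing has been posted, so the page should only show the form.
    if (!isset($post['uname'], $post['password'])) {
        return 'show_form';
    }
    // uname[]=x arrives as an array; reject anything that is not a string.
    if (!is_string($post['uname']) || !is_string($post['password'])) {
        return 'invalid';
    }

    // Fetch only the submitted user's row. The bound parameter keeps the
    // value out of the SQL text; PDO throws if the query fails.
    $stmt = $db->prepare(
        'SELECT id, uname, password FROM users WHERE uname = ? LIMIT 1'
    );
    $stmt->execute([$post['uname']]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);

    // One result for "no such user" and "wrong password", and the submitted
    // name is never echoed back into the page.
    if ($user === false
        || !password_verify($post['password'], $user['password'])) {
        return 'invalid';
    }
    return 'ok';
}

// Constructed stand-in for conn.php: in-memory database with one user.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, uname TEXT, password TEXT)');
$db->prepare('INSERT INTO users (uname, password) VALUES (?, ?)')
   ->execute(['alice', password_hash('s3cret-demo', PASSWORD_DEFAULT)]);

foreach ([
    [],                                               // first page load
    ['uname' => 'alice', 'password' => 'wrong'],
    ['uname' => 'alice', 'password' => 's3cret-demo'],
] as $post) {
    echo attempt_login($db, $post), "\n";
}
```

On an `ok` result the page would call `session_start()` with no arguments, then `session_regenerate_id(true)`, store the user's id in `$_SESSION`, and only then send the `Location` header.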

#3 Tgrooms

Re: php login script not working right.

Posted 08 May 2012 - 06:52 PM

Thanks for your help. Again just beginning to code so you and others will see more of my phoobishness. lol
