  1. #1
    SitePoint Enthusiast
    Join Date: Oct 2007
    Posts: 36

    Broken PHP Login

    I'm developing a simple site right now that requires a user login to make changes to the site. I haven't added any real security yet so don't pay attention to that... Anyway, here's the deal:

    Here is the login form, in a file called login.php:
    Code:
    <form method="post" action="confirm_login.php">
    
    <h2>LOGIN</h2>
    <p>Username: <input type="text" name="username" /></p>
    <p>Password: <input type="password" name="password" /></p>
    <p><input type="submit" value="Login" name="submit" /></p>
    
    </form>
    And here is the code that processes the form in confirm_login.php:
    Code:
    // Escape both inputs before they are placed in the SQL string
    $username = mysql_real_escape_string($_POST['username']);
    $password = mysql_real_escape_string($_POST['password']);
    
    $q = "SELECT id FROM users WHERE user_name = '$username' AND password = '$password' LIMIT 1";
    
    $result = mysql_query($q) or die(mysql_error());
    
    // Exactly one matching row means the credentials were correct
    if (mysql_num_rows($result) == 1) {
    	$_SESSION['authorized'] = 1;
    	header("Location: ./admin/index.php");
    	exit; // stop the script once the redirect header has been sent
    } else {
    	header("Location: login.php");
    	exit;
    }
    Basically, what's supposed to happen is that when an incorrect username or password is typed into the form, it should send the user back to login.php. If the login credentials are correct, however, it should set a SESSION variable (authorized) to 1 and then send the user to the admin page.

    Here's what really happens... When an incorrect user or password is typed into the form, it sends the user back to login.php, like it should. BUT, when the login credentials are input correctly, it just sends the user to index.php (the homepage of the site), rather than the admin page...

    So... any ideas? Please let me know if I left out any important info.

    Thanks!

  2. #2
    Aleksejs (secure webapps for all)
    Join Date: Apr 2008
    Location: Riga, Latvia
    Posts: 755

    Hi!
    Do you have session_start() anywhere in confirm_login.php? Because if you don't, the session is not established and your check (which I'm guessing you probably do) in ./admin/index.php against the registered session fails and the user is redirected (I guess) back to index.php.

  3. #3
    AnthonySterling (Twitter: @AnthonySterling)
    Join Date: Apr 2008
    Location: North-East, UK.
    Posts: 6,111

    Additionally, in the header call you need to provide the full address, like so:

    PHP Code:
    <?php
    header('Location: http://www.yourserver.com/admin/index.php');
    ?>
    @AnthonySterling: I'm a PHP developer, a consultant for oopnorth.com and the organiser of @phpne, a PHP User Group covering the North-East of England.

  4. #4
    Stormrider (SitePoint Wizard)
    Join Date: Sep 2006
    Location: Nottingham, UK
    Posts: 3,133

    Originally posted by SilverBulletUK:
        Additionally, in the header call you need to provide the full address, like so:

        PHP Code:
        <?php
        header('Location: http://www.yourserver.com/admin/index.php');
        ?>

    Do you? I never knew that. I've always used relative paths!

  5. #5
    Raju Gautam
    Join Date: Oct 2006
    Location: Kathmandu, Nepal
    Posts: 4,013

    It is not needed, but I think it doesn't matter either, and that shouldn't be the case in OP's case/problem. But in the mod_rewrite (via .htaccess) implemented case, sometimes you may need it AFAIK, though it can be fixed by setting the base path.
    Mistakes are proof that you are trying.....

  6. #6
    AnthonySterling (Twitter: @AnthonySterling)
    Join Date: Apr 2008
    Location: North-East, UK.
    Posts: 6,111

    Originally posted by Stormrider:
        Do you? I never knew that. I've always used relative paths!

    Apparently so, see this excerpt from RFC2616

    14.30 Location

    The Location response-header field is used to redirect the recipient
    to a location other than the Request-URI for completion of the
    request or identification of a new resource. For 201 (Created)
    responses, the Location is that of the new resource which was created
    by the request. For 3xx responses, the location SHOULD indicate the
    server's preferred URI for automatic redirection to the resource. The
    field value consists of a single absolute URI.

    Location = "Location" ":" absoluteURI

    An example is:

    Location: http://www.w3.org/pub/WWW/People.html

    Note: The Content-Location header field (section 14.14) differs
    from Location in that the Content-Location identifies the original
    location of the entity enclosed in the request. It is therefore
    possible for a response to contain header fields for both Location
    and Content-Location. Also see section 13.10 for cache
    requirements of some methods.

  7. #7
    Stormrider (SitePoint Wizard)
    Join Date: Sep 2006
    Location: Nottingham, UK
    Posts: 3,133

    Ah OK. Will have to keep that in mind in future!

  8. #8
    SitePoint Enthusiast
    Join Date: Oct 2007
    Posts: 36

    @Aleksejs: I do have a session_start(), I just didn't show it above.

    @SilverBulletUK: That seems to do the trick, but still don't think it's necessary (although it may be the most correct way)

    Anyway, I just realized that I was editing a duplicate of confirm_login.php rather than the one that was actually being used. Whoops! All is well now.

    Thanks
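
The points raised in this thread (a session started before the check, an absolute Location target, and stopping the script after a redirect), as an added PHP example that is not part of any post. BASE_URL, the password_hash column and the function names are assumptions, and it swaps the thread's mysql_* calls and plaintext password comparison for PDO bound parameters and password_verify().

```php
<?php
// Added example, not the original poster's code. BASE_URL, the table layout
// and the function names are assumptions made for illustration.
declare(strict_types=1);

const BASE_URL = 'https://www.example.com'; // assumed fixed origin, not read from the Host header

// Send an absolute Location (as the RFC 2616 excerpt asks) and stop the
// script, so nothing after the redirect runs for an unauthenticated visitor.
function redirect(string $path): void
{
    header('Location: ' . BASE_URL . $path);
    exit;
}

// Look the user up with a bound parameter and compare against a stored hash.
function check_credentials(PDO $db, string $username, string $password): ?int
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE user_name = ? LIMIT 1');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return (int) $row['id'];
}

// confirm_login.php: establish the session before touching $_SESSION.
function handle_login(PDO $db, array $post): void
{
    session_start();
    $id = check_credentials($db, (string) ($post['username'] ?? ''), (string) ($post['password'] ?? ''));
    if ($id === null) {
        redirect('/login.php');
    }
    session_regenerate_id(true); // issue a new session ID once the user is authenticated
    $_SESSION['authorized'] = 1;
    redirect('/admin/index.php');
}

// Top of admin/index.php: the session check that post #2 guesses at.
function require_login(): void
{
    session_start();
    if (($_SESSION['authorized'] ?? 0) !== 1) {
        redirect('/login.php');
    }
}
```

In confirm_login.php this would be called as handle_login($pdo, $_POST), and admin/index.php would call require_login() before producing any output.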

